  • OPNsense Forum »
  • Archive »
  • 18.7 Legacy Series »
  • [SOLVED] Firewall rules problem
Author Topic: [SOLVED] Firewall rules problem  (Read 3060 times)

GaardenZwerch (Full Member)
[SOLVED] Firewall rules problem
« on: September 03, 2018, 11:20:19 am »
Hi all,

This might be my own fault, or a lack of understanding on my part, so I apologize in advance if I am being dumb.

I do 802.1X on my switches in remote offices, and the switches talk to a RADIUS server through an OpenVPN tunnel.

I have two symmetrical (floating) rules that should allow this:
RADIUS servers -> local switch net, accept ports 1812-1813
local switch net -> RADIUS servers, accept ports 1812-1813

It doesn't work, and I see in the live log that packets (UDP, port 1812) are dropped from the RADIUS servers to the switches.

When I include a third rule that allows anything from the RADIUS servers to the switches, it works like a charm.

I include a screenshot of the three rules.

« Last Edit: September 19, 2018, 01:11:56 pm by GaardenZwerch »

GaardenZwerch (Full Member)
Re: Firewall rules problem
« Reply #1 on: September 19, 2018, 01:11:42 pm »
This is somehow solved. It turned out that even with the more permissive rules, I had trouble with workstations not being able to authenticate.

This only happened on a single site, and I wasn't able to reproduce it in the lab, with identical HW.

I finally discovered that OPNsense reassembled fragmented RADIUS Access-Challenges into long packets (1570 bytes). The switches would nevertheless log their reception but give no further error. Once a station is authenticated, the Challenges are smaller in size until it is rebooted, so it would work like a charm when power-cycling ports or moving cables on the switch.

Making sure no switch has jumbo frames enabled and lowering the MTU to 1400 on the switch VLAN finally fixed it.
Really hard to find, because the results of tuning MTU and jumbo frames seem to take some time before showing.

Frank
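To make the failure mode in the reply concrete (a RADIUS Access-Challenge that grows past a single Ethernet frame and has to be IP-fragmented on the way to the switch), here is an added worked example in Python. It is not code from the forum post or from OPNsense: it constructs an Access-Challenge the way an EAP server does when it pushes a large EAP record through the switch (EAP-Message attributes chunked at 253 bytes as RFC 3579 requires), parses the RADIUS header back out, and computes how the datagram maps onto IPv4 packets for a given MTU. The 1500-byte EAP payload and 18-byte State value are constructed so the datagram lands on the 1570-byte size the poster reported; the authenticators are zero placeholders, and the size arithmetic assumes IPv4 without options on UDP ports 1812-1813.

```python
"""RADIUS Access-Challenge size budget (added example, not from the forum post).

Constructs an Access-Challenge carrying one large EAP message, parses the
RADIUS header back out of the bytes, and works out whether the UDP datagram
fits an IPv4 link with a given MTU or is split into fragments. All packet
contents are constructed for illustration; authenticators are placeholders.
"""
import struct

RADIUS_HDR_LEN = 20      # Code(1) Identifier(1) Length(2) Authenticator(16)
IPV4_HDR_LEN = 20        # no IP options assumed
UDP_HDR_LEN = 8
ACCESS_CHALLENGE = 11    # RFC 2865 Code value
ATTR_STATE = 24
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253     # attribute Length is one byte and covers the 2-byte header


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long, split it across attributes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_challenge(identifier, eap_payload, state):
    """Constructed Access-Challenge carrying one EAP message.

    RFC 3579 requires an EAP message longer than 253 bytes to be split across
    consecutive EAP-Message attributes, so a large EAP record becomes a single
    oversized RADIUS datagram rather than several small ones.
    """
    attrs = b"".join(
        attribute(ATTR_EAP_MESSAGE, eap_payload[i:i + MAX_ATTR_VALUE])
        for i in range(0, len(eap_payload), MAX_ATTR_VALUE)
    )
    attrs += attribute(ATTR_STATE, state)
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder HMAC-MD5
    length = RADIUS_HDR_LEN + len(attrs)
    authenticator = bytes(16)  # placeholder Response Authenticator
    return struct.pack("!BBH", ACCESS_CHALLENGE, identifier, length) + authenticator + attrs


def parse_radius_header(datagram):
    """Return code, identifier and length; reject a datagram whose Length lies."""
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if length != len(datagram) or length < RADIUS_HDR_LEN:
        raise ValueError("RADIUS Length field does not match datagram size")
    return {"code": code, "identifier": identifier, "length": length}


def ipv4_packet_len(radius_len):
    """Size of the unfragmented IPv4 packet that carries this RADIUS datagram."""
    return IPV4_HDR_LEN + UDP_HDR_LEN + radius_len


def ipv4_fragment_count(radius_len, mtu):
    """How many IPv4 packets (fragments) the datagram occupies on a link with this MTU.

    Each fragment's payload after the 20-byte IP header is a multiple of 8 bytes;
    a result of 1 means the datagram travels unfragmented.
    """
    l3_payload = UDP_HDR_LEN + radius_len
    per_fragment = (mtu - IPV4_HDR_LEN) // 8 * 8
    return -(-l3_payload // per_fragment)   # ceiling division


def max_eap_payload_unfragmented(mtu, state_len):
    """Largest EAP message that still fits one unfragmented IPv4 packet,
    counting the 2-byte header of every EAP-Message chunk plus the State and
    Message-Authenticator attributes. Handy for choosing an EAP fragment size
    on the server so Access-Challenges never need IP fragmentation."""
    fixed = IPV4_HDR_LEN + UDP_HDR_LEN + RADIUS_HDR_LEN + (2 + state_len) + 18
    budget = mtu - fixed
    for payload in range(budget, -1, -1):
        chunks = -(-payload // MAX_ATTR_VALUE)
        if payload + 2 * chunks <= budget:
            return payload
    return 0


if __name__ == "__main__":
    # Constructed EAP record: 1500 bytes of payload and an 18-byte State value
    # give the 1570-byte RADIUS datagram size reported in the thread.
    challenge = build_access_challenge(7, b"\xaa" * 1500, b"\x01" * 18)
    hdr = parse_radius_header(challenge)
    print("RADIUS length", hdr["length"], "IPv4 packet", ipv4_packet_len(hdr["length"]))
    for mtu in (1500, 1400, 9000):
        print(f"MTU {mtu}: {ipv4_fragment_count(hdr['length'], mtu)} IPv4 packet(s), "
              f"max unfragmented EAP payload {max_eap_payload_unfragmented(mtu, 18)}")
```

Running it shows that a 1570-byte datagram is a 1598-byte IPv4 packet, so it only crosses a standard 1500-byte link in two fragments and travels whole only where jumbo frames are enabled end to end; the same arithmetic gives the EAP payload size (1402 bytes at MTU 1500 with an 18-byte State) below which the server's Access-Challenges never need fragmentation. Whether you address it by trimming the VLAN MTU as the poster did or by capping the EAP fragment size on the RADIUS server (my suggestion, not from the post; FreeRADIUS exposes this as `fragment_size` in its EAP module), the check above tells you where the budget lies.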

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved