Netgate Discussion Forum
    Default Deny Rule Blocking Active Directory Traffic

    Firewalling
    b_rad11

      Hello, I am currently running into an issue with Active Directory replication traffic being blocked by the Default Deny Rule on my pfSense.

      LAN1 (Cradlepoint) - 192.168.0.0/24
      Router - 192.168.0.1
      DC01 - 192.168.0.32
      DC02 - 192.168.0.42

      LAN2 (pfSense) - 192.168.1.0/29
      pfSense - 192.168.1.1
      LAN1 Router - 192.168.1.3

      LAN3 (AWS) - 172.100.0.1/24
      DC03 - 172.100.0.52

      DC01 and DC02 sit behind a Cradlepoint that handles all outbound traffic. The Cradlepoint on LAN1 has an IP directly attached to the LAN2 pfSense network. There are no rules between the Cradlepoint and the pfSense. The LAN2 pfSense has a site-to-site VPN connection to LAN3 AWS. The connection to AWS is using BGP.

      I keep having the "Default Deny Rule" blocking traffic between DC01/02 and DC03. Specifically, it is blocking TCP:A/RA/etc packets. I have the firewall rules permitting all traffic. I have reviewed other posts that suggest enabling the State Type of Sloppy and the packets are still being blocked. I have also checked System > Advanced > Firewall & NAT > Static Route Filtering (bypass firewall rules...)

      The replication will work for a brief period and then will stop. This was working flawlessly for about two weeks and now just recently the AD replication has stopped. Upon reviewing the firewall, the Default Deny Rule began blocking the packets again.

      Does anyone have any insight?

      Would it be better to bring another port up on the pfSense and place it directly in the LAN1 192.168.0.0/24 network?

      Thanks.


      adelaide_guy @b_rad11
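As an added illustration (not code from the thread or from pfSense), a small parser for pfSense filterlog lines that picks out block entries whose TCP flags show a mid-stream packet (A, RA, PA and so on) rather than a new SYN: those are drops caused by a missing state entry, the signature of asymmetric routing between DC01/DC02 and DC03 rather than of an explicit rule match. The CSV field order follows the pfSense filter log format; the log lines and the tracker id are constructed sample values, and the host map uses the addresses given in the first post.

```python
"""Find pfSense default-deny drops that are out-of-state TCP packets.
The filterlog CSV layout is: rule,sub-rule,anchor,tracker,interface,
reason,action,direction,ip-version, then for IPv4: tos,ecn,ttl,id,
offset,flags,proto-id,proto-text,length,src,dst, then for TCP:
sport,dport,data-len,tcp-flags,seq,ack,window,urg,options."""
import re
from collections import Counter

# Addresses from the first post; used only to label the summary.
HOSTS = {"192.168.0.32": "DC01", "192.168.0.42": "DC02", "172.100.0.52": "DC03"}

# Constructed sample log; tracker 1000000103 is a placeholder, not a real id.
SAMPLE_LOG = """\
Mar 3 10:01:02 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,63,0,0,DF,6,tcp,52,192.168.0.32,172.100.0.52,59744,445,0,A,,,513,,
Mar 3 10:01:02 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,63,0,0,DF,6,tcp,40,172.100.0.52,192.168.0.42,49155,135,0,RA,,,0,,
Mar 3 10:01:05 pfSense filterlog[12345]: 7,,,1234567890,igb1,match,pass,in,4,0x0,,63,0,0,DF,6,tcp,60,192.168.0.32,172.100.0.52,59745,445,0,S,,,64240,,mss
Mar 3 10:01:07 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,63,0,0,DF,6,tcp,60,10.9.9.9,192.168.1.1,4444,22,0,S,,,1024,,mss
"""

def parse_filterlog(line):
    """Return the interesting fields of an IPv4 TCP filterlog line, else None."""
    m = re.search(r"filterlog(?:\[\d+\])?:\s*(.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 24 or f[8] != "4" or f[16] != "tcp":
        return None
    return {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7],
            "src": f[18], "dst": f[19], "sport": f[20], "dport": f[21],
            "flags": f[23]}

def find_out_of_state_blocks(log_text):
    """Blocked packets that are not a fresh SYN: pf had no state for them."""
    hits = []
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if e is None or e["action"] != "block":
            continue
        is_new_conn = "S" in e["flags"] and "A" not in e["flags"]
        if not is_new_conn:
            hits.append(e)
    return hits

def summarize(hits):
    """Count out-of-state drops per (src, dst) pair, naming known DCs."""
    c = Counter((HOSTS.get(e["src"], e["src"]), HOSTS.get(e["dst"], e["dst"]))
                for e in hits)
    return dict(c)

if __name__ == "__main__":
    for (src, dst), n in summarize(find_out_of_state_blocks(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {n} out-of-state packet(s) hit the default deny")
```

If the pairs reported are the DC-to-DC flows while their SYNs pass, the firewall is seeing only one direction of the conversation; the blocked SYN from 10.9.9.9 in the sample is an ordinary rule match and is correctly left out.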

        @b_rad11

        I am no expert, just trying to understand your setup so I can learn more.

        I notice that you mention:

        "The Cradlepoint on LAN1 has an IP directly attached to the LAN2 pfSense network."

        Based on your IP address breakdown, the Cradlepoint LAN1 has the "192.168.0.0/24" IP network, but on pfSense LAN2 it has 192.168.1.0/29. I don't think they will see each other with these IP address settings unless it is a typo from when you were writing this post.


          b_rad11 @adelaide_guy

          @adelaide_guy

          The Cradlepoint has 192.168.1.3 on a second interface, which is how they talk.

          Sorry if I didn’t correctly identify that.


            SteveITS @b_rad11

            @b_rad11 it’s not this?
            https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!


              b_rad11 @SteveITS

              @SteveITS

              I appreciate the link, although I’m still having traffic blocked and can see that by the replication not working and the packets being blocked.

              What is very odd is that it worked for a period of time and then stopped randomly. “It” working is verifying the replication status of my DC via “repadmin /replsummary”. The delta for my AWS DC is nearly two days.

              I’m also finding that browsing file shares between the two locations is not going through either: \\DC03 from DC01 or vice versa.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.