Active Directory and pfSense

fogogg

I wasn't sure if this was better off here or in Installation and Administration. I chose to place it here since 1.2.3 was the latest version I have encountered this issue with in testing.

We are running a Windows Server 2003 Active Directory with around 80 clients. These clients are segregated by subnets assigned to the building they are in on our campus. Currently we have our old main network and two subnets in use. The main network which is still being used by our main building and servers is 10.0.0.0/20. The two subnets are 10.0.20.0/24 and 10.0.30.0/24. These subnets are served DHCP directly by our AD DHCP server through the DHCP relay. We have used both DNS relay and allowing clients to connect directly to the AD DNS servers. Both configurations functioned the same. Under pfSense 1.2.0 this setup works flawlessly and fast.

However, under pfSense 1.2.1, 1.2.2 and 1.2.3, the subnets lose contact with the Active Directory. Log ins and connections to CIFS shares take 10+ minutes to connect, if at all. Deleting user profiles, removing and re-adding affected machines to the domain makes no difference. DNS is functioning correctly with all lookups resolving properly with forward and reverse queries and the clients can ping the domain controllers and member servers. We are not using WINS or any protocol besides TCP/IPv4. Additionally, the only rules in place affecting inter-subnet traffic are allowing all protocols from the source subnet to any other internal subnet.

Reverting to 1.2.0 from any of the above mentioned versions immediately clears up all issues. The firewall hardware does not need to remain the same, either. We have two identical 1U boxes and as long as it is running 1.2.0 either one can be put in place of the other running a later version to solve issues immediately.

Does anyone have any ideas? Are we unique in experiencing this problem? I can't say with any authority, but I feel like the issue may be connected with the change from FreeBSD 6.x to 7.x. Could the updated packet filter be mangling AD traffic or Kerberos tickets in some way? All services except those directly connected to AD authentication work fast and smooth.

cmb

Do you have any static routes configured?

fogogg

We have one static route to our external/DMZ firewall. The outward facing machine is connected to the inward facing machine via the former's LAN interface to the latter's WAN interface. The external machines LAN IP address is 192.168.5.29/30 and  has a matching static route to the internal machines WAN IP address of 192.168.5.30/30. The routes point to the other machine's interface in each case.

There are no AD enabled machines connected to the outward facing firewall, although we have a couple Ubuntu servers connected to our file server via CIFS. These function correctly no matter what version of pfSense is on either firewall.

The external machine is successfully routing/firewalling with no issues under version 1.2.3.

cmb

It sounds like out of state traffic getting blocked, as the version of pf in 1.2.1 and newer is more strict than previous versions, but that should only affect scenarios that can't be statefully filtered, such as with static routes and asymmetric routing. Try to check "Bypass rules for traffic on same interface" (paraphrasing from memory, you'll find it) under System -> Advanced.