Default Deny Rule Blocking Active Directory Traffic
-
Hello, I am currently running into an issue with Active Directory replication traffic being blocked by the Default Deny Rule on my pfSense.
LAN1 (Cradlepoint) - 192.168.0.0/24
Router - 192.168.0.1
DC01 - 192.168.0.32
DC02 - 192.168.0.42
LAN2 (pfSense) - 192.168.1.0/29
pfSense - 192.168.1.1
LAN1 Router - 192.168.1.3
LAN3 (AWS) - 172.100.0.1/24
DC03 - 172.100.0.52
DC01 and DC02 sit behind a Cradlepoint that handles all outbound traffic. The Cradlepoint on LAN1 has an IP directly attached to the LAN2 pfSense network. There are no rules between the Cradlepoint and the pfSense. The LAN2 pfSense has a site-to-site VPN connection to LAN3 AWS. The connection to AWS is using BGP.
I keep having the "Default Deny Rule" blocking traffic between DC01/02 and DC03. Specifically, it is blocking TCP:A/RA/etc packets. I have the firewall rules permitting all traffic. I have reviewed other posts that suggest enabling the State Type of Sloppy and the packets are still being blocked. I have also checked System > Advanced > Firewall & NAT > Static Route Filtering (bypass firewall rules...)
The replication will work for a brief period and then will stop. This was working flawlessly for about two weeks and now just recently the AD replication has stopped. Upon reviewing the firewall, the Default Deny Rule began blocking the packets again.
Does anyone have any insight?
Would it be better to bring another port up on the pfSense and place it directly in the LAN1 192.168.0.0/24 network?
Thanks.
-
I am no expert, just trying to understand your setup so I can learn more.
I notice that you mention:
"The Cradlepoint on LAN1 has an IP directly attached to the LAN2 pfSense network."
Based on your IP address breakdown, LAN1 of the Cradlepoint has the "192.168.0.0/24" IP network but on pfSense LAN2 it has 192.168.1.0/29. I don't think they will see each other with those IP address settings unless it is a typo from when you were writing this post.
-
The Cradlepoint has 192.168.1.3 on a second interface, which is how they talk.
Sorry if I didn’t correctly identify that.
-
@b_rad11 it’s not this?
https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
-
I appreciate the link, although I’m still having traffic blocked and can see that by the replication not working and the packets being blocked.
What is very odd is that it worked for a period of time and then stopped randomly. “It” working is verifying the replication status of my DC via “repadmin /replsummary”. The delta for my AWS DC is nearly two days.
I’m also finding that browsing file shares between the two locations is not going through either: \DC03 from DC01 or vice versa.
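As an added illustration, not part of this thread, of how to tell a genuine policy block from the out-of-state blocks the original post describes (TCP:A/RA packets hitting the default deny): the script below parses lines in the pfSense filterlog CSV layout and separates blocked SYN-only packets (a rule really denying a new connection) from blocked mid-flow packets (ACK/PSH/RST/FIN with no SYN), which the firewall drops only because it holds no state for that flow, the usual signature of asymmetric routing or a state table that was flushed. The sample log lines are constructed; the field order and the tracker values are assumptions based on the documented filterlog format, not copied from the poster's firewall.

```python
import csv
from collections import Counter

# Constructed sample lines in the pfSense filterlog CSV layout. Field order
# is an assumption from the documented format: rule,subrule,anchor,tracker,
# iface,reason,action,direction,ipver,tos,ecn,ttl,id,offset,flags,proto-id,
# proto,length,src,dst,sport,dport,datalen,tcp-flags,... The addresses mirror
# the thread; interface, tracker and port values are made up.
SAMPLE_LOG = """\
5,,,1000000103,em1,match,block,in,4,0x0,,127,1000,0,DF,6,tcp,52,192.168.0.32,172.100.0.52,49712,135,0,A,,,8192,,
5,,,1000000103,em1,match,block,in,4,0x0,,127,1001,0,DF,6,tcp,40,172.100.0.52,192.168.0.42,445,51022,0,RA,,,0,,
5,,,1000000103,em1,match,block,in,4,0x0,,127,1002,0,DF,6,tcp,52,192.168.0.32,172.100.0.52,49713,445,0,PA,,,8192,,
7,,,1000000103,em1,match,block,in,4,0x0,,64,1003,0,DF,6,tcp,60,10.9.9.9,172.100.0.52,40000,3389,0,S,,,65535,,
80,,,1770000001,em1,match,pass,in,4,0x0,,127,1004,0,DF,6,tcp,60,192.168.0.32,172.100.0.52,49714,389,0,S,,,8192,,
"""

FIELDS = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action",
          "direction", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
          "proto_id", "proto", "length", "src", "dst", "sport", "dport",
          "datalen", "tcp_flags"]


def parse_line(line):
    """Map one IPv4 TCP filterlog entry to a dict; None if it does not fit."""
    cols = next(csv.reader([line]))
    if len(cols) < len(FIELDS) or cols[8] != "4" or cols[16] != "tcp":
        return None
    return dict(zip(FIELDS, cols))


def classify(entry):
    """'pass' for allowed packets; 'policy' when a new connection (SYN without
    ACK) was denied; 'out_of_state' when a mid-flow packet was dropped only
    because the firewall has no state for it (asymmetric path or lost state)."""
    if entry["action"] != "block":
        return "pass"
    flags = entry["tcp_flags"]
    if "S" in flags and "A" not in flags:
        return "policy"
    return "out_of_state"


def summarize(log_text):
    """Count out-of-state blocks per (src, dst) so the broken flows stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and classify(entry) == "out_of_state":
            counts[(entry["src"], entry["dst"])] += 1
    return counts


if __name__ == "__main__":
    for (src, dst), n in summarize(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst}: {n} out-of-state block(s)")
```

A pair that shows up here with many out-of-state blocks and no policy blocks is the one whose return path is bypassing the firewall or whose state was lost; that is the flow to trace, not the rule set.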