[SOLVED] Strange firewall behaviour

Hello,

We’ve got a network with two separate offices (10.0.0.0/24, DC = 10.0.0.3 and 10.0.1.0/24, DC = 10.0.1.3).
Both of them use an RB915G-2HnD as the main gateway (10.0.0.254 and 10.0.1.254), and the offices are connected via an EoIP tunnel.

A few days ago we added a new domain controller, 10.0.0.1, to the first office and got a replication problem with 10.0.1.3.
After some investigation we found that 10.0.0.1 is completely inaccessible from the 10.0.1.0/24 network, while all the other computers (old DC 10.0.0.3, 10.0.0.5, 10.0.0.7, etc.) are accessible (ping, RDP, network shares, etc.).
The solution was to add an outgoing rule (accept - forward - src: 10.0.0.1 - dst: 10.0.1.0/24), and everything (AD replication and all the services) started working.

Could you please help me understand why the router processes packets from 10.0.0.1 in a completely different way than all the other 10.0.0.XXX computers?

Possibly due to your specific ip firewall settings.

Please post

/export hide-sensitive=yes

I’ve made a few tests and found the source of the problem.
When I apply 255.255.254.0 as the subnet mask for the new DC, it becomes visible from the other office's network.
And using the subnet mask 255.255.255.0 limits the computer's visibility, so we need to apply the firewall rules to ensure the inter-office connection.
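The mask finding above is easy to verify on paper: 255.255.254.0 on 10.0.0.1 makes its local network 10.0.0.0/23, which covers 10.0.0.0 to 10.0.1.255, so the remote office's 10.0.1.0/24 looks on-link and the DC sends to it directly; with 255.255.255.0 the same destinations are off-link, so the DC hands them to the gateway 10.0.0.254 and the traffic passes through the router's forward chain, where the accept rule became necessary. The following script is an added example, not something posted in this thread or part of RouterOS; it uses only the addresses given above plus a constructed host inventory, and the gateway and remote addresses passed to it are assumptions from the thread.

```python
import ipaddress
from collections import Counter

# Values taken from the thread: new DC, its default gateway, remote office DC.
NEW_DC = "10.0.0.1"
GATEWAY = "10.0.0.254"
REMOTE_DC = "10.0.1.3"


def next_hop(host_ip: str, netmask: str, gateway: str, dst_ip: str) -> str:
    """Decide how a host with the given address/mask reaches dst_ip.

    Returns "on-link" when dst_ip falls inside the host's own subnet (the host
    sends directly and the router's forward chain is never consulted), otherwise
    the gateway address the host will use (the router forwards the packet, so
    IP firewall forward rules apply).
    """
    iface = ipaddress.IPv4Interface(f"{host_ip}/{netmask}")
    if ipaddress.IPv4Address(dst_ip) in iface.network:
        return "on-link"
    return gateway


def local_network(host_ip: str, netmask: str) -> str:
    """The subnet a host believes it is directly attached to, e.g. '10.0.0.0/23'."""
    return str(ipaddress.IPv4Interface(f"{host_ip}/{netmask}").network)


def compare_masks(host_ip: str, gateway: str, dst_ip: str,
                  masks=("255.255.255.0", "255.255.254.0")) -> dict:
    """Show, per candidate mask, whether dst_ip is reached directly or via the gateway."""
    return {m: next_hop(host_ip, m, gateway, dst_ip) for m in masks}


def inconsistent_masks(inventory: dict) -> list:
    """Flag hosts whose mask differs from the majority on the segment.

    inventory maps host IP -> dotted netmask. A single host with a different
    mask is exactly the kind of mismatch that makes one machine reachable (or
    not) while its neighbours behave normally.
    """
    majority, _ = Counter(inventory.values()).most_common(1)[0]
    return sorted(ip for ip, mask in inventory.items() if mask != majority)


# Constructed inventory for illustration: the old hosts carry /23, the new DC
# was built with /24 (assumed; the thread does not list the other hosts' masks).
SAMPLE_INVENTORY = {
    "10.0.0.3": "255.255.254.0",
    "10.0.0.5": "255.255.254.0",
    "10.0.0.7": "255.255.254.0",
    NEW_DC:     "255.255.255.0",
}

if __name__ == "__main__":
    for mask, hop in compare_masks(NEW_DC, GATEWAY, REMOTE_DC).items():
        print(f"mask {mask}: local net {local_network(NEW_DC, mask):<14} "
              f"-> {REMOTE_DC} via {hop}")
    print("hosts with an odd mask:", inconsistent_masks(SAMPLE_INVENTORY))
```

Run as-is, the script shows the two cases side by side: with the /23 mask the remote DC is on-link and the router is bypassed; with /24 it is routed through 10.0.0.254, which is why a forward rule on that router changed the outcome. The `inconsistent_masks` check is the quick audit to run before touching firewall rules when exactly one host on a segment misbehaves.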