Bug #10491
closed
Upgrade to 2.4.5 broke 802.1x RADIUS WiFi over VPN
Description
Updating my OpenVPN host from pfSense 2.4.4-p3 to 2.4.5 broke 802.1x WPA2-Enterprise WiFi at the remote sites. The problem seems possibly related to the RADIUS handshake / connectivity. Reverting the OpenVPN host (main site) to 2.4.4-p3 restores functionality. The remote site can remain on 2.4.5, though, and it works again so long as the main site is 2.4.4-p3 or older.
The setup is as follows:
- OpenVPN is set up as a site-to-site tunnel, routable between sites. I can directly connect between PCs at sites.
- Firewalls set to allow all traffic over OpenVPN tunnel.
- All sites have UniFi UAP access points, talking to single RADIUS server at main site.
- RADIUS server is a Windows Server 2012R2 domain controller + DNS + NPS (etc.).
- Clients are primarily domain-joined Windows PCs, authenticating with a computer certificate. Phone clients use username/password and that seems to break too.
I have 2 remote sites, one running 2.4.4-p3 and the other 2.4.5. Both exhibit the same behavior, and only the main site (host) pfSense version seems to matter.
When the host is on 2.4.4-p3, everything works fine. When I update it to 2.4.5, WiFi authentication fails, and laptops try to connect over and over with no logged error (thanks Microsoft). I do see RADIUS connectivity in the states tables of both host and remote pfSense. I also see RADIUS activity start (but never succeed or fail) in the server log. I can SSH into the AP and ping the RADIUS server, and ping the AP from the RADIUS server regardless of pfSense version. I suspect some packets are being routed differently, dropped, or modified on the latest version that the previous version didn't touch. Or vice versa??
No config changes were made to get this working again, just revert the main site to 2.4.4-p3 and 802.1x works again at the remote sites.
I can provide more config details as needed. It is difficult to test because the sites are geographically remote and my family isn't super tech savvy.