Various sites and services being blocked - how to fix?
-
My pfsense box is now up and running, and appears to be doing its job.
This is an absolutely default setup, with zero rules defined (beyond the basic WAN/LAN rules that are created during the setup process) and no packages installed.
I use Google's public DNS, 8.8.8.8 and 8.8.4.4 (I've also tried Cloudflare's public DNS (1.1.1.1) with no change).
Most things are working okay, but I'm noticing that various sites and services are either blocked entirely or don't work properly.
For example, the FireTV in my bedroom can't access the "Home" screen, nor can it access Netflix. I do have full Plex access, which is of course on my LAN. The Amazon app doesn't work on my phone, and I can't access certain web sites on my desktop PC, which require a challenge-response security entry, such as my Verizon account.
Another example is a forum site I visit often that uses a "security check" of some sort. I have no idea of what it's doing in the background, I just know that when I get a notice of a thread update in my email, and click it, it opens my browser (Firefox by default) and goes to a black screen that says "Security check, please wait...".
It used to just pause there for a second or two, but now it stalls on that page indefinitely.
I'm certain there's a fairly simple way to whitelist or unblock these (and other) sites and services from within the pfsense GUI, I just don't have a clue where to begin looking. When I check the logs, all I see are lots of scary-looking block entries from outside IPs that can't be resolved.
Can anyone walk me through how to do this, or at least where to read up on how to learn how to do it?
-
@elmojo said in Various sites and services being blocked - how to fix?:
This is an absolutely default setup
Make it even more default :
Undo this : I use Google's public DNS,
and your pfSense will be truly default, and no more issues.
Btw : it is of course very possible that you redirect all DNS requests to some DNS server of your choice.
I'm pretty sure that 'Google' isn't doing to you what it actually can do very well : deciding what you can resolve == what you can access (can 'see'), you must have changed more than just 'switch to forwarding' to 'break' things.
@elmojo said in Various sites and services being blocked - how to fix?:
I just don't have a clue where to begin looking
That's a very good reason to use pfSense default DNS settings.
@elmojo said in Various sites and services being blocked - how to fix?:
When I check the logs
What logs ? What log page ?
@elmojo said in Various sites and services being blocked - how to fix?:
where to read up
Keep this for reference : Youtube : Netgate
There are thousands of pfSense videos out there.
You can also use "What is DNS" as a search phrase in Youtube, and have a look at the first 10 videos you find. Just to get a global idea.
Never ever underestimate the user's manual. -
@gertjan
Very helpful, thanks!
I was under the impression (from the user manual and several videos I watched) that choosing a DNS server was mandatory. So I can just leave it blank?
For the logs, I'm looking at Status>System Logs>Firewall>Normal View
I'll try to go back and watch some of those videos, thanks.
I've viewed a few similar ones in the past, but they all seem to either be so overly technical that I can't follow them, or so rambling that I lose interest about 3 minutes in. lol
I've watched some of Tom Lawrence's videos also, but I just can't follow his style. He assumes that I know far more than I do. And his "lab setups" are so confusing....
EDIT: So I wiped out all DNS entries, and it's working, but you knew that. lol
My follow-up Q is related to all those 'block' entries I'm seeing. Should I be concerned, or is that pfsense just doing its job? Any way I can track down those entries to see if they're anything legit that I should be allowing? -
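One way to sort the block entries asked about above, as an added example that is not part of the thread: it tallies blocked packets from raw filter log lines and separates those sourced from a LAN host from those arriving from outside. The field positions follow Netgate's documented raw filterlog CSV layout as recalled here (an assumption to check against your pfSense version); the sample lines, the interface names `pppoe0` and `igb1`, and the `192.168.1.0/24` LAN subnet are constructed.

```python
import ipaddress
from collections import Counter

# Assumed LAN subnet; change it to match your own network.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines (not taken from the thread), using documentation
# address ranges for the outside hosts.
SAMPLE = """\
4,,,1000000103,pppoe0,match,block,in,4,0x0,,241,54321,0,none,6,tcp,40,203.0.113.45,198.51.100.7,51234,23,0,S,1234567,,1024,,
4,,,1000000103,pppoe0,match,block,in,4,0x0,,241,54322,0,none,6,tcp,40,203.0.113.45,198.51.100.7,51235,23,0,S,1234568,,1024,,
4,,,1000000103,pppoe0,match,block,in,4,0x0,,52,1111,0,none,17,udp,60,192.0.2.9,198.51.100.7,40000,5060,40
5,,,1000000104,igb1,match,block,in,4,0x0,,64,2222,0,DF,6,tcp,52,192.168.1.50,203.0.113.80,49152,443,0,FA,99,100,501,,
80,,,1770001239,igb1,match,pass,in,4,0x0,,64,3333,0,DF,17,udp,70,192.168.1.50,192.168.1.1,50000,53,50
"""

def parse(line):
    """Return a dict for one IPv4 filterlog CSV entry, or None if unsupported."""
    f = line.strip().split(",")
    if len(f) < 20 or f[8] != "4":  # this sketch handles IPv4 entries only
        return None
    rec = {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
           "src": f[18], "dst": f[19], "dport": None}
    if rec["proto"] in ("tcp", "udp") and len(f) > 21:
        rec["dport"] = int(f[21])  # destination port follows the source port
    return rec

def summarize_blocks(text, lan_net=LAN_NET):
    """Count blocked packets, split by whether the source is a LAN host."""
    from_lan, from_outside = Counter(), Counter()
    for line in text.splitlines():
        rec = parse(line)
        if not rec or rec["action"] != "block":
            continue
        key = (rec["iface"], rec["src"], rec["dst"], rec["proto"], rec["dport"])
        is_lan = ipaddress.ip_address(rec["src"]) in lan_net
        (from_lan if is_lan else from_outside)[key] += 1
    return from_lan, from_outside

if __name__ == "__main__":
    lan, outside = summarize_blocks(SAMPLE)
    for label, counts in (("from LAN hosts", lan), ("from outside", outside)):
        print(label)
        for key, n in counts.most_common():
            print(f"  {n:3d}  {key}")
```

Entries in the "from outside" group are unsolicited inbound packets dropped on WAN; the "from LAN hosts" group is the one to read when a device on the LAN cannot reach something.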
Well....crap.
I thought things were fixed, and they are indeed better, but not fixed.
I'm now able to access a few sites that I couldn't before, but the main issues (my FireTV, Netflix, and certain secure sites) are all still inaccessible.
What should I try next?
Is there such a thing as an "OFF" switch for the pfsense, so I can test to see if it really is the cause of my issues? I can't imagine what else it could be, but I'd like to be thorough. -
@elmojo said in Various sites and services being blocked - how to fix?:
I was under the impression (from the user manual and several videos I watched) that choosing a DNS server was mandatory. So I can just leave it blank?
And you're not the only one.
In the past, when ISPs became popular, the ISP routers used a centralized 'ISP' DNS resolver. The forwarding process running in the ISP router is far simpler than a real resolver. Compare the code footprint of dnsmasq (the forwarder, still present in pfSense) and unbound (the resolver, now default).
You actually have a choice : you can use the "source", see also this page.
Note that pfSense already had to choose for you : Netgate (pfSense) can not / will not / should not 'point' to a DNS resolver like Google, or some more neutral 1.1.1.1 etc.
pfSense uses the 13 DNS root servers. The IPv4 (and IPv6) addresses of these 13 root servers are hard coded into the executable.
I advise you to look at some random Youtube videos so you can see what a resolver is. The main advantage is : it works always 'out of the box'.
There is no need to use the DNS server of your ISP, or some other one.
It's ok if you want to hand over all your DNS search requests to some company's DNS. They are glad to help you, for free.
@elmojo said in Various sites and services being blocked - how to fix?:
What should I try next?
Take this for a fact (but please, do the checking yourself) : pfSense is a router/firewall.
Use some other firewall routers available out there. Throw even the ISP router in the comparison. If you can get your hands on some high end Cisco device, the test will be even better.
You will discover that all these devices are all basically the same. They only differ when you compare the functionalities offered.
A pfsense router, set up with a LAN and WAN interface, using 99,99 default settings (not 100 % as you had to change the password !) will behave like your ISP router : it works.
So, I repeat :
Assign WAN (the default DHCP will most often do just fine)
Assign LAN (accept default settings)
Change password.
Done.
Your network is up and "Internet" works.
If it doesn't work ? Ok tell us what you changed and I tell you to undo that.
I do presume you did not change any "LAN device settings" (your TV, Phone, PC etc), like switching from DHCP to static IP etc. You should never change network settings of devices, they always work out of the box.
-
@gertjan said in Various sites and services being blocked - how to fix?:
A pfsense router, set up with a LAN and WAN interface, using 99,99 default settings (not 100 % as you had to change the password !) will behave like your ISP router : it works.
So, I repeat :
Assign WAN (the default DHCP will most often do just fine)
Assign LAN (accept default settings)
Change password.
Done.
Your network is up and "Internet" works.
If it doesn't work ? Ok tell us what you changed and I tell you to undo that.
I do presume you did not change any "LAN device settings" (your TV, Phone, PC etc), like switching from DHCP to static IP etc. You should never change network settings of devices, they always work out of the box.
I'm not totally sure I follow you, but I'm trying, please bear with me...
I think you're saying that if I set things to defaults in pfsense, they should "just work".
To the best of my knowledge, I'm pretty much there! All I've changed from initial install is:
- admin password
- PPPoE credentials and VLAN (required to make my DSL connection work, but problem existed on DHCP also)
- IP of the pfsense box changed to match my network subnet
- default firewall rules set up by wizard (anti-lockout, LAN allow any v4/v6)
- that's it!
As for your statement about not changing network settings on devices, I just can't agree with that, sorry. There are lots of reasons why individual devices can and should have their network settings edited. Static IP assignments for cameras are the most obvious that pop into my mind, but there are lots of others. Regardless, the devices on my network that aren't working correctly are on DHCP, and don't have any special settings applied.
It does occur to me that they are mostly on my wireless AP. I wonder if there's something funky going on there? I was expecting to have to do some configuration, but I just plugged it into one of the other ports on my NIC, and it started working, so I haven't thought much about it.
Is it possible that I need to make some interface assignment or set up a rule or something to give the AP access beyond what it already has? -
@elmojo, you can post a screenshot of your dashboard.
-
This is weird. I can post, but I can't edit. I just get these generic "error" messages.
Anyway, I remembered that I had saved this document from the Netgate docs
It seems to be describing what I want to do, but doesn't say how to do it. It assumes I know far more about how to configure the system than I actually do. I appreciate the optimism, but I could use a bit more hand-holding...
As for the screenshot of my dashboard, not sure how that'll help, but sure, here you go!
Okay, scratch that. I get an "error parsing server response" when I try to upload. -
@elmojo, The best way to help you is to see what you see.
-
@elmojo, which shows your firewall logs for example
-
@silence
I wish I could, but the site isn't working for me, sorry.
I think this site must be one of those that's being partially blocked for some reason.
When I try to upload the screenshot, I just get an error: "something went wrong while parsing server response"
And anytime I try to edit a post, it fails with a simple "error" popup.
I've tried it on both Firefox and Chrome, both do the same thing. -
@elmojo, You can try uploading the screenshot to a cloud service like google or something similar?
-
@silence
I could I guess.
Please tell me what you'd like to see specifically, so I can do it all at once to save time.
You mentioned the dashboard, but also the firewall logs?
Those are on different screens, right? -
@elmojo, Status > System logs > Firewall
and System information in dashboard
-
@silence Album Link: https://ibb.co/album/rGsxLQ
I'll add to this if needed as we discuss...
Thanks! -
@elmojo, System > General Setup > DNS SERVER SETTINGS > DNS SERVER = 8.8.8.8
-
@elmojo, Firewall> Rules> Wan and send screenshot
And Firewall> Rules> Lan and send screenshot
-
@elmojo, Status> System logs> Firewall and then share new logs
-
@silence
I'm sorry, I don't understand what you're saying.
If you're telling me to set my DNS to Google's 8.8.8.8, then no.
I just got that fixed earlier in this thread with @Gertjan's help. Having a DNS specified in my settings was preventing most anything from working.
Removing the DNS entry entirely and using the default setting has got it working to this point.
As for the other screenshots, I'll add them to the album shortly.
EDIT: Album updated.