Various sites and services being blocked - how to fix?
-
@silence said in Various sites and services being blocked - how to fix?:
@elmojo, How does the wifi connection to firetv from pfsense get to some other router?
I checked for updates yesterday, as part of this whole troubleshooting thing. It's all up to date.
I'm not sure what you mean. What other router? My FireTV is connected to my AP, as I mentioned earlier. The AP is connected directly to the pfsense, via igb1 on the NIC.
I've also tried it with the AP connected through my wired switch, which also works (for basic internet), but does not fix the issues with Netflix and such.
Is that what you mean? -
@elmojo said in Various sites and services being blocked - how to fix?:
I've also tried it with the AP connected through my wired switch, which also works (for basic internet), but does not fix the issues with Netflix and such.
He should have said this from the beginning, so as not to waste time.
It is more than clear that your firetv is the problem (it is not a network problem). Resetting the firetv could solve it.
-
@silence No one ever asked. The FireTV has to be wireless. It doesn't have a wired connection. How else would it be connected?
Why would it work perfectly all this time, and suddenly go belly up the second I bring the pfsense online? That seems like an awful coincidence not to be the fault of the pfsense box. And by the way, I did say this earlier. I'm sorry you missed it.
@elmojo said in Various sites and services being blocked - how to fix?:
It does occur to me that they are mostly on my wireless AP. I wonder if there's something funky going on there? I was expecting to have to do some configuration, but I just plugged it into one of the other ports on my NIC, and it started working, so I haven't thought much about it.
Is it possible that I need to make some interface assignment or set up a rule or something to give the AP access beyond what it already has? -
@elmojo, Don't worry, it's just a coincidence. Such things happen. Example: once I connected my pfsense and I ran out of internet right at the same time; I thought it was pfsense, but it was just my ISP cutting the fiber right at the same time.
These things happen...!
-
@silence
I would agree, except that the FireTV/Netflix isn't the only thing that isn't working right since I've installed the pfsense. As I mentioned way back in the OP, there are several web sites that won't load right, and some apps on my phone that don't work. This is still the case. There's no way they all just happened to fail right at the same time. It has to be the pfsense. -
@elmojo, I see no problem in your pfsense, but you can give me remote access and I could re-configure everything.
-
@silence I may very well try that, if you're willing.
In the meantime, I'm going to burn this box back to bare defaults and totally start over.
I'll use the information I've gained from this thread and others to set it back up only as much as I have to in order to connect to my DSL, and leave everything else as it comes.
If that doesn't work, I may ask for your kindness in remotely fixing things. At least you'll have a fairly clean setup to work with.
Right now, I'm going to find some dinner. I've been dealing with this more than 4 hours, and my brain hurts. :) -
@elmojo, no problem. When you are ready you can post your contact information to do so.
-
@elmojo said in Various sites and services being blocked - how to fix?:
PPPoE credentials and VLAN (required to make my DSL connection work, but problem existed on DHCP also)
If you don't use the default DHCP, then yeah, set up PPPOE.
@elmojo said in Various sites and services being blocked - how to fix?:
IP of the pfsense box changed to match my network subnet
Ok, why not.
I saw 192.168.11.1 - the mask is still /24 ?
And you have checked the DHCP LAN server page - and changed everything from 192.168.1.x stuff to your 192.168.11.x (check pool).
What you told here, is a bit (a small bit) beyond a vanilla setup.
@elmojo said in Various sites and services being blocked - how to fix?:
As for your statement about not changing network settings on devices,....
What I meant to say - and I agree, I didn't write that, is that a default out of the box setup works.
I have no problem with devices using static IP setup as long as we do not discover that the gateway wasn't set up correctly - or the DNS was wrong, or the mask was set to /32 - stuff like that.
"Everyone has to sing DHCP in harmony" first. Add devices one by one. Then you can set up / change with only the sky as a limit.
Btw : Most of my LAN devices use DHCP - and pfSense has a static MAC lease for them. This way I don't have to admin these devices, can give them a host name I choose and they work out of the box. I can reset them, and they will work with me doing nothing.
@elmojo said in Various sites and services being blocked - how to fix?:
on my network that aren't working correctly are on DHC
And what did they receive as IP mask DNS and gateway ?
Check these devices.
Check the DHCP server log ? You see the DISCOVER ? the REQUESTS ? the OFFERS ? You can recognize the devices by their MAC addresses.
Are the issues LAN and/or Wifi LAN based ? Your AP is truly an AP and it doesn't have DHCP activated ?
The Wifi devices receive (use) the same 192.168.11.x / 24 IP and have 192.168.11.1 as a gateway ? DNS points to 192.168.11.1 (or, why not - bypass pfSense and have them pointing to 8.8.8.8 ;) )
@elmojo said in Various sites and services being blocked - how to fix?:
My follow-up Q is related to all those 'block' entries I'm seeing. Should I be concerned
That's probably the default invisible firewall rule on all interfaces that logs the blocks.
Disable :
on Status SystemLogs Settings
Or leave it checked, and place yourself a firewall rule on the WAN interface that doesn't log, and blocks everything.
@silence said in Various sites and services being blocked - how to fix?:
127.0.0.1 is wrong
Correct - I do not have that address entered anywhere.
I havewhich is the default setting.
My dashboard says :if that's wrong, then the default set up (chosen by Netgate) is wrong ?
I'm not saying 8.8.8.8 is bad. Hey, what the heck, if more than a billion people believe in facebook, then I wish them a nice time. I'm just not a member of the club.
I do like Google though ...
The thing is : using the big resolvers can imply other issues. So lets make the network work first.
When the Internet was created, a DNS system was needed, as people hate typing numbers.
The root servers were activated and since then everything works fine. So why not tap into them ?
@elmojo said in Various sites and services being blocked - how to fix?:
but if we block all WAN traffic, won't that block pretty much all incoming data?
That question means that you don't know what a stateful firewall is.
I'll re phrase :
All incoming traffic on the LAN interface that goes to some host on the Internet will create a 'state'. The host that replies back over that state - should I say 'channel' - can talk back.
Every other device on the Internet that (tries to) talk to your visible WAN interface won't have a state => it gets dropped (and as you saw : logged). That is what is called the Internet background noise.
When the channel is closed (example : the web page was loaded) the state is removed.
Read for example Firewalling Fundamentals - and don't stop there. Have some good Youtube stories about the subject.
Btw : pfSense isn't really special here. All firewalls work like this.
@elmojo said in Various sites and services being blocked - how to fix?:
I'm just guessing, since it won't tell me anywhere in the FireTV GUI, but I think it's 192.168.11.106. This is based on the hostnames on the DHCP lease page.
Ah .... close. But the TV should have some GUI where it shows all this info (again : IP mask gateway DNS).
If you want to set up static IP settings for that TV, you would need that screen to set things up.
While looking at the TV, look at the back : there should be a sticker with the MAC address. Did you see this MAC address in the DHCP leases page ? In the DHCP logs ?
That's the perfect rule ;)
I use myself :
Rule 1 : the anti lock out rule (GUI setting) : I need it because I fool around a lot, and do make mistakes.
Rule 2+3 : I'm using pfBlockerNG-devel right now to try some things out.
Rule 4+5: IPv4 and IPv6 - IPv6 is only needed ... if you need it.
All that matters is rule 4 : it's the rule you've found when you installed the system.
edit : hummm, my bad, a lot was said already.
-
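Gertjan's advice above is to read the DHCP server log and follow each device's DISCOVER / OFFER / REQUEST / ACK by its MAC address, and to watch for devices still asking for an address from the old 192.168.1.x range. The script below is an added example (not from the thread or from pfSense) that does that over a few constructed log lines in the ISC dhcpd syslog style pfSense uses; the MAC addresses, hostnames, interface names and timestamps are made up, and the LAN network 192.168.11.0/24 is taken from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log in ISC dhcpd's syslog style (not real log data from the thread).
# Device 1 completes a normal four-step exchange and gets 192.168.11.106.
# Device 2 first asks for its stale 192.168.1.50 lease (from the old ISP router),
# is NAKed, and then starts over; its ACK has not arrived yet.
# Device 3 sends DISCOVERs on igb3 but never gets an OFFER.
SAMPLE_LOG = """\
Mar  1 18:02:11 pfSense dhcpd: DHCPDISCOVER from 8c:11:22:33:44:55 via igb1
Mar  1 18:02:12 pfSense dhcpd: DHCPOFFER on 192.168.11.106 to 8c:11:22:33:44:55 (firetv) via igb1
Mar  1 18:02:12 pfSense dhcpd: DHCPREQUEST for 192.168.11.106 (192.168.11.1) from 8c:11:22:33:44:55 (firetv) via igb1
Mar  1 18:02:12 pfSense dhcpd: DHCPACK on 192.168.11.106 to 8c:11:22:33:44:55 (firetv) via igb1
Mar  1 18:05:40 pfSense dhcpd: DHCPREQUEST for 192.168.1.50 from a4:66:77:88:99:aa via igb1: wrong network.
Mar  1 18:05:40 pfSense dhcpd: DHCPNAK on 192.168.1.50 to a4:66:77:88:99:aa via igb1
Mar  1 18:05:41 pfSense dhcpd: DHCPDISCOVER from a4:66:77:88:99:aa via igb1
Mar  1 18:05:42 pfSense dhcpd: DHCPOFFER on 192.168.11.120 to a4:66:77:88:99:aa (laptop) via igb1
Mar  1 18:09:03 pfSense dhcpd: DHCPDISCOVER from 00:de:ad:be:ef:01 via igb3
"""

# One regex covers the five message shapes dhcpd writes.  Every group is optional
# except the message type and the interface, so each line only fills what it has.
LINE_RE = re.compile(
    r"dhcpd: (?P<type>DHCP[A-Z]+)"
    r"(?: on (?P<on_ip>\S+))?"                              # OFFER / ACK / NAK
    r"(?: for (?P<for_ip>\S+)(?: \((?P<server>[\d.]+)\))?)?"  # REQUEST (+ chosen server)
    r"(?: to (?P<to_mac>[0-9a-f:]{17}))?"
    r"(?: from (?P<from_mac>[0-9a-f:]{17}))?"
    r"(?: \((?P<host>[^)]*)\))?"                            # client hostname, if known
    r" via (?P<iface>[A-Za-z0-9_.]+)"
)


def parse_dhcp_log(text):
    """Group the exchange seen for each client MAC: last OFFER/REQUEST/ACK/NAK address."""
    devices = defaultdict(lambda: {"discover": 0, "offer": None, "request": None,
                                   "ack": None, "nak": None, "host": None, "iface": None})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = devices[m["to_mac"] or m["from_mac"]]
        d["iface"] = m["iface"]
        if m["host"]:
            d["host"] = m["host"]
        t = m["type"]
        if t == "DHCPDISCOVER":
            d["discover"] += 1
        elif t == "DHCPOFFER":
            d["offer"] = m["on_ip"]
        elif t == "DHCPREQUEST":
            d["request"] = m["for_ip"]
        elif t == "DHCPACK":
            d["ack"] = m["on_ip"]
        elif t == "DHCPNAK":
            d["nak"] = m["on_ip"]
    return dict(devices)


def audit_dhcp(devices, lan_net="192.168.11.0/24"):
    """Return, per MAC, a list of things to look at; an empty list means the lease looks fine."""
    net = ipaddress.ip_network(lan_net)
    findings = {}
    for mac, d in devices.items():
        notes = []
        if d["nak"]:
            notes.append(f"NAKed request for {d['nak']} (stale lease from the old router?)")
        if d["ack"]:
            if ipaddress.ip_address(d["ack"]) not in net:
                notes.append(f"ACKed address {d['ack']} is outside {lan_net}")
        elif d["offer"]:
            notes.append(f"offered {d['offer']} but no ACK seen yet")
        elif d["discover"]:
            notes.append(f"DISCOVER on {d['iface']} but no OFFER: is the DHCP server enabled on that interface?")
        findings[mac] = notes
    return findings


if __name__ == "__main__":
    devs = parse_dhcp_log(SAMPLE_LOG)
    for mac, notes in audit_dhcp(devs).items():
        host = devs[mac]["host"] or "?"
        print(f"{mac} ({host}) on {devs[mac]['iface']}: {notes or 'ok'}")
```

To use it on a real box, paste the DHCP entries from Status > System Logs > DHCP into SAMPLE_LOG (or read them from a file) and compare the MAC addresses against the stickers on the devices; the "no OFFER" case is the one to expect when a client sits on an interface where the DHCP server is not enabled, and the NAK case is what a device still holding a lease from the previous router produces.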
@Gertjan Think it is a pfsense issue?
For me it only points to the firetv. -
@silence
As I said before, I would totally agree that it was a problem with the FireTV, except that several other sites/services/apps also do not work correctly since turning on the pfsense, not just the FireTV and Netflix.
@Gertjan Thanks so much for that detailed post. There was far too much in there for me to try to respond to any of it directly.
Since my last post, I have gone back to the very start. I reset the pfsense to factory defaults, and only set up the few things I needed (like DSL PPPoE stuff) and changed the IP range to match my network. I have an internet connection again, but nothing is really better.
I have checked the FireTV, and it reports that I have a good internet connection (it said this before also), but still no home screen or Netflix. There is no way to set any of the network settings directly, it's pure DHCP only. I can view a status screen and confirm the IP address (11.106), gateway (11.1) subnet mask (/24), DNS (11.1) and MAC address, but none of these things are selectable or changeable. -
So I just noticed something. How is it that the 'Gateway' IP is different than the WAN IP?
Screenshot here
The gateway says DHCP because I had to set it up that way at first, until I could create the VLAN and make the assignments for the DSL PPPoE to connect. I haven't figured out how to change the name, or if I can just disable it. I don't think this is the cause of the issue, because it wasn't this way before the wipe and reconfig, but it can't be helping, I'm sure, and it looks very strange. -
@elmojo said in Various sites and services being blocked - how to fix?:
I have checked the FireTV, and it reports that I have a good internet connection (it said this before also), but still no home screen or Netflix. There is no way to set any of the network settings directly, it's pure DHCP only. I can view a status screen and confirm the IP address (11.106), gateway (11.1) subnet mask (/24), DNS (11.1) and MAC address, but none of these things are selectable or changeable.
Ok, that looks fine.
This info also gives a strong indication that the intermediate devices : the cable from pfSense to the Access Point, the AP itself and the wifi work well.
About Netflix :
Doesn't work on TV.
But does it work on your phone ? (== wifi)
Is it working on your PC ? (== cable direct)
Can you use other stream apps on your TV and do they work ? Like Youtube.
Can you give an example of sites that do not work ?
You are using PPPoE.
This means that the MTU really needs to be verified, and most probably the default value (1500) isn't good.
Throw this search phrase into Google : pppoe what MTU to set up ?
and look at the answers proposed : they come from SonicWall, Juniper, Cisco, OpenWRT etc.
So the question is a well-known one.
Because :
It is generally recommended that the MTU for a WAN interface connected to a PPPoE DSL network be 1492. In fact, with auto MTU discovery, 1492 is discovered to be the maximum allowed MTU. However, having an MTU of 1452 is most optimal.
Test with these two values 1492 or even 1452.
Set "1492" into the MTU field, confirm and save, break the WAN connection (rip out the cable) and wait for a bit, have the connection rebuild and test.
Do the same thing with "1452". -
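The MTU advice above comes down to header arithmetic plus one failure mode: PPPoE takes 8 bytes out of every 1500-byte Ethernet frame, so a LAN host that negotiated a 1460-byte MSS produces 1500-byte packets that no longer fit on the DSL link, and when those packets carry the Don't Fragment bit and the ICMP "fragmentation needed" reply never reaches the sender, a connection stalls after the small packets (login page, handshake) have gone through. The following is an added example, not code from the thread or from pfSense, that works through the numbers and models that path; the Segment class, the function names and the sample sizes are my own construction.

```python
from dataclasses import dataclass

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_HEADER = 20
TCP_HEADER = 20


def pppoe_mtu(link_mtu=ETHERNET_MTU):
    """Largest IP packet that still fits in one Ethernet frame once PPPoE is wrapped around it."""
    return link_mtu - PPPOE_OVERHEAD          # 1500 -> 1492


def mss_for_mtu(mtu):
    """TCP payload per segment that keeps the whole IPv4+TCP packet inside the given MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER     # 1492 -> 1452


def wan_plan(link_mtu=ETHERNET_MTU):
    """The two numbers one ends up entering: interface MTU and the MSS derived from it."""
    mtu = pppoe_mtu(link_mtu)
    return {"mtu": mtu, "mss": mss_for_mtu(mtu)}


@dataclass(frozen=True)
class Segment:
    payload: int        # TCP payload bytes the LAN host put in the segment
    df: bool = True     # Don't Fragment bit; modern hosts set it for path MTU discovery

    def ip_length(self):
        return self.payload + IPV4_HEADER + TCP_HEADER


def classify(seg, wan_mtu, clamp_mss=None):
    """What happens to a LAN host's segment when it reaches the PPPoE WAN.

    clamp_mss models MSS clamping: in reality the firewall rewrites the MSS option in
    the SYN so the peer never builds larger segments; here it is applied as a cap on
    the payload, which has the same effect on the sizes that reach the link.
    """
    payload = seg.payload if clamp_mss is None else min(seg.payload, clamp_mss)
    total = payload + IPV4_HEADER + TCP_HEADER
    if total <= wan_mtu:
        return "forwarded"
    if seg.df:
        # The sender only learns about this if the ICMP "fragmentation needed"
        # message gets back to it; when it does not, the transfer hangs.
        return "dropped: ICMP fragmentation-needed must reach the sender"
    return "fragmented"


def transfer_outcome(segments, wan_mtu, clamp_mss=None):
    """Summarise a whole transfer: counts of forwarded / fragmented / dropped segments."""
    counts = {"forwarded": 0, "fragmented": 0, "dropped": 0}
    for seg in segments:
        counts[classify(seg, wan_mtu, clamp_mss).split(":")[0]] += 1
    return counts


if __name__ == "__main__":
    plan = wan_plan()
    print(f"PPPoE over Ethernet: MTU {plan['mtu']}, MSS {plan['mss']}")
    # Constructed transfer: a small request, then full-size segments as a host on a
    # 1500-byte LAN builds them (MSS 1460).
    page = [Segment(300)] + [Segment(1460)] * 3
    print("WAN MTU 1492, no clamping:  ", transfer_outcome(page, plan["mtu"]))
    print("WAN MTU 1492, MSS clamped: ", transfer_outcome(page, plan["mtu"], plan["mss"]))
```

The first run shows exactly the symptom described later in the thread: the small request is forwarded and every full-size segment is dropped, so a site "hangs" after the first exchange; with the MSS clamped to 1452 the same transfer goes through. When applying this in pfSense, note that the MSS field on the WAN interface page expects the MTU-sized value (1492 here) and the firewall subtracts the 40 header bytes itself.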
@gertjan
Thanks so much! Let me see if I can work through your comments/questions in order...
Netflix:
Correct, does not work on TV.
Does not work on my phone on wifi , does work on phone on LTE.
Does work on my desktop PC in a browser. I don't have the app.
On the TV, other streaming apps, such as Amazon Prime Video and Youtube seem to work fine. I haven't tried any others, but it seems that FireTV home and Netflix are the 2 that aren't working right now.
Sites that don't work, even on my desktop PC:
- This forum (works mostly okay, but I can't upload images and often can't edit posts)
- Verizon (can see login page, but cannot get into my account. Hangs at "please wait" after entering credentials)
- A steam gaming forum (Hangs at "Security check, please wait")
- My credit union/bank (works on some pages, but not others)
- My copier GUI (no error, just loads a blank white screen. I can still print to it no problem)
Before I switched over from my ISP's router/modem to the pfsense, I took photos of how everything was configured in the modem. It shows an MTU of 1500. I don't know if it would be wise to change it at this point, unless you think that is likely to be the cause of this specific issue of certain sites being inaccessible.
-
So I've been continuing to struggle with this, and it occurs to me that most (but not all) of the issues are on wireless clients.
As I noted before, I'm really not sure if I set up the wireless APs correctly or not. I was expecting there to be a setup process for adding it, but I just plugged it in and it worked.
My system is a TP-Link Deco mesh wifi, set to AP mode. I've been using it for about a year now, and it works great.
I have the "main" Deco node plugged into NIC port 3 (igb3) on the pfsense box. All 3 deco units are pulling local IPs (11.x range) and all appear to be working generally okay, at least for basic internet browsing. The FireTV, for example, is connected to one of the Deco nodes, and it reports a good connection, so I know it's working at least somewhat.
However, in my mass of searching and reading, I ran across this doc, which seems to indicate that there's a better way to add an AP.
Specifically, it mentions these 2 passages that caught my eye...
"To keep wireless and wired networks on the same IP subnet and broadcast domain while also increasing control over wireless clients, add an OPT interface to the firewall for the access point and bridge the OPT interface to the LAN interface."
AND
"Note:
A configuration with the bridge assigned as LAN is optimal here, rather than only having the OPT bridged to the existing wired LAN."
Okay, cool. I'd love to try that, but I don't know how to go about doing the things mentioned there.
How exactly does one "Add an OPT interface" or "bridge the OPT interface to the LAN interface"?
Also, what is meant by having the "bridge assigned as LAN"?
It's possible that none of this has anything to do with my site/service blocking issues, but it seems worth looking into, just for the purposes of having the wifi set up correctly if nothing else.
EDIT: it thinks my post is spam? say what now?!
-
Now I'm even more confused. I was hunting through the GUI, and checking logs and such, and ran across these entries from today:
_
Given that my LAN rules look like this, what gives?
I don't think those blocks are specifically to the FireTV, but they definitely shouldn't be there, since the only active LAN rule is "allow all". What "default deny rule"?
I swear, I'm just about at the end of my rope on this. My wife is telling me to pull the plug on this firewall and go back to the old ISP router. I'm half inclined to agree with her.
If I didn't need it so badly for my work, I probably would.
Hey, check it out, my image uploads are working!
Oh, and I've also confirmed that it's 100% not the FireTV that's causing the problem. It also exists on the TV itself (separate OS, also wifi), my wife's laptop (still wifi) and her iPad (yep, wifi).
See a pattern here...? I do have some sites that don't load on my wired desktop, though, so I don't think it's totally a wifi thing. -
Not to pile on too much here (too late, I know), but I ran across this thread that seems like it may be related: https://www.reddit.com/r/PFSENSE/comments/f8j1gi/pfsense_blocking_connection_it_shouldnt/
I wonder if my trouble may have something to do with the fact that we had to set up a VLAN to get my DSL to connect? I know exactly nothing about VLANs, or how they should be configured, so could maybe the info in the last comment of that thread be relevant? -
@elmojo have you tried to lower your mtu?
https://docs.netgate.com/pfsense/en/latest/troubleshooting/website-access-issues.html -
Check the states on the blocks - TCP:A, TCP:RA, TCP:PA
https://forum.netgate.com/topic/132592/tcp-ra-tcp-a-tcp-pa-blocked
John
-
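Gertjan's explanation earlier in the thread (LAN traffic creates a state, replies ride that state, everything else hitting the WAN is dropped and logged) and John's pointer to the TCP:A / TCP:RA / TCP:PA block entries describe the same mechanism from two sides, so one added example covers both. The simulation below is mine, not code from the thread or from pf; it keeps a toy state table, passes replies that match a state, and sends everything else to a logged default deny. It leaves NAT out (states are keyed on the LAN-side addresses), closes a state as soon as both sides have sent FIN where real pf keeps a closing state for a short timeout, and the TCP:xx labels imitate the notation in the firewall log. The addresses and ports are constructed, except for the 192.168.11.x LAN from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on: "LAN" or "WAN"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST


def flag_label(flags):
    """Label in the style of the firewall log, e.g. 'TCP:PA' (letter order is this example's choice)."""
    return "TCP:" + "".join(f for f in "SPFRA" if f in flags)


class StatefulFirewall:
    """Pass-all from LAN, default-deny everything without a matching state."""

    def __init__(self, lan_net):
        self.lan = ipaddress.ip_network(lan_net)
        self.states = {}    # connection key -> {"fins": number of FINs seen}
        self.log = []       # what the "default deny" rule logs

    @staticmethod
    def _key(p):
        # Both directions of one connection map to the same key.
        return frozenset(((p.src, p.sport), (p.dst, p.dport)))

    def handle(self, p):
        key = self._key(p)
        if key in self.states:
            st = self.states[key]
            if "R" in p.flags:
                del self.states[key]            # reset tears the state down at once
            elif "F" in p.flags:
                st["fins"] += 1
                if st["fins"] >= 2:             # both sides closed: state is gone
                    del self.states[key]
            return "pass"
        # No state: only a fresh SYN from a LAN host may create one (the "allow all" LAN rule).
        if (p.iface == "LAN" and ipaddress.ip_address(p.src) in self.lan
                and "S" in p.flags and "A" not in p.flags):
            self.states[key] = {"fins": 0}
            return "pass"
        # Everything else is the invisible default deny, logged with its TCP flags.
        self.log.append(f"block in on {p.iface}: {p.src}:{p.sport} -> {p.dst}:{p.dport} {flag_label(p.flags)}")
        return "block"


def demo():
    """Constructed traffic: one web connection from the TV, background noise, and the late packets."""
    fw = StatefulFirewall("192.168.11.0/24")
    tv, site, noise = "192.168.11.106", "203.0.113.10", "198.51.100.7"
    flow = [
        Packet("LAN", tv, 50000, site, 443, "S"),     # TV opens the connection: state created
        Packet("WAN", site, 443, tv, 50000, "SA"),    # reply matches the state
        Packet("LAN", tv, 50000, site, 443, "A"),
        Packet("LAN", tv, 50000, site, 443, "PA"),    # request
        Packet("WAN", site, 443, tv, 50000, "PA"),    # response
        Packet("WAN", noise, 40000, tv, 22, "S"),     # unsolicited probe from the Internet
        Packet("LAN", tv, 50000, site, 443, "FA"),    # TV starts closing
        Packet("WAN", site, 443, tv, 50000, "FA"),    # server closes too: state removed
        Packet("LAN", tv, 50000, site, 443, "A"),     # final ACK arrives after the state is gone
        Packet("WAN", site, 443, tv, 50000, "RA"),    # late reset from the server
    ]
    decisions = [fw.handle(p) for p in flow]
    return decisions, fw.log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    for entry in log:
        print(entry)
```

Of the three logged blocks, only the TCP:S probe is "the Internet background noise"; the TCP:A on LAN and the TCP:RA on WAN are leftovers of a connection that already closed normally, which is what the default deny rule logs for an otherwise healthy session and why such entries on their own do not point at a misconfiguration.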
@heper said in Various sites and services being blocked - how to fix?:
@elmojo have you tried to lower your mtu?
https://docs.netgate.com/pfsense/en/latest/troubleshooting/website-access-issues.html
I'm trying now... but I'm not sure I'm doing it right.
I'm in the WAN interface screen, and I've calculated my max MTU to be 1492 for PPPoE. Do I just enter that number in the MTU field and "apply"? The doc seemed to indicate that I should use the MSS field instead, but I'm not sure how. Does the pfsense require a reboot afterwards? Nothing mentions that it does, but I don't see any improvement after making that change, so... ?
@serbus said in Various sites and services being blocked - how to fix?:
Check the states on the blocks - TCP:A, TCP:RA, TCP:PA
https://forum.netgate.com/topic/132592/tcp-ra-tcp-a-tcp-pa-blocked
John
I read through that thread, but it's all Greek to me. I didn't really see any "do this" or "change this setting" direction in there. Did I miss it? It seemed to be mostly a discussion of how that (complicated) network wasn't set up properly. lol