Various sites and services being blocked - how to fix?
-
@Gertjan Think it is a pfsense issue?
For me it only points to the FireTV. -
@silence
As I said before, I would totally agree that it was a problem with the FireTV, except that several other sites/services/apps also do not work correctly since turning on the pfsense, not just the FireTV and Netflix.
@Gertjan Thanks so much for that detailed post. There was far too much in there for me to try to respond to any of it directly.
Since my last post, I have gone back to the very start. I reset the pfsense to factory defaults, and only set up the few things I needed (like DSL PPPoE stuff) and changed the IP range to match my network. I have an internet connection again, but nothing is really better.
I have checked the FireTV, and it reports that I have a good internet connection (it said this before also), but still no home screen or Netflix. There is no way to set any of the network settings directly, it's pure DHCP only. I can view a status screen and confirm the IP address (11.106), gateway (11.1) subnet mask (/24), DNS (11.1) and MAC address, but none of these things are selectable or changeable. -
So I just noticed something. How is it that the 'Gateway' IP is different than the WAN IP?
Screenshot here
The gateway says DHCP because I had to set it up that way at first, until I could create the VLAN and make the assignments for the DSL PPPoE to connect. I haven't figured out how to change the name, or if I can just disable it. I don't think this is the cause of the issue, because it wasn't this way before the wipe and reconfig, but it can't be helping, I'm sure, and it looks very strange. -
@elmojo said in Various sites and services being blocked - how to fix?:
I have checked the FireTV, and it reports that I have a good internet connection (it said this before also), but still no home screen or Netflix. There is no way to set any of the network settings directly, it's pure DHCP only. I can view a status screen and confirm the IP address (11.106), gateway (11.1) subnet mask (/24), DNS (11.1) and MAC address, but none of these things are selectable or changeable.
Ok, that looks fine.
This info also gives a strong indication that the intermediate devices (the cable from pfSense to the Access Point, the AP itself and the wifi) work well.
About Netflix:
Doesn't work on TV.
But does it work on your phone? (== wifi)
Is it working on your PC? (== cable direct)
Can you use other streaming apps on your TV, and do they work? Like YouTube.
Can you give examples of sites that do not work?
You are using PPPoE.
This means that the MTU really needs to be verified, and most probably the default value (1500) isn't good.
Throw this search phrase into Google: pppoe what MTU to set up ?
and look at the answers proposed: they come from SonicWall, Juniper, Cisco, OpenWRT etc.
So the question is a very well-known one. Because:
It is generally recommended that the MTU for a WAN interface connected to a PPPoE DSL network be 1492. In fact, with auto MTU discovery, 1492 is discovered to be the maximum allowed MTU. However, having an MTU of 1452 is most optimal.
Test with these two values 1492 or even 1452.
Set "1492" into the MTU field, confirm and save, break the WAN connection (rip out the cable) and wait for a bit, have the connection rebuild and test.
Do the same thing with "1452". -
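The two numbers in the post above are related: 1492 is what is left of a 1500-byte Ethernet MTU once the 8 bytes of PPPoE framing are taken out, and 1452 is the TCP MSS that fits a 1492-byte packet (1492 minus 20 bytes IPv4 header minus 20 bytes TCP header). Instead of guessing, the path MTU can be measured by sending echo requests with the Don't Fragment bit set and finding the largest size that still gets through. The script below is an added example written for this thread, not code from any post or from the pfSense project; it assumes Linux iputils `ping` syntax (`-M do` sets DF; on FreeBSD/pfSense the equivalent is `ping -D -s`) and, without a host argument, runs offline against a simulated 1492-byte path.

```python
"""Path-MTU probe for a PPPoE WAN (added example, not from the thread).

PPPoE adds 8 bytes of overhead on a 1500-byte Ethernet link, so the
expected WAN MTU is 1492 and the TCP MSS that fits it is 1492 - 40 = 1452.
The probe sends DF-flagged ICMP echoes and binary-searches the largest
payload that still gets through.
"""
import subprocess
import sys
from typing import Callable

IPV4_HEADER = 20
ICMP_HEADER = 8
TCP_HEADER = 20
PPPOE_OVERHEAD = 8  # 6-byte PPPoE header + 2-byte PPP protocol field


def expected_pppoe_mtu(link_mtu: int = 1500) -> int:
    """MTU left for IP once PPPoE framing is taken out of the Ethernet MTU."""
    return link_mtu - PPPOE_OVERHEAD


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP segment payload that fits one IPv4 packet of the given MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def ping_df(host: str, payload: int, timeout_s: int = 1) -> bool:
    """Real probe: one DF-set echo with the given ICMP payload size.

    Assumes Linux iputils syntax (-M do sets DF); on FreeBSD/pfSense use 'ping -D -s'.
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0
    except FileNotFoundError:
        return False


def simulate_link(link_mtu: int) -> Callable[[int], bool]:
    """Offline stand-in for ping_df: a path that drops DF packets larger than link_mtu."""
    return lambda payload: payload + IPV4_HEADER + ICMP_HEADER <= link_mtu


def find_path_mtu(probe: Callable[[int], bool], max_mtu: int = 1500) -> int:
    """Binary-search the largest ICMP payload the probe passes; return it as an IP MTU.

    A result equal to max_mtu only means the path is at least that large.
    """
    lo, hi = 0, max_mtu - IPV4_HEADER - ICMP_HEADER  # ICMP payload sizes
    if not probe(lo):
        raise RuntimeError("host unreachable even with the smallest DF probe")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid        # mid got through: the answer is mid or larger
        else:
            hi = mid - 1    # mid was dropped: the answer is smaller
    return lo + IPV4_HEADER + ICMP_HEADER


if __name__ == "__main__":
    # With a host argument, probe for real; without, use a simulated 1492-byte path.
    if len(sys.argv) > 1:
        target = sys.argv[1]
        probe = lambda p: ping_df(target, p)
    else:
        probe = simulate_link(1492)
    mtu = find_path_mtu(probe)
    print(f"path MTU {mtu}, expected PPPoE MTU {expected_pppoe_mtu()}, "
          f"MSS to clamp {mss_for_mtu(mtu)}")
```

Run it from a wired client against a well-connected host on the far side of the PPPoE link; if the measured value comes back as 1492, that is the number for the WAN interface MTU field, and 1452 is what the MSS field (MSS clamping) would hold for the same path.
-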
@gertjan
Thanks so much! Let me see if I can work through your comments/questions in order...
Netflix:
Correct, does not work on TV.
Does not work on my phone on wifi, does work on phone on LTE.
Does work on my desktop PC in a browser. I don't have the app.
On the TV, other streaming apps, such as Amazon Prime Video and Youtube seem to work fine. I haven't tried any others, but it seems that FireTV home and Netflix are the 2 that aren't working right now.
Sites that don't work, even on my desktop PC:
- This forum (works mostly okay, but I can't upload images and often can't edit posts)
- Verizon (can see login page, but cannot get into my account. Hangs at "please wait" after entering credentials)
- A steam gaming forum (Hangs at "Security check, please wait")
- My credit union/bank (works on some pages, but not others)
- My copier GUI (no error, just loads a blank white screen. I can still print to it no problem)
Before I switched over from my ISP's router/modem to the pfsense, I took photos of how everything was configured in the modem. It shows an MTU of 1500. I don't know if it would be wise to change it at this point, unless you think that is likely to be the cause of this specific issue of certain sites being inaccessible.
-
So I've been continuing to struggle with this, and it occurs to me that most (but not all) of the issues are on wireless clients.
As I noted before, I'm really not sure if I set up the wireless APs correctly or not. I was expecting there to be a setup process for adding it, but I just plugged it in and it worked.
My system is a TP-Link Deco mesh wifi, set to AP mode. I've been using it for about a year now, and it works great.
I have the "main" Deco node plugged into NIC port 3 (igb3) on the pfsense box. All 3 deco units are pulling local IPs (11.x range) and all appear to be working generally okay, at least for basic internet browsing. The FireTV, for example, is connected to one of the Deco nodes, and it reports a good connection, so I know it's working at least somewhat.
However, in my mass of searching and reading, I ran across this doc, which seems to indicate that there's a better way to add an AP.
Specifically, it mentions these 2 passages that caught my eye...
"To keep wireless and wired networks on the same IP subnet and broadcast domain while also increasing control over wireless clients, add an OPT interface to the firewall for the access point and bridge the OPT interface to the LAN interface."
AND
"Note:
A configuration with the bridge assigned as LAN is optimal here, rather than only having the OPT bridged to the existing wired LAN."
Okay, cool. I'd love to try that, but I don't know how to go about doing the things mentioned there.
How exactly does one "Add an OPT interface" or "bridge the OPT interface to the LAN interface"?
Also, what is meant by having the "bridge assigned as LAN"?
It's possible that none of this has anything to do with my site/service blocking issues, but it seems worth looking into, just for the purposes of having the wifi set up correctly if nothing else.
EDIT: it thinks my post is spam? say what now?!
-
Now I'm even more confused. I was hunting through the GUI, and checking logs and such, and ran across these entries from today:
Given that my LAN rules look like this, what gives?
I don't think those blocks are specifically to the FireTV, but they definitely shouldn't be there, since the only active LAN is rule "allow all". What "default deny rule"?
I swear, I'm just about at the end of my rope on this. My wife is telling me to pull the plug on this firewall and go back to the old ISP router. I'm half inclined to agree with her.
If I didn't need it so badly for my work, I probably would.
Hey, check it out, my image uploads are working!
Oh, and I've also confirmed that it's 100% not the FireTV that's causing the problem. It also exists on the TV itself (separate OS, also wifi), my wife's laptop (still wifi) and her iPad (yep, wifi).
See a pattern here...? I do have some sites that don't load on my wired desktop, though, so I don't think it's totally a wifi thing. -
Not to pile on too much here (too late, I know), but I ran across this thread that seems like it may be related: https://www.reddit.com/r/PFSENSE/comments/f8j1gi/pfsense_blocking_connection_it_shouldnt/
I wonder if my trouble may have something to do with the fact that we had to set up a VLAN to get my DSL to connect? I know exactly nothing about VLANs, or how they should be configured, so could maybe the info in the last comment of that thread be relevant? -
@elmojo have you tried to lower your mtu?
https://docs.netgate.com/pfsense/en/latest/troubleshooting/website-access-issues.html -
Check the states on the blocks - TCP:A, TCP:RA, TCP:PA
https://forum.netgate.com/topic/132592/tcp-ra-tcp-a-tcp-pa-blocked
John
-
@heper said in Various sites and services being blocked - how to fix?:
@elmojo have you tried to lower your mtu?
https://docs.netgate.com/pfsense/en/latest/troubleshooting/website-access-issues.html
I'm trying now... but I'm not sure I'm doing it right.
I'm in the WAN interface screen, and I've calculated my max MTU to be 1492 for PPPoE. Do I just enter that number in the MTU field and "apply"? The doc seemed to indicate that I should use the MSS field instead, but I'm not sure how. Does the pfsense require a reboot afterwards? Nothing mentions that it does, but I don't see any improvement after making that change, so... ?
@serbus said in Various sites and services being blocked - how to fix?:
Check the states on the blocks - TCP:A, TCP:RA, TCP:PA
https://forum.netgate.com/topic/132592/tcp-ra-tcp-a-tcp-pa-blocked
John
I read through that thread, but it's all Greek to me. I didn't really see any "do this" or "change this setting" direction in there. Did I miss it? It seemed to be mostly a discussion of how that (complicated) network wasn't set up properly. lol
-
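"Check the states on the blocks" means looking at the TCP flags column of the blocked entries. pf is stateful: a packet is only matched against the rules when it starts a connection (flags S); every later packet of that connection is passed by the state entry, not by a rule. So a logged block with flags A, PA or RA on a LAN interface whose only rule is "allow all" is a mid-connection packet for which pf has no state (asymmetric routing, a state that was lost, or a connection that was set up before a reload), and it falls through to the built-in default deny, which is what the linked thread is about. A block with flags S alone is a genuine new-connection denial. The script below is an added example, not code from any post or from pfSense, that sorts filterlog lines into those two groups; it follows the pfSense filterlog CSV field layout for IPv4 (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then tos, ecn, ttl, id, offset, flags, protocol id, protocol name, length, source, destination, then for TCP source port, destination port, data length, flags, ...). The sample lines, host names, interface names and addresses are constructed for the example; the tracker value 1000000103 is the one pfSense uses for its IPv4 default deny rule.

```python
"""Classify pfSense filterlog block entries by TCP flags (added example).

pf keeps state per connection; a packet that belongs to no known state hits
the default-deny rule even when a LAN 'allow all' rule exists.  Such blocks
show TCP flags without SYN (A, PA, RA, FA ...).  A block whose flags are only
S is a real new-connection denial.  IPv4 field layout follows the pfSense
filterlog CSV format; the sample lines below are constructed for this example.
"""
import re
from collections import Counter

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.+)$")

# Constructed sample: LAN host 192.168.11.50 mid-conversation with a web server on
# igb1 (three out-of-state packets), plus two inbound WAN blocks for contrast.
SAMPLE_LOG = [
    "Dec 25 09:12:01 fw filterlog[45812]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,"
    "30011,0,DF,6,tcp,52,192.168.11.50,203.0.113.10,51234,443,0,A,1111,2222,501,,nop;nop;TS",
    "Dec 25 09:12:01 fw filterlog[45812]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,"
    "30012,0,DF,6,tcp,1300,192.168.11.50,203.0.113.10,51234,443,1248,PA,1111,2222,501,,nop;nop;TS",
    "Dec 25 09:12:02 fw filterlog[45812]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,"
    "30013,0,DF,6,tcp,40,192.168.11.50,203.0.113.10,51234,443,0,RA,1111,2222,0,,",
    "Dec 25 09:12:05 fw filterlog[45812]: 5,,,1000000103,pppoe0,match,block,in,4,0x0,,52,"
    "4242,0,none,6,tcp,60,198.51.100.7,192.0.2.9,55555,22,0,S,3333,0,65535,,mss",
    "Dec 25 09:12:06 fw filterlog[45812]: 5,,,1000000103,pppoe0,match,block,in,4,0x0,,52,"
    "4243,0,none,17,udp,78,198.51.100.7,192.0.2.9,5353,5353,58",
]


def parse_filterlog(line: str):
    """Return a dict of the fields we care about, or None if the line is not a filterlog entry."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    rec = {"rule": f[0], "tracker": f[3], "iface": f[4],
           "action": f[6], "dir": f[7], "ipver": f[8]}
    if rec["ipver"] != "4" or len(f) < 20:
        return rec  # IPv6 layout differs and is not handled here
    rec.update(proto=f[16], length=f[17], src=f[18], dst=f[19])
    rest = f[20:]
    if rec["proto"] == "tcp" and len(rest) >= 4:
        rec.update(sport=rest[0], dport=rest[1], datalen=rest[2], tcpflags=rest[3])
    elif rec["proto"] == "udp" and len(rest) >= 2:
        rec.update(sport=rest[0], dport=rest[1])
    return rec


def classify(rec) -> str:
    """Sort a parsed entry: rule denial of a new connection vs. packet with no state."""
    if rec is None or rec.get("action") != "block":
        return "not_a_block"
    if rec.get("proto") != "tcp" or "tcpflags" not in rec:
        return "non_tcp_block"
    flags = rec["tcpflags"]
    if "S" in flags and "A" not in flags:
        return "new_connection_denied"   # SYN hit a deny rule: rules really forbid it
    return "out_of_state"                # A/PA/RA/FA...: pf had no state for this flow


def summarize(lines) -> Counter:
    """Count entries per category over a batch of log lines."""
    return Counter(classify(parse_filterlog(l)) for l in lines)


def out_of_state_flows(lines):
    """(interface, src, dst, dport) of every out-of-state block: the flows to chase."""
    flows = set()
    for line in lines:
        rec = parse_filterlog(line)
        if classify(rec) == "out_of_state":
            flows.add((rec["iface"], rec["src"], rec["dst"], rec["dport"]))
    return flows


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    for flow in sorted(out_of_state_flows(SAMPLE_LOG)):
        print("out-of-state:", flow)
```

Feed it the exported LAN block entries (Status > System Logs > Firewall, filtered on the desktop's address) instead of SAMPLE_LOG. If nearly everything comes out as out_of_state on the LAN interface, the rules are not the problem; the question becomes why pf never saw the SYN, or lost the state, for those flows.
-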
Rejoice! We have partial success!
(The bolding is mostly for me when I need this info later lol)
I put the value of 1492 directly in the MTU field of the WAN interface, ignoring the MSS field for now. We can always come back to that if it's best practice or whatever.
That resulted in the FireTV having full connectivity, including Netflix and Home screen!
I can also access the previously blocked apps on my phones, so this is definitely a huge improvement. I wish I had tried the suggested MTU change earlier, when @Gertjan mentioned it. That's what I get for trusting my stupid ISP. I should really know better by now.
However, I'm still having issues on my desktop with some sites not working properly. It seems to be mostly sites that require additional security checks. I'm pretty sure it's that issue noted in the link that @serbus shared, I just don't know how to fix it.
Here's what I see when I filter my firewall logs for blocking, LAN, and that one IP for my desktop PC:
Also, here's my current network map, as best as I can draw it out.
It's not totally complete, but it should be close enough for this discussion.
I'm wondering if my TP-link managed switch (model T1600G-28PS v3.0) might be causing the asymmetric routing, or whatever is happening? I don't have anything special set up in there, like VLANs or anything. I only use it for the POE currently, but I was thinking I may need some of the other features eventually. Could there be a default setting in the switch that's conflicting with the pfsense box? How would I even begin to look for such a conflict?
-
There was a link to the Netgate docs in the post I referenced that had some good troubleshooting info, but that link appears to be broken.
Here is the current link :
https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
It may help you explore the state issues.
John
-
@serbus Yeah, I read that page previously.
I'm pretty sure my issue is asymmetric routing, but I haven't found anything yet that explains it in a way I can understand, or says how to actually fix it. The link on that troubleshooting page says there's an "automatic fix", which I've tried, without success. I don't have any static routes in place, so that option doesn't seem to apply anyway. Perhaps adding static routes is the answer, but I don't know what that is or how to invoke it.
I'm really hoping someone can help me track this down.
I'm so close to a working network here, but as it stands at the moment, I still can't access certain critical things I need, some of which (eg. my copier GUI) are within my LAN. -
Your Desktop PC CADZilla uses a cable connection. Does it also have Wifi? If so, deactivate it.
-
@gertjan No, it's wired connection only.
-
@elmojo, Merry Christmas, sorry I wasn't able to join in earlier. I agree to take your contact information so I can verify your pfsense. Is everything ready, or do you still need help?
-
@silence Good morning! I think you are offering remote help, right?
What sort of access to my network would you have? I don't mean to sound untrusting, but because of the work I do, I'm not allowed to give any outside person or entity access to any of my systems or internal network. I can allow access to the pfsense system, if that's what you are suggesting. How would we do it? What sort of connection or software?
I would really appreciate any help! -
@elmojo, anydesk.
-
@silence Sorry, that would give you access to my desktop and network. I can't allow that. :(
Thanks so much for the offer, though. I'm so close to getting this sorted out!