Various sites and services being blocked - how to fix?
-
@gertjan
Thanks so much! Let me see if I can work through your comments/questions in order...
Netflix:
Correct, does not work on TV.
Does not work on my phone on wifi, does work on phone on LTE.
Does work on my desktop PC in a browser. I don't have the app.
On the TV, other streaming apps, such as Amazon Prime Video and Youtube seem to work fine. I haven't tried any others, but it seems that FireTV home and Netflix are the 2 that aren't working right now.
Sites that don't work, even on my desktop PC:
- This forum (works mostly okay, but I can't upload images and often can't edit posts)
- Verizon (can see login page, but cannot get into my account. Hangs at "please wait" after entering credentials)
- A steam gaming forum (Hangs at "Security check, please wait")
- My credit union/bank (works on some pages, but not others)
- My copier GUI (no error, just loads a blank white screen. I can still print to it no problem)
Before I switched over from my ISP's router/modem to the pfsense, I took photos of how everything was configured in the modem. It shows an MTU of 1500. I don't know if it would be wise to change it at this point, unless you think that is likely to be the cause of this specific issue of certain sites being inaccessible.
-
So I've been continuing to struggle with this, and it occurs to me that most (but not all) of the issues are on wireless clients.
As I noted before, I'm really not sure if I set up the wireless APs correctly or not. I was expecting there to be a setup process for adding it, but I just plugged it in and it worked.
My system is a TP-Link Deco mesh wifi, set to AP mode. I've been using it for about a year now, and it works great.
I have the "main" Deco node plugged into NIC port 3 (igb3) on the pfsense box. All 3 deco units are pulling local IPs (11.x range) and all appear to be working generally okay, at least for basic internet browsing. The FireTV, for example, is connected to one of the Deco nodes, and it reports a good connection, so I know it's working at least somewhat.
However, in my mass of searching and reading, I ran across this doc, which seems to indicate that there's a better way to add an AP.
Specifically, it mentions these 2 passages that caught my eye...
"To keep wireless and wired networks on the same IP subnet and broadcast domain while also increasing control over wireless clients, add an OPT interface to the firewall for the access point and bridge the OPT interface to the LAN interface."
AND
"Note:
A configuration with the bridge assigned as LAN is optimal here, rather than only having the OPT bridged to the existing wired LAN."
Okay, cool. I'd love to try that, but I don't know how to go about doing the things mentioned there.
How exactly does one "Add an OPT interface" or "bridge the OPT interface to the LAN interface"?
Also, what is meant by having the "bridge assigned as LAN"?
It's possible that none of this has anything to do with my site/service blocking issues, but it seems worth looking into, just for the purposes of having the wifi set up correctly if nothing else.
EDIT: it thinks my post is spam? say what now?!
-
Now I'm even more confused. I was hunting through the GUI, and checking logs and such, and ran across these entries from today:
Given that my LAN rules look like this, what gives?
I don't think those blocks are specifically to the FireTV, but they definitely shouldn't be there, since the only active LAN rule is "allow all". What "default deny rule"?
I swear, I'm just about at the end of my rope on this. My wife is telling me to pull the plug on this firewall and go back to the old ISP router. I'm half inclined to agree with her.
If I didn't need it so badly for my work, I probably would.
Hey, check it out, my image uploads are working!
Oh, and I've also confirmed that it's 100% not the FireTV that's causing the problem. It also exists on the TV itself (separate OS, also wifi), my wife's laptop (still wifi) and her iPad (yep, wifi).
See a pattern here...? I do have some sites that don't load on my wired desktop, though, so I don't think it's totally a wifi thing.
-
Not to pile on too much here (too late, I know), but I ran across this thread that seems like it may be related: https://www.reddit.com/r/PFSENSE/comments/f8j1gi/pfsense_blocking_connection_it_shouldnt/
I wonder if my trouble may have something to do with the fact that we had to set up a VLAN to get my DSL to connect? I know exactly nothing about VLANs, or how they should be configured, so could maybe the info in the last comment of that thread be relevant?
-
@elmojo have you tried to lower your mtu?
https://docs.netgate.com/pfsense/en/latest/troubleshooting/website-access-issues.html
-
Check the states on the blocks - TCP:A, TCP:RA, TCP:PA
https://forum.netgate.com/topic/132592/tcp-ra-tcp-a-tcp-pa-blocked
John
-
@heper said in Various sites and services being blocked - how to fix?:
@elmojo have you tried to lower your mtu?
https://docs.netgate.com/pfsense/en/latest/troubleshooting/website-access-issues.html
I'm trying now... but I'm not sure I'm doing it right.
I'm in the WAN interface screen, and I've calculated my max MTU to be 1492 for PPPoE. Do I just enter that number in the MTU field and "apply"? The doc seemed to indicate that I should use the MSS field instead, but I'm not sure how. Does the pfsense require a reboot afterwards? Nothing mentions that it does, but I don't see any improvement after making that change, so... ?
@serbus said in Various sites and services being blocked - how to fix?:
Check the states on the blocks - TCP:A, TCP:RA, TCP:PA
https://forum.netgate.com/topic/132592/tcp-ra-tcp-a-tcp-pa-blocked
John
I read through that thread, but it's all Greek to me. I didn't really see any "do this" or "change this setting" direction in there. Did I miss it? It seemed to be mostly a discussion of how that (complicated) network wasn't set up properly. lol
-
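The arithmetic behind the 1492 figure in the post above, and the difference between an MTU and an MSS value, as an added example that is not part of the original thread. PPPoE spends 8 bytes of every 1500-byte Ethernet frame (a 6-byte PPPoE header plus the 2-byte PPP protocol field), so 1492 is the largest IP packet the WAN can carry; the MSS is what TCP then advertises once the IP and TCP headers are subtracted from that. The `simulated_link` responder is constructed so the script runs offline; on a real host the same binary search is a series of pings with the don't-fragment bit set. The exact behaviour of pfSense's own MSS field is not modelled here; my understanding (an assumption, check the field's help text) is that it expects an MTU-sized number and subtracts the 40 header bytes itself.

```python
"""Worked MTU / MSS numbers for a PPPoE WAN, plus a binary-search path-MTU probe.

Added example, not from the original thread.  The link simulator at the bottom
is constructed so the script runs offline.
"""

from typing import Callable

# Per-layer overheads in bytes.  PPPoE = 6-byte PPPoE header + 2-byte PPP
# protocol field, which is why a 1500-byte Ethernet path yields 1492 for IP.
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8
IPV4_HEADER = 20
IPV6_HEADER = 40
TCP_HEADER = 20
ICMP_HEADER = 8


def pppoe_mtu(link_mtu: int = ETHERNET_MTU) -> int:
    """Largest IP packet that fits in one PPPoE frame on this link."""
    return link_mtu - PPPOE_OVERHEAD


def tcp_mss(mtu: int, ipv6: bool = False) -> int:
    """MSS a host should advertise so a full segment never exceeds `mtu`.

    Only the fixed header sizes are subtracted; TCP options (timestamps, SACK)
    come out of the payload, so this is the upper bound a clamp should enforce.
    """
    return mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - TCP_HEADER


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = ETHERNET_MTU) -> int:
    """Binary-search the largest total IP packet size that `probe` delivers.

    `probe(size)` must send a packet of that total size with DF set and return
    True only if a reply came back.  Assumes `lo` works and that every size above
    the true path MTU fails (DF forbids fragmentation, so nothing gets through).
    """
    if not probe(lo):
        raise ValueError(f"even {lo}-byte packets do not pass")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits: the answer is at least mid
        else:
            hi = mid - 1      # mid is too big: the answer is below mid
    return lo


def ping_payload(total_size: int) -> int:
    """ICMP data length for `ping -s` that yields a `total_size` IPv4 packet."""
    return total_size - IPV4_HEADER - ICMP_HEADER


def simulated_link(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real DF ping: passes iff size <= path_mtu."""
    return lambda size: size <= path_mtu


if __name__ == "__main__":
    mtu = pppoe_mtu()  # 1492
    print(f"PPPoE WAN MTU: {mtu}")
    print(f"IPv4 MSS: {tcp_mss(mtu)}, IPv6 MSS: {tcp_mss(mtu, ipv6=True)}")
    found = find_path_mtu(simulated_link(1492))
    print(f"probe found path MTU {found}; equivalent Linux check: "
          f"ping -M do -s {ping_payload(found)} <host>")
```

On a real link, replace `simulated_link` with a function that runs the ping shown in the last line (Linux `ping -M do -s <payload>`; on BSD/macOS `ping -D -s <payload>`) and returns whether a reply arrived. Sizes above the path MTU are either refused locally or answered with an ICMP "fragmentation needed", and a path that silently drops those ICMP messages is exactly the case where large HTTPS responses hang while small pages load.
-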
Rejoice! We have partial success!
(The bolding is mostly for me when I need this info later lol)
I put the value of 1492 directly in the MTU field of the WAN interface, ignoring the MSS field for now. We can always come back to that if it's best practice or whatever.
That resulted in the FireTV having full connectivity, including Netflix and Home screen!
I can also access the previously blocked apps on my phones, so this is definitely a huge improvement. I wish I had tried the suggested MTU change earlier, when @Gertjan mentioned it. That's what I get for trusting my stupid ISP. I should really know better by now.
However, I'm still having issues on my desktop with some sites not working properly. It seems to be mostly sites that require additional security checks. I'm pretty sure it's that issue noted in the link that @serbus shared, I just don't know how to fix it.
Here's what I see when I filter my firewall logs for blocking, LAN, and that one IP for my desktop PC:
Also, here's my current network map, as best as I can draw it out.
It's not totally complete, but it should be close enough for this discussion.
I'm wondering if my TP-link managed switch (model T1600G-28PS v3.0) might be causing the asymmetric routing, or whatever is happening? I don't have anything special set up in there, like VLANs or anything. I only use it for the PoE currently, but I was thinking I may need some of the other features eventually. Could there be a default setting in the switch that's conflicting with the pfsense box? How would I even begin to look for such a conflict?
-
There was a link to the Netgate docs in the post I referenced that had some good troubleshooting info, but that link appears to be broken.
Here is the current link :
https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
It may help you explore the state issues.
John
-
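A small classifier for the kind of log entries the linked page and the earlier TCP:A / TCP:RA / TCP:PA thread describe, as an added example that is not from this thread or from Netgate. pf creates a state when it sees the SYN; a later packet that carries only A, PA, RA or FA and matches no state falls past every pass rule to the default deny and is logged there, which is why such blocks appear even when the only LAN rule is allow-all. Separating those from SYN blocks tells you whether to look at the rules or at the state (asymmetric path, state reset, idle timeout). The field layout follows the pfSense filterlog CSV format as documented; the log lines, addresses and tracker IDs below are constructed, not taken from the poster's logs.

```python
"""Classify pfSense filterlog 'block' entries by TCP flags.

Added example, not from the original thread.  SAMPLE_LOG is constructed in the
filterlog CSV layout (common fields, IPv4/IPv6 fields, then protocol fields).
"""

import csv
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

SYSLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.*)$")

COMMON = ["rulenum", "subrulenum", "anchor", "tracker", "iface", "reason",
          "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "protoid", "proto"]
IPV6 = ["class", "flowlabel", "hlim", "proto", "protoid"]
L3 = ["length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "opts"]

# Constructed sample: three mid-stream packets from a LAN host on igb3 hitting
# the default deny, one genuine SYN refused on WAN, and one UDP entry to skip.
SAMPLE_LOG = """\
Dec 26 09:12:01 fw filterlog[31337]: 5,,,1000000103,igb3,match,block,in,4,0x0,,64,13177,0,DF,6,tcp,52,192.168.11.50,203.0.113.10,54321,443,0,A,2971315440,1338016010,1024,,
Dec 26 09:12:01 fw filterlog[31337]: 5,,,1000000103,igb3,match,block,in,4,0x0,,64,13178,0,DF,6,tcp,52,192.168.11.50,203.0.113.10,54321,443,0,PA,2971315440,1338016010,1024,,
Dec 26 09:12:03 fw filterlog[31337]: 5,,,1000000103,igb3,match,block,in,4,0x0,,64,13190,0,DF,6,tcp,40,192.168.11.50,203.0.113.10,54321,443,0,RA,2971315441,1338016010,0,,
Dec 26 09:12:05 fw filterlog[31337]: 9,,,1700000001,igb0,match,block,in,4,0x0,,53,2212,0,none,6,tcp,60,198.51.100.77,192.0.2.1,40001,22,0,S,1766212222,0,29200,,mss;sackOK;TS;nop;wscale
Dec 26 09:12:06 fw filterlog[31337]: 5,,,1000000103,igb3,match,block,in,4,0x0,,64,13201,0,DF,17,udp,78,192.168.11.50,192.168.11.1,51000,53,58
"""


@dataclass
class BlockedTcp:
    iface: str
    tracker: str
    src: str
    dst: str
    dport: int
    flags: str

    @property
    def out_of_state(self) -> bool:
        """True unless the packet is a bare SYN.  A SYN block is a rule decision;
        anything else (A, PA, RA, FA, even SA) only reaches the default deny
        because no matching state existed when it arrived."""
        return not ("S" in self.flags and "A" not in self.flags)


def parse_filterlog(line: str) -> Optional[dict]:
    """Return the fields of one filterlog syslog line as a dict, else None."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    vals = next(csv.reader([m.group("csv")]))
    rec = dict(zip(COMMON, vals[:len(COMMON)]))
    rest = vals[len(COMMON):]
    l3_names = IPV4 if rec["ipver"] == "4" else IPV6
    rec.update(zip(l3_names, rest[:len(l3_names)]))
    rest = rest[len(l3_names):]
    rec.update(zip(L3, rest[:len(L3)]))
    rest = rest[len(L3):]
    if rec.get("proto") == "tcp":
        rec.update(zip(TCP, rest[:len(TCP)]))
    return rec


def blocked_tcp(lines: Iterable[str]) -> List[BlockedTcp]:
    """Keep only blocked TCP entries, as BlockedTcp records."""
    out = []
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec.get("proto") == "tcp":
            out.append(BlockedTcp(rec["iface"], rec["tracker"], rec["src"],
                                  rec["dst"], int(rec["dport"]), rec["tcpflags"]))
    return out


def summarize(entries: List[BlockedTcp]) -> dict:
    """Count blocks by kind so the two failure modes are not mixed up."""
    kinds = Counter("out-of-state" if e.out_of_state else "new-connection"
                    for e in entries)
    return {"total": len(entries), **kinds}


if __name__ == "__main__":
    entries = blocked_tcp(SAMPLE_LOG.splitlines())
    for e in entries:
        kind = ("out-of-state: no SYN, chase path/state, not rules"
                if e.out_of_state else "new connection refused by a rule")
        print(f"{e.iface} {e.src} -> {e.dst}:{e.dport} flags={e.flags}: {kind}")
    print(summarize(entries))
```

Feed it the raw firewall log rather than the GUI's rendered view, and for every entry classed out-of-state on the LAN interface check Diagnostics > States for the same source/destination/port while the connection is alive: if no state exists for a connection the client believes is open, the firewall never saw its SYN (asymmetric path) or dropped the state, and no LAN rule change will help.
-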
@serbus Yeah, I read that page previously.
I'm pretty sure my issue is asymmetric routing, but I haven't found anything yet that explains it in a way I can understand, or says how to actually fix it. The link on that troubleshooting page says there's an "automatic fix", which I've tried, without success. I don't have any static routes in place, so that option doesn't seem to apply anyway. Perhaps adding static routes is the answer, but I don't know what that is or how to invoke it.
I'm really hoping someone can help me track this down.
I'm so close to a working network here, but as it stands at the moment, I still can't access certain critical things I need, some of which (eg. my copier GUI) are within my LAN.
-
Your desktop PC CADZilla uses a cable connection. Does it also have Wifi? If so, deactivate it.
-
@gertjan No, it's wired connection only.
-
@elmojo, Merry Christmas, sorry for not being able to reply earlier. I agree that I am going to send your contact information to verify your pfSense. Is everything ready, or do you even need help?
-
@silence Good morning! I think you are offering remote help, right?
What sort of access to my network would you have? I don't mean to sound untrusting, but because of the work I do, I'm not allowed to give any outside person or entity access to any of my systems or internal network. I can allow access to the pfsense system, if that's what you are suggesting. How would we do it? What sort of connection or software?
I would really appreciate any help!
-
@elmojo, anydesk.
-
@silence Sorry, that would give you access to my desktop and network. I can't allow that. :(
Thanks so much for the offer, though. I'm so close to getting this sorted out!
-
@elmojo, if you want, you can allow access only to pfSense (by creating a rule on your WAN like this, for example): Firewall > Rules > WAN > Permit 190.166.216.65
-
@silence What would that "permit"? Is that 190.166 address your public IP, or just an example?
I'm sorry, I don't follow what that rule would do. I'm game to try it if it gives you access to only the pfsense box, but I don't see how it would work. Sorry, it's Monday and I'm slow. Besides, I'm learning all this from scratch. Please be patient with me.
-
@elmojo, yes, my public WAN IP!
Only remote access to your pfSense (website).
I would need you to create a user just to monitor your firewall logs.
-
@silence Ok, cool. Let's give it a shot. One minute, let me set up the rule.