Various sites and services being blocked - how to fix?
-
Now I'm even more confused. I was hunting through the GUI, and checking logs and such, and ran across these entries from today:
Given that my LAN rules look like this, what gives?
I don't think those blocks are specifically to the FireTV, but they definitely shouldn't be there, since the only active LAN rule is "allow all". What "default deny rule"?
I swear, I'm just about at the end of my rope on this. My wife is telling me to pull the plug on this firewall and go back to the old ISP router. I'm half inclined to agree with her.
If I didn't need it so badly for my work, I probably would.
Hey, check it out, my image uploads are working!
Oh, and I've also confirmed that it's 100% not the FireTV that's causing the problem. It also exists on the TV itself (separate OS, also wifi), my wife's laptop (still wifi) and her iPad (yep, wifi).
See a pattern here...? I do have some sites that don't load on my wired desktop, though, so I don't think it's totally a wifi thing.
-
Not to pile on too much here (too late, I know), but I ran across this thread that seems like it may be related: https://www.reddit.com/r/PFSENSE/comments/f8j1gi/pfsense_blocking_connection_it_shouldnt/
I wonder if my trouble may have something to do with the fact that we had to set up a VLAN to get my DSL to connect? I know exactly nothing about VLANs, or how they should be configured, so could maybe the info in the last comment of that thread be relevant?
-
@elmojo have you tried to lower your mtu?
https://docs.netgate.com/pfsense/en/latest/troubleshooting/website-access-issues.html
-
Check the states on the blocks - TCP:A, TCP:RA, TCP:PA
https://forum.netgate.com/topic/132592/tcp-ra-tcp-a-tcp-pa-blocked
John
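An added example (not code from this thread or from Netgate) of what "check the states on the blocks" means in practice: it reads blocked TCP entries from pfSense's raw filter log and splits them into SYN blocks (an actual rule decision) and out-of-state A/PA/RA blocks (packets with no matching state, which land on the default deny rule). The field order is assumed to match pfSense's raw filterlog CSV layout, and the sample lines are constructed, not real captures.

```python
# Added example: classify pfSense "block" log entries by TCP flags.
# A packet with SYN set was evaluated against the rule set for a new
# connection; A/PA/RA/FA packets without SYN were dropped because pf had
# no state for them (typical of asymmetric routing or an expired state).
# Field layout is assumed to match pfSense's raw filterlog CSV format.
import csv
from collections import Counter
from io import StringIO

# Constructed sample lines (not real captures); igb1 = LAN, igb0 = WAN.
SAMPLE_LOG = """\
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.1.50,198.51.100.20,50222,443,0,A,10,20,501,,
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.1.50,198.51.100.20,50222,443,0,RA,10,20,0,,
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.1.50,198.51.100.21,50300,443,0,PA,10,20,501,,
12,,,1591234567,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.9,192.0.2.2,43210,22,0,S,1,,65535,,mss
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,192.168.1.50,224.0.0.251,5353,5353,58
"""

def classify_flags(tcp_flags):
    """SYN present: a rule decision on a new connection. No SYN: dropped
    for lacking a state, not by an explicit rule."""
    return "new-connection" if "S" in tcp_flags else "out-of-state"

def parse_blocked_tcp(log_text):
    """Return blocked IPv4 TCP entries as dicts; other protocols are skipped."""
    entries = []
    for row in csv.reader(StringIO(log_text)):
        # action=row[6], ip version=row[8], protocol text=row[16]
        if len(row) < 24 or row[6] != "block" or row[8] != "4" or row[16] != "tcp":
            continue
        entries.append({
            "iface": row[4], "dir": row[7],
            "src": f"{row[18]}:{row[20]}", "dst": f"{row[19]}:{row[21]}",
            "flags": row[23], "kind": classify_flags(row[23]),
        })
    return entries

def summarize(entries):
    """Count blocks per (interface, kind). Many out-of-state blocks on the
    LAN interface point at state/routing trouble rather than a bad rule."""
    return Counter((e["iface"], e["kind"]) for e in entries)

if __name__ == "__main__":
    ents = parse_blocked_tcp(SAMPLE_LOG)
    for e in ents:
        print(f"{e['iface']:5} {e['src']:>20} -> {e['dst']:<20} {e['flags']:3} {e['kind']}")
    print(dict(summarize(ents)))
```

Running it against a real export (Status > System Logs > Firewall, raw view) instead of SAMPLE_LOG shows at a glance whether the "default deny" hits are rule blocks or state-less leftovers.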
-
@heper said in Various sites and services being blocked - how to fix?:
@elmojo have you tried to lower your mtu?
https://docs.netgate.com/pfsense/en/latest/troubleshooting/website-access-issues.html
I'm trying now... but I'm not sure I'm doing it right.
I'm in the WAN interface screen, and I've calculated my max MTU to be 1492 for PPPoE. Do I just enter that number in the MTU field and "apply"? The doc seemed to indicate that I should use the MSS field instead, but I'm not sure how. Does the pfsense require a reboot afterwards? Nothing mentions that it does, but I don't see any improvement after making that change, so... ?
@serbus said in Various sites and services being blocked - how to fix?:
Check the states on the blocks - TCP:A, TCP:RA, TCP:PA
https://forum.netgate.com/topic/132592/tcp-ra-tcp-a-tcp-pa-blocked
John
I read through that thread, but it's all Greek to me. I didn't really see any "do this" or "change this setting" direction in there. Did I miss it? It seemed to be mostly a discussion of how that (complicated) network wasn't set up properly. lol
-
Rejoice! We have partial success!
(The bolding is mostly for me when I need this info later lol)
I put the value of 1492 directly in the MTU field of the WAN interface, ignoring the MSS field for now. We can always come back to that if it's best practice or whatever.
That resulted in the FireTV having full connectivity, including Netflix and Home screen!
I can also access the previously blocked apps on my phones, so this is definitely a huge improvement. I wish I had tried the suggested MTU change earlier, when @Gertjan mentioned it. That's what I get for trusting my stupid ISP. I should really know better by now.
However, I'm still having issues on my desktop with some sites not working properly. It seems to be mostly sites that require additional security checks. I'm pretty sure it's that issue noted in the link that @serbus shared, I just don't know how to fix it.
Here's what I see when I filter my firewall logs for blocking, LAN, and that one IP for my desktop PC:
Also, here's my current network map, as best as I can draw it out.
It's not totally complete, but it should be close enough for this discussion.
I'm wondering if my TP-Link managed switch (model T1600G-28PS v3.0) might be causing the asymmetric routing, or whatever is happening? I don't have anything special set up in there, like VLANs or anything. I only use it for the PoE currently, but I was thinking I may need some of the other features eventually. Could there be a default setting in the switch that's conflicting with the pfsense box? How would I even begin to look for such a conflict?
-
There was a link to the Netgate docs in the post I referenced that had some good troubleshooting info, but that link appears to be broken.
Here is the current link :
https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
It may help you explore the state issues.
John
-
@serbus Yeah, I read that page previously.
I'm pretty sure my issue is asymmetric routing, but I haven't found anything yet that explains it in a way I can understand, or says how to actually fix it. The link on that troubleshooting page says there's an "automatic fix", which I've tried, without success. I don't have any static routes in place, so that option doesn't seem to apply anyway. Perhaps adding static routes is the answer, but I don't know what that is or how to invoke it.
I'm really hoping someone can help me track this down.
I'm so close to a working network here, but as it stands at the moment, I still can't access certain critical things I need, some of which (e.g. my copier GUI) are within my LAN.
-
Your desktop PC CADZilla uses a cable connection. Does it also have Wifi? If so, deactivate it.
-
@gertjan No, it's wired connection only.
-
@elmojo, Merry Christmas, sorry I was not able to join earlier. I agree that you can send me your contact information so I can verify your pfsense. Is everything ready, or do you still need help?
-
@silence Good morning! I think you are offering remote help, right?
What sort of access to my network would you have? I don't mean to sound untrusting, but because of the work I do, I'm not allowed to give any outside person or entity access to any of my systems or internal network. I can allow access to the pfsense system, if that's what you are suggesting. How would we do it? What sort of connection or software?
I would really appreciate any help!
-
@elmojo, anydesk.
-
@silence Sorry, that would give you access to my desktop and network. I can't allow that. :(
Thanks so much for the offer, though. I'm so close to getting this sorted out!
-
@elmojo, if you want, you can allow access only to pfsense (by creating a rule on your WAN like this, for example): Firewall > Rules > WAN > Permit 190.166.216.65
-
@silence What would that "permit"? Is that 190.166 address your public IP, or just an example?
I'm sorry, I don't follow what that rule would do. I'm game to try it if it gives you access to only the pfsense box, but I don't see how it would work. Sorry, it's Monday and I'm slow. Besides, I'm learning all this from scratch. Please be patient with me.
-
@elmojo, yes, my public WAN IP!
Only remote access to your pfsense (website).
I would need you to create a user just to monitor your firewall logs.
-
@silence Ok, cool. Let's give it a shot. One minute, let me set up the rule.
-
@elmojo, take a screenshot of the new username and password for me but don't send me the link.
-
@silence sorry for the delay, was on the phone with my office.
I have no idea if I did the user right. Let me know.