pfBlockerNG-Devel Troubleshooting mobile apps and sites not appearing under Reports
-
Hi all,
Admittedly I am new to pfSense and troubleshooting beyond the GUI, so please excuse me if I'm missing something obvious.
The issue I'm experiencing: The mobile app, Snapchat, fails to function properly due to an unknown feed in pfBlockerNG-Devel; Reports does not give any clue as to which feed is causing the issue.
When I search the source's address in Reports > Alert, nothing obviously close to Snapchat or its CDN appears. If I go to www.snapchat.com, it appears as expected under DNSBL block Feed/Group EladKarako_BD/DNSBL_Malicious2. Unfortunately removing this group and attempting a reload via Update > Reload + DNSBL does not allow the app to load (typical iOS cache clearing was performed), although the webpage then functions properly.
My troubleshooting so far:
Removed EladKarako_BD from feeds and reloaded
Added .snapchat.com to DNSBL whitelist, which allows the webpage to load but does not affect the app's functionality (CDN or different servers?)
I've played the "click red lock until something works" game, but that seems inefficient and didn't work.
Diagnostics > Tables > pfB_PRI1,2,3,4_v4 shows IP addresses, but I have no clue what IP address belongs to the server I need to communicate with.
Status > Server > Restarted pfb_filter
Firewall > pfBlockerNG > Logs > dnsbl.log shows Snapchat from browsing to the webpage from my computer, nothing for mobile though.
Status / System Logs / Firewall / Dynamic View (filtered by mobile device) > Nothing besides 17.0.0.0/8 and local
Question: In scenarios where a blocked app does not appear in reports, how can I track down the causing feed or necessary servers/IPs to whitelist an application/webpage such as Snapchat?
Hardware: SG-5100 w/ 16GB RAM, 6.7GB disk space left (this was never upgraded from what the device ships with)
Software: pfSense 21.05.1-RELEASE (amd64), pfBlockerNG-Devel 3.1.0_1
Other packages installed: Avahi, snort (I checked snort as well but 99.9% of the time it reports nothing)
This page mentions turning on Python mode and Null Block (logging) (Global) but I don't think my device can support it due to the small hard drive.
-
Stress and tiredness had gotten the best of me but this is resolved. Wildcarding .snapchat.com in DNSBL whitelist did in fact resolve the issue.
I have a Raspberry Pi running Pi-hole and was able to see what queries were being made when the app loaded. From there I was able to confirm the requests being made, and since Pi-hole blocks out a few analytics, wildcarding in DNSBL did not seem like a horrible thing.
Hope the steps above and the initial post help someone else and keep their SO from complaining :)
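The approach from the follow-up post (watching which DNS names the phone requests while the app loads), as an added example that is not part of the original posts: it lists every name one client queried, marks the ones the resolver blocked, and groups them by parent domain to show what a wildcard entry would cover. The log lines are constructed, the dnsmasq-style line format is an assumption about what your resolver writes, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in dnsmasq log style; hostnames and addresses are made up.
SAMPLE_LOG = """\
Aug 10 21:04:11 dnsmasq[811]: query[A] app.snapchat.com from 192.168.1.50
Aug 10 21:04:11 dnsmasq[811]: gravity blocked app.snapchat.com is 0.0.0.0
Aug 10 21:04:11 dnsmasq[811]: query[A] www.example.org from 192.168.1.20
Aug 10 21:04:11 dnsmasq[811]: forwarded www.example.org to 192.168.1.1
Aug 10 21:04:12 dnsmasq[811]: query[AAAA] cdn.media.snapchat.com from 192.168.1.50
Aug 10 21:04:12 dnsmasq[811]: forwarded cdn.media.snapchat.com to 192.168.1.1
Aug 10 21:04:12 dnsmasq[811]: query[A] metrics.tracker.example from 192.168.1.50
Aug 10 21:04:12 dnsmasq[811]: gravity blocked metrics.tracker.example is 0.0.0.0
"""

# Assumed line shapes: "query[TYPE] NAME from CLIENT" and "... blocked NAME is ADDR".
QUERY = re.compile(r"query\[(?P<type>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
BLOCKED = re.compile(r"\bblocked (?P<name>\S+) is ")


def queries_for_client(log_text, client):
    """Map each name the client asked for to True if a block line followed it."""
    seen = {}
    for line in log_text.splitlines():
        q = QUERY.search(line)
        if q:
            if q["client"] == client:
                seen.setdefault(q["name"], False)
            continue
        b = BLOCKED.search(line)
        # Block lines carry no client address, so they are matched by name only.
        if b and b["name"] in seen:
            seen[b["name"]] = True
    return seen


def group_by_parent(names):
    """Group hostnames under their last two labels (naive: ignores suffixes like co.uk)."""
    groups = defaultdict(list)
    for name in sorted(names):
        parent = ".".join(name.rstrip(".").split(".")[-2:])
        groups[parent].append(name)
    return dict(groups)


if __name__ == "__main__":
    seen = queries_for_client(SAMPLE_LOG, "192.168.1.50")
    for parent, hosts in group_by_parent(seen).items():
        print(f".{parent}")
        for host in hosts:
            print(f"    {host:30} {'BLOCKED' if seen[host] else 'allowed'}")
```

Reviewing the grouped output before adding a wildcard shows which hostnames under that parent are currently blocked and would become reachable.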