pfSense Blocking MFA... any idea why and how???
-
I've searched around and cannot find any other discussion of this topic in this forum or the Internet at large. Could be I'm not looking for the right keywords, or could be there's something odd with my network.
Problem is I cannot access a number of commercial Multi-Factor Authentication (MFA) challenges that I attempt to reach. There seems to be a pattern, but I'm not knowledgeable enough about MFAs to be able to identify what type I can't access. What occurs is this... 1) login to a website (e.g. health insurance company); 2) browser refreshes the page and at this point, would normally display a question asking me how I want to receive an MFA challenge... normally the options would be via cell phone text message or email. The problem is, I never see step 2. I get a blank page and no amount of refreshing will change that.
I've been able to determine it is caused by something on my network... and the only common denominator is pfSense. I've tried to reach the same site on 4 different web browsers and 3 different devices on my network (desktop, laptop, smart phone). Every one of them has the same user experience, described above.
Next, I tried accessing one of the sites with my smart phone after disabling WiFi and forcing it to connect via wireless. Works perfectly.
Change the device back to WiFi on my LAN and try again, and again it fails to function properly.
I have disabled every package (only thing I have except Cron is pfBlocker)... no change. Turned off my DNS NAT that forces Secure DNS so I can avoid my ISP's DNS snooping... still no workie.
The only clue I've been able to derive is it may possibly be showing up in the Firewall log as a dropped TCP:S with destination of my public IP address. pfSense reports the drop with "Default deny rule IPv4" in the Firewall log. However, I can't tell for sure. Most of those entries are clearly junk sites probing, and it may have nothing to do with the problem I'm trying to solve.
Any suggestions?
-
pfSense itself does nothing that might interfere with that.
Blocked TCP:SYN traffic arriving at your WAN is expected unless you are forwarding that to an internal server.
It pretty much has to be pfBlocker so check the alerts listed there.
If you're forwarding all DNS traffic to an external service that filters responses that could be a cause.
Steve
-
@stephenw10 thanks for your reply.
I suspected pfBlocker, but when I attempt to disable it (via its settings), the problem persists.
My network setup consists of a pass-through to an AT&T gateway router. I'm starting to wonder if something could have changed with regards to that. When I get a chance, I may attempt plugging a laptop directly into the gateway and then test. If that works, I suppose uninstalling pfBlocker may be in the cards.
-
Really you need to determine exactly what is failing here.
Try using the browser debug tools to see what it's trying and failing to open.
We don't yet know if it's a blocked IP or DNS failing to resolve.
Steve
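
One way to separate the two cases raised above (DNS failing versus a blocked IP), as an added example that is not part of the original thread: for each hostname the browser's debug tools show failing, it reports whether the name failed to resolve, resolved to a sinkhole address, or resolved normally but would not accept a TCP connection. The function names and the sinkhole list are assumptions; 10.10.10.1 is pfBlockerNG's default DNSBL virtual IP and may differ in your configuration.

```python
import socket
import sys

# Assumption: addresses a filtering resolver hands back instead of the real one.
# 10.10.10.1 is pfBlockerNG's default DNSBL virtual IP; change it to match your setup.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "10.10.10.1"}


def _resolve(host):
    """IPv4 addresses for host via the system resolver (raises socket.gaierror)."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def _connect(addr, port, timeout):
    """Complete a TCP handshake, then close (raises OSError on timeout/refusal)."""
    socket.create_connection((addr, port), timeout=timeout).close()


def classify(host, port=443, timeout=3.0, resolve=_resolve, connect=_connect):
    """Return (verdict, detail) for one hostname the browser failed to load."""
    try:
        addrs = resolve(host)
    except OSError as exc:
        return ("dns-failure", str(exc))
    if not addrs:
        return ("dns-failure", "no IPv4 addresses returned")
    sunk = [a for a in addrs if a in SINKHOLES]
    if sunk:
        return ("dns-sinkholed", sunk[0])
    errors = []
    for addr in addrs:
        try:
            connect(addr, port, timeout)
            return ("reachable", addr)
        except OSError as exc:
            errors.append(f"{addr}: {exc}")
    return ("tcp-failed", "; ".join(errors))


if __name__ == "__main__":
    # Usage: python check_hosts.py <hostnames copied from the browser's Network tab>
    for name in sys.argv[1:]:
        verdict, detail = classify(name)
        print(f"{name:40} {verdict:14} {detail}")
```

A `reachable` verdict for every third-party host means name resolution and the firewall path are both fine for that device, which points the search at the workstation itself.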
-
@stephenw10 appreciate your thoughts and comments.
I've now been able to determine it's not a network issue - as you said - but appears to be narrowed down to my Windows 10 workstations. Snooping some of the forms not displaying correctly to the end user, they share some characteristics:
- iframe
- JavaScript calling a 3rd party site for MFA
It's odd. I'm now wondering if the culprit could be BitDefender or some issue with the Win 10 build. The problem exists on all browsers tested on the same workstations.
I'll keep digging, but thank you for your suggestions that allowed me to confirm I can get the access to work on non-Win 10 devices over the network, so at least I know for sure it's not pfSense.
-
-
@longhorn said in pfSense Blocking MFA... any idea why and how???:
@stephenw10 appreciate your thoughts and comments.
I've now been able to determine it's not a network issue - as you said - but appears to be narrowed down to my Windows 10 workstations. Snooping some of the forms not displaying correctly to the end user, they share some characteristics:
- iframe
- JavaScript calling a 3rd party site for MFA
Security software might do things like that.
-