Some websites are not opening from LAN side of firewall
-
I installed new firewall on a 6 user site for a friend.
After a week of running they are reporting various issues.

One issue is a small few internet websites do not load on mobile or Windows 10 PC browsers on the internal network.
Example sites not loading:
https://www.eircode.ie/, https://www.idrive.com/, https://app.xink.io/

Note:
The sites that do not load, do respond to a ping and resolve a trace route.
The websites load if mobiles use 3G\4G and laptops also load the sites if Hotspot from mobile.

System Netgate 7100
Firmware 01.00.00.20
pfSense 22.01-RELEASE
DNS server(s) 1.1.1.1, 8.8.8.8, 9.9.9.9

Installed Packages
aws-wizard 0.10
ipsec-profile-wizard 1.0_4
Netgate_Firmware_Upgrade 0.51
openvpn-client-export 1.6_4

Outbound NAT Mode: Hybrid
I could really do with a hand troubleshooting this, please.
-
@versionboy Are there any rules blocking traffic on the LAN interface?
Any chance it's an IPv6 issue? Is IPv6 configured and working? Doesn't seem like www.idrive.com has an AAAA record though.
Interesting you say ping works, since I can't ping that one either.
Pinging www.idrive.com [148.66.234.46] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
-
@steveits
There is a rule from the LAN to allow all ipv4 traffic anywhere.
There is also a rule on the LAN to block all IPv6 traffic.

| States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description | Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| | IPv6 * | LAN net | * | * | * | * | none | | Default Block LAN IPv6 to any rule | |
| | IPv4 * | LAN net | * | * | * | * | none | | Default allow LAN to any rule | |

Apologies, I had pinged the other two sites but not idrive.
Your results match mine.

I have just used the Diagnostics \ Port Test to do a 443 test to the destination site on IPv4 and it worked.
IPv6 is off on the firewall. At least I believe it is disabled.
Is it worth trying to reenable IPv6?

Regards
-
@steveits Thanks for the advice and to look @ IPv6
Just wanted to let you all know I reenabled IPv6 on the firewall and the sites that would not load are now loading on mobiles and PCs.
Can anyone explain how this resolved the issue when the local network does not use IPv6?
Also why did this only affect the loading of a small number of websites?

Regards
-
@versionboy How did you disable/enable it? Something like, it’s resolving the AAAA record and the PC has an IPv6 address so tries to connect, but traffic is blocked on LAN that could do it. The drive site didn’t seem to have AAAA though.
-
@steveits On the WAN interface I set "IPv6 Configuration Type" to none.
I had not changed the LAN IPv6 config default.

So I would have to disable IPv6 on all devices inside the network too I suppose!
Thanks for the advice. I'm still fairly new to pfsense and Netgates.
Regards
-
@versionboy If the PCs still had an IPv6 address assigned that hadn’t expired yet that might still try to use it?
At this point if you have 6 available I would just keep it active. :)