Not able to connect to some website
-
That is very odd. I just tested it on my end (I don't have IPv6 where I am currently, but via IPv4 it definitely connects via TLSv1.3 to archlinux.org). I am not aware of what pfSense being "in the middle" of this connection could possibly have to do with your browser's choice of TLS level, or the way the server "sees" your connection capabilities, unless there was some MITM going on. But I assume you are not running any kind of proxy (snort, haproxy etc) that could be tampering with these packets, right? Maybe someone else has some idea...
-
if you look at the ssl test for archlinux.org - they do not support 1.0 or 1.1 so no if your client isn't able to do atleast 1.2 then your not going to connect
Unless you were running some sort of mitm setup pfsense would do nothing with your tls connection, what your client is capable of would come from the client.. You can look in the handshake to see what your client offers, etc.. In your sniff.
Here is an example handshake.. and what my client is saying it supports
You can read up on how the handshake works here
https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
But again pfsense out of the box would have no way to mess with that handshake..
I would go here - what does it show for what your browser supports?
https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
-
@johnpoz
Here is a screenshot about my browser. Seams all good.
Below is a screenshot about what TSL version MyPC support. (From the same sniffs above.) Both with and without pfSense, MyPC reports it support TSLv1.2 and 1.3 in both.
This results are consistent on my every device, windows, android, etc.
As for MITM, I can't not recall I did anyting like it, or I just don't realize what I did. My pfSense is quite vanilla, no other addon package.
Some weird thing I did is that I bridged LAN, OPT2, OPT3 together (as bridge0) but not assign bridge0, instead I assign each interface. I setup 3 DHCP server on LAN, OPT2, OPT3, tracking WAN on LAN, set RA assisted, no IPv6 configuration on OPT2 and OPT3. (MyPC is under LAN.) I can't get more interface to track WAN since my ISP gives me /64 prefix. Under this configuration, I can get IPv6 and IPv6 connectivity form every port which is kinda weird.
If I assign bridge0, and configure bridge0 IPv6 to track WAN interface, IPv6 just doesn't work, no ip, no connection. I suspect is due to some limitation or lack of proper switch chip. -
@jeff_wuyo said in Not able to connect to some website:
I setup 3 DHCP server on LAN
huh? But you bridged them?
my ISP gives me /64 prefix
Yeah you got some weirdness setup there for sure.
If your wanting to use IPv6 behind pfsense, but your ISP does not do delegation of a prefix to use behind a router. Prob better to just get a IPv6 tunnel from hurricane electric. Here you can get a /48 to use how you wish. On your different segments behind pfsense.
I am not exactly clear what your doing with your bridging - but can tell you for sure if what you want is switch, then get a switch vs doing anything with a bridge.
-
@jeff_wuyo WAN interface MTU + MSS entered correctly?
e.g.
-
@nonick said in Not able to connect to some website:
@jeff_wuyo WAN interface MTU + MSS entered correctly?
I think you shouldn't reduce the value of MSS, it is done by pfSense, see the explanation under it.
-
@bob-dig said in Not able to connect to some website:
I think you shouldn't reduce the value of MSS, it is done by pfSense, see the explanation under it.
Unfortunately not, it's a bug in pfSense.
Netgate 6100
-
@nonick said in Not able to connect to some website:
Unfortunately not, it's a bug in pfSense.
And where is the redmine to that? I sure do not need to edit my mtu or mss values? Are you on some sort of say PPPoE connection or something where standard mtu does not work?
Unless your on some isp connection that requires something lower, there should be no need to edit those.
-
@nonick said in Not able to connect to some website:
Unfortunately not, it's a bug in pfSense.
Maybe it is fixed? That's why I think it is.
-
@johnpoz said in Not able to connect to some website:
but can tell you for sure if what you want is switch
Yes, what I want is indeed switch. I also want to have different subnet, or rather different network to manage other device. Perhaps I should get a managed switch.
huh? But you bridged them?
Yeah, it's the way I figure out how to make all port have IPv6 connectivity. The way I do it is against my knowledge about how router and switch work, it just looks wrong. The machine which pfSense runs on has 4 ports, thus I want to make it works as router/switch. But if I bridged them and assign bridge0, only IPv4 worked, no IPv6 connectivity. Assigning bridge to me is more correct way to do it, but I'll lose IPv6.
@nonick said in Not able to connect to some website:
WAN interface MTU + MSS entered correctly?
No. I leave it blank, which would be default. I'm not fully understand MTU and MSS, thus I ignore it for now.
-
@jeff_wuyo said in Not able to connect to some website:
Perhaps I should get a managed switch.
Doesn't have to be a full managed switch, you can get a 8 port gig smart switch (does vlans) and some other limited features of a fully managed switch. For very reasonable price, there are many on the market in the $40 price range.
But yes if your goal is to segment your network - a vlan capable switch is going to be be helpful ;) Next would be a access point that can also do vlans. If you want your wireless clients to be on different networks as well.
While a bridge does have use cases, trying to turn interfaces into switch ports is not really a good use for a bridge. You can fry up a hamburger patty and "call" it steak - but its not a very "good" steak ;)
-
@johnpoz said in Not able to connect to some website:
trying to turn interfaces into switch ports is not really a good use for a bridge
That's true. I'm asking pfSense for too much lol.
The topic is altered.
Is the bridge-thingy I did causing my TLS connection to change? Hard to tell I think. I might reset pfSense and test again eventually. For now, I think I can still tinkering around. -
@jeff_wuyo said in Not able to connect to some website:
I'm asking pfSense for too much lol
Not so much that - but bridging is not switching. While it may mimic a switch in some aspects. Its not really switching..
There are some valid use cases where sure bridging is the solution - but wanting switch ports is not one of them ;)
-
@bob-dig
I set my MTU 6000 on both WAN and LAN. The reason I chose big MTU is I always see some lost fragment package, and according to how IPv6 handle package exceed MTU, I assume that the package is large. I could be totally wrong, if so, please do correct me.
Beside the adjustment above, I didn't bridge any interface together this time.
For the sake of convenience, I just prepare the data I sniffed. Please use wireshark for more detail.- File1
I was able to connect to archlinux, the handshake was successful, but not able load the site properly.
In this case, IPv6 for archlinux.org is [2a01:4f9:c010:6b1f::1] - File2 is too large to upload, I put it at google drive.
In this example, I connect to multiple site, youtube.com [2404:6800:4012:2::200e], archlinux.org [2a01:4f9:c010:6b1f::1], and ipv6-test.com [multiple IPv6]. Only archlinux.org could not establish connection. Occasionally seeing pfSense complain to MyPC that the package is too large.
It seems like I always losing package from archlinux.org, as least that's what I saw on wireshark. Maybe wireshark is interpret the information wrong. Due to the lack of knowledge, I can't tell anymore form the data. I hope someone can point out a thing or two.
- File1
-
@jeff_wuyo The maximum MTU for WAN-Interface is 1500 bytes (Ethernet maximum MTU size). With PPPoE connections, the PPPoE header increases the frame size by 8 bytes, so must lower the MTU to 1492.
You can test it with it, if it still doesn't work then set the MSS value additionally to 1452 or 1432.Netgate 6100
-
Nope, didn't work. I set MTU to 1492 on WAN, MyPC just falls back to IPv4. Pure IPv6 site e.g. v6.facebook.com just can't connect. I can't ping using IPv6. Setting MSS to 1452 or 1432 doesn't help either.
Here's some test I run.
@nonick said in Not able to connect to some website:
The maximum MTU for WAN-Interface is 1500 bytes
If that's so, why am I seeing package length way over 1500 when I setup my network as Modem/Router? Is wireshark just showing sum of multiple packages? (I should mention the Modem/Router is provided by my ISP, it's using PPPoE as well.) Here is an example.
-
@jeff_wuyo said in Not able to connect to some website:
I set my MTU 6000 on both WAN and LAN.
Well no wonder your having issues.. That is just borked..
-
@jeff_wuyo said in Not able to connect to some website:
I set my MTU 6000 on both WAN and LAN.
While you can do what you want on your own LAN, you should go with what your ISP requires on the WAN side.
-
@nonick said in Not able to connect to some website:
(Ethernet maximum MTU size)
Not any more. That ended with frame expansion in the late '90s and these days jumbo frames of several KB are possible.
PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access pointI haven't lost my mind. It's around here...somewhere...
-
@jknott said in Not able to connect to some website:
jumbo frames of several KB are possible.
While this is true - I highly doubt all his devices on his lan are using jumbo of 6000.. Devices like printer and for sure any iot normally have zero support for jumbo.
And typical nics/drivers support only a couple of sizes..
What I will say is pulling some arbitrary number like 6000 out of the air and setting your mtu to that is going to cause you grief that is for sure..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
