Rule works for ping but not for http
-
Hi friends - I have a firewall rule at the top of my LAN (well, technically under anti-lockout) that routes any traffic under any protocol to an alias list through a specific gateway, and logs everything through that rule for tracking. The gateway is a different gateway than my default; my default gateway is a gateway group with a list of VPNs, and this special gateway is a gateway group with only one VPN. The alias list is a mix of URLs and IPs. When I ping from an endpoint to one of the targeted URLs, I can see the firewall rule is applied and the traffic is routed through the special gateway specified in the rule. But when I visit the website in question in the browser, the rule typically does not get applied. It works sometimes for some URLs and never for others. I tried setting it up as a floating rule instead of a LAN rule (thinking there might be some conflict with pfBlockerNG + DNS Resolver) but it makes no difference.
I know it is customary to explain my entire setup, but before doing that, can someone help me understand why the rule would only work occasionally for browser traffic but work perfectly for cmd line pings?
-
@mdt
How does the concerned rule look exactly?
-
@viragomann
Action: Pass
Interface: LAN
Protocol: Any
IPv4 only
Source: Any
Destination: Alias_LIst
State type: Keep
Gateway: SingleVPNGroup
-
@mdt
Remember that most website requests pull data from different resources on the internet. Possibly not all are included within your destination alias.
Try "any" for testing.
-
@viragomann Any works; is there another approach to routing traffic to specific sites that might be more reliable?
-
@mdt
So you will have to review the rule.
Maybe you can limit it to certain source IPs or destination ports or a combination of both. Otherwise you would have to expand the destination alias to cover all requested resources.
-
@mdt Aliases resolve hostnames every 5 minutes by default.
pfBlocker can create aliases using ASNs (company) if that fits your need.
-
@mdt said in Rule works for ping but not for http:
ping uses the protocol ICMP.
'http' uses TCP.
edit:
"http" or TCP traffic from a (nearly always) random source port to (always !!) port 80 destination is actually rarely used, as http servers are being taken down by the millions. That is: they do still exist for one reason: redirect you to the port 443 or 'https' equivalent, as today everybody uses https (TLS).
-
I was able to get it to work by adding the ASN to the alias table that powered the rule, but now it's not working. Why would the rule simply not work when the domain, IP, and ASNs all match the destination website? Even if the website uses resources from other domains, this website is explicitly showing that my IP is my default gateway IP and not the custom gateway I have set for this domain. The rule works for other domains, just not one specific domain.
-
@mdt and what domain is that? It's really hard to solve a puzzle when most of the pieces are missing.
Are you saying when you go to this whatever fqdn it doesn't go out your specific gateway? Do you have a state already there? A common issue I have noticed is users don't understand that states are evaluated before rules.. If you open a state to xyz, and then create a rule that says hey block this or send this traffic out gateway B.. Not going to take effect because there is already a state there that says send it out gateway A, or allow it, etc.
-
@johnpoz To clarify, the state would be closed once I close the tab to that FQDN in my browser, is that right? This rule has been in place for a while, through pfsense box restarts, etc. It's to a top 10 domain.
-
@mdt I would think, if you close the browser. Or wait 5? minutes.
-
@mdt if it's a top 10 domain, why not say it - do not want people knowing you're going to p0rn hub or something.
Just had something like this the other day with a user having an alias for reddit.com, guess what happens when you go to reddit.com - it sends you to www.reddit.com which has completely different IPs, and no, they wouldn't be in the alias for reddit.com
As to state closing on browser tab? You would hope that the client would send a fin sure when you close a tab.. But can not be sure - check your states..
You can also run into the issue where the client is using dns that is different than what pfsense is using when it populates the alias - most of these sites, for sure a big one, are served off CDNs - so there are going to be lots of different IPs, with short ttls, etc.
Without some details, it's like you are giving us 200 pieces of a 1000 piece puzzle and asking us to complete it..
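An added diagnostic example (not code from this thread or from pfSense) that puts the last few posts together: it compares constructed `pfctl -ss`-style state lines against what the alias resolved to at its last refresh, and reports the destinations the policy-routing rule could never have matched, which is exactly the traffic that ends up on the default gateway. Alias contents, hostnames and addresses are hypothetical (TEST-NET ranges), as is the state table.

```python
import ipaddress
import re

# Constructed: what the alias resolved to at its last (default 5-minute) refresh.
# Hostnames and addresses are hypothetical, not real records for any site.
ALIAS_ENTRIES = {
    "example-site.test": ["203.0.113.10", "203.0.113.11"],  # FQDN entry, resolved by pfSense
    "198.51.100.0/24": ["198.51.100.0/24"],                 # static network entry
}

# Constructed lines in the shape of `pfctl -ss` output: proto, src -> dst, state.
# 203.0.113.77 stands in for a CDN edge handed to the browser by the client's own
# resolver (or a www.* redirect) that the alias never saw.
SAMPLE_STATES = """\
all icmp 192.168.1.20:8 -> 203.0.113.10:8       0:0
all tcp 192.168.1.20:51512 -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.20:51520 -> 203.0.113.77:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.20:51530 -> 198.51.100.53:443       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(r"^\S+\s+(\w+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)")


def alias_networks(entries):
    """Flatten the alias into ip_network objects (a bare address becomes a /32)."""
    return [ipaddress.ip_network(item, strict=False)
            for resolved in entries.values() for item in resolved]


def parse_states(text):
    """Return (proto, dst_ip, dst_port) for each IPv4 state line; skip junk lines."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        proto, _src, dst, _state = m.groups()
        host, _, port = dst.rpartition(":")
        out.append((proto, ipaddress.ip_address(host), int(port)))
    return out


def uncovered_states(text, entries):
    """States whose destination is outside every alias entry. Those never matched
    the rule (and an existing state keeps its original gateway anyway)."""
    nets = alias_networks(entries)
    return [(p, str(ip), port) for p, ip, port in parse_states(text)
            if not any(ip in n for n in nets)]


if __name__ == "__main__":
    for proto, ip, port in uncovered_states(SAMPLE_STATES, ALIAS_ENTRIES):
        print(f"{proto} to {ip}:{port} is outside the alias; add its host or CDN range")
```

Run the same check against real `pfctl -ss` output and the alias table from Diagnostics > Tables to see which of a site's actual destinations the alias is missing.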
-
@johnpoz That thread solved it, added other IPs and CDNs in addition to the ASN. For future reference, it appears that for top websites, adding the ASN and IPs that resolve at any given point in time is insufficient. You have to really find the variety of CDNs and other resources used, www and non-www, etc.
-
@mdt keep in mind when you block or redirect ASNs - you are most likely going to end up blocking or redirecting stuff you don't really want to block/redirect..