Netgate Discussion Forum

    25.07.1: aspx login page no longer loads, did in 24.11

    • beerguzzle

      Access to this webpage worked in 24.11, but not 25.07.1, need help please...

      https://portal.wespath.org/loginpage.aspx

      For networks without pfsense in use, it loads a full login page. On my two systems with pfsense 25.07.1, I only get the word "Wespath" and nothing else. This webpage worked on my Netgate 2100 back in 24.11, rules haven't changed since the upgrade to 25.07.1 this past Sunday. It also won't load with my Netgate 1100 either. Stared at the syslogs, nothing blocked. Turned on logging for 80 and 443, no clue there either. Did a quick tcpdump (attached) from my local system (192.168.1.5; cleo.home.arpa is the firewall) to the webpage and stared at it with wireshark. I get a blast of red in wireshark at the end, see screengrab. Any ideas what is going on and how to fix?

      packetcapture-mvneta0.4091-20250826131441.pcap
      Screenshot 2025-08-26 at 1.50.03 PM.png

      Netgate 1100 and Netgate 2100, latest pfsense+ version

      • SteveITS Rebel Alliance @beerguzzle

        I was all set to say "that can't be" but I see the same thing. However Firefox's network panel shows multiple connections to localhost for 590x (VNC?) and 3389 (RDP). Maybe the site is infected? Not sure how the router software version can be relevant to that though.

        d568f39a-3985-4a0d-a49f-ab1c0de50630-image.png

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
        Upvote 👍 helpful posts!

        • beerguzzle @SteveITS

          @SteveITS On a Mac, latest OS. With Firefox 142.0, I see the attached info with Web Dev Tools->Network. Where do you see ports 3389 or 590x in your output?? I see zilch in the way of loopback traffic, and I also see zero in the way of port information on my network info in Firefox. Seeing port info beyond 80/443 would be nice. It is the same picture with Safari (version 18.6) under Web Inspector->Network.

          FYI, I don't allow either port 3389 or 590x traffic in my firewall rules.

          Screenshot 2025-08-26 at 4.42.08 PM.png

          • SteveITS Rebel Alliance @beerguzzle

            @beerguzzle This part:
            51c5bc1b-3ac9-4697-abfc-591e6620b47c-image.png

            Seemed odd for it to be doing anything with localhost. I didn't screen cap the 127.0.0.1:3389 but it was in the list.

            I didn't specify but I had pulled it up on another PC+location first and didn't see the partial page load, though didn't view the network tab there. Maybe it's hitting different web servers? (speculation)

            • beerguzzle @SteveITS

              I would love to hear from any of our other readers what happens when they try to connect to this URL. Full page load with login/password stuff, or just an isolated "Wespath" logo? Diagnostic info, if it failed, would also be appreciated.

              • terryzb @beerguzzle

                @beerguzzle
                Only the isolated "Wespath" text. I see these errors in the javascript console.
                727cf44f-81c6-4c45-8e8a-dfa253c72c5a-image.png

                • johnpoz LAYER 8 Global Moderator @beerguzzle

                  @beerguzzle here is what I see

                  This is blocked by my pihole

                  Found 2 adlists exactly matching 'cdn.split.io'.
                    - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts (block)
                      - cdn.split.io
                    - https://raw.githubusercontent.com/blocklistproject/Lists/master/basic.txt (block)
                      - cdn.split.io
                  

                  And then that benefitaccess.org is blocked by ublock origin

                  site.jpg

                  Yeah all I get is that wespath black gray logo or whatever... If I turn off ublock.. I get a bunch of crap to loopback on bunch of different ports

                  loadloopback.jpg

                  This isn't a pfsense issue that is for sure.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

                  • w0w @beerguzzle

                    @beerguzzle said in 25.07.1: aspx login page no longer loads, did in 24.11:

                    just an isolated "Wespath" logo?

                    Chrome, Edge all the same — just logo. Do you have pfBlocker enabled?

                    • Gertjan @beerguzzle

                      @beerguzzle said in 25.07.1: aspx login page no longer loads, did in 24.11:

                      https://portal.wespath.org/loginpage.aspx

                      Looks fine to me :

                      17ed4df9-4670-46dc-a58b-07f00d817cb6-image.png

                      They probably had some cleaning to do ?

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      • patient0 @beerguzzle

                        @beerguzzle only logo on Firefox/macOS 142.0/aarch and piHole. Same as for johnpoz, cdn.split.io blocked. content.benefitsaccess.org blocked by upstream DNS (Control D, StevenBlack Unified list)

                        • beerguzzle

                          Thanks to all the boffins here who gave me some more clues as to what was going on. This was a pfblockerng setting/issue.

                          I run pfblockerng, with StevenBlack ADs in my DNSBL feeds. Via command line in /var/db/pfblockerng, doing a "find . -type file -print | xargs grep cdn.split.io" there it was in his list. So I went to pfBlockerNG/DNSBL, went down to DNSBL Whitelist and added cdn.split.io there. Then force reloaded, and checked that the site resolved on my firewall. Then cleared the DNS cache on my Mac, and voila the webpage loaded correctly.

                          I consider having to whitelist cdn.split.io an ugly fix to my problem. But it is a fix.

                          In Firefox, using the developer tools->Network, when loading this page I do not see the loopback traffic with odd port numbers that some of you saw. Some setting in the firefox dev tools?

                          • johnpoz LAYER 8 Global Moderator @beerguzzle

                            @beerguzzle could be you're running some app the site is looking for that we are not.. that connection refused could just be generic label because our boxes not listening on it, etc.

                            Could be something different in our firefox settings? Could be a dns related where we resolved something to loopback and you are not. Lots of things that could cause that. Firefox does use loopback to talk to itself,

                             [firefox.exe]
                              TCP    127.0.0.1:32193        127.0.0.1:32192        ESTABLISHED
                             [firefox.exe]
                              TCP    127.0.0.1:32194        127.0.0.1:32195        ESTABLISHED
                             [firefox.exe]
                              TCP    127.0.0.1:32195        127.0.0.1:32194        ESTABLISHED
                             [firefox.exe]
                              TCP    127.0.0.1:53567        0.0.0.0:0              LISTENING
                            

                            But since site is working for you now, and I have no desire or need to ever go there.. not something worth looking into myself. It's not a pfsense thing.. Could be something in pihole resolve something to that.

                            • Gertjan @beerguzzle

                              @beerguzzle said in 25.07.1: aspx login page no longer loads, did in 24.11:

                              I run pfblockerng, with StevenBlack ADs in my DNSBL feeds. Via command line in /var/db/pfblockerng, doing a "find . -type file -print | xargs grep cdn.split.io" there it was in his list. So I went to pfBlockerNG/DNSBL, went down to DNSBL Whitelist and added cdn.split.io there. Then force reloaded, and checked that the site resolved on my firewall. Then cleared the DNS cache on my Mac, and voila the webpage loaded correctly.

                              I consider having to whitelist cdn.split.io an ugly fix to my problem. But it is a fix.

                              I use Steven's list too, and didn't have to whitelist anything whatsoever.
                              Yes, "cdn.cdn.split.io" is in Steven's list, I found it.

                              But it's also in the Tranco TOP1M that I use:

                              2a82e7f2-8968-44d7-afb5-1641909697d0-image.png

                              So that explains why I didn't have any issues. "cdn.cdn.split.io" is auto whitelisted for me as I don't want to have to deal with:

                              The TOP1M feed can be used to whitelist the most popular Domain names to avoid false positives.

                              😊

                              153838a9-34ad-411c-9aa1-19734e8dfce9-image.png

                              When I searched in line 8476 (a very long line; thousands of hosts (10791!) are listed in there), I found "cdn.cdn.split.io". So it was filtered out, among 106 others - see image.

                              @beerguzzle said in 25.07.1: aspx login page no longer loads, did in 24.11:

                              I consider having to whitelist cdn.split.io an ugly fix to my problem. But it is a fix.

                              Not ugly.
                              When you choose a list, you take it as a whole. If any false positives exist in it, you have to whitelist them all.
                              The perfect list for you ... can only be created (and maintained) by .... you ;)


                              1 Reply Last reply Reply Quote 0
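
Added example (not part of any post in this thread): a plain `grep cdn.split.io` treats each `.` as a wildcard and also matches longer names such as cdn.cdn.split.io, so the function below reports only the feed files that list a domain as a whole hostname. The function name, the sample feed contents and the assumption that feed files are plain text are illustrative; on the firewall the directory would be /var/db/pfblockerng.

```shell
#!/bin/sh
# Added example: exact-hostname search across DNSBL feed files.
# Assumption: feed files are plain text; the per-line layout is not
# assumed, only that hostnames are delimited by characters that cannot
# occur inside a hostname.

# Print the files under directory $1 that list domain $2 as a whole hostname.
find_domain_in_feeds() {
    dir=$1
    # Escape dots so "." matches only a literal dot.
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    # Require a non-hostname character (or a line edge) on both sides, so
    # "cdn.split.io" does not match "cdn.cdn.split.io" or "cdn-split.io".
    pat="(^|[^A-Za-z0-9._-])${esc}(\$|[^A-Za-z0-9._-])"
    find "$dir" -type f -exec grep -liE -- "$pat" {} + | sort
}

# Constructed sample feeds (not real pfBlockerNG data).
demo() {
    tmp=$(mktemp -d)
    printf '0.0.0.0 ads.example.net\n0.0.0.0 cdn.split.io\n' > "$tmp/feed_a.txt"
    printf '0.0.0.0 cdn.cdn.split.io\n' > "$tmp/feed_b.txt"
    printf '0.0.0.0 cdn-split.io\n' > "$tmp/feed_c.txt"
    echo "substring grep (matches all three constructed feeds):"
    grep -rl 'cdn.split.io' "$tmp" | sort
    echo "exact hostname match (only the feed that really lists it):"
    find_domain_in_feeds "$tmp" cdn.split.io
    rm -rf "$tmp"
}

demo
```

Knowing exactly which feed carries the entry shows which list a DNSBL whitelist entry is overriding, and whether the block comes from the queried name itself or from a longer name that merely contains it.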
                              • SteveITS Rebel Alliance @johnpoz

                                @johnpoz I thought about that but here the two ports I noticed as the page loaded were 3389 and 5900 (counting up). Which seems not so random. I didn't let it run very long. I was just trying to see if something wasn't loading.

                                And FWIW the 27.07 router I have does have pfBlocker blocking ads, and the other doesn't, but I wasn't going to try it on the other one again.

                                • johnpoz LAYER 8 Global Moderator @SteveITS

                                  @SteveITS yeah those ports do stick out for sure.. And do seem odd for sure.. You wouldn't run your own app on those ports - those are for sure for rdp and vnc..

                                  Wespath is some church run investment something.. I would never in a million years have any desire to do any business with them ever..

                                  • beerguzzle @SteveITS

                                    @SteveITS Since the Netgate 2100 is at the Methodist local church and I support the firewall, this was a real user issue. They access the site monthly to do retirement account contributions for the church employees. Fortunately the login mechanism (once you can see it) requires two-factor authentication. Glad for that.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.