Outgoing connections are blocked but no logs are shown?!
-
Hi All,
I'm having a little problem.
Usually when I had an application that didn't work behind the firewall, I could check the logs and see which ports were blocked.
Nowadays, I get applications timing out, telling me they cannot get to the internet, and no logs whatsoever.
Here's a list of some applications that don't work.
- Itunes timing out while trying to connect to Apple Store
- Kaspersky Antivirus Security 2011 timing out while trying to activate.
- Kaspersky Antivirus Security 2011 timing out while trying to update databases.
- Symantec Antivirus timing out while not updating.
- Starcraft 2 not updating
- Radiotracker timing out
- Windows Update timing out
- Internet Explorer not connecting
What's funny is that I still can do a lot. Here are some examples:
- Firefox works unlike IE !? (nope, no strange proxies, etc, no viruses)
- Steam is working fine (Half-life, etc)
- Skype is working fine
- uTorrent is working fine
I even get those problems under Linux (tried Ubuntu): for example, I tried the Kaspersky antivirus live CD, which is Linux, and could not update the antivirus database but could use Firefox.
Note that I have 3 computers behind that firewall and they all have the same symptoms.
Also note that everything works fine when plugging directly into the modem.
I had problems in the past with packages such as Country Block and IP-Blocklist that killed my internet connection. I uninstalled them. Maybe they are still corrupting my rules or something.
I might try reinstalling a stock pfSense…
Here's my /tmp/rules.debug (edited) if that can help:
$ cat /tmp/rules.debug
#System Aliases
loopback = "{ lo0 }"
lan = "{ vr2 }"
wan = "{ vr3 }"
enc0 = "{ enc0 }"
#User Aliases
AllHosts = "{ AAA.AAA.AAA.100 AAA.AAA.AAA.101 AAA.AAA.AAA.102 }"
BlizzardDownloader = "{ 1119 3724 4000 6112:6114 6881:6999 }"
FBIPs = "{ BBB.BBB.BBB.BBB }"
FBPrintServer = "{ 9100 }"
Growl = "{ 23053 }"
Kaspersky = "{ 7022 7024 2001 }"
NewsLeecher = "{ 23 80 119 }"
NewsLeecherIPs = "{ 199.187.125.171 199.187.125.172 }"
NewsgroupsSSL = "{ 563 }"
SVN = "{ 3690 }"
Starcraft2 = "{ 1119:1120 }"
Steam = "{ 27000:27039 1200 7024 }"
SteamPing = "{ 2400:2600 27005 }"
host0 = "{ AAA.AAA.AAA.100 }"
host2 = "{ AAA.AAA.AAA.102 }"
host3 = "{ AAA.AAA.AAA.101 }"
pfSense = "{ AAA.AAA.AAA.254 }"
uTorrentIncoming = "{ 12345 }"
uTorrentOutgoing = "{ 12345:12346 }"
set loginterface vr3
set loginterface vr2
set optimization normal
set skip on pfsync0
scrub all random-id fragment reassemble
nat-anchor "pftpx/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"
#FTP proxy
rdr-anchor "pftpx/*"
#Outbound NAT rules
nat on $wan from AAA.AAA.AAA.0/24 port 500 to any port 500 -> (vr3) port 500
nat on $wan from AAA.AAA.AAA.0/24 port 5060 to any port 5060 -> (vr3) port 5060
nat on $wan from AAA.AAA.AAA.0/24 to any -> (vr3) port 1024:65535
#SSH Lockout Table
table <sshlockout> persist
#Load balancing anchor - slbd updates
rdr-anchor "slb"
#FTP Proxy/helper
table <vpns> { }
no rdr on vr2 proto tcp from any to <vpns> port 21
rdr on vr2 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#NAT Inbound Redirects
rdr on vr3 proto { tcp udp } from any to III.III.III.III port { 12345 } -> AAA.AAA.AAA.100
rdr on vr3 proto tcp from any to III.III.III.III port { 23053 } -> AAA.AAA.AAA.100
#IMSpector rdr anchor
rdr-anchor "imspector"
#UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "ftpsesame/*"
anchor "firewallrules"
#We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
#snort2c
table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
#Block all IPv6
block in quick inet6 all
block out quick inet6 all
#loopback
anchor "loopback"
pass in quick on $loopback all label "pass loopback"
pass out quick on $loopback all label "pass loopback"
#package manager early specific hook
anchor "packageearly"
#carp
anchor "carp"
#permit wan interface to ping out (ping_hosts.sh)
pass quick proto icmp from III.III.III.III to any keep state
#NAT Reflection rules
#allow access to DHCP server on LAN
anchor "dhcpserverlan"
pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on $lan proto udp from any port = 68 to AAA.AAA.AAA.254 port = 67 label "allow access to DHCP server on LAN"
pass out quick on $lan proto udp from AAA.AAA.AAA.254 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
#allow our DHCP client out to the WAN
anchor "wandhcp"
pass out quick on $wan proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
block in log quick on $wan proto udp from any port = 67 to AAA.AAA.AAA.0/24 port = 68 label "block dhcp client out wan"
#LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
antispoof for vr2
anchor "spoofing"
#block anything from private networks on WAN interface
anchor "spoofing"
antispoof for $wan
block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $wan from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $wan from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $wan from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
#Support for allow limiting of TCP connections by establishment rate
anchor "limitingesr"
table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"
#block bogon networks
#http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "wanbogons"
table <bogons> persist file "/etc/bogons"
block in log quick on $wan from <bogons> to any label "block bogon networks from wan"
#pass traffic from firewall -> out
anchor "firewallout"
pass out quick on vr3 all keep state label "let out anything from firewall host itself"
pass out quick on vr2 all keep state label "let out anything from firewall host itself"
pass out quick on $enc0 keep state label "IPSEC internal host to host"
#make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
pass in quick on vr2 from any to AAA.AAA.AAA.254 keep state label "anti-lockout web rule"
#SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
anchor "ftpproxy"
anchor "pftpx/*"
#User-defined aliases follow
table <pfsense> { AAA.AAA.AAA.254 }
table <host0> { AAA.AAA.AAA.100 }
#User-defined rules follow
pass in quick on $lan proto { tcp udp } from <pfsense> to any port = 53 keep state label "USER_RULE: Allow outgoing DNS for pfSense DNS forwarder"
block in log quick on $lan proto { tcp udp } from any to any port = 53 label "USER_RULE: Block outgoing DNS in case of rogue DNS servers"
pass in quick on $lan proto tcp from AAA.AAA.AAA.0/24 to any port = 80 keep state label "USER_RULE: Allow HTTP"
pass in quick on $lan proto tcp from AAA.AAA.AAA.0/24 to any port = 443 keep state label "USER_RULE: Allow HTTPS"
pass in quick on $lan proto { tcp udp } from <host0> to any keep state label "USER_RULE: Allow all outgoing traffic for host0"
#VPN Rules
pass in quick on vr2 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on vr2 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on vr3 inet proto tcp from port 20 to (vr3) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
#enable ftp-proxy
#IMSpector
anchor "imspector"
#uPnPd
anchor "miniupnpd"
#---------------------------------------------------------------------------
#default deny rules
#---------------------------------------------------------------------------
block in log quick all label "Default deny rule"
block out log quick all label "Default deny rule"
-
Sounds like it could be an MTU issue, try lowering your WAN MTU a bit, see if it clears up
-
Hi jimp,
Thanks for the fast reply.
I tried the following MTUs: 1500, 1495, 1492, 1460, and same problem. I rebooted pfSense and disabled/enabled my NIC between the tests to be sure.
I think my problem can be summarized as follows:
I try to connect to google.com using different browsers, with no software firewall, antivirus or proxies enabled whatsoever.
Firefox is working as intended. Opens instantly the web page.
Internet Explorer is trying to connect forever. Waiting for an answer from the web, then timeout.
Chrome same problem as IE.
Opera working same as Firefox. Thank god for Firefox and Opera! :D
Tried with IP addresses in the URL bar, same problem.
Also, I can ping any website without problem.
-
Checked the browser proxy settings in IE? Some other apps key off of that.
-
Yes, no proxies in the proxy tab.
-
Then you'll probably have to do a packet capture (Diagnostics > Packet Capture) on WAN and LAN for a request that works and a request that fails to compare them and see what might be going wrong.
-
jimp,
I captured the packets as you suggested:
Did the test on IE and Firefox separately connecting to pfsense.org (69.64.6.21)
Here are the results:
IE
Firefox
The IE capture is talking about something called wpad. I searched Google and it seems that's the Web Proxy Autodiscovery Protocol. Not sure what that's for but will read the wiki to understand (http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol).
Another funny thing: while trying to upload the images on http://imageshack.us/, the upload did not work with the standard upload on the main web page (ajax?) at http://imageshack.us/ but worked when using the upload function behind the link "Can't Upload? Try This" (http://imageshack.us/?no_multi=1). That's the same problem my network is having.
-
Something is announcing itself as a proxy, and IE is set for autoconfigure, and happily using those settings.
Uncheck the box in IE's proxy settings for automatic
-
Yep, it's working now for both IE and Chrome (since Chrome uses IE's proxy parameters).
Great!
Anyway, what do you think can announce itself as a proxy?
A badly uninstalled squid or havp? I tried them before and uninstalled them.
-
It would have to be explicitly set up in DNS to respond to "wpad.<your domain name>" (or some variations, check the Wikipedia doc).
It's not something that can be done accidentally.
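The DNS half of WPAD that jimp describes, as an added example that is not part of the thread and not pfSense code: a small probe that walks the client's DNS domain the way an auto-detecting browser does, asks for each wpad host, fetches /wpad.dat from the first one that answers, and lists the proxies the PAC file would hand out. The resolver and fetcher are injected so the logic runs offline here against constructed data; the domain lan.example.com, the address 192.0.2.10 and the PAC text are all made up for the demo. Pass the real dns_resolve and http_fetch from the same block to check your own LAN.

```python
"""Probe a LAN for a WPAD proxy announcement (added example, not from the thread).

A WPAD-enabled client in domain lan.example.com looks up wpad.lan.example.com,
then wpad.example.com (it stops before the top-level domain), and fetches
http://<first hit>/wpad.dat.  Whatever "PROXY host:port" that script returns
is where the browser silently sends its traffic, which is exactly the
symptom in this thread: IE/Chrome hang, Firefox (no auto-detect) is fine.
"""
import re
import socket
import urllib.request
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]   # hostname -> IP or None
Fetcher = Callable[[str], Optional[str]]    # URL -> body text or None

# Return keywords a PAC script may use; DIRECT carries no endpoint, so it is skipped.
PROXY_RE = re.compile(r"\b(PROXY|HTTPS?|SOCKS[45]?)\s+([^;\"']+)")


def wpad_candidates(fqdn: str) -> List[str]:
    """Hostnames a WPAD client tries for a machine whose DNS domain is ``fqdn``.

    Walks toward the root but never past the second-level domain, so a
    single-label domain such as "localdomain" yields no candidates at all.
    """
    labels = [part for part in fqdn.strip(".").split(".") if part]
    return [f"wpad.{'.'.join(labels[i:])}" for i in range(len(labels) - 1)]


def find_wpad(domain: str, resolve: Resolver, fetch: Fetcher) -> Optional[Tuple[str, str, str]]:
    """Return (hostname, ip, pac_text) for the first wpad host that resolves
    and serves a PAC file, or None when nothing on the network answers."""
    for host in wpad_candidates(domain):
        ip = resolve(host)
        if ip is None:
            continue
        pac = fetch(f"http://{host}/wpad.dat")
        if pac is not None:
            return host, ip, pac
    return None


def proxies_in_pac(pac_text: str) -> List[str]:
    """Every proxy endpoint mentioned in a PAC file, e.g. ["PROXY 192.0.2.10:3128"].

    A text scan rather than a JavaScript evaluation: it reports all endpoints
    the script could return, not the one chosen for a particular URL.
    """
    found: List[str] = []
    for kind, target in PROXY_RE.findall(pac_text):
        entry = f"{kind} {target.strip()}"
        if entry not in found:
            found.append(entry)
    return found


def dns_resolve(host: str) -> Optional[str]:
    """Real resolver for use on a live network."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def http_fetch(url: str, timeout: float = 3.0) -> Optional[str]:
    """Real fetcher for use on a live network."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:  # noqa: S310 (plain http is what WPAD uses)
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError):
        return None


# Constructed sample data: a rogue wpad record on the LAN and the PAC it serves.
SAMPLE_DOMAIN = "lan.example.com"
SAMPLE_RECORDS = {"wpad.lan.example.com": "192.0.2.10"}
SAMPLE_PAC = 'function FindProxyForURL(url, host) { return "PROXY 192.0.2.10:3128; DIRECT"; }'


def sample_resolve(host: str) -> Optional[str]:
    return SAMPLE_RECORDS.get(host)


def sample_fetch(url: str) -> Optional[str]:
    return SAMPLE_PAC if url == "http://wpad.lan.example.com/wpad.dat" else None


def report(domain: str, resolve: Resolver = sample_resolve, fetch: Fetcher = sample_fetch) -> List[str]:
    """Proxies a WPAD client in ``domain`` would be handed; empty list means no WPAD."""
    hit = find_wpad(domain, resolve, fetch)
    if hit is None:
        return []
    host, ip, pac = hit
    print(f"WPAD answered: {host} -> {ip}")
    return proxies_in_pac(pac)


if __name__ == "__main__":
    print("proxies announced (sample data):", report(SAMPLE_DOMAIN))
    # Live check of your own LAN:  report("lan.example.com", dns_resolve, http_fetch)
```

If the live check prints a hostname, something on the network is answering for wpad and every auto-detecting client will use the proxy it names; if it returns an empty list, the WPAD path is clean and the hang has another cause.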