Connection Issues - Some sites work while others do not.
-
Here is my configuration
OPT2 - PPPOE Connection to my ISP is on re0_vlan6
LAN - re2
WAN - re1
I can access the internet just fine. Google and other various websites load perfectly. However, when we go to our company websites hosted by an ISP the sites take forever to load if they load at all.
I thought it might be our ISP/routes/etc. to where the servers are located but that isn't the problem. Ping/MTR shows no packet loss. It's not the server either since we have remote monitoring configured on the server and it's not tripping any errors. When I visit these sites from my cable provider at home it works fine, just not at the office. I tried replacing the pfSense box with the provided router and everything works fine. It appears to be an issue with the pfSense box and these websites.
Any ideas on what the issue might be would be greatly welcomed. I'd be happy to answer any questions/do any diagnostics that are required to get the root of the problem.
Everything was working fine for about a month and it was only a few days ago that we started to have these issues.
-
-NOT SURE AT ALL-
This could possibly be a DNS timeout issue. Maybe the first DNS doesn't work fine with your setup and it takes a while to find a second one returning the IP address of the server.
Just an idea, tell me if it's dumb.
-
@S(y)nack:
-NOT SURE AT ALL-
This could possibly be a DNS timeout issue. Maybe the first DNS doesn't work fine with your setup and it takes a while to find a second one returning the IP address of the server.
Just an idea, tell me if it's dumb.
I thought that too, initially. The DHCP server assigns Google's public DNS servers to the machines on the network. I've tried public DNS servers as well as the DNS forwarder pfSense comes with. Unfortunately that didn't solve the issue.
Not sure if this helps but here is my network configuration:
```
[2.0.2-RELEASE][admin@pfSense.localdomain]/var/etc(19): /etc/rc.banner; ifconfig
*** Welcome to pfSense 2.0.2-RELEASE-pfSense (i386) on pfSense ***

 WAN (wan)   -> re1    -> NONE
 LAN (lan)   -> re2    -> 192.168.2.1
 OPT1 (opt1) -> re0    -> NONE
 OPT2 (opt2) -> pppoe0 -> PUBLIC_IP (PPPoE)

ifconfig:
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
	ether a0:98:05:01:af:73
	media: Ethernet autoselect (10baseT/UTP <half-duplex>)
	status: no carrier
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
	ether a0:98:05:01:af:74
	inet6 fe80::a298:5ff:fe01:af74%re1 prefixlen 64 scopeid 0x2
	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
re2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
	ether a0:98:05:01:af:75
	inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
	inet6 fe80::a298:5ff:fe01:af75%re2 prefixlen 64 scopeid 0x3
	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
pflog0: flags=100<PROMISC> metric 0 mtu 33200
re1_vlan6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether a0:98:05:01:af:74
	inet6 fe80::a298:5ff:fe01:af73%re1_vlan6 prefixlen 64 scopeid 0x8
	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 6 parent interface: re1
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
	inet PUBLIC_IP --> PUBLIC_GATEWAY netmask 0xffffffff
	inet6 fe80::a298:5ff:fe01:af73%pppoe0 prefixlen 64 scopeid 0x9
	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
```
-
I've tried the suggestion in this thread as it describes exactly what it is I am experiencing but it didn't help the situation.
The site(s) which do not work actually do work for the first 5 minutes or so. After that they take ages to load (if they load at all).
-
Here is my configuration
OPT2 - PPPOE Connection to my ISP is on re0_vlan6
LAN - re2
WAN - re1
Did you mean "PPPOE Connection to my ISP is on re1_vlan6"? (There is no re0_vlan6 listed in your ifconfig output.)
What does your pfSense WAN interface connect to? (I don't know it is a problem, but normally the pfSense WAN interface would be the one connected to the ISP).
Everything was working fine for about a month and it was only on a few days ago that we started to have these issues.
Are you aware of anything "significant" happening "a few days ago"? (pfSense configuration change? ISP configuration change? Server security configuration change? etc.)
I can access the internet just fine. Google and other various websites load perfectly. However, when we go to our company websites hosted by an ISP the sites take forever to load if they load at all.
Does it make a difference if you use an IP address (rather than a hostname) in the URL?
Have you taken a packet trace on the access attempt?
Ping/MTR shows no packet loss.
Have you tried pings of different sizes (up to say 1600)?
It's not the server either since we have remote monitoring configured on the server and its not tripping any errors.
Does the server log the access attempt? Does the server (or any upstream firewall) ignore access attempts from particular IP addresses?
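The "pings of different sizes" suggestion is really a path-MTU test, and the ifconfig listing earlier in the thread already shows where the size boundary is: the LAN side (re2) runs at 1500 bytes while pppoe0 runs at 1492. The following is an added example, not code from the thread or from pfSense, that parses a FreeBSD/pfSense ifconfig listing (the abbreviated sample below is copied from the thread's own output, PUBLIC_IP and PUBLIC_GATEWAY being the poster's redactions) and turns each MTU into the largest ICMP echo payload that crosses the link without fragmentation and the TCP MSS that matches it. It works on any ifconfig listing, not just this one; the interface names `re2` and `pppoe0` are defaults taken from the thread.

```python
"""Added example: derive ping sizes and MSS from pfSense/FreeBSD ifconfig output.
Not code from the original thread."""
import re

IPV4_HEADER = 20   # bytes, IPv4 header without options
ICMP_HEADER = 8    # bytes, ICMP echo request/reply header
TCP_HEADER = 20    # bytes, TCP header without options

# Abbreviated copy of the ifconfig output posted in the thread (constructed
# sample input for this example; PUBLIC_IP/PUBLIC_GATEWAY are redactions).
SAMPLE_IFCONFIG = """\
re2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
	status: active
re1_vlan6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	vlan: 6 parent interface: re1
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
	inet PUBLIC_IP --> PUBLIC_GATEWAY netmask 0xffffffff
"""

# Interface header line: "<name>: flags=<hex><FLAGS,...> metric N mtu N"
_IFACE_LINE = re.compile(
    r"^(?P<name>\S+): flags=[0-9a-f]+<(?P<flags>[^>]*)>.*\bmtu (?P<mtu>\d+)"
)


def parse_mtus(ifconfig_text):
    """Return {interface: (mtu, set_of_flags)} for every interface header line."""
    result = {}
    for line in ifconfig_text.splitlines():
        m = _IFACE_LINE.match(line)
        if m:
            flags = {f for f in m.group("flags").split(",") if f}
            result[m.group("name")] = (int(m.group("mtu")), flags)
    return result


def max_ping_payload(mtu):
    """Largest ICMP echo payload (the `-s` size on FreeBSD/Linux ping) that
    fits a link of this MTU without fragmentation."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def tcp_mss(mtu):
    """TCP MSS that matches this MTU, i.e. what MSS clamping on the uplink
    interface should advertise to hosts behind it."""
    return mtu - IPV4_HEADER - TCP_HEADER


def path_mtu_report(ifconfig_text, lan="re2", uplink="pppoe0"):
    """Compare LAN and uplink MTUs and report the ping sizes worth trying."""
    mtus = parse_mtus(ifconfig_text)
    lan_mtu, _ = mtus[lan]
    up_mtu, _ = mtus[uplink]
    return {
        "lan_mtu": lan_mtu,
        "uplink_mtu": up_mtu,
        "mismatch": up_mtu < lan_mtu,
        "lan_max_ping_payload": max_ping_payload(lan_mtu),
        "uplink_max_ping_payload": max_ping_payload(up_mtu),
        "uplink_mss": tcp_mss(up_mtu),
    }


if __name__ == "__main__":
    report = path_mtu_report(SAMPLE_IFCONFIG)
    for key, value in report.items():
        print(f"{key:>24}: {value}")
    if report["mismatch"]:
        print(
            f"\nA don't-fragment ping with payload {report['lan_max_ping_payload']} "
            f"fits the LAN but not the {report['uplink_mtu']}-byte PPPoE link; "
            f"anything above {report['uplink_max_ping_payload']} needs fragmentation, "
            "so with DF set it should come back as 'fragmentation needed' rather "
            "than silently vanish."
        )
```

Run against the thread's values this reports 1472 as the largest unfragmented payload on the LAN and 1464 across pppoe0, with an MSS of 1452 for the PPPoE side. The test to type on a LAN host is a sweep around those two numbers with the don't-fragment bit set (`ping -D -s 1464 host` on FreeBSD, `ping -M do -s 1464 host` on Linux): the 1464 probe should answer, the 1472 probe should produce a "fragmentation needed" error, and a 1472 probe that simply times out points at a path-MTU black hole rather than at the web server.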
-
Did you mean "PPPOE Connection to my ISP is on re1_vlan6"? (There is no re0_vlan6 listed in your ifconfig output.)
What does your pfSense WAN interface connect to? (I don't know it is a problem, but normally the pfSense WAN interface would be the one connected to the ISP).
You are indeed correct. It is in fact re1_vlan6. The reason I had to go with this configuration is because there is currently no way to assign a VLAN tag to the PPPoE connection. Telefonica has their internet on VLAN 6.
Are you aware of anything "significant" happening "a few days ago"? (pfSense configuration change? ISP configuration change? Server security configuration change? etc.)
As far as I know, nothing new has happened in the last couple of days.
Does it make a difference if you use an IP address (rather than a hostname) in the URL?
It does not make a difference if I use the IP or Hostname. The end result is still the same.
Have you taken a packet trace on the access attempt?
I have but I was not entirely sure how to read the results I got. :(
Have you tried pings of different sizes (up to say 1600)?
I have. There was no packet loss when I tried.
Does the server log the access attempt? Does the server (or any upstream firewall) ignore access attempts from particular IP addresses?
That is a good question. I will look in to it and see if it does!
-
Did you add NAT rules (port forwarding) some time before the issue appeared?
-
Did you add NAT rules (port forwarding) some time before the issue appeared?
Now that you mention it, I did; however, after this incident I removed said rules. The problem did not go away. I had actually forwarded FTP to an inside machine and had no issues with that. It was not too long after I forwarded SSH connections that the issue popped up. I figured it was just a coincidence.
-
I did see that mpd5 does support VLAN configuration. The config file option is "set pppoe iface vlan0". However, there isn't a way to set it via pfSense and I'm not sure how to make the VLAN tag persistent through reboots.
-
You can use telnet to verify you can connect to a particular web browser, for example
```
telnet
```
Once the connection completes type a line of text and see if the web server responds with HTML. Post the output here.
-
You can use telnet to verify you can connect to a particular web browser, for example
```
telnet
```
Once the connection completes type a line of text and see if the web server responds with HTML. Post the output here.
I've tried that. The connection times out :(
-
However, when we go to our company websites hosted by an ISP
Just to clarify the configuration: you are accessing the company websites from computers downstream of a pfSense box. Are the webservers downstream of the same pfSense box? Do the offending web pages redirect to a web site downstream of the pfSense box or source anything from downstream of the pfSense box?
You can use telnet to verify you can connect to a particular web browser, for example
```
telnet
```
Once the connection completes type a line of text and see if the web server responds with HTML. Post the output here.
I've tried that. The connection times out :(
That suggests the web server is not accepting your connection and not rejecting it. Some intervening firewall is quietly blocking it? The server itself is ignoring the connection attempt?
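The telnet check suggested a few posts up, and the reasoning just above about a connection that is neither accepted nor rejected, can be scripted so the three outcomes are told apart explicitly. This is an added example, not code from the thread or from pfSense: it opens a TCP connection with a timeout, sends a minimal `HEAD` request, and classifies the result as accepted (an HTTP status line came back), refused (a TCP RST came back, so something reachable is actively rejecting the port) or timeout (nothing came back at all, which is what a silent drop by an intervening firewall looks like from the client). It uses only the Python standard library; the throwaway local HTTP server is constructed for the demo so the script can show the accepted and refused cases offline.

```python
"""Added example: scripted version of "telnet to the web server and type a line",
with accepted / refused / timeout separated. Not code from the original thread."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_http(host, port=80, timeout=5.0, path="/"):
    """Connect to host:port, send a minimal HTTP/1.0 HEAD request and return
    (outcome, status_line). outcome is "accepted", "refused", "timeout" or
    "error: ..."; status_line is the server's first response line if any."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            request = (
                f"HEAD {path} HTTP/1.0\r\n"
                f"Host: {host}\r\n"
                "Connection: close\r\n\r\n"
            )
            s.sendall(request.encode("ascii"))
            data = s.recv(1024)
    except socket.timeout:
        # SYN or request went unanswered: a silent drop somewhere on the path
        # (or a server that never answers), not an active rejection.
        return "timeout", ""
    except ConnectionRefusedError:
        # RST came back: the host is reachable and actively closing the port.
        return "refused", ""
    except OSError as exc:
        # Unreachable network, DNS failure, etc.
        return f"error: {exc}", ""
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return "accepted", status_line


class _QuietHandler(BaseHTTPRequestHandler):
    """Minimal HEAD responder for the local demo server (constructed)."""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output clean


def start_local_server():
    """Start a throwaway HTTP server on 127.0.0.1 on an OS-chosen port and
    return (server, port). Call server.shutdown(); server.server_close() when done."""
    server = HTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port():
    """Pick a loopback port nobody is listening on, to show the 'refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_local_server()
    print("listening web server:", probe_http("127.0.0.1", port))
    print("closed port         :", probe_http("127.0.0.1", free_port()))
    server.shutdown()
    server.server_close()
    # Against the real site (replace the placeholder), a "timeout" here is the
    # silent-drop case described in the thread; "refused" would point at the
    # server or a firewall that answers, and "accepted" rules the path out.
    print("example target      :", probe_http("www.example.invalid", 80, timeout=3.0))
```

Pointed at the company site from an affected Mac or Ubuntu host and then from one of the Windows laptops that work, the two results side by side tell you whether the difference is at the TCP level (Windows gets "accepted" while the others get "timeout") before spending time on application-layer traces.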
-
However, when we go to our company websites hosted by an ISP
Just to clarify the configuration: you are accessing the company websites from computers downstream of a pfSense box. Are the webservers downstream of the same pfSense box? Do the offending web pages redirect to a web site downstream of the pfSense box or source anything from downstream of the pfSense box?
You can use telnet to verify you can connect to a particular web browser, for example
```
telnet
```
Once the connection completes type a line of text and see if the web server responds with HTML. Post the output here.
I've tried that. The connection times out :(
That suggests the web server is not accepting your connection and not rejecting it. Some intervening firewall is quietly blocking it? The server itself is ignoring the connection attempt?
So far you are correct.
What makes it odd is that every once in a while I can connect to those servers. If I set up a proxy on an outside network and use that I can connect to the website without problems.
What is even more strange is that I can connect to the website using Windows laptops but cannot on the MacBooks, Mac computers, or my Ubuntu desktop. I set up tinyproxy on a FreeBSD machine at the office and I can connect to the website through that as well.
-
So far you are correct.
I don't know how to interpret this. I asked a number of questions, most of which didn't receive a specific answer.
-
What is even more strange is that I can connect to the website using Windows laptops but cannot on the MacBooks, Mac computers, or my Ubuntu desktop. I set up tinyproxy on a FreeBSD machine at the office and I can connect to the website through that as well.
Sorry, this is a stupid question, but… you didn't happen to accidentally set up OS fingerprinting in your "LAN->any" rule?
Sorry, I do not want to imply stupidity on your end. Especially since the default/standard LAN->any rule doesn't allow setting of this option. But if you have a set of non-standard pass rules (for example for some sort of filtering or traffic shaping), this could have happened. Um, probably not really accidentally, since it requires like three clicks or so, but perhaps someone else got curious while you took a coffee break and the WebGUI was still open?
-
Just to clarify the configuration: you are accessing the company websites from computers downstream of a pfSense box. Are the webservers downstream of the same pfSense box? Do the offending web pages redirect to a web site downstream of the pfSense box or source anything from downstream of the pfSense box?
You are absolutely correct. The website I am trying to access is downstream of the pfSense box. The website does redirect, but it redirects to a different URI on the same domain which I am trying to access.
That suggests the web server is not accepting your connection and not rejecting it. Some intervening firewall is quietly blocking it? The server itself is ignoring the connection attempt?
That is the assumption that I made as well but it could also be something on our end blocking the connections.
Now for some additional information:
We have UniFi APs. If I use Windows laptops I am able to connect to the website without issue. I have a FreeBSD box on the local network. If I set up a proxy server and use that then I can also connect to the website. My Ubuntu desktop and the Macs are the ones which seem to be having the issues connecting. That is why I do not believe that it is a problem of the ISP or the website itself but rather something strange which is going on with pfSense. I should also tell you that the MacBook Airs can't connect either (over wifi).
-
What is even more strange is that I can connect to the website using Windows laptops but cannot on the MacBooks, Mac computers, or my Ubuntu desktop. I set up tinyproxy on a FreeBSD machine at the office and I can connect to the website through that as well.
Sorry, this is a stupid question, but… you didn't happen to accidentally set up OS fingerprinting in your "LAN->any" rule?
Sorry, I do not want to imply stupidity on your end. Especially since the default/standard LAN->any rule doesn't allow setting of this option. But if you have a set of non-standard pass rules (for example for some sort of filtering or traffic shaping), this could have happened. Um, probably not really accidentally, since it requires like three clicks or so, but perhaps someone else got curious while you took a coffee break and the WebGUI was still open?
We all make stupid mistakes every now and then but this time I don't believe it is user error creating the problem ;) I've never configured OS fingerprinting. In fact, I've never seen such an option for that. My rules are pretty simple. I am forwarding 21 to the inside FreeBSD server. There are also 2 rules which pfSense set up by default and which I cannot remove.
Thanks for the suggestion though!
-
A factory reset and reconfigure of everything solved the problem.
-
A factory reset and reconfigure of everything solved the problem.
Interesting. Do you have a backup of your old configuration, so you can compare it to your new config?
-
A factory reset and reconfigure of everything solved the problem.
Interesting. Do you have a backup of your old configuration, so you can compare it to your new config?
I do but I found some more optimal ways of configuring the network so I am not entirely sure how relevant comparing configs would be?