Connection Issues - Some sites work while others do not.
-
Did you mean "PPPOE Connection to my ISP is on re1_vlan6". (there is no re0_vlan6 listed in your ifconfig output).
What does your pfSense WAN interface connect to? (I don't know it is a problem, but normally the pfSense WAN interface would be the one connected to the ISP).
You are indeed correct. It is in fact re1_vlan6. The reason I had to go with this configuration is because there is currently no way to assign a VLAN tag to the PPPoE connection. Telefonica has their internet on vlan6.
Are you aware of anything "significant" happening "a few days ago"? (pfSense configuration change? ISP configuration change? server security configuration change? etc)
As far as I know, nothing new has happened in the last couple of days.
Does it make a difference if you use an IP address (rather than a hostname) in the URL?
It does not make a difference if I use the IP or Hostname. The end result is still the same.
Have you taken a packet trace on the access attempt?
I have but I was not entirely sure how to read the results I got. :(
Have you tried pings of different sizes (up to say 1600)?
I have. There was no packet loss when I tried.
Does the server log the access attempt? Does the server (or any upstream firewall) ignore access attempts from particular IP addresses?
That is a good question. I will look into it and see if it does!
-
Did you add NAT rules (port forwarding) some time before the issue appeared?
-
Did you add NAT rules (port forwarding) some time before the issue appeared?
Now that you mentioned it, I did, however, after this incident I removed said rules. The problem did not go away. I had actually forwarded FTP to an inside machine and had no issues with that. It was not too long after I forwarded SSH connections that the issue popped up. I figured it was just a coincidence.
-
I did see that mpd5 does support VLAN configuration. The config file option is "set pppoe iface vlan0". However, there isn't a way to set it via pfSense and I'm not sure how to make the VLAN tag persistent through reboots.
-
You can use telnet to verify you can connect to a particular web browser, for example
```
telnet
```
Once the connection completes type a line of text and see if the web server responds with HTML. Post the output here.
-
You can use telnet to verify you can connect to a particular web browser, for example
```
telnet
```
Once the connection completes type a line of text and see if the web server responds with HTML. Post the output here.
I've tried that. The connection times out :(
-
However, when we go to our company websites hosted by an ISP
Just to clarify the configuration: you are accessing the company websites from computers downstream of a pfSense box. Are the webservers downstream of the same pfSense box? Do the offending web pages redirect to a web site downstream of the pfSense box or source anything from downstream of the pfSense box?
You can use telnet to verify you can connect to a particular web browser, for example
```
telnet
```
Once the connection completes type a line of text and see if the web server responds with HTML. Post the output here.
I've tried that. The connection times out :(
That suggests the web server is not accepting your connection and not rejecting it. Some intervening firewall is quietly blocking it? The server itself is ignoring the connection attempt?
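Added example, not part of the original thread: a small Python probe that separates the three outcomes distinguished above (connection accepted, actively rejected, or silently ignored until it times out). The function names and the loopback demo are assumptions made for this illustration.

```python
import errno
import socket


def classify_tcp_connect(host, port, timeout=3.0):
    """Attempt one TCP connect and report how the far end (or the path) reacted.

    accepted    -> the handshake completed (a SYN-ACK came back)
    refused     -> something actively rejected the attempt (a RST came back)
    timeout     -> nothing came back: a silent drop somewhere on the path
    unreachable -> the local stack or an ICMP error reported no route
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "accepted"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error: %s" % exc
    finally:
        sock.close()


def loopback_demo():
    """Constructed demo on 127.0.0.1: one listening port and one closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more, so the kernel answers with RST

    try:
        return (classify_tcp_connect("127.0.0.1", open_port),
                classify_tcp_connect("127.0.0.1", closed_port))
    finally:
        listener.close()


if __name__ == "__main__":
    print(loopback_demo())
```

Running `classify_tcp_connect` against the same server and port from a client that works and from one that does not shows whether the failing client is being rejected or silently dropped.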
-
However, when we go to our company websites hosted by an ISP
Just to clarify the configuration: you are accessing the company websites from computers downstream of a pfSense box. Are the webservers downstream of the same pfSense box? Do the offending web pages redirect to a web site downstream of the pfSense box or source anything from downstream of the pfSense box?
You can use telnet to verify you can connect to a particular web browser, for example
```
telnet
```
Once the connection completes type a line of text and see if the web server responds with HTML. Post the output here.
I've tried that. The connection times out :(
That suggests the web server is not accepting your connection and not rejecting it. Some intervening firewall is quietly blocking it? The server itself is ignoring the connection attempt?
So far you are correct.
What makes it odd is that every once in a while I can connect to those servers. If I set up a proxy on an outside network and use that I can connect to the website without problems.
What is even more strange is that I can connect to the website using Windows laptops but cannot on the MacBooks, Mac computers, or my Ubuntu desktop. I set up tiny proxy on a FreeBSD machine at the office and I can connect to the website through that as well.
-
So far you are correct.
I don't know how to interpret this. I asked a number of questions, most of which didn't receive a specific answer.
-
What is even more strange is that I can connect to the website using Windows laptops but cannot on the MacBooks, Mac computers, or my Ubuntu desktop. I set up tiny proxy on a FreeBSD machine at the office and I can connect to the website through that as well.
Sorry, this is a stupid question, but… you didn't happen to accidentally set up OS fingerprinting in your "LAN->any" rule?
Sorry, I do not want to imply stupidity on your end. Especially since the default/standard LAN->any rule doesn't allow setting of this option. But if you have a set of non-standard pass rules (for example for some sort of filtering or traffic shaping), this could have happened. Um, probably not really accidentally, since it requires like three clicks or so, but perhaps someone else got curious while you took a coffee break and the WebGUI was still open?
-
Just to clarify the configuration: you are accessing the company websites from computers downstream of a pfSense box. Are the webservers downstream of the same pfSense box? Do the offending web pages redirect to a web site downstream of the pfSense box or source anything from downstream of the pfSense box?
You are absolutely correct. The website I am trying to access is downstream of the pfSense box. The website does redirect, but it redirects to a different URI on the same domain which I am trying to access.
That suggests the web server is not accepting your connection and not rejecting it. Some intervening firewall is quietly blocking it? The server itself is ignoring the connection attempt?
That is the assumption that I made as well but it could also be something on our end blocking the connections.
Now for some additional information:
We have UniFi APs. If I use Windows laptops I am able to connect to the website without issue. I have a FreeBSD box on the local network. If I set up a proxy server and use that then I can also connect to the website. My Ubuntu desktop and the Macs are the ones which seem to be having the issues connecting. That is why I do not believe that it is a problem of the ISP or the website itself but rather something strange which is going on with pfSense. I should also tell you that the MacBook Airs can't connect either (over wifi).
-
What is even more strange is that I can connect to the website using Windows laptops but cannot on the MacBooks, Mac computers, or my Ubuntu desktop. I set up tiny proxy on a FreeBSD machine at the office and I can connect to the website through that as well.
Sorry, this is a stupid question, but… you didn't happen to accidentally set up OS fingerprinting in your "LAN->any" rule?
Sorry, I do not want to imply stupidity on your end. Especially since the default/standard LAN->any rule doesn't allow setting of this option. But if you have a set of non-standard pass rules (for example for some sort of filtering or traffic shaping), this could have happened. Um, probably not really accidentally, since it requires like three clicks or so, but perhaps someone else got curious while you took a coffee break and the WebGUI was still open?
We all make stupid mistakes every now and then but this time I don't believe it is user error creating the problem ;) I've never configured OS Fingerprinting. In fact, I've never seen such an option for that. My rules are pretty simple. I am forwarding 21 to the inside FreeBSD server. There are also 2 rules which pfSense set up by default and which I cannot remove.
Thanks for the suggestion though!
-
A factory reset and reconfigure of everything solved the problem.
-
A factory reset and reconfigure of everything solved the problem.
Interesting. Do you have a backup of your old configuration, so you can compare it to your new config?
-
A factory reset and reconfigure of everything solved the problem.
Interesting. Do you have a backup of your old configuration, so you can compare it to your new config?
I do but I found some more optimal ways of configuring the network so I am not entirely sure how relevant comparing configs would be?
-
I believe I may have found what was causing this issue. When I have IPSec enabled I seem to have issues connecting to the company website. With IPSec disabled things seem to be normal. Has anyone encountered something like this?