HTTPS - some sites load, 90% sites time out - [SOLVED]
-
SOLUTION: Checked the setting for "Clear invalid DF bits instead of dropping the packets" in System > Advanced > Firewall/NAT tab.
Took hint from:
http://markmaunder.com/2009/10/20/routers-treat-https-and-http-traffic-differently/
Original issue:
We have a 3-WAN multiwan setup with squid enabled. With the 2 newer of our 4 ISPs, HTTPS sites load perfectly no matter whether that ISP is used as WAN1, 2 or 3. But for the other two ISPs, there's always a consistent issue in loading HTTPS sites, as follows:
Some HTTPS sites load without any issue (in some cases a delay happens), but most other sites simply don't load (for example: https://www.trigger.io or https://www.stripe.com). For some sites, only the text loads without any formatting at all (for example: https://www.crowdtilt.com/). All Google sites (docs/drive/gmail) work nicely in these two WANs.
Port 443 is indeed open for outward access (through failover gateway group) in the LAN tab of the firewall rules and there's no issue in establishing the HTTPS connection with some sites. However, 90% of HTTPS sites time out.
This happens with Squid enabled or disabled - in either situation.
pfSense version is:
2.0.1-RELEASE (i386)
built on Mon Dec 12 18:24:17 EST 2011
FreeBSD 8.1-RELEASE-p6
Any clue?
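The mechanism behind the fix, as an added illustration that is not part of the original post or of pfSense: a sender sets the Don't Fragment (DF) bit and relies on ICMP "fragmentation needed" replies to discover the path MTU. If a link on the path has a smaller MTU and those ICMP replies are filtered (which is common), the full-size packets are silently dropped and the client only sees a timeout, which matches the "90% of HTTPS sites time out" symptom. Clearing DF lets the router fragment instead of drop. To my understanding the pfSense checkbox enables pf's scrub "no-df" option; that mapping is an assumption here, as are the constructed addresses, identifiers and the 1400-byte link MTU. The code below builds a constructed IPv4 packet, models a router on a smaller-MTU link, and shows the DF-set packet being black-holed while the DF-cleared copy is fragmented and forwarded.

```python
"""Constructed illustration of IPv4 DF-bit handling on a reduced-MTU link."""
import socket
import struct

IP_DF = 0x4000            # Don't Fragment flag
IP_MF = 0x2000            # More Fragments flag
FRAG_OFFSET_MASK = 0x1FFF


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; over a valid header it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(header: bytes) -> bytes:
    """Zero the checksum field, recompute it and write it back."""
    header = header[:10] + b"\x00\x00" + header[12:]
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def build_ipv4(payload: bytes, df: bool, src="10.0.0.2", dst="203.0.113.10",
               ident=0x1234, proto=6, ttl=64) -> bytes:
    """Build a 20-byte IPv4 header (no options) plus payload. Addresses are constructed."""
    flags_frag = IP_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return _with_checksum(hdr) + payload


def _flags_frag(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[6:8])[0]


def df_set(pkt: bytes) -> bool:
    return bool(_flags_frag(pkt) & IP_DF)


def more_fragments(pkt: bytes) -> bool:
    return bool(_flags_frag(pkt) & IP_MF)


def fragment_offset(pkt: bytes) -> int:
    """Fragment offset in 8-byte units."""
    return _flags_frag(pkt) & FRAG_OFFSET_MASK


def clear_df(pkt: bytes) -> bytes:
    """What a 'clear DF' scrub does: drop the DF flag and repair the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = _flags_frag(pkt) & (0xFFFF ^ IP_DF)
    hdr = pkt[:6] + struct.pack("!H", flags_frag) + pkt[8:ihl]
    return _with_checksum(hdr) + pkt[ihl:]


def forward_over_link(pkt: bytes, mtu: int) -> list:
    """Model a router forwarding onto a link with the given MTU.

    Returns the packets placed on the wire. An empty list means the packet was
    dropped: with DF set the router may only reply with ICMP 'fragmentation
    needed', and when that reply is filtered the sender just sees a timeout.
    """
    if len(pkt) <= mtu:
        return [pkt]
    if df_set(pkt):
        return []                      # PMTU black hole from the sender's point of view
    ihl = (pkt[0] & 0x0F) * 4
    hdr, payload = pkt[:ihl], pkt[ihl:]
    chunk = (mtu - ihl) // 8 * 8       # all but the last fragment carry a multiple of 8 bytes
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload)
        flags_frag = (IP_MF if more else 0) | ((off // 8) & FRAG_OFFSET_MASK)
        h = hdr[:2] + struct.pack("!H", ihl + len(piece)) + hdr[4:6] \
            + struct.pack("!H", flags_frag) + hdr[8:]
        frags.append(_with_checksum(h) + piece)
    return frags


if __name__ == "__main__":
    full_size = build_ipv4(b"\x00" * 1480, df=True)       # 1500-byte packet, DF set
    print("DF set, MTU 1400:", len(forward_over_link(full_size, 1400)), "packets on the wire")
    relaxed = clear_df(full_size)
    frags = forward_over_link(relaxed, 1400)
    print("DF cleared, MTU 1400:", [len(f) for f in frags], "byte fragments")
```

Running the block shows 0 packets forwarded while DF is set and two fragments (1396 and 124 bytes) once it is cleared. The trade-off a defender should keep in mind: clearing DF makes path MTU discovery meaningless for that traffic and shifts the work to reassembly on the far side, so it is a workaround for ISPs or paths that eat ICMP, not a replacement for a correctly sized MTU or MSS clamping.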
-
Please note that those two problematic ISP connections load all HTTPS pages correctly when connected directly through regular wifi routers.
Also, HTTPS ports (443 and 444) are going out through a gateway with failover configuration, not the load balancer.
BTW, the HTTPS sites that the two ISPs can't load through pf can be loaded with all pf settings unchanged but just by reconfiguring either of these WANs with the other 2 ISPs.
The 2 ISPs which have no issue loading all HTTPS sites are known not to use any transparent proxy on their side, while whether the ISPs that fail to load the sites through pfSense use a transparent proxy is not known.
The pf install otherwise is working perfectly with multiwan loadbalancing and transparent proxying.
EDIT: added clarifications.
-
Port 443 is indeed open for outward access in the LAN tab of the firewall rules and there's no issue in establishing the HTTPS connection with some sites. Half of the sites we try will not connect.
What do you mean by this? You shouldn't have to create an outgoing LAN rule for any ports with the default setup.
-
I meant 443 is going out through failover gateway group by policy routing rule.