Youtube Performance Issues
-
Wasn't sure where to post since it's a combo Firewall/Snort issue. Anyways, for a while now I've been trying to resolve horrible YouTube performance in my home (intermittent to non-existent connection). YouTube will either fail to load or partially load…on mobile devices it's the same thing. Only additional packages I'm running are Snort in blocking mode and pfBlockerNG. Still learning pfSense and Snort so bear with me.
Upon viewing the Firewall logs:
I have several records being blocked to a series of 216.58.216.X addresses; these resolve to:
ord31s21-in-f14.1e100.net
ord30s21-in-f14.1e100.net
These addresses are registered to Google.
Upon viewing the Snort Logs:
I have several records being blocked in 216.58.216.X address range.
Typical entry in log for these addresses:
Pri: 2 Class: Attempted Information Leak Source: <ext_ip> Destination: <my_ext_ip> SID: 122:21 Description: "(portscan) UDP Filtered Portscan"
Any particular reason why these are showing up as port scans?
Assumption: I need those above addresses to work if I want to even dream of YouTube working…the extra security pfSense provides has definitely caused me many headaches and I'm trying to sort through them instead of giving up (or the family killing me first). Any assistance the community could provide would be appreciated. Thanks
Things I've tried…
- Firewall: Using "Easy Rule: Pass this traffic" button on those specific IPs
-- Results = Still unable to connect, so removed easy rules, went to next step
- Snort: Unchecked "Block Offenders" box (Would rather not do this)
-- Results = Intermittent and slow performance but able to view now (most likely culprit)
If I wanted to restore blocking would I just use the "Add this alert to suppress List and track by src_IP" button?
- When I switch back to my consumer router or via cellular on my mobile devices it works awesome
-- Results = Able to connect fine, literally night and day difference.
-
Make sure that on the PREPROCESSORS tab for your WAN interface in Snort you have the Portscan Sensitivity setting set for LOW. Save the change and restart Snort on the interface. The portscan preprocessor is sensitive and appears to be easily tripped up these days by some innocent activity. Web sites that attempt several connection streams can trigger the portscan alert if the sensitivity is set to MEDIUM or HIGH.
If changing sensitivity does not help, you can disable that particular preprocessor rule without really weakening your security all that much. On the ALERTS tab click the X icon beside the alert row in the GID:SID column to disable that rule. You will get no more alerts from it.
Bill
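Added example, not part of the thread or of pfSense/Snort itself: a narrower alternative to disabling 122:21 outright is a suppress entry tracked by source, so the rule stays live for every other source. The sketch below reads alerts in Snort's fast-alert style and emits `suppress` lines only for sources inside networks the admin has already verified. The sample lines use constructed RFC 5737 documentation addresses, and `trusted_nets` is an assumed, admin-supplied list.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in Snort's fast-alert style; the addresses are
# RFC 5737 documentation ranges standing in for real sources.
SAMPLE_ALERTS = """\
01/10-19:02:11.120000 [**] [122:21:1] (portscan) UDP Filtered Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 198.51.100.14 -> 203.0.113.5
01/10-19:02:40.550000 [**] [122:21:1] (portscan) UDP Filtered Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 198.51.100.46 -> 203.0.113.5
01/10-19:03:02.900000 [**] [122:21:1] (portscan) UDP Filtered Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 192.0.2.77 -> 203.0.113.5
01/10-19:04:15.010000 [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 198.51.100.14 -> 203.0.113.5
"""

# Captures generator id, signature id and the source address of one alert.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->"
)

def suppress_entries(log_text, trusted_nets, gid=122, sid=21):
    """Return (suppress lines, untrusted source counts) for gid:sid alerts."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits, untrusted = Counter(), Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or (int(m["gid"]), int(m["sid"])) != (gid, sid):
            continue  # other rules (e.g. 122:1) are left untouched
        src = ipaddress.ip_address(m["src"])
        net = next((n for n in nets if src in n), None)
        if net is None:
            untrusted[str(src)] += 1  # keep alerting and blocking on these
        else:
            hits[net] += 1
    lines = [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {net}"
             for net in sorted(hits, key=str)]
    return lines, dict(untrusted)

if __name__ == "__main__":
    entries, rest = suppress_entries(SAMPLE_ALERTS, ["198.51.100.0/24"])
    print("\n".join(entries))
    print("still alerting:", rest)
```

The emitted lines use Snort's `suppress gen_id ..., sig_id ..., track by_src, ip ...` syntax and can be pasted into the interface's suppress list; sources outside the verified networks continue to alert.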
-
Thanks for the reply, with blocking turned off everything started working great a couple of hours after. I will continue to tweak to get it right eventually.