Netgate Discussion Forum
PfSense causing half of the websites not to load

    nxgenguy
    last edited by May 8, 2018, 5:29 AM

    Current Situation

    Modem (TP-Link / TC-7620) - pfSense Firewall - TP-Link Router (AC1750)
    This setup has worked for over a year.

    Suddenly traffic is slow; some websites load, some do not. For example, yahoo never fully loads, spectrum.net never loads, speedtest.net never loads, facebook does load fine.

    My g/f was using the tp-link app on her phone to reboot the router which she did on accident. She says she is not sure (fawk).

    It could be coincidence, but ever since she did that I have been experiencing issues.

    Now if I connect the modem to router everything works fine :D (just no pfSense firewall)

    Now if I connect the modem to the pfSense firewall and then directly to my laptop (which I then give an assigned static IP address), the internet works fine.

    The only problem is when it is modem to pfSense to router. Not fine.

    It would seem the problem is between the pfSense firewall and the router.

    Any ideas on how to fix?

      Jailer
      last edited by May 8, 2018, 10:39 AM

      Why are you using two routers? Get rid of one of them, you only need one.

        Hellfish
        last edited by May 8, 2018, 11:34 AM

        Are you running a proxy on the pfsense?
        Traffic for both http, https, DNS is allowed to exit the firewall (and other stuff like ssh if needed)?

          johnpoz LAYER 8 Global Moderator
          last edited by May 8, 2018, 12:44 PM

          You would hope he is just using the AC1750 as Access Point?  But his use of "router" and no mention of AP mode, etc.. points to prob a double nat setup sure.

          If so then prob using dns off his AC1750 which for sure could be flaky..

          Unless you're running pfblocker, IPS or proxy, pfsense cannot tell 1 website from another website.  It just looks at port and dest to be allowed or not.  Since the rules out of the box are any any… Issue with loading different websites most likely dns related or your ISP having problem talking to these networks.

          Need more info to help you track down your problem

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            nxgenguy
            last edited by May 8, 2018, 8:41 PM

            The only package I have installed is OpenVPN-Client-Export Version 1.4.12
            Package dependencies are: openvpn-client-export-2.4.4, openvpn-2.4.4._1, zip-3.0.1, p7zip-16.02_1

            This is what shows up in the “Installed Packages”.
            I did not want to install a bunch of stuff I was not familiar with till I did more research.
            I only wanted pfSense and OpenVPN installed. Mind you, I had both of these installed and running since day 1 for a year.
            I did update my pfSense to the latest STABLE build. I only do stable.

            I use OpenVPN so I can remote into one of my servers.

            Could this be causing the problem?

              jahonix
              last edited by May 8, 2018, 8:54 PM

              What's the TP-Link Router (AC1750) doing in your setup? pfSense is a way more capable router and firewall than TP-Link.
              If you need WiFi then get a decent AccessPoint (I prefer Ruckus or XclaimWireless, others have had success with Ubiquiti).
              If money is a concern then get a used Ruckus ZoneFlex 7372 or 7982 on eBay or such. Will be approx. $50 if you need it immediately, cheaper if you can wait. There's really no excuse for not using a decent AP these days.
              Your problems should be gone with that equipment if they are not upstream.

                nxgenguy
                last edited by May 8, 2018, 9:10 PM

                Thank you again for the help!

                The TP-Link Router (AC1750):
                I am using this solely as a DHCP server and for my wireless connections.
                I made sure the NAT service is disabled on it.

                I mean, this setup has worked for a year flawlessly till this last Sunday.
                A week before or more I did a pfSense update.
                I was on 2.3.2 and updated to 2.3.4-Release-p1.

                Facebook loads, speedtest.net still does not, spectrum does not

                Is there a setting on my TP-Link that is causing the issue?
                Something I missed? I did a factory reset in the hopes that solved my issue on Sunday night.
                I am wondering if that made things worse.

                When I connect to the pfSense box directly and assign a static IP address, everything works great.
                When I connect to my TP-Link and then that connects to the pfSense box, that is when it all goes to hell.

                  jahonix
                  last edited by May 8, 2018, 9:16 PM

                  @nxgenguy:

                  When I connect to my TP-Link then that connects to the PFSense box that is when it all goes to hell.

                  Get yourself a decent AP and dump the TP-Link. Obviously does more harm than good.
                  Don't forget to activate the DHCP server in pfSense…

                    johnpoz LAYER 8 Global Moderator
                    last edited by May 8, 2018, 9:54 PM

                    "I made sure the NAT service is disabled on it"

                    But you're using it for dhcp – WHY??  This is not how you set up a wifi router to be an AP..

                    What port on it do you have connected to your network..

                    TURN off dhcp on your AC1750... Set its lan IP to be on the network you're connecting it to.  Connect one of its lan interfaces to your network.. Done!!!

                      stephenw10 Netgate Administrator
                      last edited by May 8, 2018, 11:21 PM

                      Yes, this is probably some setting on your TP-Link device breaking stuff. If you switch to using it purely as a wireless access point it will probably all start working again.
                      https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense

                      But what happens when you ping one of the failing sites? Does it resolve to an IP? Does it try to connect and fail?

                      Steve

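The two checks asked for in the last reply (does the name resolve, does the connection attempt complete) can be run from a client behind the TP-Link and again from one plugged straight into pfSense. The script below is an added example, not part of the thread: the function names, the `www.` hostnames and the use of TCP port 443 are assumptions.

```python
import socket

def resolve(host):
    """IPv4 addresses the client's configured resolver returns, or []."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def connect(ip, port=443, timeout=3.0):
    """True if a TCP handshake to ip:port completes (port 443 is an assumption)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(host, resolver=resolve, connector=connect):
    """Answer both questions for one host: does it resolve, does it connect?"""
    ips = resolver(host)
    if not ips:
        return ("dns_failure", [])
    reachable = [ip for ip in ips if connector(ip)]
    if not reachable:
        return ("connect_failure", ips)
    return ("ok", reachable)

def triage(hosts, resolver=resolve, connector=connect):
    return {host: classify(host, resolver, connector) for host in hosts}

def verdict(results):
    """Point at the layer to look at next, based on which failures appear."""
    states = {state for state, _ in results.values()}
    if states <= {"ok"}:
        return "handshakes complete; fault is not DNS or basic reachability"
    if "connect_failure" not in states:
        return "names fail to resolve: check the DNS server handed out by DHCP"
    if "dns_failure" not in states:
        return "names resolve but connections fail: check routing/NAT path"
    return "both DNS and connection failures: check DHCP-assigned gateway and DNS"

if __name__ == "__main__":
    # Sites named in the thread; the exact hostnames are assumptions.
    sites = ["www.yahoo.com", "spectrum.net", "speedtest.net", "www.facebook.com"]
    results = triage(sites)
    for host, (state, ips) in results.items():
        print(f"{host:20} {state:16} {', '.join(ips)}")
    print(verdict(results))
```

A different verdict from the two vantage points isolates the fault to what the TP-Link hands its clients. An `ok` result only means the handshake completed, not that the page renders.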