Webpage Load Delays for Specific Sites
-
The top half of the resolver options are all at their defaults.
Port: 53
Network Interfaces: All
Outgoing Network Interfaces: All
System Domain Local Zone Type: Transparent
The rest of the settings do not list their defaults. My system has:
DNSSEC: Enabled
DNS Query Forwarding: Disabled
DHCP Registration: Enabled
Static DHCP: Enabled
OpenVPN Clients: Disabled
...And there it is.
Custom Options: server:include: /var/unbound/pfb_dnsbl.*conf
Which contains over 39K websites to block. I took that out and websites like papjohns load normally. Those few websites must be trying to load ad or tracking websites that were blocked. Googleadservices works too.
Thanks Gertjan!
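As an added example, not code from this thread or from pfBlockerNG: a small Python check of which hostnames a page load would contact that an unbound DNSBL include would intercept. The config snippet and hostname list are constructed, and the local-zone/local-data syntax is assumed to be what the pfb_dnsbl include uses.

```python
import re

# Constructed sample in unbound's local-zone/local-data syntax, the style
# an include such as /var/unbound/pfb_dnsbl.*conf is assumed to use.
SAMPLE_DNSBL_CONF = """\
server:
local-zone: "ads.example-tracker.net." redirect
local-data: "ads.example-tracker.net. A 10.10.10.1"
local-zone: "pixel.example-metrics.com." always_nxdomain
"""

# Constructed list of hostnames one page load might contact.
PAGE_HOSTNAMES = [
    "www.papjohns.example",
    "cdn.papjohns.example",
    "tag.ads.example-tracker.net",
    "pixel.example-metrics.com",
    "fonts.example.org",
]

LOCAL_ZONE_RE = re.compile(r'^\s*local-zone:\s*"([^"]+)"\s+(\S+)')


def parse_local_zones(conf_text):
    """Map each local-zone name (lower-cased, no trailing dot) to its type."""
    zones = {}
    for line in conf_text.splitlines():
        m = LOCAL_ZONE_RE.match(line)
        if m:
            zones[m.group(1).lower().rstrip(".")] = m.group(2)
    return zones


def blocking_zone(hostname, zones):
    """Return the local-zone covering hostname, or None.
    unbound applies a local-zone to the zone name and every name under it,
    so walk from the full name up through its parent labels."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def blocked_hosts(hostnames, conf_text):
    """Return {hostname: zone_type} for every name the DNSBL would intercept."""
    zones = parse_local_zones(conf_text)
    return {h: zones[blocking_zone(h, zones)]
            for h in hostnames if blocking_zone(h, zones) is not None}
```

Feeding it the hostnames a browser's network tab shows for a slow page, together with the real include file, tells you which requests are being sinkholed rather than served.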
-
Wait !
Your first image: the Allow trove rule (third rule), is that a rule that is part of a NAT rule? (Show your NAT rules please.)
If not, delete it. No game server on the net needs incoming connections to a device on your LAN.
The exception might be: the web server, as your device 192.168.100.200 on your LAN.
Next image: LAN rules 3 and 4 are the same as the final/hidden default pass rule. Rule counters for rule 4 show clearly that you have no IPv6 connection.
DNS: instead of resolving, you pass all DNS requests to Google. That's ok, up to you if you want to tell Google all about what you are doing, and losing DNSSEC while doing so.
pfBlockerNG has a new, experimental version (see here) that behaves better. Truth is, every time the resolver (unbound) restarts, everything is read again, the cache is flushed, etc. This can take seconds, if not minutes. During that moment, the DNS is "out".
I advise you to:
Uncheck "DHCP Registration" on the Resolver settings page.
and
Give all your devices a Static DHCP Lease using their MAC address - see at the bottom of the Services => DHCP Server => LAN page.
-
Are you using an old router for the Wi-Fi?
-
pfSense works out of the box. If you're having issues, it might be best to start over and make each change one at a time.
-
Harvy66, it's working well now that it's not blocking those 39K sites, thanks.
NogBadTheBad, the router is 2 or 3 years old. It's an AC tri-band with 6 antennas located above the kitchen cupboards which is in the middle of the house. The coverage is good except for one far corner of the basement. All is well now that those sites are not blocked.
Gertjan, I have deleted the rule for Trove.
I do not recall manually creating LAN rules 3 and 4 and am not sure how they got there. I have disabled them to see what happens. UPDATE: Disabling them caused my Internet connection to go down, so I think they need to be there.
The dashboard shows the DNS servers to be 127.0.0.1, 8.8.8.8, and 8.8.4.4. Does this still mean all DNS requests go to Google? I'm weighing the effort to create over 50 static DNS leases vs. the fact that Google already knows everything about me anyway. FWIW, I usually use the OpenDNS servers, but changed it to Google while troubleshooting this issue.
Thanks.
-
@gerardhebert said in What are Common FW Rules for Home Use?:
The dashboard shows the DNS servers to be 127.0.0.1, 8.8.8.8, and 8.8.4.4. Does this still mean all DNS requests go to Google? I'm weighing the effort to create over 50 static DNS leases vs. the fact that Google already knows everything about me anyway. FWIW, I usually use the OpenDNS servers, but changed it to Google while troubleshooting this issue.
8.8.8.8/4.4.4.4: Depends how you set it up:
As said here: System => General Setup => DNS Servers: "Enter IP addresses to be used by the system for DNS resolution. These are also used for the DHCP service, DNS Forwarder and DNS Resolver when it has DNS Query Forwarding enabled."
So, if the Resolver is still in resolving mode, your LAN clients are still Resolving, and not using these IP's (DNS).
Use the Forwarder, or the Resolver in forwarding mode, to use these IP's for your clients.
-
DNS Query Forwarding is not enabled.
Thanks for everyone's help.
-
@gertjan said in Webpage Load Delays for Specific Sites:
None on LAN (except for the "do not lock me out" safety net rule).
Huh? The default rule, out of the box, will be Any Any.. You kind of need that rule, so I'm confused by your NONE statement.. If the user wants internet they need rules to pass traffic. Out of the box this is an any any rule.. If they do not want that then sure they can change it, add others, etc. to only allow the traffic they want. But saying that LAN needs NONE is not correct.
-
I meant: No user entered rules, so "None".
The "all pass" rule already present when setting up pfSense shouldn't be modified or deleted.
True, I could have been more clear.
-
Your statement is why he deleted those rules I think ;)
UPDATE: Disabling them caused my Internet connection to go down, so I think they need to be there.
And with this
except for the "do not lock me out" safety net rule).
I sure read it as no rules are needed on LAN..
-
Oops.
Some mix-up between WAN and LAN and my comments.
Even some bllsht about hidden rules on LAN: this default rule isn't hidden at all. All interfaces have a default (hidden!) block rule.
I'll edit my post.