Intermittent timeout to Google
-
I'm not exactly sure when this started, but periodically none of the machines on my LAN get a timeout when loading google.com. The workaround is to reboot the pfSense machine. What puzzles me is it only occurs on Google and no other web sites. Email (Outlook w/POP3), Dropbox, Zoolz etc. aren't affected, just Google. Very strange indeed. Has anyone else seen this?
-
Bad subnet mask somewhere?
Are you using Squid?
Also check: https://docs.netgate.com/pfsense/en/latest/routing/unable-to-access-some-websites.html
Steve
-
I'm not using Squid but I am using Snort and have a paid oinkcode. I did notice some log entries for sites such as PayPal, Facebook, the Amazon cloud etc. that are being blocked. I'm trying to determine which rule set is triggering the blocks, so if anyone can help me with this it would be appreciated.
I also went through the steps in the link and the only thing I had to change was disable firewall scrub.
-
Ok, well firstly set Snort to non-blocking mode, if it is blocking currently, and clear the blocked IPs table. Re-test.
If that is the problem then find out which rule is triggering the alert and disable it.
Steve
-
@nipstech said in Intermittent timeout to Google:
I'm not using Squid but I am using Snort and have a paid oinkcode. I did notice some log entries for sites such as PayPal, Facebook, the Amazon cloud etc. that are being blocked. I'm trying to determine which rule set is triggering the blocks, so if anyone can help me with this it would be appreciated.
I also went through the steps in the link and the only thing I had to change was disable firewall scrub.
If you have never administered an IDS/IPS such as Snort or Suricata before, then you should ALWAYS start off running the package for at least two weeks (and a month is even better!) with blocking disabled. This gives you a chance to see what kinds of alerts are going to be triggered on your network. You can then take the time to analyze and research the alerts to see if they are just false positives. Rules frequently generating false positives in your network environment can then be disabled. To install Snort or Suricata and immediately turn on blocking mode is a recipe for a giant headache (such as you are experiencing now with seemingly random blocks).
So go to the BLOCKS tab in Snort and click the button to clear all blocked hosts. Then go to the INTERFACE SETTINGS tab and edit the interface (or interfaces) where you have Snort running and turn off the Block Offenders option. Save the change and restart Snort on the affected interfaces. Let Snort run in IDS-only mode (just alerts without the corresponding blocks) for quite some time while you study the alerts generated. Look at the ALERTS tab one or more times per day as you study the alerts. I suggest doing this at least two weeks, and more like a month if you are new to IDS/IPS administration. Once you have analyzed the traffic and alert patterns, you can make decisions about which rules to disable for your environment. Remember that any alert you see would have been blocked traffic and thus some kind of network interruption for the hosts involved in that conversation.
Finally, this word of advice. When you add third-party packages to pfSense such as Snort, pfBlockerNG, SquidGuard, etc., always suspect and check those packages first as the source of any strange behavior like "not loading websites", problems with DNS resolution, or any other traffic interruptions. Disable those packages and see if the problem goes away. If so, then add them back one at a time to see which one is the cause.
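As an added illustration of the "study the alerts" step described above (this is not code from the thread or from the Snort package): a small Python script that parses Snort alert_fast lines and counts which rules fired against hosts that are currently in the block table. The alert lines and the block list below are constructed samples; on pfSense the real inputs would be the per-interface alert file and the pf table the Snort package uses for blocks (assumed here to be `snort2c`, read with `pfctl -t snort2c -T show`).

```python
import re
from collections import Counter

# Layout of a Snort "alert_fast" line as the pfSense package logs it
# (assumed format; IPv4 only, and ICMP lines carry no port numbers).
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$'
)

def parse_alert_line(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def rules_hitting_hosts(alert_text, blocked_hosts):
    """Count (gid, sid, msg) for every alert whose src or dst is a blocked host.

    In blocking mode each of these alerts is what put the remote address into
    the block table, so the most frequent entries are the rules to review
    first (false positive or not) before deciding which to disable.
    """
    blocked = set(blocked_hosts)
    hits = Counter()
    for line in alert_text.splitlines():
        a = parse_alert_line(line)
        if a and (a['src'] in blocked or a['dst'] in blocked):
            hits[(a['gid'], a['sid'], a['msg'])] += 1
    return hits

# Constructed sample alerts: local-rule SIDs and documentation-range addresses.
SAMPLE_ALERTS = """\
03/14-09:12:01.123456  [**] [1:1000001:3] LOCAL sample HTTP policy hit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:443 -> 192.168.1.25:51234
03/14-09:12:05.000001  [**] [1:1000002:1] LOCAL sample user-agent rule [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.25:51240 -> 198.51.100.7:80
03/14-09:15:44.555555  [**] [1:1000001:3] LOCAL sample HTTP policy hit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:443 -> 192.168.1.30:51300
03/14-09:20:00.000000  [**] [1:1000003:1] LOCAL sample ICMP rule [**] [Priority: 3] {ICMP} 192.168.1.25 -> 203.0.113.10
"""
# Constructed stand-in for the block table contents (pfctl -t snort2c -T show).
SAMPLE_BLOCKED = ["203.0.113.10"]

if __name__ == "__main__":
    for (gid, sid, msg), n in rules_hitting_hosts(SAMPLE_ALERTS, SAMPLE_BLOCKED).most_common():
        print(f"{n:4d}  {gid}:{sid}  {msg}")
```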
-
@stephenw10 said in Intermittent timeout to Google:
Bad subnet mask somewhere?
What would the subnet mask have to do with it? All that does is determine whether an address is within the local network or not. The only possible issue was if the mask was too long and overlapping another network. It would have no effect on remote web sites and certainly not if NAT was used on the LAN.
-
@JKnott
We have seen users with subnets set to /2 or /1 where large parts of the internet are unreachable.
Steve
-
@stephenw10 said in Intermittent timeout to Google:
@JKnott
We have seen users with subnets set to /2 or /1 where large parts of the internet are unreachable.
Steve
Yep! Never ever underestimate the ability of a user to not just shoot their foot off, but to obliterate the entire leg!
-
@stephenw10 said in Intermittent timeout to Google:
@JKnott
We have seen users with subnets set to /2 or /1 where large parts of the internet are unreachable.
That would affect just about everything, not just Google. The OP said other sites weren't affected. A little testing, perhaps with traceroute, might help.
BTW, I have plenty of experience with users causing their own problems.