Netgate Discussion Forum

    After upgrade, problems loading certain websites

      skee9679

      Hello everyone!

      After I upgraded to the last version, I've been having problems with certain websites. I can't log in to Microsoft webpages or accounts. I can sometimes get in but they don't load properly. I have the same issue with the Wall Street Journal. Sometimes I can get it to load, other times I get the error as if I'm not connected to the internet, like something is killing that connection. What's the easiest way to track this down and fix it? Thanks!

        bmeeks

        We will need a little more information.

        1. Do you have any packages installed on the firewall such as pfBlockerNG, DNSBL, Snort, Suricata, Squid or Squidguard?

        2. This sounds like it might possibly be an MSS issue. What type of WAN interface addressing scheme do you have? Is it PPPoE or DHCP or statically-assigned?

        3. When you say "upgraded to latest version", which pfSense branch are you referring to: RELEASE or DEVEL?

        4. Post the exact pfSense version you currently have installed (it shows on the main page that comes up after you log in to the firewall).

          skee9679

          Sorry for the vagueness: I'm running 2.4.4-RELEASE-p2, it should be the RELEASE version. My WAN IPvX Configuration type is set to DHCP/DHCP6. I am currently running Snort in Blocking mode. I don't believe Snort is the issue though, because I can usually get the pages to load after a couple refreshes, except on MS pages where they partially load.

            bmeeks

            Are you sure that your ISP is providing you a proper IPv6 set up? If your ISP does not support IPv6, then that box on your WAN needs to be set to "none". If your ISP does support and provide you an IPv6 address, you need to verify all of that is working properly. Most browsers and operating systems today will automatically prefer IPv6 over IPv4, but if the IPv6 setup has issues then web pages won't load properly and other weird things happen.

            With DHCP, MSS should not really be an issue. My guess is either a lot of packet loss or perhaps IPv6 is only partially working, but the browser is preferring it over IPv4.

            I do seem to recall some reports by other users of strange problems with some ISPs and IPv6 operation on the last release of pfSense. Check the IPv6 sub-forum here to see if anything there might apply to your situation.

              skee9679

              Thanks bmeeks! My ISP is Google Fiber, they have a preference for IPv6. Since I saw your response this morning I decided to open up the Element Editor to see if I could see anything when having the problem with a webpage. I got this:
              CONSOLE21301: serviceWorker.getRegistrations is rejected due to unsecure context or host restriction in ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=0.
              In the element itself, it's also saying "dnserror.js (20)". Could it be something with DNS?

              Edit: Although I am using MS Edge at the moment, this problem persists no matter which browser I use. And still only applies to certain websites, mostly the WSJ and Microsoft websites.

                bmeeks

                Are you using any adblocker plugins for your browsers? That could cause something like this.

                I also just did a quick Google search using this phrase:

                serviceWorker.getRegistrations is rejected due to unsecure context or host restriction

                and got a lot of hits. Do that and read through the various reports and see if any might apply to your situation.

                Oh, and just to be sure it's not a Snort block, stop Snort on all your interfaces and then go to the BLOCKED tab and remove all blocks (there is a button on that tab for clearing blocks). Then test again. If it works, turn Snort back on and watch the ALERTS tab to see what rule (or rules) are triggering blocks. Suppress or disable those rules.

                  skee9679

                  Thanks! I'll Google and see what I can figure out. I've got a feeling it might be an adblocker or something.

                    Gertjan @skee9679

                    @skee9679 said in After upgrade, problems loading certain websites:

                    this problem persists no matter which browser I use

                    So, it can't be this:

                    @skee9679 said in After upgrade, problems loading certain websites:

                    I've got a feeling it might be an adblocker or something

                    Where the ad blocker is a plugin for a web browser.
                    (or you have all your web browsers using identical ad blocker plugins ...)

                    FIRST: do not keep pfSense 2.4.4 p2. Go to p3 right away.

                    You are using the Resolver on pfSense? Switch to a higher level of logging, and check it out.
                    De-activate DNSSEC for some time.
                    You're not using the Resolver as a forwarder, right?

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                      skee9679

                      Gertjan,

                      Yes, I am using the resolver on pfSense but not as a forwarder. I took your advice and deactivated DNSSEC. Testing now to see if that fixed it. I will upgrade to p3 this afternoon. If this does fix it, what settings can I change for DNSSEC that will allow me to use it but still get to those websites. Thanks!

                        Gertjan

                        I myself am using the Resolver, with DNSSEC activated. That setting never failed on me.

                        Your Resolver - and probably settings are the same for you and me.

                        If you have many DHCP clients on your LAN, I advise you to disable this one:

                        5c360285-4c5c-4fcd-a9f3-d38b4303fa7c-image.png

                        (because on every DHCP lease unbound will get restarted - which could explain temporary outages. The cache is thrown away also.)

                          skee9679

                          Thank you Gertjan. That DNSSEC setting seems to have been what was causing the issue. That makes sense too given the errors I was seeing about DNS when I inspected the elements in the browsers. I have several DHCP clients on my LAN, although I guess my question is what counts as many? I've normally got between 6 and 9 clients on my LAN. I will look into changing that setting though and see if disabling that and reenabling DNSSEC works. Thanks again for your help!

                            Gertjan

                            @skee9679 said in After upgrade, problems loading certain websites:

                            I guess my question is what counts as many?

                            What I know is:
                            When a "new DHCP device" pops up in the network, it requests an IP (using the DHCP DISCOVER operation). The new lease will be written to a file that unbound (the Resolver) uses.

                            unbound is not capable of detecting the "file change" and reading it in again; unbound has to be restarted (stopped and started) so that the new lease is taken into account.
                            That's why I advise you to remove the check for "DHCP Registration".

                            If you want a device to be "known" on your network by its host name, put in place a Static DHCP mapping on the DHCP server page. This way, unbound can resolve something like your-local LAN based printer.your-pfsense.tld to an IP.
                            These devices never change their IP (== they always get the same IP from the DHCP server) so use that method:

                            026f9511-d5c8-4554-bfed-c7c942bbc3e9-image.png

                            unbound not starting means also: its cache actually becomes useful (and you ask unbound to refresh cache items by itself when they time out - see below). This way the Resolver also becomes a good DNS cache ==> speeding up DNS treatment.

                            DNSSEC: normally, DNSSEC should be totally transparent for you / your device / browser.
                            DNSSEC will (or could, or shall, I don't know) give issues when DNSSEC info is wrong or missing. If you have a doubt, use this site: http://dnsviz.net to test the domain in question.

                            Btw: I've also set these on the Services => DNS Resolver => Advanced Settings page:

                            5465154f-d167-4745-864e-e1e4c962b2b5-image.png

                            The last two options enforce DNSSEC handling, which means (to me): if DNSSEC is wrong, then I can't visit that site. Not a problem for me, because site admins that use DNSSEC better have their settings correct. If not, their site will disappear from the net, for those who use DNSSEC for what it is meant to be: getting correct DNS info - or nothing else ("domain not found error").

                            DNSSEC info is just like classic DNS info, although, because of the much bigger info records, the traffic - DNS requests and/or answers - will go over TCP instead of UDP. (You permit DNS over TCP, right?! DNS isn't only UDP port 53.)

                            Option "Prefetch Support" explains itself: it keeps my cache up to date - as I mentioned above.

                            Use this site https://dnssec.vs.uni-due.de/ to test and see if DNSSEC functions correctly for you.
                            This site also mentions other test sites - see bottom of the page.


                            1 Reply Last reply Reply Quote 0
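
An added example, not part of the original thread: a small shell diagnostic for the two checks Gertjan describes, whether a lookup fails only because of DNSSEC validation and whether large answers can fall back to DNS over TCP. It assumes `dig` is installed on the client; the function names, result labels and the header sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes dig is installed.

# Extract the RCODE and the header flags from dig's text output.
dig_status() { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1; }
dig_flags()  { printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1; }

# classify UDP_STATUS CD_STATUS UDP_FLAGS TCP_STATUS
classify() {
    status=$1
    case " $3 " in
        *" tc "*)   # answer did not fit in UDP, so the TCP result decides
            if [ -z "$4" ]; then echo "truncated-and-tcp-failed"; return 0; fi
            status=$4 ;;
    esac
    if [ "$status" = SERVFAIL ] && [ "$2" = NOERROR ]; then
        echo "dnssec-validation-failure"   # data exists, the validator rejects it
    elif [ "$status" = SERVFAIL ]; then
        echo "servfail-not-dnssec"         # fails even with checking disabled
    else
        echo "ok"
    fi
}

# diagnose NAME [RESOLVER_IP]: run the three queries and classify the results.
diagnose() {
    opts="+dnssec +time=3 +tries=1"
    server=${2:+@$2}                                 # empty means system resolver
    udp=$(dig $server "$1" A $opts +notcp +ignore)   # UDP only, keeps the TC bit
    tcp=$(dig $server "$1" A $opts +tcp)             # same query over TCP port 53
    cd=$(dig $server "$1" A $opts +cd)               # checking disabled (CD bit)
    classify "$(dig_status "$udp")" "$(dig_status "$cd")" \
             "$(dig_flags "$udp")" "$(dig_status "$tcp")"
}

# Constructed sample of dig header lines, used when no NAME is given.
SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ "$#" -ge 1 ]; then
    diagnose "$@"
else
    classify "$(dig_status "$SAMPLE")" NOERROR "$(dig_flags "$SAMPLE")" SERVFAIL
fi
```

A `dnssec-validation-failure` result for a domain is the case to cross-check on dnsviz.net before relaxing validation on the resolver.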
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.