Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    The firewall appears to be blocking outgoing text messages from my phone ...

    Scheduled Pinned Locked Moved Firewalling
    127 Posts 19 Posters 36.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JKnottJ
      JKnott @lifespeed
      last edited by

      @lifespeed

      As I mentioned, my cell company provides initial support for the phones they sell. If necessary, it then goes to the manufacturer. While Samsung may not listen to individuals, they're likely to pay more attention to major carriers.

      However, if you don't try, nothing will happen.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      L 1 Reply Last reply Reply Quote 0
      • L
        lifespeed @JKnott
        last edited by lifespeed

        @JKnott said in The firewall appears to be blocking outgoing text messages from my phone ...:

        @lifespeed

        As I mentioned, my cell company provides initial support for the phones they sell. If necessary, it then goes to the manufacturer. While Samsung may not listen to individuals, they're likely to pay more attention to major carriers.

        However, if you don't try, nothing will happen.

        I already used Verizon support. Once you mention wifi they don't care. If it works on the cell tower, and it does, it's not their problem.

        Let me tell you something I've learned about software bugs, which you're probably well aware of. When you buy a device with a bug, there is no guarantee when or even if it will be fixed. If you can't live with the bug, don't buy the product based on promises of a future fix. If you already have the device, and the bug is intolerable (which it is, in this case), your only sure solution is to ditch the product.

        It may seem like I have a poor attitude towards this, and maybe I do. But my attitude has been shaped by these exact experiences of crap support. You seem pretty optimistic about the whole tech support process.

        JKnottJ 1 Reply Last reply Reply Quote 1
        • JKnottJ
          JKnott @lifespeed
          last edited by JKnott

          @lifespeed said in The firewall appears to be blocking outgoing text messages from my phone ...:

          I already used Verizon support. Once you mention wifi they don't care. If it works on the cell tower, and it does, it's not their problem.

          You might not recall but, a year ago, I had a similar sort of problem. IPv6 was failing on my Internet connection. I was able to demonstrate the problem to tier 2 support, but the people responsible for maintaining the network refused to look at it because I was using my own router (pfSense), despite the fact that I could even identify the failing system by name (thanks to Wireshark). Only by constantly pushing, even calling the office of the president, was I able to get them moving. a senior tech showed up at my home, with his own modem, and saw it also failed. He then took his modem to the head end, where it worked on 3 other systems, but failed on the one I was connected to and had identified. The responsible people then accepted it was their problem. So, if you make enough noise, things happen. Since you're clearly not the only one having the issue, make noise about it. Maybe someone in the right place will notice.

          Also, isn't Verizon one of those companies that uses WiFi, via customer modems, to provide service to other customers? If so, then it's no longer just your problem. It will likely affect any customer that uses WiFi calling, even when away from home.

          BTW, crap support happens because too many people let it happen.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          1 Reply Last reply Reply Quote 0
          • L
            lifespeed
            last edited by lifespeed

            From my Ubiquiti Unifi controller monitoring their 10Gb SFP+ switch and wireless access point:

            Client Galaxy-Note9 is having trouble resolving a domain name to an IP address (DNS timeout).
            
            JKnottJ 1 Reply Last reply Reply Quote 0
            • JKnottJ
              JKnott @lifespeed
              last edited by

              @lifespeed

              Can you do a packet capture of that? With a managed switch, you should be able to set up port mirroring, so that you can use Wireshark.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              L 1 Reply Last reply Reply Quote 0
              • L
                lifespeed @JKnott
                last edited by

                @JKnott I have a 1Gb Netgear GS716Tv3 (managed) uplinked to a 10Gb Ubiquiti US-16-XG (unmanaged). The WAP could be moved to the Netgear for port mirroring.

                Do I plug a Wireshark laptop into the mirrored port and let it capture for a few hours until this event occurs?

                JKnottJ 1 Reply Last reply Reply Quote 0
                • JKnottJ
                  JKnott @lifespeed
                  last edited by JKnott

                  @lifespeed

                  Yes, you configure the mirror port so that it copies the traffic from the AP to the computer running Wireshark. You can set up filters to narrow down the captures. for example, you could have something like ether host <MAC address> and port 53. This will capture all DNS packets to/from the phone's MAC address, whether IPv4 or IPv6.

                  You could probably do the same with the pfSense Packet Capture, but I find Wireshark is better to work with.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  L 1 Reply Last reply Reply Quote 0
                  • L
                    lifespeed @JKnott
                    last edited by

                    @JKnott

                    Wireshark is awful. The Samsung Note9 IPv6 ends in 75a0, here is a capture while a wifi call was received (successfully) by Note9.

                    No.	Time	Source	Destination	Protocol	Length	Info
                    10262	4.084411	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	104	Standard query 0x9e25 AAAA settings.crashlytics.com
                    10265	4.101972	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	167	Standard query response 0x9e25 AAAA settings.crashlytics.com CNAME crashlytics.l.google.com AAAA 2607:f8b0:4005:809::2003
                    10267	4.105301	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	104	Standard query 0x8ebc A settings.crashlytics.com
                    10277	4.118522	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	155	Standard query response 0x8ebc A settings.crashlytics.com CNAME crashlytics.l.google.com A 172.217.6.35
                    11872	4.618443	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	97	Standard query 0xc948 AAAA e.crashlytics.com
                    11943	4.636643	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	273	Standard query response 0xc948 AAAA e.crashlytics.com CNAME events-endpoint-i-1172912053.us-east-1.elb.amazonaws.com SOA ns-1119.awsdns-11.org
                    11983	4.641550	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	97	Standard query 0x526e A e.crashlytics.com
                    12011	4.658921	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	292	Standard query response 0x526e A e.crashlytics.com CNAME events-endpoint-i-1172912053.us-east-1.elb.amazonaws.com A 54.227.236.206 A 54.235.102.234 A 54.235.130.173 A 54.235.139.111 A 54.235.145.134 A 54.235.153.229 A 54.225.77.36 A 54.225.80.137
                    12454	4.789122	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	104	Standard query 0xaf22 AAAA analytics.localytics.com
                    12457	4.806773	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	225	Standard query response 0xaf22 AAAA analytics.localytics.com CNAME queuer-prod-elb.53.localytics.com SOA ns-1150.awsdns-15.org
                    12458	4.811377	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	104	Standard query 0x788e A analytics.localytics.com
                    12485	4.853485	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	265	Standard query response 0x788e A analytics.localytics.com CNAME queuer-prod-elb.53.localytics.com A 52.204.176.87 A 52.204.205.76 A 34.232.55.250 A 34.234.107.175 A 34.234.135.110 A 34.239.78.187 A 52.71.187.57 A 52.72.139.236
                    31900	18.065314	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	105	Standard query 0xe763 AAAA lh3.googleusercontent.com
                    31901	18.080418	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	162	Standard query response 0xe763 AAAA lh3.googleusercontent.com CNAME googlehosted.l.googleusercontent.com AAAA 2607:f8b0:4005:807::2001
                    31903	18.083509	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	105	Standard query 0xf396 A lh3.googleusercontent.com
                    31905	18.083534	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	171	Standard query response 0xf396 A lh3.googleusercontent.com CNAME googlehosted.l.googleusercontent.com A 172.217.6.65
                    
                    JKnottJ 1 Reply Last reply Reply Quote 0
                    • JKnottJ
                      JKnott @lifespeed
                      last edited by

                      @lifespeed

                      Wireshark is a very useful tool. However, as it is fairly complex, there is a bit of a learning curve. However, that crashlytics serverr is actually Google.

                      I just see DNS query response pairs. Are there any failures there?

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      L 1 Reply Last reply Reply Quote 0
                      • L
                        lifespeed @JKnott
                        last edited by

                        @JKnott said in The firewall appears to be blocking outgoing text messages from my phone ...:

                        I just see DNS query response pairs. Are there any failures there?

                        I guess not, will have to wait for it to fail and the spend an hour muddling through wireshark.

                        1 Reply Last reply Reply Quote 0
                        • ?
                          A Former User
                          last edited by A Former User

                          i just recently posted in 'wifi calling being blocked?' here's a copy paste of my response and how i got not only wifi calling, but all sms, mms as well. hope this helps
                          edit additional: i believe this would also affect the carrier's video calling feature as well, the baked into android phone app not like google duo or hangouts etc etc.:

                          "ok yea this is almost a year later however:

                          had this issue - 2.4.5RC packages installed or not didn't matter, wifi calling and MMS would not work

                          was using solely cloudflare dns. yes dnssec ssl/tls

                          added google and quad9 dnssec tls/ssl

                          (i dont think enabling the checkbox for dnssec or all of the other dnssec extras matter as i had the issue before setting it up as well)

                          success

                          for me, the problem is the mobile carrier proxy being an RFC 1918 address, pfsense allows this out from what i could tell, even with the rfc 1918 and bogon blocking enabled on the wan not lan (as expected), but i suspect cloudflare might also have these blocked in such a way - which could explain why the return trip would timeout (see next).

                          for the return trip, it did not return from their internal proxy but rather their external facing 'exit point' (i verified this by running traceroute from my phone while on cell service with hetools to my wan ip address)

                          added their hostnames to whitelist to be safe.

                          if i should post this new elsewhere or something, would someone kindly let me know? thanks"

                          L 1 Reply Last reply Reply Quote 0
                          • L
                            lifespeed @A Former User
                            last edited by

                            @sparkyMcpenguin thanks for sharing. I also had Cloudflare as the sole DNS lookup, but have now added DNSwatch and Quad9. I don't think I'm set up for DNSsec, not sure where that is in pfSense. Will report back if the problem goes away. It is hit or miss so could take a few days.

                            ? 2 Replies Last reply Reply Quote 0
                            • ?
                              A Former User @lifespeed
                              last edited by A Former User

                              @lifespeed what I did after changing settings was just reload unbound, pfblockerng, dnsbl, and snort. No need to restart or wait too long. Cron update as well is what I did. Hope it works!

                              Edit additional: I checked my phone APN settings, added their "mmsc" and "proxy" to the whitelist in dnsbl, host name and IP (excessive, but this was only added AFTER verifying it working adding additional DNS servers)

                              Also, I do not "allow upstream DNS" the forwarding setting. pfsense first, then cloudflare, quad9, Google

                              Edit: Last "also" I have a feeling the Google DNS is what really did it, at least for me, you know cause android, and I'm sure iPhone works too cause they mostly use Google DNS as well from what I remember

                              L 1 Reply Last reply Reply Quote 0
                              • ?
                                A Former User @lifespeed
                                last edited by A Former User

                                @lifespeed as for dnssec uh general setup under system and then the DNS resolver or forwarder had another checkbox I think. Check out dnsprivacy.org

                                1 Reply Last reply Reply Quote 0
                                • L
                                  lifespeed @A Former User
                                  last edited by

                                  @sparkyMcpenguin said in The firewall appears to be blocking outgoing text messages from my phone ...:

                                  Edit: Last "also" I have a feeling the Google DNS is what really did it, at least for me, you know cause android, and I'm sure iPhone works too cause they mostly use Google DNS as well from what I remember

                                  I had avoided the Gogle Empire, but I'll add it to the end of the list.

                                  ? 2 Replies Last reply Reply Quote 0
                                  • ?
                                    A Former User @lifespeed
                                    last edited by A Former User

                                    @lifespeed
                                    i tried too, but that's why i went from just the 1, to 3 for lack of a better term "a RAID 50 DNS connection" raid 5 cause 3 dns make it 50 because dnssec.

                                    if someone takes over all three and screws up my pfsense, there's far bigger problems 🖖 edit: maybe 60, cause technically i have 5, the two backups for cloudflare and google included. i only have the 'secure' quad9 i didn't want to use the 'insecure' secure one lol

                                    1 Reply Last reply Reply Quote 0
                                    • ?
                                      A Former User @lifespeed
                                      last edited by A Former User

                                      @lifespeed
                                      side note: using cloudflare dns (without adding TLS hostname) will use the DoH standard as per the explanation on their site. i believe google does as well. i dont remember about quad9, but from my understanding of the pfsense documentation, if you enter the TLS hostname, it will use both depending on whatever situation or browser being used. as for the 'insecure' secure quad9, that just means it doesn't have their complimentary 'we have ad blocker and ips/ids stuff too guys let us play..." heh

                                      edit let me make this easier:

                                      widget: widget.png

                                      general setup: general setup.png

                                      current base system: currentbasesystem.png

                                      the way i have this set up, and with my knowledge of networking (need to renew my Network+ or just.. not.. ripcomptia) i understand it to work this way with a clean slate and no dns cached entries:

                                      if 127.x.x.x doesn't have record, query dns server list. because i don't 'allow override' ISP can't give me the DNS result cause it's technically blocked (or at least just dropped at the adapter level?) edit: or actually not even seen by them duh

                                      oh this reminds me i have ASN set to one hour, not 24 hours...

                                      sorry for the here and there edits i keep reminding myself of something
                                      "Enable DNSSEC Support" checkbox in DNS resolver settings: dnsreswhole.png

                                      custom options (2 part cause of scroll bar): litllebox1.png
                                      littlebox2.png

                                      L 1 Reply Last reply Reply Quote 0
                                      • L
                                        lifespeed
                                        last edited by

                                        Adding DNSwatch, Quad9 and Google DNS servers did not fix the problem. I don't have hostnames entered for the DNS servers as you have shown. Also it looks like you just updated pfSense to 2.4.5? I think I'm on the previous rev of pfSense, 2.4.4. Also I don't have DNSsec set up, is a self-signed certificate adequate? Will try again tonight.

                                        ? 3 Replies Last reply Reply Quote 0
                                        • ?
                                          A Former User @lifespeed
                                          last edited by

                                          @lifespeed said in The firewall appears to be blocking outgoing text messages from my phone ...:

                                          Adding DNSwatch, Quad9 and Google DNS servers did not fix the problem. I don't have hostnames entered for the DNS servers as you have shown. Also it looks like you just updated pfSense to 2.4.5? I think I'm on the previous rev of pfSense, 2.4.4. Also I don't have DNSsec set up, is a self-signed certificate adequate? Will try again tonight.

                                          self signed yes i think. i just wanted the 8 dollar domain and ddos and whois protection from namecheap lol

                                          ? 1 Reply Last reply Reply Quote 0
                                          • ?
                                            A Former User @A Former User
                                            last edited by

                                            @sparkyMcpenguin said in The firewall appears to be blocking outgoing text messages from my phone ...:

                                            @lifespeed said in The firewall appears to be blocking outgoing text messages from my phone ...:

                                            Adding DNSwatch, Quad9 and Google DNS servers did not fix the problem. I don't have hostnames entered for the DNS servers as you have shown. Also it looks like you just updated pfSense to 2.4.5? I think I'm on the previous rev of pfSense, 2.4.4. Also I don't have DNSsec set up, is a self-signed certificate adequate? Will try again tonight.

                                            self signed yes i think. i just wanted the 8 dollar domain and ddos and whois protection from namecheap lol

                                            this 8 dollar domain also was just for name resolution (ya i could've acme but eh)

                                            technically i didn't need it for these purposes, i was just preparing for later on when i added openvpn, so that name resolution could be supplemental on my DDNS (residential IP)

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.