The firewall appears to be blocking outgoing text messages from my phone ...

JKnott

As I mentioned, my cell company provides initial support for the phones they sell. If necessary, it then goes to the manufacturer. While Samsung may not listen to individuals, they're likely to pay more attention to major carriers.

However, if you don't try, nothing will happen.

lifespeed

@JKnott said in The firewall appears to be blocking outgoing text messages from my phone ...:

@lifespeed

As I mentioned, my cell company provides initial support for the phones they sell. If necessary, it then goes to the manufacturer. While Samsung may not listen to individuals, they're likely to pay more attention to major carriers.

However, if you don't try, nothing will happen.

I already used Verizon support. Once you mention wifi they don't care. If it works on the cell tower, and it does, it's not their problem.

Let me tell you something I've learned about software bugs, which you're probably well aware of. When you buy a device with a bug, there is no guarantee when or even if it will be fixed. If you can't live with the bug, don't buy the product based on promises of a future fix. If you already have the device, and the bug is intolerable (which it is, in this case), your only sure solution is to ditch the product.

It may seem like I have a poor attitude towards this, and maybe I do. But my attitude has been shaped by these exact experiences of crap support. You seem pretty optimistic about the whole tech support process.

JKnott

@lifespeed said in The firewall appears to be blocking outgoing text messages from my phone ...:

I already used Verizon support. Once you mention wifi they don't care. If it works on the cell tower, and it does, it's not their problem.

You might not recall but, a year ago, I had a similar sort of problem. IPv6 was failing on my Internet connection. I was able to demonstrate the problem to tier 2 support, but the people responsible for maintaining the network refused to look at it because I was using my own router (pfSense), despite the fact that I could even identify the failing system by name (thanks to Wireshark). Only by constantly pushing, even calling the office of the president, was I able to get them moving. a senior tech showed up at my home, with his own modem, and saw it also failed. He then took his modem to the head end, where it worked on 3 other systems, but failed on the one I was connected to and had identified. The responsible people then accepted it was their problem. So, if you make enough noise, things happen. Since you're clearly not the only one having the issue, make noise about it. Maybe someone in the right place will notice.

Also, isn't Verizon one of those companies that uses WiFi, via customer modems, to provide service to other customers? If so, then it's no longer just your problem. It will likely affect any customer that uses WiFi calling, even when away from home.

BTW, crap support happens because too many people let it happen.

lifespeed

From my Ubiquiti Unifi controller monitoring their 10Gb SFP+ switch and wireless access point:

Client Galaxy-Note9 is having trouble resolving a domain name to an IP address (DNS timeout).

JKnott

@lifespeed

Can you do a packet capture of that? With a managed switch, you should be able to set up port mirroring, so that you can use Wireshark.

lifespeed

@JKnott I have a 1Gb Netgear GS716Tv3 (managed) uplinked to a 10Gb Ubiquiti US-16-XG (unmanaged). The WAP could be moved to the Netgear for port mirroring.

Do I plug a Wireshark laptop into the mirrored port and let it capture for a few hours until this event occurs?

JKnott

@lifespeed

Yes, you configure the mirror port so that it copies the traffic from the AP to the computer running Wireshark. You can set up filters to narrow down the captures. for example, you could have something like ether host <MAC address> and port 53. This will capture all DNS packets to/from the phone's MAC address, whether IPv4 or IPv6.

You could probably do the same with the pfSense Packet Capture, but I find Wireshark is better to work with.

lifespeed

@JKnott

Wireshark is awful. The Samsung Note9 IPv6 ends in 75a0, here is a capture while a wifi call was received (successfully) by Note9.

No.	Time	Source	Destination	Protocol	Length	Info
10262	4.084411	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	104	Standard query 0x9e25 AAAA settings.crashlytics.com
10265	4.101972	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	167	Standard query response 0x9e25 AAAA settings.crashlytics.com CNAME crashlytics.l.google.com AAAA 2607:f8b0:4005:809::2003
10267	4.105301	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	104	Standard query 0x8ebc A settings.crashlytics.com
10277	4.118522	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	155	Standard query response 0x8ebc A settings.crashlytics.com CNAME crashlytics.l.google.com A 172.217.6.35
11872	4.618443	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	97	Standard query 0xc948 AAAA e.crashlytics.com
11943	4.636643	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	273	Standard query response 0xc948 AAAA e.crashlytics.com CNAME events-endpoint-i-1172912053.us-east-1.elb.amazonaws.com SOA ns-1119.awsdns-11.org
11983	4.641550	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	97	Standard query 0x526e A e.crashlytics.com
12011	4.658921	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	292	Standard query response 0x526e A e.crashlytics.com CNAME events-endpoint-i-1172912053.us-east-1.elb.amazonaws.com A 54.227.236.206 A 54.235.102.234 A 54.235.130.173 A 54.235.139.111 A 54.235.145.134 A 54.235.153.229 A 54.225.77.36 A 54.225.80.137
12454	4.789122	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	104	Standard query 0xaf22 AAAA analytics.localytics.com
12457	4.806773	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	225	Standard query response 0xaf22 AAAA analytics.localytics.com CNAME queuer-prod-elb.53.localytics.com SOA ns-1150.awsdns-15.org
12458	4.811377	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	104	Standard query 0x788e A analytics.localytics.com
12485	4.853485	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	265	Standard query response 0x788e A analytics.localytics.com CNAME queuer-prod-elb.53.localytics.com A 52.204.176.87 A 52.204.205.76 A 34.232.55.250 A 34.234.107.175 A 34.234.135.110 A 34.239.78.187 A 52.71.187.57 A 52.72.139.236
31900	18.065314	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	105	Standard query 0xe763 AAAA lh3.googleusercontent.com
31901	18.080418	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	162	Standard query response 0xe763 AAAA lh3.googleusercontent.com CNAME googlehosted.l.googleusercontent.com AAAA 2607:f8b0:4005:807::2001
31903	18.083509	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	2601:646:8c03:52a0:225:90ff:febb:bf0c	DNS	105	Standard query 0xf396 A lh3.googleusercontent.com
31905	18.083534	2601:646:8c03:52a0:225:90ff:febb:bf0c	2601:646:8c03:52a0:e0b9:xxxx:xxxx:75a0	DNS	171	Standard query response 0xf396 A lh3.googleusercontent.com CNAME googlehosted.l.googleusercontent.com A 172.217.6.65

JKnott

@lifespeed

Wireshark is a very useful tool. However, as it is fairly complex, there is a bit of a learning curve. However, that crashlytics serverr is actually Google.

I just see DNS query response pairs. Are there any failures there?

lifespeed

@JKnott said in The firewall appears to be blocking outgoing text messages from my phone ...:

I just see DNS query response pairs. Are there any failures there?

I guess not, will have to wait for it to fail and the spend an hour muddling through wireshark.

A Former User

i just recently posted in 'wifi calling being blocked?' here's a copy paste of my response and how i got not only wifi calling, but all sms, mms as well. hope this helps
edit additional: i believe this would also affect the carrier's video calling feature as well, the baked into android phone app not like google duo or hangouts etc etc.:

"ok yea this is almost a year later however:

had this issue - 2.4.5RC packages installed or not didn't matter, wifi calling and MMS would not work

was using solely cloudflare dns. yes dnssec ssl/tls

added google and quad9 dnssec tls/ssl

(i dont think enabling the checkbox for dnssec or all of the other dnssec extras matter as i had the issue before setting it up as well)

success

for me, the problem is the mobile carrier proxy being an RFC 1918 address, pfsense allows this out from what i could tell, even with the rfc 1918 and bogon blocking enabled on the wan not lan (as expected), but i suspect cloudflare might also have these blocked in such a way - which could explain why the return trip would timeout (see next).

for the return trip, it did not return from their internal proxy but rather their external facing 'exit point' (i verified this by running traceroute from my phone while on cell service with hetools to my wan ip address)

added their hostnames to whitelist to be safe.

if i should post this new elsewhere or something, would someone kindly let me know? thanks"

lifespeed

@sparkyMcpenguin thanks for sharing. I also had Cloudflare as the sole DNS lookup, but have now added DNSwatch and Quad9. I don't think I'm set up for DNSsec, not sure where that is in pfSense. Will report back if the problem goes away. It is hit or miss so could take a few days.

A Former User

@lifespeed what I did after changing settings was just reload unbound, pfblockerng, dnsbl, and snort. No need to restart or wait too long. Cron update as well is what I did. Hope it works!

Edit additional: I checked my phone APN settings, added their "mmsc" and "proxy" to the whitelist in dnsbl, host name and IP (excessive, but this was only added AFTER verifying it working adding additional DNS servers)

Also, I do not "allow upstream DNS" the forwarding setting. pfsense first, then cloudflare, quad9, Google

Edit: Last "also" I have a feeling the Google DNS is what really did it, at least for me, you know cause android, and I'm sure iPhone works too cause they mostly use Google DNS as well from what I remember

A Former User

@lifespeed as for dnssec uh general setup under system and then the DNS resolver or forwarder had another checkbox I think. Check out dnsprivacy.org

lifespeed

@sparkyMcpenguin said in The firewall appears to be blocking outgoing text messages from my phone ...:

Edit: Last "also" I have a feeling the Google DNS is what really did it, at least for me, you know cause android, and I'm sure iPhone works too cause they mostly use Google DNS as well from what I remember

I had avoided the Gogle Empire, but I'll add it to the end of the list.

A Former User

@lifespeed
i tried too, but that's why i went from just the 1, to 3 for lack of a better term "a RAID 50 DNS connection" raid 5 cause 3 dns make it 50 because dnssec.

if someone takes over all three and screws up my pfsense, there's far bigger problems edit: maybe 60, cause technically i have 5, the two backups for cloudflare and google included. i only have the 'secure' quad9 i didn't want to use the 'insecure' secure one lol

A Former User

@lifespeed
side note: using cloudflare dns (without adding TLS hostname) will use the DoH standard as per the explanation on their site. i believe google does as well. i dont remember about quad9, but from my understanding of the pfsense documentation, if you enter the TLS hostname, it will use both depending on whatever situation or browser being used. as for the 'insecure' secure quad9, that just means it doesn't have their complimentary 'we have ad blocker and ips/ids stuff too guys let us play..." heh

edit let me make this easier:

widget:

general setup: general setup.png

current base system:

the way i have this set up, and with my knowledge of networking (need to renew my Network+ or just.. not.. ripcomptia) i understand it to work this way with a clean slate and no dns cached entries:

if 127.x.x.x doesn't have record, query dns server list. because i don't 'allow override' ISP can't give me the DNS result cause it's technically blocked (or at least just dropped at the adapter level?) edit: or actually not even seen by them duh

oh this reminds me i have ASN set to one hour, not 24 hours...

sorry for the here and there edits i keep reminding myself of something
"Enable DNSSEC Support" checkbox in DNS resolver settings:

custom options (2 part cause of scroll bar):

lifespeed

Adding DNSwatch, Quad9 and Google DNS servers did not fix the problem. I don't have hostnames entered for the DNS servers as you have shown. Also it looks like you just updated pfSense to 2.4.5? I think I'm on the previous rev of pfSense, 2.4.4. Also I don't have DNSsec set up, is a self-signed certificate adequate? Will try again tonight.

A Former User

@lifespeed said in The firewall appears to be blocking outgoing text messages from my phone ...:

Adding DNSwatch, Quad9 and Google DNS servers did not fix the problem. I don't have hostnames entered for the DNS servers as you have shown. Also it looks like you just updated pfSense to 2.4.5? I think I'm on the previous rev of pfSense, 2.4.4. Also I don't have DNSsec set up, is a self-signed certificate adequate? Will try again tonight.

self signed yes i think. i just wanted the 8 dollar domain and ddos and whois protection from namecheap lol

A Former User

@sparkyMcpenguin said in The firewall appears to be blocking outgoing text messages from my phone ...:

@lifespeed said in The firewall appears to be blocking outgoing text messages from my phone ...:

Adding DNSwatch, Quad9 and Google DNS servers did not fix the problem. I don't have hostnames entered for the DNS servers as you have shown. Also it looks like you just updated pfSense to 2.4.5? I think I'm on the previous rev of pfSense, 2.4.4. Also I don't have DNSsec set up, is a self-signed certificate adequate? Will try again tonight.

self signed yes i think. i just wanted the 8 dollar domain and ddos and whois protection from namecheap lol

this 8 dollar domain also was just for name resolution (ya i could've acme but eh)

technically i didn't need it for these purposes, i was just preparing for later on when i added openvpn, so that name resolution could be supplemental on my DDNS (residential IP)