Amazon and LinkedIn Android apps do not go through PFSense router
-
A quick test is to put at the top of your lan rules an any rule that you disable but turn on to prove something important is not getting blocked.
Worth changing protocol TCP to any in your test rule too.
With phones I always ask are your sure what is actually going on... Also with APs these can NAT if they are in the wrong mode often - do all the things that may provide WiFi have different SSIDs so you know which one you are actually connected to?phone -> WiFi AP (Is this in bridge / Access point mode not router mode?)-> pfSense -> home network (any other WiFi?) -> ISP Router (WiFi?) -> InternetI assume the above is possibly your phones route to the internet?
-
@kmarston Hi - Thanks for the quick reply.....totally lost...
Looked in the interfaces and couldnt see what you were getting at...then looked in the Rules and still couldnt see what you were telling me to look for...
With regards to the AP....ive got one EnGenius Ap that does the wireless (soon to be 2) as i need a bit more coverage.
As for the phone - no, not really too sure whats going on...but, thats why im here..! :)
-
It's probably something DNS related or IPv6.
How are you handling DNS on the firewall? The default is to pass the interface IP to client to use via dhcp which then use Unbound (the resolver) running on the firewall. Somethings are hard coded to use, for example, 8.8.8.8 abd will fail if you're blocking that without re-directing it.
Do you have IPv6 at all? Some things will always try to use it if they have a v6 IP even if the connection is invalid/misconfigured.
Steve
-
Hi - thanks for the reply - i was using 1.1.1.1 (trying to stay away from google) but ill try 8.8.8.8 - see what happens....thanks for the suggestion...
Oh - no im not using IPV6
-
@comfy Just tried - still the same...good idea though...
-
How are you setting that DNS server though?
By setting any external server directly you may be overriding whatever they are trying to reach.
Steve
-
@stephenw10 Hi - im was setting 1.1.1.1 but then did try 8.8.8.8 and it was still the same. Go with me here (as im next to useless with networking) but if you set DNS server "A" and not "B" then it should still be able to make it to where its going...or am i wrong ( i suspect i am)....
-
Where are you setting that address for DNS?
-
@stephenw10 Services>DHCP server and then in there....currently set to 1.1.1.1
-
Ok. Are you blocking access to other DNS?
Something there may be hardcoded and failing.
-
@stephenw10 If i am im not sure where im doing that (blocking DNS) - where do i look to see if i am.?
Just to add (and i dont know if it helps) the app will briefly load up then error...not sure if that helps....ie i briefly saw my orders then got the "oops" message...
-
You would have to be blocking it deliberately in the LAN side firewall rules or redirecting it as shown here:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.htmlCan you set another client to use a different DNS server and test that?
Are you sure there is no IPv6 on the clients hitting this?
Steve
-
@stephenw10 ok- went through and added the rule (im not really sure what im doing at this point but doing a monkey see monkey do) but its still the same....amazon on my laptop works fine though....
So, just tried it on my wifes Ipad and it works on there so, it could be my phone S9+ its not been rooted or reflashed but ill just try an app reinstall....strange that it does work on the 4g connection though....
-
@comfy Same with a reinstall....works on 4g no dice on the Lan
-
Using that redirect rule would more likely break this. I was pointing out you have to have that in place to break other DNS servers. You should remove it if you don't need that.
What if you don't pass any alternative DNS servers to the client and allow it to use the Resolver in pfSense?
If there's no change it's probably not DNS in which case my second best suspect is still IPv6. Check the phone does not have an IPv6 address.
Steve
-
@stephenw10 yeah = once i found out it didnt work i removed the rule....i did look on the phone and couldnt find any connectivity for ipv6 - would it just be easier to disable ipv6 on the pfsense.?
-
Yes you can. It will only hand out v6 if it has anything to hand out though.
Checking the phone verifies that.
Steve
-
@stephenw10 ok - wheres that setting on the PF ? i did go looking earlier on...as im new to it theres a multitude of settings...!
-
Services > DHCPv6 Server & RA.
With that disabled you can set the LAN interface IPv6 to 'none' rather than track WAN. Then you can set the WAN v6 to none.
Steve
-
@stephenw10 Thats it....disabled ipv6 but couldnt see the track wan option but, its working...brilliant! thanks very much for the help.
