specific website suddenly unreachable

KOM

@the_2pc No idea. Take a packet capture of traffic to/from that IP address and then look at it in wireshark to see what's going on.

the_2PC

@kom

I'm not very good with wireshark, and I'm not sure what I'm looking for in this case. Could you take a look at the capture if I upload the file?

the_2PC

Here's the info from the capture pertaining to my desktop. There was lots of other data from the PCs that are mining and it all looked normal. I'll look more into it to understand what this is telling me, but does anything obvious stick out to you?

KOM

@the_2pc That snippet looks like it's sending a SYN to initiate a connection but not getting a SYNACK back, so it keeps trying to start the handshake over and over.

AKEGEC

@the_2pc after the terror attack in Belgium some of my clients have the same problems. Try to edit your hosts file.

Gertjan

@the_2pc said in specific website suddenly unreachable:

A few days ago the website prohashing.com became unreachable. The site is not down, and I can reach it from anything not connected to my pf router. I can reach it if I connect directly to my modem and my ISP has confirmed they are not blocking it in any way. I can ping the site from my desktop and it returns the right IP, however the website remains completely unreachable. I've done the basic troubleshooting (reboots and such) but still nothing. I've got some computers that are mining (using prohashing pool) and they can access whatever prohashing resources just fine. It appears the website is the only thing not working as far as I can tell.

Any suggestions on what my problem could be?
Thanks

What about asking asking pfSense what's up ?

dig @127.0.0.1 prohashing.com

Also : use any site like https://zonemaster.net/domain_check and use it often.
In case of doubt, have it analysed.

Don't use these :

@the_2pc said in specific website suddenly unreachable:

1.1.1.1
9.9.9.9
1.0.0.1
208.67.222.222

The resolver (unbound) is a resolver. When you transform it into a dumb forwarder, you just add more things in the queue that can go wrong.

Btw : before you ask : no : pfSense doesn't know what "prohashing.com" is, who it is, whatever.
pfSense uses IP addresses. There are some DNS facilities on board, so humans can interface with the connected networks.
pfSense itself doesn't care less about domain names.

the_2PC

@akegec said in specific website suddenly unreachable:

@the_2pc after the terror attack in Belgium some of my clients have the same problems. Try to edit your hosts file.

Unfortunately this did not work :/

@gertjan said in specific website suddenly unreachable:

@the_2pc said in specific website suddenly unreachable:

A few days ago the website prohashing.com became unreachable. The site is not down, and I can reach it from anything not connected to my pf router. I can reach it if I connect directly to my modem and my ISP has confirmed they are not blocking it in any way. I can ping the site from my desktop and it returns the right IP, however the website remains completely unreachable. I've done the basic troubleshooting (reboots and such) but still nothing. I've got some computers that are mining (using prohashing pool) and they can access whatever prohashing resources just fine. It appears the website is the only thing not working as far as I can tell.

Any suggestions on what my problem could be?
Thanks

What about asking asking pfSense what's up ?

dig @127.0.0.1 prohashing.com

; <<>> DiG 9.12.2-P1 <<>> @127.0.0.1 prohashing.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4960
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;prohashing.com.			IN	A

;; ANSWER SECTION:
prohashing.com.		366	IN	A	50.220.121.209

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 05 18:15:31 UTC 2021
;; MSG SIZE  rcvd: 59

@gertjan said in specific website suddenly unreachable:

Also : use any site like https://zonemaster.net/domain_check and use it often.
In case of doubt, have it analysed.

	CONNECTIVITY
0	CONNECTIVITY	INFO	Nameserver dns1.registrar-servers.com/156.154.132.200 accessible over UDP on port 53.
1	CONNECTIVITY	INFO	Nameserver dns1.registrar-servers.com/2610:a1:1024::200 accessible over UDP on port 53.
2	CONNECTIVITY	INFO	Nameserver dns2.registrar-servers.com/156.154.133.200 accessible over UDP on port 53.
3	CONNECTIVITY	INFO	Nameserver dns2.registrar-servers.com/2610:a1:1025::200 accessible over UDP on port 53.
4	CONNECTIVITY	INFO	Nameserver dns1.registrar-servers.com/156.154.132.200 accessible over TCP on port 53.
5	CONNECTIVITY	INFO	Nameserver dns1.registrar-servers.com/2610:a1:1024::200 accessible over TCP on port 53.
6	CONNECTIVITY	ERROR	Nameserver dns2.registrar-servers.com/156.154.133.200 not accessible over TCP on port 53.
7	CONNECTIVITY	INFO	Nameserver dns2.registrar-servers.com/2610:a1:1025::200 accessible over TCP on port 53.
8	CONNECTIVITY	INFO	At least two IPv4 addresses of the authoritative nameservers are announce by different AS sets. A merged list of all AS: (19905, 397213, 397218, 397228, 397232, 397235, 397238, 397242).
9	CONNECTIVITY	INFO	At least two IPv6 add

	DNSSEC
0	DNSSEC	NOTICE	There are neither DS nor DNSKEY records for the zone.
1	DNSSEC	NOTICE	The zone is not signed with DNSSEC.

I'm not smart enough to know what I need to do with the information I've found here.

@gertjan said in specific website suddenly unreachable:

Don't use these :

@the_2pc said in specific website suddenly unreachable:

1.1.1.1
9.9.9.9
1.0.0.1
208.67.222.222

The resolver (unbound) is a resolver. When you transform it into a dumb forwarder, you just add more things in the queue that can go wrong.

This problem existed before I changed to these DNS servers, I enabled the "dns query forwarding" option as a troubleshooting step.

KOM

@the_2pc Do you have just the one WAN?

the_2PC

@kom
Yes. We have a block of 5 IPs on our account, but only 1 coming into this pf box. The others are currently unused.

KOM

@the_2pc Do a packet capture that keys on 50.220.121.209, then do a find & replace on the results to remove your public IP, then post it here so me or others can look at what's going on. That small snippet you posted above isn't enough information to see what's going on.

KOM

@kom The file was sent privately and I've replaced his public IP with 12.34.56.78:

cap.txt

You have something constantly talking to that IP via port 3339 and those comms happen just fine. All the attempts to start a connection with port 443 are not replied to. The other end isn't responding. I don't understand how pfSense would be the cause, but you say the problem goes away if you take it out of the loop.

the_2PC

@kom

Port 3339 is the port for the mining software, which is working fine. I will contact their support and see if our IP has been blocked or something, because it's fine from literally every other source.

KOM

@the_2pc You did say it worked fine without pfSense involved though, so that can't be it.

the_2PC

@kom

Well, maybe. When I plugged directly into the modem it gave us a DHCP IP, it was not using our static. I did not have an easy way at the time to use our static IP without using PF (during the workday I cant just take everyone offline or I'll have some very unhappy coworkers)

KOM

@the_2pc A-HA! I knew there had to be something else. Do you have more than one static IP you could try?

the_2PC

@kom

Okay I changed to another of our static IPs for a few moments and it worked fine. So it IS something to with that IP...
I've opened a ticket with their support team for further investigation.

KOM

@the_2pc $10 please

the_2PC

Turns out we had a few too many incorrect login attempts (someone forgot a password) and they IP banned us. All is working again.
Thanks everyone