Netgate Discussion Forum

    pfSense blocking addic7ed, but how ?

    General pfSense Questions
      KOM @chudak

      @chudak You're not getting a response back from them according to wget. To do a packet capture, go to Diagnostics - Packet Capture. Leave it all at defaults except for Host Address, which you should plonk in 46.105.102.174. Click Start at the bottom. Then use a browser or wget to fetch that site again. When it fails, stop the capture and then look at what it says. We can help with that if you post the output with your public IP obscured.

        johnpoz LAYER 8 Global Moderator @KOM

        Do it on the WAN side.. lan side not going to validate pfsense sent it on

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          chudak @KOM

          @kom said in pfSense blocking addic7ed, but how ?:

          > @chudak You're not getting a response back from them according to wget. To do a packet capture, go to Diagnostics - Packet Capture. Leave it all at defaults except for Host Address, which you should plonk in 46.105.102.174. Click Start at the bottom. Then use a browser or wget to fetch that site again. When it fails, stop the capture and then look at what it says. We can help with that if you post the output with your public IP obscured.

          I did it on WAN and it does not show too much, only this many lines:

          10:21:58.350108 IP WAN_IP.1089 > 46.105.102.174.80: tcp 0
          
            KOM @chudak

            @chudak That site is https with an http redirect. Try your test again using a browser and go to https://www.addic7ed.com

              chudak @KOM

              @kom @johnpoz

              See this, better ?

              10:36:38.601908 IP WAN_IP > ISP_IP: ICMP echo request, id 3384, seq 43306, length 9
              10:36:38.604259 IP ISP_IP > WAN_IP: ICMP echo reply, id 3384, seq 43306, length 9
              10:36:38.637137 IP WAN_IP.64380 > 9.9.9.9.853: tcp 0
              10:36:38.640579 IP WAN_IP.24273 > 172.217.6.46.443: UDP, length 423
              10:36:38.641853 IP 9.9.9.9.853 > WAN_IP.64380: tcp 0
              10:36:38.641899 IP WAN_IP.64380 > 9.9.9.9.853: tcp 0
              10:36:38.642325 IP WAN_IP.64380 > 9.9.9.9.853: tcp 293
              10:36:38.644763 IP 172.217.6.46.443 > WAN_IP.24273: UDP, length 32
              10:36:38.646518 IP WAN_IP.24273 > 172.217.6.46.443: UDP, length 34
              10:36:38.646678 IP 9.9.9.9.853 > WAN_IP.64380: tcp 0
              10:36:38.647248 IP 9.9.9.9.853 > WAN_IP.64380: tcp 1448
              10:36:38.647262 IP WAN_IP.64380 > 9.9.9.9.853: tcp 0
              10:36:38.647265 IP 9.9.9.9.853 > WAN_IP.64380: tcp 1436
              10:36:38.647278 IP WAN_IP.64380 > 9.9.9.9.853: tcp 0
              10:36:38.651608 IP WAN_IP.64380 > 9.9.9.9.853: tcp 80
              10:36:38.656734 IP 9.9.9.9.853 > WAN_IP.64380: tcp 239
              10:36:38.656751 IP WAN_IP.64380 > 9.9.9.9.853: tcp 152
              10:36:38.656756 IP 9.9.9.9.853 > WAN_IP.64380: tcp 239
              10:36:38.656765 IP WAN_IP.64380 > 9.9.9.9.853: tcp 0
              10:36:38.665453 IP 172.217.6.46.443 > WAN_IP.24273: UDP, length 535
              10:36:38.665795 IP 172.217.6.46.443 > WAN_IP.24273: UDP, length 69
              10:36:38.666163 IP WAN_IP.24273 > 172.217.6.46.443: UDP, length 40
              10:36:38.667843 IP WAN_IP.24273 > 172.217.6.46.443: UDP, length 34
              10:36:38.671232 IP 172.217.6.46.443 > WAN_IP.24273: UDP, length 26
              10:36:38.682128 IP 9.9.9.9.853 > WAN_IP.64380: tcp 84
              10:36:38.682140 IP WAN_IP.64380 > 9.9.9.9.853: tcp 0
              10:36:38.682866 IP WAN_IP.21724 > 34.199.142.162.1883: tcp 549
              10:36:38.688527 IP WAN_IP.31640 > 142.250.72.195.443: UDP, length 1350
              10:36:38.710016 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 1350
              10:36:38.711884 IP WAN_IP.31640 > 142.250.72.195.443: UDP, length 1350
              10:36:38.712253 IP WAN_IP.31640 > 142.250.72.195.443: UDP, length 462
              10:36:38.716607 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 612
              10:36:38.716623 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 76
              10:36:38.716875 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 29
              10:36:38.717267 IP WAN_IP.31640 > 142.250.72.195.443: UDP, length 33
              10:36:38.734409 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 375
              10:36:38.734733 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 25
              10:36:38.735170 IP WAN_IP.31640 > 142.250.72.195.443: UDP, length 35
              10:36:38.759637 IP 34.199.142.162.1883 > WAN_IP.21724: tcp 53
              10:36:38.761106 IP WAN_IP.31640 > 142.250.72.195.443: UDP, length 33
              10:36:38.764603 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 25
              10:36:38.903124 IP WAN_IP.10538 > 66.115.176.155.51820: UDP, length 304
              10:36:38.903134 IP WAN_IP.10538 > 66.115.176.155.51820: UDP, length 1452
              10:36:38.903234 IP WAN_IP.10538 > 66.115.176.155.51820: UDP, length 1452
              10:36:38.907129 IP 66.115.176.155.51820 > WAN_IP.10538: UDP, length 96
              10:36:38.907248 IP 66.115.176.155.51820 > WAN_IP.10538: UDP, length 96
              10:36:38.907546 IP WAN_IP.10538 > 66.115.176.155.51820: UDP, length 832
              10:36:38.911514 IP 66.115.176.155.51820 > WAN_IP.10538: UDP, length 96
              10:36:38.965953 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:38.965976 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:38.965993 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:38.966010 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:38.966021 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:38.966066 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:38.966079 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1155
              10:36:38.966309 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
              10:36:38.966320 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
              10:36:38.966721 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:38.966752 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:38.966857 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:38.966881 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1233
              10:36:38.966974 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
              10:36:38.967573 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
              10:36:38.967612 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:38.967643 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:38.967746 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 832
              10:36:38.967882 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
              10:36:38.970822 IP WAN_IP.21724 > 34.199.142.162.1883: tcp 0
              10:36:39.010108 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
              10:36:39.038817 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.038872 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.038905 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.038925 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.038949 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.038978 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039005 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039031 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039135 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039149 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039160 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039177 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039188 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039201 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039212 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039231 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
              10:36:39.039239 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039266 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039292 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039319 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
              10:36:39.039451 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
              10:36:39.039460 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
              10:36:39.039590 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039609 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039722 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
              10:36:39.039724 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039741 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039754 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039769 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039781 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              10:36:39.039793 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
              
              
              Always wanted to improve on packet capture, thank you for helping !

                johnpoz LAYER 8 Global Moderator @chudak

                You should filter on the IP you're trying to go to.. this 46.105.102.174

                Or it's going to only log everything - default to only 100 packets. So quite possible you miss what you're looking for.

                Also you can then download that in wireshark and get more details.. If there is an answer, was it RST or FIN, etc.

                  chudak @johnpoz

                  @johnpoz said in pfSense blocking addic7ed, but how ?:

                  > You should filter on the IP you're trying to go to.. this 46.105.102.174
                  >
                  > Or it's going to only log everything - default to only 100 packets. So quite possible you miss what you're looking for.
                  >
                  > Also you can then download that in wireshark and get more details.. If there is an answer, was it RST or FIN, etc.

                  I still see only

                  11:31:06.926814 IP WAN_IP.1089 > 46.105.102.174.80: tcp 0
                  

                  and assuming that I understood you correctly for "If there is an answer, was it RST or FIN, etc." I see in pfTop:

                  pfTop: Up State 1-8/8 (571), View: default, Order: bytes
                  PR        DIR SRC                           DEST                                   STATE                AGE       EXP     PKTS    BYTES
                  tcp       In  192.168.90.8:56162            46.105.102.174:443            ESTABLISHED:FIN_WAIT_2   00:08:17  00:10:08     3745  3625782
                  tcp       Out WAN_IP:14382          46.105.102.174:443             FIN_WAIT_2:ESTABLISHED  00:08:17  00:10:08     3745  3625782
                  tcp       In  192.168.90.3:32870            46.105.102.174:443                 CLOSED:SYN_SENT     00:00:37  00:00:24        6      360
                  

                  Maybe using Packet Capture incorrectly ?!

                    KOM @chudak

                    @chudak Why is it going to port 80 when I asked you to go to https? Set your packet capture to WAN and host address 46.105.102.174 then start it, then go to your browser and try the address https://www.addic7ed.com and don't forget the S.

                      chudak @KOM

                      @kom

                      No clue why it showed port 80

                      hit in FF https://www.addic7ed.com/

                      11:42:51.219581 IP WAN_IP.4881 > 46.105.102.174.443: tcp 0
                      11:42:51.469814 IP WAN_IP.38930 > 46.105.102.174.443: tcp 0
                      11:42:52.238682 IP WAN_IP.4881 > 46.105.102.174.443: tcp 0
                      
                        johnpoz LAYER 8 Global Moderator @chudak

                        And you get no answer.. from that last sniff.. So pfsense is NOT blocking anything..


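The reasoning in the post above (packets leave on WAN, nothing comes back, so the firewall is passing the traffic) can be checked mechanically against the capture text. This is an added example, not part of the original thread: the function names are hypothetical and the sample lines are copied from the captures posted here. The low-detail output carries no TCP flags, so repeated zero-length packets are only consistent with retransmitted SYNs.

```python
import re
from collections import defaultdict

# Low-detail pfSense / tcpdump summary line: "<time> IP <src> > <dst>: <info>"
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}\.\d+) IP (\S+) > (\S+): (.*)$")

# Lines copied from the captures posted in this thread. WAN_IP and ISP_IP are
# the poster's own placeholders for the obscured addresses.
THREAD_CAPTURE = """\
11:42:51.219581 IP WAN_IP.4881 > 46.105.102.174.443: tcp 0
11:42:51.469814 IP WAN_IP.38930 > 46.105.102.174.443: tcp 0
11:42:52.238682 IP WAN_IP.4881 > 46.105.102.174.443: tcp 0
10:36:38.637137 IP WAN_IP.64380 > 9.9.9.9.853: tcp 0
10:36:38.641853 IP 9.9.9.9.853 > WAN_IP.64380: tcp 0
10:36:38.642325 IP WAN_IP.64380 > 9.9.9.9.853: tcp 293
10:36:38.601908 IP WAN_IP > ISP_IP: ICMP echo request, id 3384, seq 43306, length 9
"""


def split_endpoint(endpoint, has_port):
    """Split 'host.port' into (host, port). ICMP endpoints carry no port."""
    if not has_port:
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Return a packet dict, or None for lines that are not capture output."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    hh, mm, ss, src, dst, info = m.groups()
    has_port = info.startswith(("tcp", "UDP"))
    return {
        "time": int(hh) * 3600 + int(mm) * 60 + float(ss),
        "src": split_endpoint(src, has_port),
        "dst": split_endpoint(dst, has_port),
    }


def diagnose(capture, target):
    """Group packets to/from `target` into flows and judge each one.

    Flow key: (local port, remote port). Timestamps wrap at midnight, so
    feed it one short capture at a time.
    """
    flows = defaultdict(lambda: {"sent": [], "received": 0})
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dst"][0] == target:      # firewall -> remote
            flows[(pkt["src"][1], pkt["dst"][1])]["sent"].append(pkt["time"])
        elif pkt["src"][0] == target:    # remote -> firewall
            flows[(pkt["dst"][1], pkt["src"][1])]["received"] += 1

    report = {}
    for key, flow in flows.items():
        times = flow["sent"]
        report[key] = {
            "sent": len(times),
            "received": flow["received"],
            # Gaps between repeats; about 1 s with nothing received is
            # consistent with a retransmitted SYN (flags are not shown).
            "gaps": [round(b - a, 3) for a, b in zip(times, times[1:])],
            "verdict": ("remote answered" if flow["received"]
                        else "no reply: left the WAN, nothing came back"),
        }
    return report


if __name__ == "__main__":
    for host in ("46.105.102.174", "9.9.9.9"):
        for flow, result in diagnose(THREAD_CAPTURE, host).items():
            print(host, flow, result)
```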

                          chudak @johnpoz

                          @johnpoz said in pfSense blocking addic7ed, but how ?:

                          > And you get no answer.. from that last sniff.. So pfsense is NOT blocking anything..

                          I agreed with that !

                          The question after that was what is blocking ?

                          I checked on a remote ubuntu box and it works fine. Could it be my ISP +/- upstream DNS servers ?

                            KOM @chudak

                            @chudak I had a guy last week with this same problem. It turned out his IP address was blocked for too many bad logins. He had other IPs available and when he switched to another, the remote site responded and worked. Do you have a VPN you could try going there through?

                              chudak @KOM

                              @kom said in pfSense blocking addic7ed, but how ?:

                              > @chudak I had a guy last week with this same problem. It turned out his IP address was blocked for too many bad logins. He had other IPs available and when he switched to another, the remote site responded and worked. Do you have a VPN you could try going there through?

                              That may be a different issue.
                              I can use a remote system (not on my net) and can login from it.
                              Also in my case I can't even get to a login page...

                                johnpoz LAYER 8 Global Moderator @chudak

                                What is upstream of your pfsense? Just your ISP? Could be connectivity issue with that site from your ISP, ie peering. Or the site themselves might have blocked your IP, etc.

                                DNS is not involved once you resolve the fqdn.. If you got the correct IP when you resolved, then dns is no longer in the picture.. I show that resolving to the same IP.

                                And works just fine here as far as connectivity is connected, get redirect to 443 when hit it on 80 via a 301 and then index is downloaded

                                user@NewUC:/tmp$ wget http://www.addic7ed.com/
                                --2021-05-14 14:28:08--  http://www.addic7ed.com/
                                Resolving www.addic7ed.com (www.addic7ed.com)... 46.105.102.174
                                Connecting to www.addic7ed.com (www.addic7ed.com)|46.105.102.174|:80... connected.
                                HTTP request sent, awaiting response... 301 Moved Permanently
                                Location: https://www.addic7ed.com/ [following]
                                --2021-05-14 14:28:08--  https://www.addic7ed.com/
                                Connecting to www.addic7ed.com (www.addic7ed.com)|46.105.102.174|:443... connected.
                                HTTP request sent, awaiting response... 200 OK
                                Length: unspecified [text/html]
                                Saving to: ‘index.html’
                                
                                index.html                                         [  <=>                                                                                               ] 329.76K   968KB/s    in 0.3s    
                                
                                2021-05-14 14:28:10 (968 KB/s) - ‘index.html’ saved [337672]
                                
                                user@NewUC:/tmp$ 
                                
                                

                                  chudak @johnpoz

                                  @johnpoz

                                  I have Sonic fiber ISP
                                  Good point about DNS - withdrawn

                                  Dunno, flaky, we will see

                                  Thanks guys @johnpoz @KOM for walking me thru Packet Capture
                                  I don't use it too often.

                                  Although this case may not have been a good example

                                    KOM @chudak

                                    @chudak

                                    > I can use a remote system (not on my net) and can login from it.

                                    Well, that would make sense if your WAN address is blocked. The remote system isn't blocked.

                                    > Also in my case I can't even get to a login page...

                                    In the other guys' case, they were blocking his IP at the external firewall so he didn't get a login page either.

                                      chudak @KOM

                                      @kom said in pfSense blocking addic7ed, but how ?:

                                      > @chudak
                                      >
                                      > > I can use a remote system (not on my net) and can login from it.
                                      >
                                      > Well, that would make sense if your WAN address is blocked. The remote system isn't blocked.
                                      >
                                      > > Also in my case I can't even get to a login page...
                                      >
                                      > In the other guys' case, they were blocking his IP at the external firewall so he didn't get a login page either.

                                      That's interesting...
                                      Maybe then it's my case.

                                      Do you know by chance how many say bad requests did it take to get it blocked ? and how long was it blocked ?

                                      https://www.addic7ed.com/downloadexceeded.php?why=2&ip=65.23.243.52

                                        KOM @chudak

                                        @chudak That depends entirely on whatever software they're using to monitor that. I have no idea. It could be fail2ban or something else. Unless you are using a user account to login to that website, his case would not apply to you. Perhaps you're blocked for another reason? We haven't yet established that you're being blocked, only that they do not respond to you. If you have a VPN (seriously, get one they're like $5/month) you could go there via your tunnel and see if it just works. Contact the site's host and ask them if you're blocked.

                                          chudak @KOM

                                          @kom said in pfSense blocking addic7ed, but how ?:

                                          > @chudak If you have a VPN (seriously, get one they're like $5/month) you could go there via your tunnel and see if it just works.

                                          Forgot to mention that it did work via VPN tunnel

                                          Thx

                                            KOM @chudak

                                            @chudak Well there you go.
