pfSense blocking addic7ed, but how ?

chudak

@kom

no clue why it shown port 80

hit in FF https://www.addic7ed.com/

11:42:51.219581 IP WAN_IP.4881 > 46.105.102.174.443: tcp 0
11:42:51.469814 IP WAN_IP.38930 > 46.105.102.174.443: tcp 0
11:42:52.238682 IP WAN_IP.4881 > 46.105.102.174.443: tcp 0

johnpoz

And you get no answer.. from that last sniff.. So pfsense is NOT blocking anything..

chudak

@johnpoz said in pfSense blocking addic7ed, but how ?:

And you get no answer.. from that last sniff.. So pfsense is NOT blocking anything..

I agreed with that !

The question after that was what is blocking ?

I checked on a remote ubuntu box and it works fine. Could it be my ISP +/- upstream DNS servers ?

KOM

@chudak I had a guy last week with this same problem. It turned out his IP address was blocked for too many bad logins. He had other IPs available and when he switched to another, the remote site responded and worked. Do you have a VPN you could try going there through?

chudak

@kom said in pfSense blocking addic7ed, but how ?:

@chudak I had a guy last week with this same problem. It turned out his IP address was blocked for too many bad logins. He had other IPs available and when he switched to another, the remote site responded and worked. Do you have a VPN you could try going there through?

That maybe a different issue.
I can use a remote system (not on my net) and can login from it.
Also in my case I can't even get to a login page...

johnpoz

What is upstream of your pfsense? Just your ISP? Could be connectivity issue with that site from your isp, ie peering. Or the site themselves might of blocked your IP, etc.

DNS is not involved once you resolve the fqdn.. If you got the correct IP when you resolved, then dns is no longer in the picture.. I show that resolving to the same IP.

And works just fine here as far as connectivity is connected, get redirect to 443 when hit it on 80 via a 301 and then index is downloaded

user@NewUC:/tmp$ wget http://www.addic7ed.com/
--2021-05-14 14:28:08--  http://www.addic7ed.com/
Resolving www.addic7ed.com (www.addic7ed.com)... 46.105.102.174
Connecting to www.addic7ed.com (www.addic7ed.com)|46.105.102.174|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.addic7ed.com/ [following]
--2021-05-14 14:28:08--  https://www.addic7ed.com/
Connecting to www.addic7ed.com (www.addic7ed.com)|46.105.102.174|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                                         [  <=>                                                                                               ] 329.76K   968KB/s    in 0.3s    

2021-05-14 14:28:10 (968 KB/s) - ‘index.html’ saved [337672]

user@NewUC:/tmp$ 

chudak

@johnpoz

I have Sonic fiber ISP
Good point about DNS - withdrawn

Dunno, flaky, we will see

Thanks guys @johnpoz @KOM for walking me thru Packet Capture
I don's use too often.

Although this case maybe not had been a good example

KOM

@chudak

I can use a remote system (not on my net) and can login from it.

Well, that would make sense if your WAN address is blocked. The remote system isn't blocked.

Also in my case I can't even get to a login page...

In the other guys' case, they were blocking his IP at the external firewall so he didn't get a login page either.

chudak

@kom said in pfSense blocking addic7ed, but how ?:

@chudak

I can use a remote system (not on my net) and can login from it.

Well, that would make sense if your WAN address is blocked. The remote system isn't blocked.

Also in my case I can't even get to a login page...

In the other guys' case, they were blocking his IP at the external firewall so he didn't get a login page either.

That's interesting...
Maybe then it's my case.

Do you know by chance how many say bad requests did it take to get it blocked ? and how long was it blocked ?

https://www.addic7ed.com/downloadexceeded.php?why=2&ip=65.23.243.52

KOM

@chudak That depends entirely on whatever software they're using to monitor that. I have no idea. It could be fail2ban or something else. Unless you are using a user account to login to that website, his case would not apply to you. Perhaps you're blocked for another reason? We haven't yet established that you're being blocked, only that they do not respond to you. If you have a VPN (seriously, get one they're like $5/month) you could go there via your tunnel and see if it just works. Contact the site's host and ask them if you're blocked.

chudak

@kom said in pfSense blocking addic7ed, but how ?:

@chudak If you have a VPN (seriously, get one they're like $5/month) you could go there via your tunnel and see if it just works.

Forgot to mention that it did work via VPN tunnel

Thx

KOM

@chudak Well there you go.