Specific https site not working through pfsense

stephenw10

I would check the state table when testing to see if you have any traffic to/from that site.
A pcap will show you more if needed. It could be an MTU issue in the route to that site for example.

https://docs.netgate.com/pfsense/en/latest/troubleshooting/website-access-issues.html

Steve

qctech

Thanks @stephenw10,

I'm working through the connectivity and website access troubleshooting guides now.

I also suspect MTU problems.

qctech

@stephenw10

Ok, so checked through and I get an interesting result when doing the ping fragmentation test. I get good results at 1468, 4 short of the "normal" 1472 that I would expect. I think this is vlan tag related and that I have got something wrong in the hypervisor (xcp-ng).

Am I going to break anything if I set the MTU on the WAN interface to 1496 in interfaces>wan1 or should i put 1468 in the MSS

qctech

Interestingly I have just established that my own website is also not working through this connection. Checking the state tables shows the following;
LAN tcp 10.1.1.2:59812 -> 3.10.30.47:443 TIME_WAIT:TIME_WAIT 12 / 20 1 KiB / 17 KiB

WAN1 tcp ...:14318 (10.1.1.2:59812) -> 3.10.30.47:443 TIME_WAIT:TIME_WAIT 22 / 20 3 KiB / 17 KiB

stephenw10

You should be able to set the MTU lower. PMTU should detect that and set TCP packet size accordingly. If it was a problem you have created locally I would expect it to affect all traffic not just one site. Seems more likely something in the route breaking PMTU in which case you might need to use MSS clamping.

Steve

qctech

@stephenw10 understood, thanks for the assistance.

What value would you suggest for the MSS? If I went really safe, say 1400 would that cause any serious problems?

stephenw10

It should be fine at lower values. It's common to clamp at 1350 for VPN traffic for example.

qctech

@stephenw10 fully understand the should. Don't worry I won't hold you responsible!!! (unless it works obviously).

I'm supposed to be on holiday this week and the job is about an 8 hour drive away so I want to avoid that if at all possible!

qctech

@stephenw10 Fingers crossed... that seems to have it sorted. I'll do some tuning once I'm able to be on site but for now all of the sites that I know were not loading are working fine.

Massive thanks, if you are every in Staffordshire let me know, I owe you beer or dinner or both! (genuinely thanks, you have no idea how stressed this has had me)

The learning opportunity for me now is to work out why I have never had this problem before. Another day, another lesson.

stephenw10

Ah nice! Something probably changed in the route. Fireware update, router swapped etc. You could probably find where it was failing with enough tracetroute and pinging but finding someone to admit it's a problem and fix it is a different matter!

Steve