Working firewall suddenly broke Cloudflare hosted websites



  • Hello all. Please help me as I am losing my mind.

    I have a pfSense firewall (that has been running for weeks without issues) suddenly break certain websites. In my troubleshooting I have discovered those websites to be ones that are fronted from Cloudflare IP addresses.

    If I revert back to my old firewall (Sophos UTM) those Cloudflare sites work just fine.

    I have tried a fresh install of pfSense with a minimal configuration and I get the same behaviour.

    Trawling the forums, I have found some references to SNI (Server Name Indication) being problematic for Cloudflare, but the context was for Squid proxying, which I am not doing. I think that SNI might be at play here, but I don't understand how that is at all possible since the firewall is ONLY being a firewall.

    I have been at this for several days now and I am out of ideas.

    Has anyone else experienced something similar and can anyone give me any other ideas of where to look?

    Thanks,
    Bob.



  • You have Cloudflare DDNS configured? There was an issue in 2.2.6 release only IIRC that it would turn off part of Cloudflare for that hostname, but that wouldn't be the case with 2.3 release and newer. Doesn't necessarily sound like that's the case though.

    Guessing your port forwards for the site(s) in question aren't correct maybe. Can you access the sites directly from outside?



  • Thanks for your reply.

    I'm not sure what Cloudflare DDNS is but I am using my own DNS server and as far as I can tell, they are resolving to the correct IP addresses for the websites in question (eg: www.adafruit.com)

    The pfSense box is doing PPPoE so I do not have any way of putting myself between it and the upstream gateway. However, you've given me an idea to try. I'm going to see if I can get some other device to hold up PPPoE and have my pfSense box behind it. That way I'll also be able to try what you suggested.

    Thanks again.
    Bob.



  • If you don't know what it is, you're not using it. That's a means of updating Cloudflare with your IP if it's dynamic. Probably a general connectivity problem to the server unrelated to Cloudflare in that case.



  • @cmb:

    If you don't know what it is, you're not using it. That's a means of updating Cloudflare with your IP if it's dynamic. Probably a general connectivity problem to the server unrelated to Cloudflare in that case.

    I don't think he's hosting a site that's fronted by Cloudflare - rather, he's having issues getting to those sites.

    Seems more like a DNS resolution issue.

    @OP:

    1. Have you tried flushing the cache on your DNS server that is used internally?
    2. Are you forwarding DNS requests from that server to pfSense?
    3. If so, did you set that server as a source for DNS in pfSense? - i.e. Under System -> General -> DNS Servers.
    4. Have you tried using another upstream DNS server(s) as a source for the DNS server?


  • Oh, yeah maybe I read that completely backwards, I was thinking you're hosting sites with Cloudflare front end that stopped working, not that you couldn't browse out to Cloudflare-fronted sites. Completely different in that case. See if you can resolve DNS for them, see if you can ping the IP they resolve to.



  • Which reminds me…

    Since you are running Sophos UTM (presumably with MOS full guard), are you also running the clients with Sophos Endpoint Protection tagged to the UTM as a central console?

    In this case, the software firewall in the Endpoint suite might be affecting your web traffic if it's expecting to be integrating with the UTM.



  • Thank you! Thank you! Thank you!

    While I don't know exactly what the problem was, I am able to work around it by moving the PPPoE off of the pfSense unit onto the DSL gateway and still maintain the pfSense as the firewall.

    Now the Cloudflare sites are visible from inside my network.

    Thanks to your suggestion CMB, I was able to try another configuration on the WAN side that at least isolated the problem to PPPoE.

    Do we have a potential bug here in the PPPoE subsystem? I'm going to check with the Internet provider to see if any changes were made on their DSL infrastructure and see if there are any clues there.

    I would love to see the root cause of this explained and fixed.

    Bob.

