Netgate Discussion Forum

    Problems with some encrypted websites

    General pfSense Questions
    10 Posts 4 Posters 1.9k Views
      mtrepanier

      Hello all, I upgraded to 2.3.2 and I am having trouble loading some encrypted websites. For example, I can't go to www.microsoft.com, or sometimes www.netflix.com. It times out after a while when starting an episode. I decided to reinstall my firewall from scratch to make certain I have no old configs lying around. I did not install any packages. When I plug my laptop directly into the Internet, it works fine.

      It looks like some encrypted URLs are not loading; it times out.

      My question: Is there any new encryption or certificate management that has changed in the latest version of pfSense that I should be looking for?

      Anything else to look for?

      My last resort would be to install a previous version of pfSense; I want to avoid this.

      Thanks!

        NOYB

        Is DNS configured properly?
        Do the domain names resolve properly?

          mtrepanier

          Yes, no problem with the DNS.

            mtrepanier

            For instance, at the MSFT site, I get this error in the browser: GET https://assets.onestore.ms/cdnfiles/external/mwf/v1/latest/css/mwf-west-european-default.min.css net::ERR_TIMED_OUT. When I ping assets.onestore.ms it gets resolved quickly to 104.93.164.187.

            No special Rules were inserted in the WAN Interface or LAN.

              chrcoluk

              Unless you have set up Squid or something else to proxy port 443 traffic, things like the certificate on pfSense should have absolutely no bearing on HTTPS sites.

              To rule out your Internet connection, it may be an idea to temporarily use something else as your router, as this could easily be caused by the desktop machine or the ISP as well.

              pfSense CE 2.8.0

                mtrepanier

                I did not install Squid or any other package.
                I did connect my laptop directly to my cable modem to see if the problem follows; it does not. So that rules out the laptop and the Internet connection.

                Could it be the 64-bit version that I use instead of the 32-bit one?

                Here is the version:
                2.3.2-RELEASE-p1 (amd64)
                built on Tue Sep 27 12:13:07 CDT 2016
                FreeBSD 10.3-RELEASE-p9

                  NOYB

                  @mtrepanier:

                  Could it be the 64-bit version that I use instead of the 32-bit one?

                  Always use the version that matches and is appropriate for the hardware.

                    mtrepanier

                    I have an Atom D2500 on a Mini-ITX board; I see that it is supported for Linux. I assume this should be OK since it was working on previous pfSense versions.

                    However, I see that I am getting numerous invalid checksums on port 443:

                    Example:

                    imac-5k.admotech.int.55723 > ec2-52-87-118-85.compute-1.amazonaws.com.https: Flags [.], cksum 0xb997 (incorrect -> 0x2391), seq 903507:904695, ack 5118, win 4096, options [nop,nop,TS val 824003478 ecr 1747747351], length 1188
                    09:20:21.303001 IP (tos 0x0, ttl 64, id 48755, offset 0, flags [DF], proto TCP (6), length 1240, bad cksum 0 (->c2df)!)

                    Any ideas as to what this problem may come from?

                    Note: the websites I browse are not exotic: Microsoft, Apple, CNN, Netflix, … (and I get the problem).
                    I know that those sites are on Amazon or Akamai, but so is Oracle.com, which works fine, super fast.

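A small triage helper for tcpdump -v output in the shape of the lines quoted above, added here as an example (it is not from the thread or from pfSense); the sample capture, hostnames and values are constructed:

```python
import re
from collections import Counter

# Constructed sample modelled on tcpdump -v output: an IP header line followed
# by the TCP line of the same packet. Hostnames and values are made up.
SAMPLE = """\
09:20:21.303001 IP (tos 0x0, ttl 64, id 48755, offset 0, flags [DF], proto TCP (6), length 1240, bad cksum 0 (->c2df)!)
    client.lan.example.55723 > cdn-edge.example.net.https: Flags [.], cksum 0xb997 (incorrect -> 0x2391), seq 903507:904695, ack 5118, win 4096, options [nop,nop,TS val 824003478 ecr 1747747351], length 1188
09:20:21.310442 IP (tos 0x0, ttl 52, id 1021, offset 0, flags [DF], proto TCP (6), length 52)
    cdn-edge.example.net.https > client.lan.example.55723: Flags [.], cksum 0x5a1c (correct), ack 904695, win 501, options [nop,nop,TS val 1747747360 ecr 824003478], length 0
09:20:21.312000 IP (tos 0x0, ttl 64, id 48756, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->c2e3)!)
    client.lan.example.55723 > cdn-edge.example.net.https: Flags [.], cksum 0x0d10 (incorrect -> 0x77aa), ack 5118, win 4096, options [nop,nop,TS val 824003490 ecr 1747747360], length 0
"""

# IP header line: timestamp, then an optional "bad cksum ... (->xxxx)!" note before the closing paren.
IP_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?(?P<badip>bad cksum \S+ \(->[0-9a-f]+\)!)?\)$")
# TCP line: "src > dst: Flags [...], cksum 0x.... (correct|incorrect ...".
TCP_RE = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\], cksum 0x[0-9a-f]+ \((?P<status>correct|incorrect)")


def host_of(endpoint):
    """'host.example.55723' -> 'host.example' (tcpdump appends the port or service name after a dot)."""
    return endpoint.rsplit(".", 1)[0]


def parse_tcpdump(text):
    """Return one dict per packet: ts, src, dst, ip_cksum_ok, tcp_cksum_ok (None when not seen)."""
    packets = []
    for line in text.splitlines():
        m = IP_RE.match(line)
        if m:
            packets.append({"ts": m.group("ts"), "ip_cksum_ok": m.group("badip") is None,
                            "src": None, "dst": None, "tcp_cksum_ok": None})
            continue
        m = TCP_RE.match(line)
        if m:
            if not packets or packets[-1]["src"] is not None:
                # TCP line without its IP header line (e.g. pasted out of order): start a new record
                packets.append({"ts": None, "ip_cksum_ok": None, "src": None, "dst": None, "tcp_cksum_ok": None})
            pkt = packets[-1]
            pkt["src"], pkt["dst"] = host_of(m.group("src")), host_of(m.group("dst"))
            pkt["tcp_cksum_ok"] = m.group("status") == "correct"
    return packets


def bad_checksum_sources(packets):
    """Count packets with a bad IP or TCP checksum, keyed by the source host."""
    return Counter(p["src"] for p in packets
                   if p["ip_cksum_ok"] is False or p["tcp_cksum_ok"] is False)


if __name__ == "__main__":
    print(bad_checksum_sources(parse_tcpdump(SAMPLE)))
```

If every flagged packet originates from the machine doing the capturing, that is the usual signature of NIC checksum offloading (the checksum is filled in by the hardware after the capture point), so the per-source count helps separate that artifact from packets that really arrive with damaged checksums.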
                      mtrepanier

                      *** Update ***

                      Added a Linksys Router as Firewall/NAT between the Internet and the LAN 172.19.19.1
                      Connected my pfSense to the Linksys as Router only : 172.19.19.102
                      Added a route in the Linksys from the 172.19.19.1 gw to my Lan behind the pfSense
                      Changed the DNS from Resolver to Forwarder on pfSense.

                      Works perfectly, no delays or timeout.

                      Problem solved? Well… yes and no. I would like to get rid of the Linksys and use the pfSense exclusively as before.

                      Any ideas as to what may cause this on pfSense? I know for a fact the problem is either NAT or fw, but since it acts out on some websites using encryption, I am clueless.

                      Any ideas?
                      Thanks.

                        marvosa

                        I had a similar issue the day I upgraded to v2.3.2 back in July… and I'm still convinced something changed, but that's another conversation.

                        As soon as I upgraded to v2.3.2, the DNS forwarder stopped resolving. I tried both the resolver and the forwarder to no avail. The fix for me was to deselect "ALL" from the interfaces section and manually select my "LAN" interface. As soon as that was done, DNS started resolving again and my issues went away.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.