Problems with some encrypted websites



  • Hello all, I upgraded to 2.3.2 and I am having trouble loading some encrypted websites. For example, I can't go to www.microsoft.com, or sometimes www.netflix.com: it times out after a while when starting an episode. I decided to reinstall my firewall from scratch to make certain I have no old configs lying around. I did not install any packages. When I plug my laptop directly into the Internet, it works fine.

    It looks like some encrypted URLs are not loading; it times out.

    My question: Is there any new encryption or certificate management that has changed in the latest version of pfSense that I should be looking for?

    Anything else to look for?

    My last resort would be to install a previous version of pfSense, I want to avoid this.

    Thanks!



  • Is DNS configured properly?
    Do the domain names resolve properly?



  • Yes, no problem for the DNS



  • For instance, at the MSFT site, I get this error in the browser: GET https://assets.onestore.ms/cdnfiles/external/mwf/v1/latest/css/mwf-west-european-default.min.css net::ERR_TIMED_OUT. When I ping assets.onestore.ms it gets resolved quickly to: 104.93.164.187

    No special Rules were inserted in the WAN Interface or LAN.



  • Unless you have set up Squid or something to proxy port 443 traffic, things like the certificate on pfSense should have absolutely no bearing on HTTPS sites.

    To rule out your internet connection, it may be an idea to temporarily use something else as your router, as this could easily be caused by the desktop machine or the ISP also.



  • I did not install Squid or any other package.
    I did connect my laptop directly to my cable modem to see if the problem follows; it does not. So that rules out the laptop and the Internet connection.

    Could it be the 64-bit version that I use instead of a 32-bit one?

    Here is the version:
    2.3.2-RELEASE-p1 (amd64)
    built on Tue Sep 27 12:13:07 CDT 2016
    FreeBSD 10.3-RELEASE-p9



  • @mtrepanier:

    Could it be the 64-bit version that I use instead of a 32-bit one?

    Always use the version that matches and is appropriate for the hardware.



  • I have an Atom D2500 on a Mini-ITX board; I see that it is supported for Linux. I assume this should be OK since it was working on previous pfSense versions.

    However, I see that I am getting numerous invalid checksums on port 443:

    Example:

    imac-5k.admotech.int.55723 > ec2-52-87-118-85.compute-1.amazonaws.com.https: Flags [.], cksum 0xb997 (incorrect -> 0x2391), seq 903507:904695, ack 5118, win 4096, options [nop,nop,TS val 824003478 ecr 1747747351], length 1188
    09:20:21.303001 IP (tos 0x0, ttl 64, id 48755, offset 0, flags [DF], proto TCP (6), length 1240, bad cksum 0 (->c2df)!)

    Any ideas as to where this problem may come from?

    Note: the websites I browse are not exotic: Microsoft, Apple, CNN, Netflix, … (and I get the problem)
    I know that those sites are on Amazon or Akamai, but so is Oracle.com, which works fine, super fast.
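
The two tcpdump lines in the post above show a TCP segment flagged "(incorrect -> 0x2391)" and an IP header flagged "bad cksum". Whether that matters depends on where the capture was taken: tcpdump verifies checksums itself, and on a host with transmit checksum offload enabled every outgoing packet is flagged bad because the frame is captured before the NIC fills the checksum in (the tcpdump -K option exists for exactly this case). Packets received from another machine should already carry valid checksums on the wire, so "incorrect" on those is a different matter. The script below is an added example, not code from the thread or from pfSense: it parses tcpdump -v output in the layout shown above, tallies verdicts per source/destination pair, and labels each source host against the name you give for the capture host. The embedded capture is constructed (hostnames lan-host.example.net and cdn-edge.example.com, made-up sequence numbers and checksums), and the labels returned by classify() are this example's own vocabulary.

```python
"""Tally checksum verdicts in tcpdump -v output (added example, not from the thread).

Assumed layout (what tcpdump -v prints for IPv4/TCP):
  <ts> IP (tos ..., ttl ..., ... length N[, bad cksum X (->Y)!])
      <src>.<sport> > <dst>.<dport>: Flags [...], cksum 0xABCD (correct|incorrect -> 0xEFGH), ...
The IP line only mentions the checksum when it is wrong.
"""
import re
from collections import defaultdict

# TCP line: "src.port > dst.port: Flags [..], cksum 0xb997 (incorrect -> 0x2391), ..."
TCP_RE = re.compile(
    r"^\s*(?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
    r"Flags \[[^\]]*\], cksum 0x(?P<cksum>[0-9a-f]{4}) \((?P<verdict>correct|incorrect)"
)
# IP header line with a bad header checksum: "... length 1240, bad cksum 0 (->c2df)!)"
IP_BAD_RE = re.compile(r"^\S+ IP \(.*bad cksum [0-9a-f]+ \(->[0-9a-f]+\)!\)")

# Constructed sample: two outbound segments flagged bad, one inbound ACK flagged good.
SAMPLE = """\
09:20:21.303001 IP (tos 0x0, ttl 64, id 48755, offset 0, flags [DF], proto TCP (6), length 1240, bad cksum 0 (->c2df)!)
    lan-host.example.net.55723 > cdn-edge.example.com.https: Flags [.], cksum 0xb997 (incorrect -> 0x2391), seq 903507:904695, ack 5118, win 4096, options [nop,nop,TS val 824003478 ecr 1747747351], length 1188
09:20:21.303410 IP (tos 0x0, ttl 64, id 48756, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->c783)!)
    lan-host.example.net.55723 > cdn-edge.example.com.https: Flags [.], cksum 0xb4f3 (incorrect -> 0x0a11), ack 5118, win 4096, options [nop,nop,TS val 824003478 ecr 1747747351], length 0
09:20:21.351212 IP (tos 0x0, ttl 52, id 21001, offset 0, flags [DF], proto TCP (6), length 52)
    cdn-edge.example.com.https > lan-host.example.net.55723: Flags [.], cksum 0x7a12 (correct), ack 904695, win 501, options [nop,nop,TS val 1747747400 ecr 824003478], length 0
"""


def summarize(capture_text):
    """Return (flows, ip_bad): flows maps (src, dst) -> {"correct": n, "incorrect": n};
    ip_bad counts IP header lines that tcpdump flagged with 'bad cksum'."""
    flows = defaultdict(lambda: {"correct": 0, "incorrect": 0})
    ip_bad = 0
    for line in capture_text.splitlines():
        if IP_BAD_RE.match(line):
            ip_bad += 1
            continue
        m = TCP_RE.match(line)
        if m:
            flows[(m["src"], m["dst"])][m["verdict"]] += 1
    return dict(flows), ip_bad


def classify(flows, capture_host):
    """Label each source host seen in the capture.

    offload-pattern : every packet the capture host itself sent is 'incorrect' and
                      none is 'correct' -> the signature of TX checksum offload
                      (tcpdump reads the frame before the NIC computes the checksum).
    mixed           : capture host sent both good and bad checksums.
    received-bad    : bad checksums on packets sent by some other host; those
                      should have been valid on the wire, so look at the path.
    clean           : no incorrect checksums from this source.
    """
    by_src = defaultdict(lambda: {"correct": 0, "incorrect": 0})
    for (src, _dst), counts in flows.items():
        for verdict, n in counts.items():
            by_src[src][verdict] += n
    report = {}
    for src, c in by_src.items():
        if c["incorrect"] == 0:
            report[src] = "clean"
        elif src == capture_host and c["correct"] == 0:
            report[src] = "offload-pattern"
        elif src == capture_host:
            report[src] = "mixed"
        else:
            report[src] = "received-bad"
    return report


if __name__ == "__main__":
    flows, ip_bad = summarize(SAMPLE)
    print("IP header checksums flagged bad:", ip_bad)
    for (src, dst), c in flows.items():
        print(f"{src} -> {dst}: {c}")
    # Same capture, two readings: taken on the sending host vs. on a forwarding box.
    print("captured on sender:   ", classify(flows, capture_host="lan-host.example.net"))
    print("captured on a router: ", classify(flows, capture_host="pfsense-lan"))
```

Run it against a real capture with something like `tcpdump -vnn -i <if> tcp port 443 > cap.txt` on each side of the firewall and feed the file to summarize(); the point of the two classify() calls is that the same lines mean different things depending on whether the box running tcpdump is the one that emitted the packets.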



  • *** Update ***

    Added a Linksys Router as Firewall/NAT between the Internet and the LAN 172.19.19.1
    Connected my pfSense to the Linksys as Router only : 172.19.19.102
    Added a route in the Linksys from the 172.19.19.1 gw to my Lan behind the pfSense
    Changed the DNS from Resolver to Forwarder on pfSense.

    Works perfectly, no delays or timeout.

    Problem solved? Well… yes and no. I would like to get rid of the Linksys and use the pfSense exclusively as before.

    Any ideas as to what may cause this on pfSense? I know for a fact the problem is either NAT or the firewall, but since it acts up on some websites using encryption, I am clueless.

    Any ideas?
    Thanks.



  • I had a similar issue the day I upgraded to v2.3.2 back in July… and I'm still convinced something changed, but that's another conversation.

    As soon as I upgraded to v2.3.2, the DNS forwarder stopped resolving. I tried both the resolver and the forwarder to no avail. The fix for me was to deselect "ALL" from the interfaces section and manually select my "LAN" interface. As soon as that was done, DNS started resolving again and my issues went away.

