Netgate Discussion Forum

    PfSense blocks traffic to a single HTTPS website

    Firewalling (5 posts, 3 posters)
    maxxer:

      I have a weird situation with a recently installed pfSense: they cannot load an HTTPS website. With the former firewall (Endian) they had no issues; now that we upgraded to pfSense the site is not loading anymore. We tried connecting a laptop directly to the upstream router and the site loads instantly, so it must be something on the pfSense side.

      We're running 2.3.4 (but it was happening even with 2.3.3), installed as a XenServer 7.1 VM. We've run these two commands on the LAN interface of pfSense's VM to fix TCP offloading:

```shell
# Disable TX/RX checksum offloading on the pfSense VM's LAN VIF from the XenServer host.
# VIFUUID stands for the VIF's UUID as shown by `xe vif-list`.
xe vif-param-set uuid=VIFUUID other-config:ethtool-tx="off"
xe vif-param-set uuid=VIFUUID other-config:ethtool-rx="off"
```

      While most HTTPS sites work (at least all the ones I tried) and HTTP has no problem at all, this specific site (www.ubibanca.com) won't load from any browser behind the firewall. I managed to capture a dump on pfSense's WAN interface; here's a Wireshark screenshot. I'm not familiar with the TCP protocol, but from what I can see pfSense is apparently not replying to the webserver's ACK packets.

      What can cause this?
      thanks

      [Attachment: pfsense-packetcapture.jpg]


      JKnott:

        Well, it looks like the packets need to be fragmented, because there's a hop with a smaller MTU along the path, but the router can't fragment.  That would be because the do not fragment bit is set.  What is the MTU set for?  What type of Internet connection do you have?  What operating system?  Where are those ICMP packets coming from?  You have the address hidden.

        BTW, if you're providing networking support, knowing TCP/IP is part of the job.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...


        johnpoz (Global Moderator):

          "pfSense is apparently not replying to the webserver's ACK packets."

          It wouldn't be pfSense that would be responding or not responding; it would be the client. Check on the client with a sniff.

          Looks like frag needed keeps being sent, so yeah, you've got something going on there. JKnott is correct on all counts: what is your MTU set for? Do you have do not fragment set? What sort of connection do you have?

          Notice when I go to that same site www.ubibanca.com, I get the redirect to https, but then only 1514, not 1526. Are you doing any sort of QinQ maybe?

          [Attachments: redirect.png, wansniff.png]

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11


          maxxer:

            @JKnott:

            Well, it looks like the packets need to be fragmented, because there's a hop with a smaller MTU along the path, but the router can't fragment.  That would be because the do not fragment bit is set.  What is the MTU set for?  What type of Internet connection do you have?  What operating system?  Where are those ICMP packets coming from?  You have the address hidden.

            MTU is at the default value, 1500. pfSense is attached to a MikroTik with a HiperLAN (wireless) connection.

            All the hidden addresses are pfSense's WAN address (which is a static ip address), so the ICMPs are generated by the firewall itself. Sadly the remote endpoint doesn't reply to those packets.

            Setting MTU/MSS to 1492/1452 and checking "Clear invalid DF bits instead of dropping the packets" (as suggested here) improved the situation, since now the site loads (even if not at a great speed)…

            Thanks for your help, I will investigate more on the best size for MTU/MSS


            JKnott:

              @johnpoz:

              JKnott is correct on all counts

              Of course!  :D

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.