Firewall blocking some websites



  • For the past year, I routed all of my traffic to the VPN tunnel and everything went well. I now need to route some clients through the WAN interface. I have created policy rules and at first, everything worked okay. I started experiencing issues with http traffic being blocked for the clients that went through the WAN interface. Most of the sites were news and speed test sites. I posted the issue here.

    https://forum.pfsense.org/index.php?topic=135175.0

    I thought I had the issue resolved earlier today by removing snort and unchecking some of the Suricata rules. But now a new issue is appearing. I started getting blocked on cnn.com. The other news and speed test sites are okay so far. So, I removed Suricata altogether to eliminate that as the potential issue. When I look at the logs and click on the X, I see the message:

    The rule that triggered this action is:

    @9(1000000103) block drop in log inet all label "Default deny rule IPv4"

    Attached are sample entries.

    When I do an nslookup, I see the ipv4 ip address did not get returned:

    nslookup cnn.com
    Server:  pfSense.mydomain.com
    Address:  192.168.4.1

    Name:    cnn.com
    Addresses:  2a04:4e42:600::323
              2a04:4e42::323
              2a04:4e42:400::323
              2a04:4e42:200::323

    A few minutes later, I try again, and they appear:

    nslookup cnn.com
    Server:  pfSense.mydomain.com
    Address:  192.168.4.1

    Non-authoritative answer:
    Name:    cnn.com
    Addresses:  2a04:4e42:600::323
              2a04:4e42::323
              2a04:4e42:400::323
              2a04:4e42:200::323
              151.101.129.67
              151.101.1.67
              151.101.65.67
              151.101.193.67

    I did not do anything that I am aware of to get the ipv4 address working again.

    I also run pfBlockerNG on the WAN and two VPN Client interfaces. Any ideas are welcome. Thank you!

    Update
    After posting this, I left for two hours and returned home. I wanted to go to the pfsense doc web site to read more about firewall and what could be causing my grief. The page doc.pfsense.org could not be loaded. Good grief! Notice how the ipv4 ip address for the site is not listed when performing an nslookup.

    nslookup doc.pfsense.org
    Server:  pfSense.mydomain.com
    Address:  192.168.4.1

    Name:    doc.pfsense.org
    Address:  2610:160:11:11::68
  • Please post the whole log entry of the issue.

    What should the attached picture tell us? The destination is not cnn.com and it shows out of state packets which are blocked.
  • Thank you for the reply. I restored my config to an earlier version that did not have this issue. I then uninstalled snort and reconfigured suricata for no blocking. Then did a reboot. I let things settle for a while. I have not seen the issues appear since then. I will keep hitting the pfsense box to see if I can replicate the issue. I will post the log file as you suggest if it starts happening again.