Newbie on thin ice: https://static.hitta.se -> not allowed?



  • So yes, I am completely new to pfSense :-) I am just building my first installation and I am not doing it the easy way.

    However, one of my first "what?" moments is why on earth pfSense in a very basic config can't handle https://static.hitta.se?

    Anyone, any ideas?

    Background: I have a fresh install of 2.4RC. I have WAN (standard, nothing extra at all), LAN (standard also) and WiFi (this is where I spend all my time, to get my Atheros M2 card working, which it does for the moment). The only firewall rules I have added are for WiFi, which are copies of the LAN ones. WiFi has its own IPv4 DHCP. Apart from that, well, I did turn on DNS forwarding since there were a lot of sites on the internet that I could not find when behind the pfSense firewall (I have a Samsung Galaxy TAB 10.5S, which I use for testing the WiFi of my current Asus AC88 and my pfSense setup). However, I went to www.blocket.se and tried to look for apartments ("Bostad" it is called in Swedish) and thought I'd go for the map search ("Kartsök"; if you enter that site, you might have to choose an area, I live in "Stockholm"). However, I never got the background map. I found out the hard way that https://static.hitta.se never resolved to something useful. I just do not understand why.

    Do note that it does not matter if I use a computer on LAN, or my tablet on WiFi: behind pfSense I cannot get that background map; change to my Asus, no problem at all.

    For the record, my pfSense sits behind my Asus AC88 router. This is since I don't trust my experience in pfSense yet, so better safe than sorry and all that.


  • LAYER 8 Netgate

    ;; QUESTION SECTION:
    ;static.hitta.se. IN A

    ;; ANSWER SECTION:
    static.hitta.se. 299 IN CNAME static.hitta.se.cdn.cloudflare.net.
    static.hitta.se.cdn.cloudflare.net. 299 IN A 104.20.91.161
    static.hitta.se.cdn.cloudflare.net. 299 IN A 104.20.92.161

    pfSense likes it just fine. Unless you tell it otherwise (pfBlocker, DNSBL, squidguard) pfSense is just a firewall and is domain/website agnostic.

    Perhaps you are seeing an issue with access to that CDN.

    The blame pfSense first approach won't get you very far here. At least with me.



  • I do not blame pfSense. I am trying to figure out WHY I cannot get through pfSense. I, just like you, see no reason for stopping static.hitta.se.

    If you think that I blame pfSense, well then I am sorry for you.


  • LAYER 8 Netgate

    why on earth pfSense in a very basic config can't handle https://static.hitta.se

    What are the DNS servers configured on your workstation/client?

    What are the DNS servers configured on pfSense? (System > General or in the forwarder configuration itself.)

    What are the DNS servers configured on your upstream router?

    Can pfSense itself resolve static.hitta.se in Diagnostics > DNS lookup?

    Going to need specifics such as what IP addresses are where on the interfaces, etc.



  • What are the DNS servers configured on your workstation/client?

    Client 1: Win 10 laptop with ethernet cable direct to LAN port on pfSense pc. IP 192.168.1.100
    Client 2: Samsung Galaxy TAB S 10.5 Android, WiFi. IP 192.168.2.100

    Both use DHCP. Do observe that they are on different DHCP ranges.

    What are the DNS servers configured on pfSense? (System > General or in the forwarder configuration itself.)

    In System->General: DNS Server Override is selected - nothing else.
    In Services->DNS Forward: Nothing, it is NOT enabled.
    In Services->DNS Resolver: Enabled, ALL network interfaces, ALL outgoing network interfaces. Transparent Zone Type, DNSSEC enabled. DNS Query Forwarding enabled.

    What are the DNS servers configured on your upstream router?

    My Asus AC88 runs the latest RMerlin firmware with a few custom tricks on it. Do note that my pfSense is connected directly to one of the Ethernet ports on my Asus. And when I compare between pfSense and Asus, the pfSense comparison includes the Asus, since it is directly after it. So anything that works connected to the Asus, I am expecting to work after pfSense. One thing that might be of interest is that my Asus uses IP 10.168.1.1. pfSense has the IP 10.168.1.133 (which is fully DHCP, so no static IP). Also my Asus has whitelist rules for traffic out: ports 80/443/53/123 are allowed, nothing else.

    The firewall rules I have are, as I mentioned, the very basic ones installed when pfSense was installed. So WAN has the two original rules ("Block private" and "Block bogon"). LAN has the default allow LAN to any rule, and the same one for IPv6. WiFi has a copy of the LAN rules.

    IPs then: As mentioned, the pfSense hangs after my Asus, and has WAN IP 10.168.1.133. The inside of pfSense is 192.168.1.xxx (LAN) or 192.168.2.xxx (WiFi); xxx is 100-199 in both cases. LAN also has an IPv6 DHCP server (the default one, never touched this). And as I wrote above, DNS Resolver is enabled, and I know I have turned on "Enable Forward Mode".

    Can pfSense itself resolve static.hitta.se in Diagnostics > DNS lookup?

    Yes, it does. However, traceroute does NOT work (endless "waiting" loop, and then just stars in the result after a while).

    Going to need specifics such as what IP addresses are where on the interfaces, etc.

    I hope I got everything correct. Please let me know if I missed something.


  • LAYER 8 Netgate

    You gave absolutely nothing I asked for. WHAT DNS SERVERS ARE CONFIGURED?

    If they are automatically assigned using DHCP or something, what are they?

    It sounds like you have it configured that:

    hosts ask pfsense for DNS

    pfsense forwards requests to asus

    asus probably forwards requests to ISP

    ISP responds to asus

    asus responds to pfsense

    pfsense responds to hosts.

    Maybe you can see the potential problem with that.



  • Sorry, my fault, I was about to add that just when you wrote.

    Asus uses "Connect to DNS Server automatically: Yes". So NO, I do NOT make any changes to DNS in the Asus; it is, just as you write, forwarding any requests.

    No, I do not see the problem you think I should see. And this is most likely why I ask.

    So I added 8.8.8.8 under General, and it solved my issue. No, I do not like this, since I cannot understand why the Asus can and the pfSense needs to bypass the Asus to get it working?


  • LAYER 8 Netgate

    In order to figure that out you will need to get familiar with something like dig or drill and step from DNS hop to DNS hop and see where it fails.

    Then when you know what is failing, figure out why.

    Hint: it's probably not pfSense's fault.



  • Well, it may or may not be pfSense; it could just as easily be a setup thing.

    Here is why I can't accept this:

    a) When using the built-in diagnostics in pfSense, with NO Google DNS of 8.8.8.8 entered, it seems to figure out the IP for static.hitta.se
    b) When a client is connected to pfSense, it will never get that IP resolved
    c) However, if I enter a DNS server like Google on 8.8.8.8 in pfSense, then the client can get the IP resolved

    I fail to see why I need that Google DNS of 8.8.8.8.

    So I just grabbed my parents' old Asus RT56N router. Set it up as a router with the firewall (default EVERYTHING, on old firmware on top of that) enabled. Connected my Samsung Galaxy TAB S 10.5 Android-based tablet, and it just worked.

    Asus after Asus, works out of the box.
    pfSense after Asus - does not.

    I'll drop this now, and consider this something odd, like the fact that my WiFi card did not work for a day, and just by turning the pfSense box off for 24 hours it now works perfectly; nothing changed other than a day off power.

    I wonder why all this happens to me.  :o


  • LAYER 8 Netgate

    Again - dig/drill is your friend.

    Also, if you are using DNS Resolver in forwarding mode, disable DNSSEC. You are relying on it being properly implemented and configured on the DNS forwarders which is not always the case.
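
The DNS chain laid out a few posts up (hosts ask pfSense, pfSense forwards to the Asus, the Asus forwards to the ISP) and the advice here to step from DNS hop to DNS hop with dig are what the script below does. It is an added example, not code from this thread, from pfSense or from Netgate. It assumes 192.168.1.1 is the pfSense LAN address and 8.8.8.8 is Google (10.168.1.1 for the Asus is given in the thread), and the dig outputs in SAMPLE_OUTPUTS are constructed to show the pattern a validating forwarder behind a non-DNSSEC upstream produces; they were not captured on the poster's network, and nothing in the thread says whether hitta.se is signed.

```python
"""Walk a DNS lookup hop by hop with dig and classify each hop's answer.

Added example for this thread, not code from pfSense, Netgate or any poster.
Assumptions: 192.168.1.1 is the pfSense LAN address, 10.168.1.1 the Asus
(the thread gives that one), 8.8.8.8 Google. SAMPLE_OUTPUTS is constructed
dig output that shows the pattern; it was not captured on the poster's LAN.
"""
import re
import shutil
import subprocess

NAME = "static.hitta.se"
HOPS = [("pfSense", "192.168.1.1"), ("Asus", "10.168.1.1"), ("Google", "8.8.8.8")]


def dig_command(server, name=NAME, rtype="A"):
    """argv for one hop; +dnssec sets the DO bit, so the hop has to show
    whether it returns RRSIGs and whether it sets the AD (authenticated) flag."""
    return ["dig", "+dnssec", f"@{server}", name, rtype]


def run_dig(server, name=NAME, timeout=5):
    """Real query; needs dig (bind-tools / dnsutils) on the machine running this."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    return subprocess.run(dig_command(server, name), capture_output=True,
                          text=True, timeout=timeout).stdout


def parse_dig(text):
    """Extract status, header flags and answer RRs from dig's default output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([^;]*);", text)
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                break
            parts = line.split()  # owner ttl class type rdata...
            if len(parts) >= 5:
                answers.append((parts[0], parts[3], " ".join(parts[4:])))
    return {"status": status.group(1) if status else "NO_RESPONSE",
            "flags": set(flags.group(1).split()) if flags else set(),
            "answers": answers}


def classify(parsed):
    """Label how a hop handled a query that asked for DNSSEC data."""
    if parsed["status"] != "NOERROR":
        return "FAILED:" + parsed["status"]
    if "ad" in parsed["flags"]:
        return "VALIDATED"               # the hop validated the chain itself
    if any(rtype == "RRSIG" for _, rtype, _ in parsed["answers"]):
        return "UNVALIDATED_WITH_RRSIG"  # signatures passed through, not checked
    return "UNVALIDATED_NO_RRSIG"        # no DNSSEC data comes back at all


def walk(hops=HOPS, name=NAME, fetch=run_dig):
    """Query every hop in path order; returns [(label, classification), ...]."""
    return [(label, classify(parse_dig(fetch(server, name)))) for label, server in hops]


def diagnose(results):
    """Heuristic: a validating resolver (Unbound with DNSSEC on) that forwards
    to a hop returning no RRSIGs cannot validate and answers SERVFAIL."""
    for i, (label, cls) in enumerate(results):
        if not cls.startswith("FAILED"):
            continue
        if i + 1 == len(results):
            return f"{label} fails and there is no further hop to compare against"
        nxt_label, nxt_cls = results[i + 1]
        if nxt_cls.startswith("FAILED"):
            continue  # the failure starts further upstream; look there
        if nxt_cls == "UNVALIDATED_NO_RRSIG":
            return (f"{label} fails while {nxt_label} answers without DNSSEC data: "
                    f"a validating resolver forwarding to {nxt_label} cannot validate; "
                    "turn DNSSEC off in forwarding mode or forward to a validating resolver")
        return f"{label} fails although {nxt_label} answers; check {label}'s resolver config and log"
    return "every hop answers; DNS resolution is not the problem for this name"


SAMPLE_OUTPUTS = {  # constructed dig output, not captured from the poster's LAN
    "192.168.1.1": """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41233
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
""",
    "10.168.1.1": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5120
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
static.hitta.se. 299 IN CNAME static.hitta.se.cdn.cloudflare.net.
static.hitta.se.cdn.cloudflare.net. 299 IN A 104.20.91.161
static.hitta.se.cdn.cloudflare.net. 299 IN A 104.20.92.161
""",
    "8.8.8.8": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7701
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
static.hitta.se. 299 IN CNAME static.hitta.se.cdn.cloudflare.net.
static.hitta.se. 299 IN RRSIG CNAME 13 3 300 20170901000000 20170801000000 12345 hitta.se. PLACEHOLDER==
static.hitta.se.cdn.cloudflare.net. 299 IN A 104.20.91.161
static.hitta.se.cdn.cloudflare.net. 299 IN A 104.20.92.161
""",
}


def sample_fetch(server, name=NAME):
    """Offline stand-in for run_dig that serves the constructed outputs."""
    return SAMPLE_OUTPUTS[server]


if __name__ == "__main__":
    results = walk(fetch=sample_fetch)  # swap in fetch=run_dig on a real network
    for label, cls in results:
        print(f"{label:8} {cls}")
    print(diagnose(results))
```

Run it as is and it reports the constructed pattern: pfSense SERVFAIL, the Asus answering without any DNSSEC records, Google answering with the AD flag. On a real network call `walk()` with the default `fetch=run_dig` and adjust HOPS to the addresses in use; the classification per hop tells you where the chain breaks before you change anything in the GUI.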

