VIP 80, 8081 work but 443 and 8444 won't



  • I'm not really sure where to start. Sorry it's so long.
    Internet is very slow. I can load 10.0.0.1:80 and get a dot; 10.0.0.1:443 won't load.
    I have Snort running but it has no alerts or blocks.
    I'm using OpenDNS FamilyShield for my DNS server under General.
    I'm using DNS Resolver with the Google SafeSearch list in Custom Options.

    Custom Options {
    server: include: /var/unbound/safesearch.conf
    server: include: /var/unbound/pfb_dnsbl.conf
    }

    I have a NAT port forward to force any DNS request to use pfSense.
    On my LAN firewall I have IPv6 DNS blocked, because it would allow SafeSearch to be turned off on an Android phone… Better way?
    I have tried it with "LAN default allow" on, but it didn't help.
    Host overrides are set to make Bing and YouTube use SafeSearch. DuckDuckGo and Yahoo are set to 0.0.0.0.
    VIP is set up for 10.0.0.1, 8081 and 8444.
    pfSense is 10.10.10.1.
    I can't see anything blocking it in the logs.
    sockstat -4 had this {root  lighttpd_p 91002 6  tcp4  *:8444  *:*}. Seems correct?

    I'm not sure if it would matter, but in the past I did have Squid and SquidGuard installed; they have since been removed.

    Just for fun I tried https://10.0.0.1 and that will load (not sure that matters).
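The post checks one `sockstat -4` line by eye to see whether lighttpd is bound to port 8444. The following is an added example, not code from the post or from pfSense/pfBlockerNG, that parses a whole `sockstat -4` listing and reports which of the DNSBL VIP ports (80, 443, 8081, 8444) have no TCP listener, treating a wildcard `*:` bind as covering the VIP. The column layout is assumed to be FreeBSD's `USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS`, and both sample listings are constructed, modelled on the single line quoted above.

```python
import re

# Constructed sample of `sockstat -4` output (not real output). Only the 8444
# listener from the post is present, so 80, 443 and 8081 are reported missing.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd_p 91002 6  tcp4   *:8444                *:*
unbound  unbound    12345 4  udp4   10.10.10.1:53         *:*
unbound  unbound    12345 5  tcp4   10.10.10.1:53         *:*
root     sshd       2222  3  tcp4   *:22                  *:*
"""

# Constructed healthy listing: web server bound explicitly to the VIP on all
# four ports. A VIP-specific bind and a wildcard bind both count as a listener.
SAMPLE_SOCKSTAT_OK = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd_p 91002 6  tcp4   10.0.0.1:80           *:*
root     lighttpd_p 91002 7  tcp4   10.0.0.1:443          *:*
root     lighttpd_p 91002 8  tcp4   *:8081                *:*
root     lighttpd_p 91002 9  tcp4   *:8444                *:*
"""

# Ports the pfBlockerNG DNSBL VIP is expected to answer on (from the post).
DNSBL_VIP_PORTS = {80, 443, 8081, 8444}

# One socket line: user, command, pid, fd, proto, local addr, foreign addr.
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(tcp4|udp4|tcp6|udp6)\s+(\S+)\s+(\S+)"
)


def parse_sockstat(text):
    """Parse sockstat output into dicts; header and unparseable lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, command, pid, fd, proto, local, _foreign = m.groups()
        ip, _, port = local.rpartition(":")  # "*:8444" -> ("*", "8444")
        if not port.isdigit():
            continue
        sockets.append({
            "user": user, "command": command, "pid": int(pid),
            "proto": proto, "ip": ip, "port": int(port),
        })
    return sockets


def tcp_listeners_for(sockets, vip):
    """Map port -> command for tcp4 sockets bound to the VIP or to the wildcard."""
    listeners = {}
    for s in sockets:
        if s["proto"] == "tcp4" and s["ip"] in ("*", vip):
            listeners[s["port"]] = s["command"]
    return listeners


def missing_vip_ports(text, vip, expected=DNSBL_VIP_PORTS):
    """Return the expected VIP ports that have no local TCP listener, sorted."""
    listeners = tcp_listeners_for(parse_sockstat(text), vip)
    return sorted(p for p in expected if p not in listeners)


if __name__ == "__main__":
    for label, listing in (("post", SAMPLE_SOCKSTAT), ("ok", SAMPLE_SOCKSTAT_OK)):
        print(label, "missing:", missing_vip_ports(listing, "10.0.0.1"))
```

A port that does have a listener can still be unreachable from a LAN segment: firewall and NAT rules sit in front of the socket, so a clean result here only rules out the "nothing is bound" case and points the investigation at the rules instead.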



  • I turned off IPv6 on the LAN, and all my speed problems went away. I still can't go to VIP:443, which I thought was how you test.
    I'm not sure why IPv6 is giving me issues, maybe because it's 6RD?
    Anyhow, thanks to everyone that took a look.


  • Moderator

    Each LAN segment should be able to access the DNSBL VIP via ping and browsing to the IP. There is a DNSBL permit rule option that you can select which will create a floating permit rule for the selected LAN segments.

    Also check the NAT rules and see if there is another NAT rule that is interfering with the DNSBL NAT rules.