Some sites won't load after a while
So I have been trying to google this issue, and it seems that there is a section in the docs for it (https://doc.pfsense.org/index.php/Unable_to_Access_Some_Websites). The problem lacks consistency, so it appears: if I reboot my pfsense machine, I can access all pages. But as time passes, sites become unavailable. Some sites are partially available, but don't load the CSS files correctly.
I'm running pfBlockerNG, but I have disabled it and evaluated, but the issue continues.
I throttle all my traffic thru an OpenVPN connection, but if I connect to the same VPN on my local machine with tunnelblick, sites start to work again (or work perfectly when using it!)
What exactly happens when they do not load - is it just your browser saying it can not find the site.. Says the site times out, you're just not loading the css file?
When you can not load a site can you do a dns query for the fqdn you're trying to access. What are you using for dns - are you routing your dns through your vpn as well?
Going to need more info to try and help you track down what the issue is.
dns query for the fqdn
➜ ~ dig twitter.com

; <<>> DiG 9.8.3-P1 <<>> twitter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51517
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;twitter.com. IN A

;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Jan 22 18:51:26 2018
;; MSG SIZE rcvd: 29

➜ ~ host twitter.com
Host twitter.com not found: 3(NXDOMAIN)

➜ ~ host google.se
google.se has address 18.104.22.168
google.se has IPv6 address 2a00:1450:400f:80b::2003
google.se mail is handled by 10 aspmx.l.google.com.
google.se mail is handled by 20 alt1.aspmx.l.google.com.
google.se mail is handled by 30 alt2.aspmx.l.google.com.
google.se mail is handled by 50 alt4.aspmx.l.google.com.
google.se mail is handled by 40 alt3.aspmx.l.google.com.

➜ ~ dig google.se

; <<>> DiG 9.8.3-P1 <<>> google.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12440
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;google.se. IN A

;; ANSWER SECTION:
google.se. 288 IN A 22.214.171.124

;; AUTHORITY SECTION:
google.se. 62491 IN NS ns2.google.com.
google.se. 62491 IN NS ns4.google.com.
google.se. 62491 IN NS ns1.google.com.
google.se. 62491 IN NS ns3.google.com.

;; Query time: 3 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Jan 22 18:51:58 2018
;; MSG SIZE rcvd: 125

➜ ~
What are you using for dns - are you routing your dns through your vpn as well?
I'm using three (3) custom DNS and I have tested them with namebench so they work, and I'm not sure if I'm routing DNS through my VPN.
And have a look at the attachment on how the browser responds.
EDIT: Seems to be occurring in random interval and random sites
You got a problem there with 192.168.1.1 - when you say you're using 3 custom dns… So you turned off the default resolver unbound and enabled the forwarder.. Or did you enable forwarding in unbound?
Out of the box pfsense resolves via unbound, it does not forward or use any sort of forwarding ns to anywhere.. It walks down the tree from roots till it gets to the authoritative ns for the domain you're asking about..
So you need to troubleshoot why you're getting servfail as response when you query twitter.
" Host twitter.com not found: 3(NXDOMAIN)"
NXDomain is a completely different error than servfail - is what you're using for dns on pfsense restarting? NX is not that something had an error, but that what you're looking for didn't exist, etc.
The DNS Forwarder is disabled.
The DNS Resolver is enabled, and the only change I have made is to tick "DHCP Registration" so I can reach my machines easier.
DNS Query Forwarding is unticked.
DNS Server Override is unticked, to use my custom DNS list
Disable DNS Forwarder is unticked (don't think I have touched this setting)
Otherwise it seems to work
Well then you're not forwarding, you're not using any 3 custom dns like you think you're using.. Unbound resolves it does forward to what you put in the general tab..
If you told it to register dhcp clients, it's most likely restarting unbound.. Which would and could cause random issues with resolving stuff if unbound was restarting when you're asking for stuff.
Look in your logs to see if unbound is restarting.
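One way to do that log check, as an added example that is not part of this thread or of pfSense itself: parse syslog-style resolver and DHCP lines, count unbound restarts, and flag each restart that follows a DHCPACK within a few seconds, which is the pattern DHCP Registration produces. The log lines below are constructed samples in an assumed "MMM DD HH:MM:SS host process: message" layout, and the "start of service" / "service stopped" messages are assumed to match what unbound logs.

```python
import re
from datetime import datetime

# Constructed sample of pfSense-style system log lines (not real captured data).
SAMPLE_LOG = """\
Jan 22 18:40:01 pfsense dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (laptop) via em1
Jan 22 18:40:02 pfsense unbound: [45123:0] info: service stopped (unbound 1.6.8).
Jan 22 18:40:03 pfsense unbound: [45210:0] info: start of service (unbound 1.6.8).
Jan 22 18:45:10 pfsense dhcpd: DHCPACK on 192.168.1.51 to 66:77:88:99:aa:bb (phone) via em1
Jan 22 18:45:11 pfsense unbound: [45210:0] info: service stopped (unbound 1.6.8).
Jan 22 18:45:12 pfsense unbound: [45302:0] info: start of service (unbound 1.6.8).
Jan 22 18:51:20 pfsense unbound: [45302:0] info: service stopped (unbound 1.6.8).
Jan 22 18:51:21 pfsense unbound: [45377:0] info: start of service (unbound 1.6.8).
"""

# timestamp, host, process name (tolerates a "[pid]" suffix), message
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+)\S*: (.*)$")


def find_restarts(log_text, year=2018, window_s=5):
    """Return [(restart_time, dhcpack_msg_or_None)] for every unbound start.

    A restart is linked to the most recent DHCPACK that happened at most
    window_s seconds before it; syslog lines carry no year, so one is assumed.
    """
    acks, restarts = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        proc, msg = m.group(2), m.group(3)
        if proc == "dhcpd" and "DHCPACK" in msg:
            acks.append((ts, msg))
        elif proc == "unbound" and "start of service" in msg:
            trigger = next((a for a in reversed(acks)
                            if 0 <= (ts - a[0]).total_seconds() <= window_s), None)
            restarts.append((ts, trigger[1] if trigger else None))
    return restarts


def summarize(restarts):
    """Count restarts and how many immediately followed a DHCP lease event."""
    linked = sum(1 for _, trig in restarts if trig is not None)
    return {"restarts": len(restarts), "after_dhcpack": linked,
            "unexplained": len(restarts) - linked}


if __name__ == "__main__":
    for ts, trig in find_restarts(SAMPLE_LOG):
        print(ts, "<- " + trig if trig else "<- no DHCPACK within window")
    print(summarize(find_restarts(SAMPLE_LOG)))
```

A restart count that rises with every lease renewal is the signal that DHCP Registration, not the upstream servers, is behind the intermittent SERVFAILs.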
Alright I checked the logs, and it seems that unbound randomly restarts.
What should I do to properly get things up and running?
(I like the option to be able to use hostnames like pfsense.local and other machine names)
I use lots and lots of local names.. You shouldn't be using .local - states that right in the notes for when setting up your domain under general settings.
Do not use '.local' as the final part of the domain (TLD), The '.local' domain is widely used by mDNS (including Avahi and Apple OS X's Bonjour/Rendezvous/Airprint/Airplay), and some Windows systems and networked devices. These will not network correctly if the router uses '.local'. Alternatives such as '.local.lan' or '.mylocal' are safe.
I would turn off register dhcp… Just have it register reservations.. All devices you want to resolve most likely should have the same IP - so just set up a reservation for them, etc. so they always get the same IP..