Tips on how to troubleshoot pfSense, smart people wanted!



  • Here is a problem.

    My router does not allow me to connect to http://sf-police.org/ (74.121.194.238)
    (I tested on a system outside my network and the website seems accessible.)

    So …

    Wonder how people do troubleshooting?

    The reason I am scratching my head is that I checked my pfSense firewall and I see that that IP (as Destination IP Address) passed (!!):

    Apr 28 18:32:03 ► WAN let out anything from firewall host itself (1000004861)   xx.xx.xx.xx:25335   74.121.194.238:80 TCP:S
    Apr 28 18:32:03 LAN Default allow LAN IPv4 to any rule (1497920954)   192.168.90.3:36966   74.121.194.238:80 TCP:S

    And I am stuck, not sure what to do now.  I rebooted the router, of course, and still no love :(

    What do smart people on the forum do next???

    Thx


  • Netgate

    Why would a firewall care what sites you visit?

    What else do you have installed? Squid? Snort?



  • @Derelict:

    Why would a firewall care what sites you visit?

    What else do you have installed? Squid? Snort?

    Why would a firewall not care?  It shows what is passed and what is blocked, no?

    I have both Squid and Snort

    Thx



  • @chudak:

    Why would a firewall not care?  It shows what is passed and what is blocked, no?

    Firewalls normally protect against outside threats, not blocking a user's access to the Internet.  I run pfSense and tried that link you provided.  I was able to access that site without problem.  So, if pfSense is blocking you, it's because you created a rule to do that.



  • @JKnott:

    @chudak:

    Why would a firewall not care?  It shows what is passed and what is blocked, no?

    Firewalls normally protect against outside threats, not blocking a user's access to the Internet.  I run pfSense and tried that link you provided.  I was able to access that site without problem.  So, if pfSense is blocking you, it's because you created a rule to do that.

    Well as you saw my FW was not blocking it!

    And the question was mainly not about this particular site but rather what are the steps to troubleshoot and understand what’s going on.



  • Packet capture and see what is actually being received and sent. Check the snort logs. By default pfSense does not block outgoing. What Derelict was getting at is that the firewall should have no biases about which destination IP addresses are being contacted. In that regard, the firewall does not care. If there's a bias, it's not from pfSense, but from user configuration, be it squid or snort or some rules blocking.

    You could also quickly check the snort and squid logs.
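
Added example (not part of the original thread): one way to read a text capture for the "packet capture" step suggested above, classifying each outgoing connection attempt by what came back. It assumes the capture was saved as `tcpdump -n` one-line summaries; `classify_flows` and the sample lines are constructed for illustration, and the outcome shown for 74.121.194.238 is not the poster's actual result.

```python
import re
from collections import defaultdict

# Matches the one-line TCP summary printed by `tcpdump -n`, e.g.
# 18:32:03.10 IP 192.168.90.3.36966 > 74.121.194.238.80: Flags [S], seq 100, length 0
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed capture: an unanswered (retransmitted) SYN, a normal SYN/SYN-ACK, and a reset.
SAMPLE = """\
18:32:03.10 IP 192.168.90.3.36966 > 74.121.194.238.80: Flags [S], seq 100, win 65535, length 0
18:32:04.10 IP 192.168.90.3.36966 > 74.121.194.238.80: Flags [S], seq 100, win 65535, length 0
18:32:05.00 IP 192.168.90.3.36970 > 203.0.113.10.80: Flags [S], seq 200, win 65535, length 0
18:32:05.02 IP 203.0.113.10.80 > 192.168.90.3.36970: Flags [S.], seq 900, ack 201, win 65535, length 0
18:32:06.00 IP 192.168.90.3.36972 > 203.0.113.20.80: Flags [S], seq 300, win 65535, length 0
18:32:06.01 IP 203.0.113.20.80 > 192.168.90.3.36972: Flags [R.], seq 0, ack 301, win 0, length 0
"""

def classify_flows(capture_text):
    """Return {(client, server): verdict} for every connection attempt in the capture."""
    seen = defaultdict(set)  # (client, server) -> events observed for that flow
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a TCP summary line
        a = (m["src"], int(m["sport"]))
        b = (m["dst"], int(m["dport"]))
        flags = m["flags"]
        if flags == "S":                 # bare SYN: a is the client opening the flow
            seen[(a, b)].add("syn")
        elif (b, a) in seen:             # packet travelling server -> client
            if "S" in flags:             # "S." is SYN-ACK
                seen[(b, a)].add("synack")
            elif "R" in flags:           # "R" or "R." is a reset
                seen[(b, a)].add("rst")
    return {f: "handshake answered" if "synack" in e else
               "reset received" if "rst" in e else "no reply"
            for f, e in seen.items()}

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE).items():
        print(flow, verdict)
```

Run it on a capture from each interface: comparing the WAN and LAN verdicts for the same destination shows on which side of the firewall the reply goes missing.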



  • Well as you saw my FW was not blocking it!

    You mentioned :

    
    The reason I scratching my head is that I checked my pfSense firewall and I see that that IP (as Destination IP Address) passed (!!):
    
    Apr 28 18:32:03   ► WAN   let out anything from firewall host itself (1000004861)     xx.xx.xx.xx:25335     74.121.194.238:80   TCP:S
    Apr 28 18:32:03   LAN    Default allow LAN IPv4 to any rule (1497920954)     192.168.90.3:36966     74.121.194.238:80   TCP:S
    

    But that is only half the story.
    Your browser sends out requests, that part seems to work.
    Now, the other part : what comes back ?

    And the question was mainly not about this particular site but rather what are the steps to troubleshoot and understand what’s going on.

    Start by removing things that tend to block things on the incoming side, like …. you have them both : Squid and Snort.

    Btw : I use pfSense, and of course I can visit the site you mentioned in the first post.

    Note : I'm not typically smart, that's why I stay away from these packages  ;)



  • @Gertjan thanks for reply!

    @Gertjan:

    Now, the other part : what comes back ?

    That's interesting and how would you check that ?

    @Gertjan:

    Start by removing things that tend to block things on the incoming side, like …. you have them both : Squid and Snort.

    I tried that. I wonder, after disabling something, would you expect that to take immediate effect or do you need to do something else? (delete stats maybe?)