Netgate Discussion Forum

pfSense keeps blocking google.com, I lost all hope

Category: Cache/Proxy
9 Posts 6 Posters 6.9k Views
pfrickroll (Jun 1, 2018, 8:47 PM; last edited by pfrickroll Jun 1, 2018, 8:52 PM)

I am running the latest pfSense update.
Basically I followed this post https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3 to configure my pfSense and then copied the Firewall Rules, DNS Resolver and Package Manager settings.
I was able to set up 7 different sites successfully, but on one I am stuck. I even uploaded my old backup, reinstalled packages, etc., but the Google website and Gmail are still blocked.
When I turn off Squid, everything works; once I turn it on, Google doesn't. Everything else seems fine; all the stuff from the blacklist that I checked is getting blocked as it is supposed to, etc. When I use my old backup, the files in the www folder don't get deleted and are still there.

So, maybe that is where the problem is. From the link I provided (which I followed to configure Squid):

Part 3
Now we are going to set up WPAD; read more about WPAD here: https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
SSH into pfSense:
    cd /
Create the wpad.da file:
    vi /usr/local/www/wpad.da
    (enter the file contents, then save and quit with :wq)

Create two new symbolic link files:

    ln -s /usr/local/www/wpad.da /usr/local/www/wpad.dat
    ln -s /usr/local/www/wpad.da /usr/local/www/proxy.pac

I tried to delete these files and it seems like I did, then recreated them; however, when I delete them I still see proxy.pac when I go directly into the pfSense GUI through "Edit File" under Diagnostics.

    I am really lost at this point...

tirsojrp (Jun 2, 2018, 11:55 AM)

      ditch squid and try pfblockerng

stephenw10, Netgate Administrator (Jun 2, 2018, 11:28 PM)

If you see some sites get blocked inexplicably and the client is showing some sort of authentication error, it's often because of a DNS resolution issue. With large sites distributed across many IPs, like Gmail, if the client and Squid resolve different IPs then you will see an error.
If your clients are not using the pfSense DNS Resolver, make sure to set Squid to use whatever DNS server the clients are using too.

        Steve

pfrickroll @stephenw10 (Jun 4, 2018, 1:21 PM)

          @stephenw10 said in pfSense keeps blocking google.com, I lost all hope:

If you see some sites get blocked inexplicably and the client is showing some sort of authentication error, it's often because of a DNS resolution issue. With large sites distributed across many IPs, like Gmail, if the client and Squid resolve different IPs then you will see an error.
If your clients are not using the pfSense DNS Resolver, make sure to set Squid to use whatever DNS server the clients are using too.

          Steve

          I have a shortcut with all google domains, so the issue is something else that I can't figure out.

pfrickroll @tirsojrp (Jun 4, 2018, 2:39 PM)

            @tirsojrp said in pfSense keeps blocking google.com, I lost all hope:

            ditch squid and try pfblockerng

Squid and pfBlockerNG do different types of jobs; that doesn't solve my problem.

onyxfire @pfrickroll (Jun 16, 2018, 2:48 PM)

@pfrickroll Not understanding why you think a shortcut has anything to do with this. @stephenw10 is right in that if your clients and Squid are using different DNS servers, they can resolve the same URL to 2 different IPs, and Squid will deny the request as a security feature if there is a mismatch. If you look in Squid on the Real Time tab to view the logs, when you try to access Google, what are the messages in the logs there? If you see a lot of TCP_NONE/409 then it is likely this is your problem. Squid throws a 409 (Conflict) code whenever you have a mismatch in the DNS-resolved IPs.

If your clients are using pfSense as their DNS server, you have to list 127.0.0.1 on the Squid General tab, or Squid will not be using your local DNS but instead the external DNS servers listed on your General Setup tab.

onyxfire @pfrickroll (Jun 16, 2018, 2:53 PM)
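The two posts above (stephenw10's DNS-mismatch explanation and onyxfire's pointer to TCP_NONE/409 in the Squid log) describe one failure: on intercepted traffic Squid checks that the IP the client connected to is among the IPs Squid itself resolves for the Host header, and answers 409 Conflict when it is not. The following is an added example, not code from the thread or from the Squid or pfSense projects. It parses a handful of constructed access.log lines in Squid's native format to count 409s per host, then models the host check against two constructed DNS views (clients on the pfSense resolver, Squid on an external resolver) to show which names will trip it. The IP addresses, log lines and the `host_verify` model are assumptions made for illustration; `host_verify` models only the mismatch case discussed here, not every `host_verify_strict` nuance.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Squid access.log lines (native log format), illustrating the
# TCP_NONE/409 pattern described in the thread. Not the poster's real logs.
SAMPLE_ACCESS_LOG = """\
1527880000.101     12 192.168.1.50 TCP_NONE/409 4301 GET http://www.google.com/ - HIER_NONE/- text/html
1527880000.205     45 192.168.1.50 TCP_MISS/200 8123 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
1527880001.010      9 192.168.1.51 TCP_NONE/409 4301 GET http://mail.google.com/ - HIER_NONE/- text/html
1527880001.330    120 192.168.1.50 TCP_NONE/409 4301 GET http://www.google.com/search?q=pfsense - HIER_NONE/- text/html
1527880002.002     88 192.168.1.52 TCP_MISS/200 512 GET http://www.google.com/favicon.ico - HIER_DIRECT/172.217.12.4 image/x-icon
"""

# Squid native format: time elapsed client result/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_of(url: str) -> str:
    """Extract the host from a logged URL; CONNECT lines log 'host:port' without a scheme."""
    if "://" in url:
        return urlsplit(url).hostname or url
    return url.rsplit(":", 1)[0]


def parse_access_log(text: str):
    """Yield one dict per parseable access.log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def count_409_by_host(text: str) -> dict:
    """Count 409 (Conflict) responses per destination host. A cluster of these
    for one site is the symptom the thread points at: a host-verify mismatch."""
    counts = Counter(host_of(e["url"]) for e in parse_access_log(text) if e["status"] == "409")
    return dict(counts)


def host_verify(client_dst_ip: str, proxy_resolved_ips) -> bool:
    """Simplified model (an assumption, not Squid's code) of the host check on
    intercepted requests: the IP the client connected to must be one of the IPs
    the proxy itself resolves for the Host header; otherwise Squid sends 409."""
    return ipaddress.ip_address(client_dst_ip) in {ipaddress.ip_address(ip) for ip in proxy_resolved_ips}


def hosts_with_split_dns(client_view: dict, proxy_view: dict) -> list:
    """Given host -> IPs as seen by the clients and by the proxy, return hosts
    for which some client-side answer is absent from the proxy's answer set.
    Those are the hosts that will (at least intermittently) produce 409s."""
    bad = []
    for host, client_ips in client_view.items():
        proxy_ips = proxy_view.get(host, ())
        if any(not host_verify(ip, proxy_ips) for ip in client_ips):
            bad.append(host)
    return sorted(bad)


# Constructed DNS views (IPs are illustrative): clients use the pfSense resolver,
# Squid was left pointing at an external resolver, so a large CDN-style name
# resolves differently on each side while a single-IP name agrees.
CLIENT_DNS_VIEW = {
    "www.google.com": ["172.217.12.4", "172.217.12.36"],
    "mail.google.com": ["216.58.194.69"],
    "example.org": ["93.184.216.34"],
}
PROXY_DNS_VIEW = {
    "www.google.com": ["142.250.72.68"],
    "mail.google.com": ["216.58.194.69"],
    "example.org": ["93.184.216.34"],
}

if __name__ == "__main__":
    print("409s per host:", count_409_by_host(SAMPLE_ACCESS_LOG))
    print("hosts with split DNS:", hosts_with_split_dns(CLIENT_DNS_VIEW, PROXY_DNS_VIEW))
```

The fix the thread arrives at is to give Squid the same resolver the clients use (127.0.0.1 on the Squid General tab when clients use the pfSense DNS Resolver); once both sides see the same answer set, `hosts_with_split_dns` returns an empty list and the 409s stop.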

@pfrickroll Also, they can do the same kind of job depending on what you are using Squid for. If you are just trying to block domains, then pfBlockerNG has a DNSBL function that can do this at the DNS level instead of inspecting the actual traffic. If you are using it for caching, tracking user URLs, etc., then you are correct in that it won't do what you need it to.

marcelloc (Jun 20, 2018, 8:00 AM)

If you run a tcpdump on your LAN while trying to google something with Chrome, you will see it going out on UDP port 443 instead of the default TCP port.

Elite Training (Treinamentos de Elite): http://sys-squad.com

                  Help a community developer! ;D

luckman212, LAYER 8, @marcelloc (Jul 23, 2018, 12:45 AM)

                    @marcelloc said in pfSense keeps blocking google.com, I lost all hope:

If you run a tcpdump on your LAN while trying to google something with Chrome, you will see it going out on UDP port 443 instead of the default TCP port.

That's the QUIC protocol, right? You can block it with a firewall rule blocking UDP 80/443:

                    https://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol

                    or disable it using a Chrome flag:
                    chrome://flags > QUIC protocol > Disable

                    I'm sure there was a good thread about it here on this forum but now for the life of me I can't find it.

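marcelloc's tcpdump observation and luckman212's UDP 80/443 rule both rest on recognising QUIC in a capture. As an added example (not code from the thread, Chrome, Squid or pfSense), the block below parses constructed UDP payloads: an IETF QUIC long header as specified in RFC 9000, and the older Google QUIC public header that Chrome was sending in 2018 (flags byte, 8-byte connection ID, ASCII version tag such as Q043). It then applies the LAN rule from the post, block UDP to destination ports 80 and 443, to a few constructed flows to show which ones it catches. The packet bytes are built by hand and labelled as such; the gQUIC header layout is taken from memory of the gQUIC wire format for those versions and is an assumption.

```python
import struct

QUIC_V1 = 0x00000001


def parse_ietf_long_header(payload: bytes):
    """Parse an IETF QUIC long header (RFC 9000 section 17.2) or return None.
    First byte: bit 7 = 1 (long header), bit 6 = 1 (fixed bit), bits 5-4 = packet
    type in v1 (0 Initial, 1 0-RTT, 2 Handshake, 3 Retry). Then a 32-bit version,
    length-prefixed destination connection ID and length-prefixed source ID."""
    if len(payload) < 7:
        return None
    first = payload[0]
    if first & 0xC0 != 0xC0:
        return None
    version = struct.unpack(">I", payload[1:5])[0]
    dcid_len = payload[5]
    scid_len_off = 6 + dcid_len
    if len(payload) <= scid_len_off:
        return None
    scid_len = payload[scid_len_off]
    scid_end = scid_len_off + 1 + scid_len
    if len(payload) < scid_end:
        return None
    return {
        "version": version,
        "type": (first & 0x30) >> 4,
        "dcid": payload[6:scid_len_off].hex(),
        "scid": payload[scid_len_off + 1:scid_end].hex(),
    }


def parse_gquic_public_header(payload: bytes):
    """Google QUIC public header as Chrome sent it circa 2018 (Q039-Q043):
    flags byte (0x01 = version present, 0x08 = 8-byte connection ID present),
    8-byte connection ID, then a 4-byte ASCII version tag such as b'Q043'.
    Assumption: this layout is recalled from the gQUIC wire spec, not from the thread."""
    if len(payload) < 13:
        return None
    flags = payload[0]
    if flags & 0x09 != 0x09:
        return None
    tag = payload[9:13]
    if not (tag[:2] == b"Q0" and tag[2:].isdigit()):
        return None
    return {"version": tag.decode("ascii"), "cid": payload[1:9].hex()}


def version_name(version: int) -> str:
    """Render a 32-bit version field: 'v1', a gQUIC tag ('Q046' onwards used IETF
    framing with an ASCII tag in the version field), or hex for anything else."""
    raw = version.to_bytes(4, "big")
    if raw[:2] == b"Q0" and raw[2:].isdigit():
        return raw.decode("ascii")
    return "v1" if version == QUIC_V1 else f"0x{version:08x}"


def classify_udp_payload(payload: bytes) -> str:
    """Label a UDP payload the way a capture-triage script would."""
    h = parse_ietf_long_header(payload)
    if h:
        kind = {0: "initial", 1: "0rtt", 2: "handshake", 3: "retry"}.get(h["type"], "long")
        return f"quic-{version_name(h['version'])}-{kind}"
    g = parse_gquic_public_header(payload)
    if g:
        return f"gquic-{g['version']}"
    return "not-quic"


def flows_hit_by_udp_block(flows, ports=(80, 443)):
    """Apply the LAN rule suggested in the thread (block UDP to ports 80/443) to
    (proto, dport, payload) tuples; return [(dport, label), ...] for the hits."""
    return [(dport, classify_udp_payload(p)) for proto, dport, p in flows
            if proto == "udp" and dport in ports]


# Constructed packets (not real captures): a QUIC v1 Initial with an 8-byte DCID
# and empty SCID, a gQUIC Q043 public header, a DNS query, and the first bytes of
# a TLS ClientHello record on TCP.
V1_INITIAL = (bytes([0xC3]) + struct.pack(">I", QUIC_V1) + bytes([8]) + bytes(range(8))
              + bytes([0]) + b"\x00" * 16)
GQUIC_Q043 = bytes([0x09]) + b"\xaa" * 8 + b"Q043" + b"\x01"
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
TLS_HELLO = b"\x16\x03\x01\x02\x00\x01"
SAMPLE_FLOWS = [
    ("udp", 443, V1_INITIAL),
    ("udp", 443, GQUIC_Q043),
    ("udp", 53, DNS_QUERY),
    ("tcp", 443, TLS_HELLO),
]

if __name__ == "__main__":
    for proto, dport, p in SAMPLE_FLOWS:
        print(proto, dport, classify_udp_payload(p) if proto == "udp" else "tcp")
    print("hit by UDP 80/443 block:", flows_hit_by_udp_block(SAMPLE_FLOWS))
```

In pfSense terms the rule is a LAN-interface block (or reject) for protocol UDP, any source, destination ports 80 and 443, placed above the default allow rule. With that in place Chrome's QUIC attempts get no answer and it falls back to TCP, which the Squid interception rules then see; the DNS query and the TCP TLS flow in the sample are untouched, as the output shows.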
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.