Netgate Discussion Forum

    pfSense keeps blocking google.com, I lost all hope

pfrickroll (last edited by pfrickroll):

I am running on the latest pfSense update.
Basically I followed this post https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3 to configure my pfSense and then copied Firewall Rules, DNS Resolver and Package Manager.
I was successfully able to set up 7 different sites but on one I am stuck. I even uploaded my old backup, reinstalled packages, etc. but the google website and gmail are still blocked.
When I turn off Squid, everything works; once I turn it on google doesn't. Everything else seems fine, all the stuff from the blacklist that I checked is getting blocked as supposed to, etc. When I use my old backup the files in the www folder don't get deleted and are still there.

So maybe that is where the problem is, from the link I provided (which I followed to configure squid):

Part 3
Now we are going to set up a wpad; read more about wpad here https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
ssh in to pfsense
8
cd /
create the wpad.da file
vi /usr/local/www/wpad.da
:wq

Create two new symbolic link files

ln -s /usr/local/www/wpad.da /usr/local/www/wpad.dat
ln -s /usr/local/www/wpad.da /usr/local/www/proxy.pac

I tried to delete these files and it seems like I did, then recreated them; however, when I delete them I still see proxy.pac when I go directly into the GUI of pfSense through "edit file" under Diagnostics..

I am really lost at this point...

tirsojrp:

ditch squid and try pfblockerng

stephenw10 (Netgate Administrator):

If you see some sites get blocked inexplicably and the client is showing some sort of authentication error, it's often because of a DNS resolution issue. With large sites distributed across many IPs, like gmail, if the client and Squid resolve different IPs then you will see an error.
If your clients are not using the pfSense DNS resolver, make sure to set Squid to use whatever DNS server the clients are using too.

Steve

pfrickroll @stephenw10:

@stephenw10 said in pfSense keeps blocking google.com, I lost all hope:

> If you see some sites get blocked inexplicably and the client is showing some sort of authentication error, it's often because of a DNS resolution issue. With large sites distributed across many IPs, like gmail, if the client and Squid resolve different IPs then you will see an error.
> If your clients are not using the pfSense DNS resolver, make sure to set Squid to use whatever DNS server the clients are using too.
>
> Steve

I have a shortcut with all google domains, so the issue is something else that I can't figure out.

pfrickroll @tirsojrp:

@tirsojrp said in pfSense keeps blocking google.com, I lost all hope:

> ditch squid and try pfblockerng

Squid and pfblockerng do different types of jobs; that doesn't solve my problem.

onyxfire @pfrickroll:

@pfrickroll Not understanding why you think a shortcut has anything to do with this. @stephenw10 is right in that if your clients and Squid are using different DNS servers, they can resolve the same URL to 2 different IPs and Squid will deny the request as a security feature if there is a mismatch. If you look in Squid's real-time tab to view the logs, when you try to access google, what are the messages in the logs there? If you see a lot of TCP_NONE/409 then it is likely this is your problem. Squid throws a 409 (Conflict) code whenever you have a mismatch in the DNS-resolved IPs.

If your clients are using pfSense as their DNS server, you have to list 127.0.0.1 in the Squid general tab or Squid will not be using your local DNS but instead the external DNS servers listed on your general tab.

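The log check onyxfire describes, as an added example that is not from any poster in this thread: it parses Squid's native access.log format and reports which destination hosts (and which clients) were refused with a 409, so you know whose DNS to compare with Squid's. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log format
# (timestamp elapsed client action/status size method url user hierarchy/peer type);
# they are made up for this example, not taken from anyone's proxy.
SAMPLE_LOG = """\
1700000000.101     12 192.168.1.20 TCP_MISS/200 5120 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
1700000000.205      0 192.168.1.20 TCP_NONE/409 4123 CONNECT www.google.com:443 - HIER_NONE/- text/html
1700000000.310      0 192.168.1.20 TCP_NONE/409 4123 CONNECT mail.google.com:443 - HIER_NONE/- text/html
1700000000.412     40 192.168.1.21 TCP_TUNNEL/200 0 CONNECT www.netgate.com:443 - HIER_DIRECT/198.51.100.7 -
1700000000.515      0 192.168.1.21 TCP_NONE/409 4123 CONNECT www.google.com:443 - HIER_NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def parse_squid_log(text):
    """Parse native-format access.log text into dicts; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def host_of(url):
    """Destination host from a CONNECT 'host:port' target or from a full URL."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].rsplit(":", 1)[0]

def find_409_hosts(entries):
    """Map host -> number of requests Squid refused with 409 (client/proxy DNS mismatch)."""
    return dict(Counter(host_of(e["url"]) for e in entries if e["status"] == "409"))

def clients_with_409(entries):
    """Sorted client IPs that hit a 409: the clients whose DNS settings to compare with Squid's."""
    return sorted({e["client"] for e in entries if e["status"] == "409"})

if __name__ == "__main__":
    parsed = parse_squid_log(SAMPLE_LOG)
    for host, n in sorted(find_409_hosts(parsed).items()):
        print(f"{host}: {n} x 409")
    print("clients to check:", ", ".join(clients_with_409(parsed)))
```

On a real box, feed it /var/squid/logs/access.log instead of the sample text; a host list that is mostly large multi-IP sites like google.com with 409s from specific clients is the pattern Steve and onyxfire describe.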
onyxfire @pfrickroll:

@pfrickroll Also, they can do the same kind of job depending on what you are using Squid for. If you are just trying to block domains then pfBlockerNG has a DNSBL function that can do this at the DNS level instead of inspecting the actual traffic. If you are using it for caching, tracking user URLs, etc. then you are correct in that it won't do what you need it to.

marcelloc:

If you run a tcpdump on your LAN while trying to google something with Chrome, you will see it going out on UDP port 443 instead of the default TCP port.

Elite Training: http://sys-squad.com

Help a community developer! ;D

luckman212 (LAYER 8) @marcelloc:

@marcelloc said in pfSense keeps blocking google.com, I lost all hope:

> If you run a tcpdump on your LAN while trying to google something with Chrome, you will see it going out on UDP port 443 instead of the default TCP port.

That's the QUIC protocol, right? You can block it with a firewall rule blocking UDP 80/443:

https://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol

or disable it using a Chrome flag:
chrome://flags > QUIC protocol > Disable

I'm sure there was a good thread about it here on this forum but now for the life of me I can't find it.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.