pfSense keeps blocking google.com, I lost all hope

pfrickroll · Jun 1, 2018, 8:52 PM

I am running on latest pfSense update.
Basically I followed this post https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3 to configure my pfSense and then copied Firewall Rules, DNS Resolver and Package Manager.
I successfully was able to set up 7 different sites but on one I am stuck. I even uploaded my old backup, reinstalled packages and etc but google website and gmail are still blocked.
When I turn off Squid, everything works once I turn it on google doesn't. Everything else seems fine, all stuff from blacklist that I checked is getting blocked as suppose to and etc. When i use my old backup the files in www folder don't get deleted and still there.

So, may be is that where the problem is from the link I provided (which i followed to configure squid:

Part 3
Now we are going to set up a wpad read more here about wpad https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
ssh in to pfsense
8
cd /
create the wpad.da file
vi /usr/local/www/wpad.da
wq

Create two new symbolic link files

ln -s /usr/local/www/wpad.da /usr/local/www/wpad.dat
ln -s /usr/local/www/wpad.da /usr/local/www/proxy.pac

I tried to delete these files and it seems like I did, then recreated them, however, when I delete them I still see proxy.pac when I got directly into GUI of pfsense through "edit file" under Diagnostics..

I am really lost at this point...

tirsojrp · Jun 4, 2018, 2:39 PM

ditch squid and try pfblockerng

stephenw10 · Jun 4, 2018, 1:21 PM

If you see some sites get blocked inexplicably and the client is showing some sort of authentication error it's often because of a DNS resolution issue. With large sites distributed across many IPs, like gmail, if the client the squid resolve different IPs then you will see an error.
If you clients are not using the pfSense DNS resolver make sure to set Squid to use whatever DNS server the clients are using too.

Steve

pfrickroll · Jun 4, 2018, 1:21 PM

@stephenw10 said in pfSense keeps blocking google.com, I lost all hope:

If you see some sites get blocked inexplicably and the client is showing some sort of authentication error it's often because of a DNS resolution issue. With large sites distributed across many IPs, like gmail, if the client the squid resolve different IPs then you will see an error.
If you clients are not using the pfSense DNS resolver make sure to set Squid to use whatever DNS server the clients are using too.

Steve

I have a shortcut with all google domains, so the issue is something else that I can't figure out.

pfrickroll · Jun 4, 2018, 2:39 PM

@tirsojrp said in pfSense keeps blocking google.com, I lost all hope:

ditch squid and try pfblockerng

Squid and pfblockerng do different type of jobs, doesn't solve my problem.

onyxfire · Jun 16, 2018, 2:48 PM

@pfrickroll Not understanding why you think a shortcut has anything to do with this. @stephenw10 is right in that if your clients and squid are using different DNS servers, they can resolve the same url to 2 different IPs and squid will deny the request as a security feature if there is a mismatch. If you look in squid in the realtime tab to view the logs, when you try to access google, what are the messages in the logs there? If you see a lot of TCP_NONE/409 then it is likely this is your problem. Squid throws a 409 (Conflict) code whenever you have a mismatch in the DNS resolved IPs.

If your clients are using pfsense as their DNS server, you have to list 127.0.0.1 in the Squid general tab or Squid will not be using your local DNS but instead the external DNS servers listed on your general tab.

onyxfire · Jun 16, 2018, 2:53 PM

@pfrickroll Also, they can do the same kind of job depending on what you are using Squid for. If you are just trying to block domains then pfBlockerNG has DNSBL function that can do this on a DNS level instead of inspecting the actual traffic. If you are using it for caching, tracking user URLs, etc then you are correct in that it won't do what you need it to.

marcelloc · Jun 20, 2018, 8:00 AM

If you run a tcpdump on your LAN while trying to google something with chrome, you will see it going on UDP port 443 instead of default TCP port.

luckman212 · Jul 23, 2018, 12:45 AM

@marcelloc said in pfSense keeps blocking google.com, I lost all hope:

If you run a tcpdump on your LAN while trying to google something with chrome, you will see it going on UDP port 443 instead of default TCP port.

That's the QUIC protocol right? You can block it with a firewall rule blocking udp80/443

https://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol

or disable it using a Chrome flag:
chrome://flags > QUIC protocol > Disable

I'm sure there was a good thread about it here on this forum but now for the life of me I can't find it.