    Webpage Load Delays for Specific Sites

    Firewalling
    • gerardhebert last edited by gerardhebert

      [UPDATE] The name of this thread has been changed from "What are Common FW Rules for Home Use?" because the solution ended up having nothing to do with that question.

      Original Text:

      I recently installed 2.4.3 Community Edition and would like to know if there is a basic set of rules I need to add to pfSense.

      Everything is working well except for two issues and I am concerned something is missing from the configuration.

      The first issue is a few sites take 22 seconds to load each page. One example is papjohns. Every link or <F5> consistently takes 22 seconds to complete on wired PCs. It will not load on mobile devices at all unless WiFi is turned off. The pages load within 2 seconds on cell data.

      The second issue is redirects. For example, clicking on an ad in Google does not work because the reply comes from googleadservices.

      If there is no basic configuration that resolves these issues, I would appreciate it if someone could point me to a thread that explains how to troubleshoot them.

      Thank you.

      • NogBadTheBad last edited by NogBadTheBad

        @gerardhebert said in What are Common FW Rules for Home Use?:

        recently installed 2.4.3 Community Edition and would like to know if there is a basic set of rules I need to add to pfSense.
        Everything is working well except for two issues and I am concerned something is missing from the configuration.
        The first issue is a few sites take 22 seconds to load each page. One example is papjohns. Every link or <F5> consistently takes 22 seconds to complete on wired PCs. It will not load on mobile devices at all unless WiFi is turned off. The pages load within 2 seconds on cell data.
        The second issue is redirects. For example, clicking on an ad in Google does not work because the reply comes from googleadservices.
        If there is no basic configuration that resolves these issues, I would appreciate it if someone could point me to a thread that explains how to troubleshoot them.
        Thank you.

        Post your pictures of your firewall rules & DNS set up.

        Also how is your Wi-Fi set up?

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • Gertjan @gerardhebert last edited by

          @gerardhebert said in What are Common FW Rules for Home Use?:

          You won't believe me, but the default WAN rules and LAN rule are fine.
          None on WAN.
          None on LAN (except for the "do not lock me out" safety net rule).
          pfSense doesn't filter any site or destination like "googleadservices" or whatever.

          Use the default Resolver settings, do not add or modify any DNS related settings.

          No "help me" PM's please. Use the forum.

          • gerardhebert last edited by

            Hopefully this is what you meant.

            [images: FWRules.jpg, DNS.jpg]

            The firewall has been up for ~30 days. The traffic for the Trove rule is 0B because the game has not been used since the last pfSense restart.

            All streaming services work well and 99% of websites load as expected.

            pfBlockerNG is installed, but disabled. Snort was running, but is disabled now because I discovered today that disabling Snort allows the pages like papjohns to load on mobile devices after ~70 seconds which is better than not at all. That problem was probably simply how iOS and Android handle ad blocking compared to Windows.

            For this reason, I think the WiFi issue is a different thing and would just as soon disregard it for now. If it is relevant, WiFi is a D-Link DIR-890L running in AP mode with a static IP. The WAN port is not in use. Its default gateway and DNS server is pfSense. Things like wireless printing/scanning, Hue lights, and several Echo Dots all work well.

            Are these two issues (1. Slow loading for a few sites and 2. Redirects like Google -> googleadservices) unique to my configuration or are these the types of things that are inherent in setting up a firewall? I was assuming it was the latter.

            Thanks.

            • gerardhebert last edited by

              The top half of the resolver options are all at their defaults.
              Port: 53
              Network Interfaces: All
              Outgoing Network Interfaces: All
              System Domain Local Zone Type: Transparent

              The rest of the settings do not list their defaults. My system has:

              DNSSEC: Enabled
              DNS Query Forwarding: Disabled
              DHCP Registration: Enabled
              Static DHCP: Enabled
              OpenVPN Clients: Disabled

              ...And there it is.
              Custom Options: server:include: /var/unbound/pfb_dnsbl.*conf

              Which contains over 39K websites to block. Took that out and the websites like papjohns load normally. Those few websites must be trying to load ad or tracking websites that were blocked. Googleadservices works too.

              Thanks Gertjan!

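The post above found the cause by removing the whole DNSBL include. An added diagnostic (not code from the thread, pfSense or pfBlockerNG) that parses an unbound include file in local-zone/local-data syntax and reports which of a page's hostnames it would answer locally; the include text, the sinkhole address and the hostnames are constructed samples. It also handles the parent-zone case: unbound applies a local-zone to its apex and every name below it unless a more specific local-zone exists, so a list of 39K zones covers far more names than it lists.

```python
import re

# local-zone types that answer locally instead of resolving upstream
BLOCKING_TYPES = {"redirect", "static", "always_nxdomain", "refuse", "deny"}
ZONE_RE = re.compile(r'^\s*local-zone:\s*"?([^"\s]+)"?\s+(\S+)')
DATA_RE = re.compile(r'^\s*local-data:\s*"([^"]+)"')

# constructed sample in unbound syntax, NOT a real pfb_dnsbl.conf
SAMPLE_INCLUDE = """\
local-zone: "googleadservices.com" redirect
local-data: "googleadservices.com A 10.10.10.1"
local-zone: "cdn.example" transparent
local-data: "bad.cdn.example A 10.10.10.1"
"""

def parse_include(text):
    """Return ({zone: type}, {owner name: rr text}) from unbound config text."""
    zones, data = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # strip comments
        m = ZONE_RE.match(line)
        if m:
            zones[m.group(1).rstrip(".").lower()] = m.group(2).lower()
            continue
        m = DATA_RE.match(line)
        if m:
            data[m.group(1).split()[0].rstrip(".").lower()] = m.group(1)
    return zones, data

def matching_zone(name, zones):
    """Longest local-zone equal to name or one of its parents, or None."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in zones:
            return cand
    return None

def is_sinkholed(name, zones, data):
    """True if unbound would answer name from the include instead of resolving."""
    zone = matching_zone(name, zones)
    if zone is None:
        return False
    if zones[zone] == "transparent":  # only an exact local-data entry answers locally
        return name.rstrip(".").lower() in data
    return zones[zone] in BLOCKING_TYPES

def sinkholed_names(names, text):
    """Filter a page's hostnames down to the ones the include would sinkhole."""
    zones, data = parse_include(text)
    return [n for n in names if is_sinkholed(n, zones, data)]
```

Feed it the hostnames a slow page actually requests (from the browser's network tab) and the real include file to see which ones hit the blocklist instead of removing the whole list.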
              • Gertjan last edited by Gertjan

                Wait!

                Your first image, the Allow trove rule (third rule): is that a rule that is part of a NAT rule (show your NAT rules please)?
                If not, delete it. No game server on the net needs incoming connections to a device on your LAN.
                The exception might be: the web server, as your device 192.168.100.200 on your LAN.

                Next image: LAN rules 3 and 4 are the same as the final/hidden default pass rule. Rule counters for rule 4 show clearly that you have no IPv6 connection.

                DNS: instead of resolving, you pass all DNS requests to Google. That's ok, up to you if you want to tell Google all about what you are doing. And losing DNSSEC while doing so.

                pfBlockerNG has a new, experimental version, see here, that behaves better. Truth is, every time the resolver (unbound) restarts, everything is read again, cache is flushed, etc. This can take seconds, if not minutes. During that moment, the DNS is "out".
                I advise you to:
                Uncheck "DHCP Registration" on the Resolver settings page.
                and
                Give all your devices a Static DHCP Lease using their MAC address - see at the bottom of the Services => DHCP Server => LAN page.

                • NogBadTheBad last edited by

                  Are you using an old router for the Wi-Fi?

                  • Harvy66 last edited by

                    pfSense works out of the box. If you're having issues, might be best to start over and make each change one at a time.

                    • gerardhebert last edited by

                      Harvy66, it's working well now that it's not blocking those 39K sites, thanks.

                      NogBadTheBad, the router is 2 or 3 years old. It's an AC tri-band with 6 antennas located above the kitchen cupboards which is in the middle of the house. The coverage is good except for one far corner of the basement. All is well now that those sites are not blocked.

                      Gertjan, I have deleted the rule for Trove.
                      I do not recall manually creating LAN rules 3 and 4 and am not sure how they got there. I have disabled them to see what happens. UPDATE: Disabling them caused my Internet connection to go down, so I think they need to be there.

                      The dashboard shows the DNS servers to be 127.0.0.1, 8.8.8.8, and 8.8.4.4. Does this still mean all DNS requests go to Google? I'm weighing the effort to create over 50 static DNS leases vs. the fact that Google already knows everything about me anyway. FWIW, I usually use the OpenDNS servers, but changed it to Google while troubleshooting this issue.

                      Thanks.

                      • Gertjan @gerardhebert last edited by

                        @gerardhebert said in What are Common FW Rules for Home Use?:

                        The dashboard shows the DNS servers to be 127.0.0.1, 8.8.8.8, and 8.8.4.4. Does this still mean all DNS requests go to Google? I'm weighing the effort to create over 50 static DNS leases vs. the fact that Google already knows everything about me anyway. FWIW, I usually use the OpenDNS servers, but changed it to Google while troubleshooting this issue.

                        8.8.8.8/4.4.4.4: Depends how you set it up:
                        As said here: System => General Setup => DNS Servers:

                        Enter IP addresses to be used by the system for DNS resolution. These are also used for the DHCP service, DNS Forwarder and DNS Resolver when it has DNS Query Forwarding enabled.

                        So, if the Resolver is still in resolving mode, your LAN clients are still Resolving, and not using these IPs (DNS).
                        Use the Forwarder, or the Resolver in forwarding mode, to use these IPs for your clients.

                        • gerardhebert last edited by

                          DNS Query Forwarding is not enabled.

                          Thanks for everyone's help.

                          • johnpoz LAYER 8 Global Moderator @Gertjan last edited by

                            @gertjan said in Webpage Load Delays for Specific Sites:

                            None on LAN (except for the "do not lock me out" safety net rule).

                            Huh? The default rule, out of the box will be Any Any.. You kind of need that rule so confused to your NONE statement.. If the user wants internet they need rules to pass traffic. Out of the box this is an any any rule.. If they do not want that then sure they can change it, add others, etc. to only allow the traffic they want. But saying that lan needs NONE is not correct.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                            • Gertjan last edited by

                              I meant: No user-entered rules, so "None".
                              The "all pass" rule already present when setting up pfSense shouldn't be modified or deleted.

                              True, I could have been more clear.

                              • johnpoz LAYER 8 Global Moderator last edited by johnpoz

                                Your statement is why he deleted those rules I think ;)

                                UPDATE: Disabling them caused my Internet connection to go down, so I think they need to be there.

                                And with this

                                except for the "do not lock me out" safety net rule).

                                I sure read it as no rules are needed on lan..

                                • Gertjan last edited by

                                  Oops.

                                  Some mix-up between WAN and LAN in my comments.
                                  Even some bllsht about hidden rules on LAN: this default rule isn't hidden at all. All interfaces have a default (hidden!) block rule.
                                  I'll edit my post.
