Webpage Load Delays for Specific Sites

gerardhebert

[UPDATE] The name of this thread has been changed from "What are Common FW Rules for Home Use?" because the solution ended up having nothing to do with that question.

Original Text:

I recently installed 2.4.3 Community Edition and would like to know if there is a basic set of rules I need to add to pfSense.

Everything is working well except for two issues and I am concerned something is missing from the configuration.

The first issue is a few sites take 22 seconds to load each page. One example is papjohns. Every link or <F5> consistently takes 22 seconds to complete on wired PCs. It will not load on mobile devices at all unless WiFi is turned off. The pages load within 2 seconds on cell data.

The second issue is redirects. For example, clicking on an add in Google does not work because the reply comes from googleadservices.

If there is no basic configuration that resolves these issues, I would appreciate it if someone could point me to a thread that explains how to troubleshoot them.

Thank you.

NogBadTheBad

@gerardhebert said in What are Common FW Rules for Home Use?:

recently installed 2.4.3 Community Edition and would like to know if there is a basic set of rules I need to add to pfSense.
Everything is working well except for two issues and I am concerned something is missing from the configuration.
The first issue is a few sites take 22 seconds to load each page. One example is papjohns. Every link or <F5> consistently takes 22 seconds to complete on wired PCs. It will not load on mobile devices at all unless WiFi is turned off. The pages load within 2 seconds on cell data.
The second issue is redirects. For example, clicking on an add in Google does not work because the reply comes from googleadservices.
If there is no basic configuration that resolves these issues, I would appreciate it if someone could point me to a thread that explains how to troubleshoot them.
Thank you.

Post your pictures of your firewall rules & DNS set up.

Also how is your Wi-Fi set up?

Gertjan

@gerardhebert said in What are Common FW Rules for Home Use?:

You wont believe me, but the default WAN rules and LAN rule are fine.
None on WAN.
None on LAN (except for the "fo not lock me out" safety net rule).
pfSense doesn't filter any site or destination like "googleadservices" or what ever.

Use the default Resolver settings, do not add or modify any DNS related settings.

gerardhebert

Hopefully this is what you meant.

The firewall has been up for ~30 days. The traffic for the Trove rule is 0B because the game has not been used since the last pfSense restart.

All streaming services work well and 99% of websites load as expected.

pfBlockerNG is installed, but disabled. Snort was running, but is disabled now because I discovered today that disabling Snort allows the pages like papjohns to load on mobile devices after ~70 seconds which is better than not at all. That problem was probably simply how iOS and Android handle ad blocking compared to Windows.

For this reason, I think the WiFi issue is a different thing and would just as soon disregard it for now. If it is relevant, WiFi is a D-Link DIR-890L running in AP mode with a static IP. The WAN port is not in use. Its default gateway and DNS server is pfSense. Things like wireless printing/scanning, Hue lights, and several Echo Dots all work well.

Are these two issues (1. Slow loading for a few sites and 2. Redirects like Google -> googleadservices) unique to my configuration or are these the types of things that are inherent in setting up a firewall? I was assuming it was the latter.

Thanks.

gerardhebert

The top half of the resolver options are all at their defaults.
Port: 53
Network Interfaces: All
Outgoing Network Interfaces: All
System Domain Local Zone Type: Transparent

The rest of the settings do not list their defaults. My system has:

DNSSEC: Enabled
DNS Query Forwarding: Disabled
DHCP Registration: Enabled
Static DHCP: Enabled
OpenVPN Clients: Disabled

...And there it is.
Custom Options: server:include: /var/unbound/pfb_dnsbl.*conf

Which contains over 39K websites to block. Took that out and the websites like papjohns load normally. Those few websites must be trying to load ad or tracking websites that were blocked. Googleadservices works too.

Thanks Gertjan!

Gertjan

Wait !

Your first image, the Allow trove rule (third rule) is that a rule that is part of a NAT rule (show your NAT rules please).
If not, delete it. No game server on the net needs incoming connections to a device on your LAN.
The exception might be : the web server, as your device 192.168.100.200 on your LAN.

Next image : LAN rules 3 and 4 are the same as the final/hidden default pass rule. Rule counters for rule 4 show clearly that you have no IPv6 connection.

DNS : instead of resolving, you pass all DNS requests to Google. That's ok, up to you if you want to tell Google all about what you are doing. And loosing DNSSEC while doing so.

pfBlockerNG has a new, experimental version, see here that behaves better. True is, every time the resolver (unbound) restarts, everything is read again, cache is flushed, etc. This can take seconds, if not minutes. During that moment, the DNS is "out".
I advice you to :
Uncheck "DHCP Registration" on the Resolver settings page.
and
Give all your devices a Static DHCP Lease using their MAC address - see at the bottom of the Services => DHCP Server => LAN page.

NogBadTheBad

Are you using an old router for the Wi-Fi ?

Harvy66

pfSense works out of the box. If you're having issues, might be best to start over and make each change one at a time.

gerardhebert

Harvy66, it's working well now that it's not blocking those 39K sites, thanks.

NogBadTheBad, the router is 2 or 3 years old. It's an AC tri-band with 6 antennas located above the kitchen cupboards which is in the middle of the house. The coverage is good except for one far corner of the basement. All is well now that those sites are not blocked.

Gertjan, I have deleted the rule for Trove.
I do not recall manually creating LAN rules 3 and 4 and am not sure how they got there. I have disabled them to see what happens. UPDATE: Disabling them caused my Internet connection to go down, so I think they need to be there.

The dashboard shows the DNS servers to be 127.0.0.1, 8.8.8.8, and 8.8.4.4. Does this still mean all DNS requests go to Google? I'm weighing the effort to create over 50 static DNS leases vs. the fact that Google already knows everything about me anyway. FWIW, I usually use the OpenDNS servers, but changed it to Google while troubleshooting this issue.

Thanks.

Gertjan

@gerardhebert said in What are Common FW Rules for Home Use?:

The dashboard shows the DNS servers to be 127.0.0.1, 8.8.8.8, and 8.8.4.4. Does this still mean all DNS requests go to Google? I'm weighing the effort to create over 50 static DNS leases vs. the fact that Google already knows everything about me anyway. FWIW, I usually use the OpenDNS servers, but changed it to Google while troubleshooting this issue.

8.8.8.8/4.4.4.4 : Depends how you set it up:
As said here : System => General Setup=> DNS Servers :

Enter IP addresses to be used by the system for DNS resolution. These are also used for the DHCP service, DNS Forwarder and DNS Resolver when it has DNS Query Forwarding enabled.

So, if the Resolver is still in resolving mode, your LAN clients are still Resolving, and not using these IP's (DNS).
User the Forwarder, or the Resolver in forwarding mode to use these IP's for your clients.

gerardhebert

DNS Query Forwarding is not enabled.

Thanks for everyone's help.

johnpoz

@gertjan said in Webpage Load Delays for Specific Sites:

None on LAN (except for the "fo not lock me out" safety net rule).

Huh? The default rule, out of the box will be Any Any.. You kind of need that rule so confused to your NONE statement.. If the user wants internet they need rules to pass traffic. Out of the box this is an any any rule.. If they do not want that then sure they can change it, add others, etc. to only allow the traffic they want. But saying that lan needs NONE is not correct.

Gertjan

I mend : No user entered rules, so "None"
The "all pass" rule already present when setting up pfSense shouldn't be modified or deleted.

True, I could have been more clear.

johnpoz

Your statement is why he deleted those rules I think ;)

UPDATE: Disabling them caused my Internet connection to go down, so I think they need to be there.

And with this

except for the "fo not lock me out" safety net rule).

I sure read it as no rules are needed on lan..

Gertjan

Oops.

Some mix-up between WAN and LAN and my comments.
Even some bllsht about hidden rules on LAN : this default rule isn't hidden at all. All interfaces have a default (hidden !) block rule.
I'll edit my post.