The firewall appears to be blocking outgoing text messages from my phone ...
-
@lifespeed what I did after changing settings was just reload unbound, pfBlockerNG, DNSBL, and Snort. No need to restart or wait too long. A cron update as well is what I did. Hope it works!
Edit, additional: I checked my phone APN settings, added their "mmsc" and "proxy" to the whitelist in DNSBL, hostname and IP (excessive, but this was only added AFTER verifying it was working after adding additional DNS servers).
Also, I do not enable "allow upstream DNS", the forwarding setting. pfSense first, then Cloudflare, Quad9, Google.
Edit: Last "also": I have a feeling the Google DNS is what really did it, at least for me, you know, because Android, and I'm sure iPhone works too because they mostly use Google DNS as well from what I remember.
-
@lifespeed as for DNSSEC, uh, General Setup under System, and then the DNS Resolver or Forwarder had another checkbox, I think. Check out dnsprivacy.org
-
@sparkyMcpenguin said in The firewall appears to be blocking outgoing text messages from my phone ...:
Edit: Last "also": I have a feeling the Google DNS is what really did it, at least for me, you know, because Android, and I'm sure iPhone works too because they mostly use Google DNS as well from what I remember.
I had avoided the Google Empire, but I'll add it to the end of the list.
-
@lifespeed
I tried too, but that's why I went from just the 1 to 3, for lack of a better term "a RAID 50 DNS connection": RAID 5 because 3 DNS, make it 50 because DNSSEC. If someone takes over all three and screws up my pfSense, there are far bigger problems. Edit: maybe 60, because technically I have 5, the two backups for Cloudflare and Google included. I only have the 'secure' Quad9; I didn't want to use the 'insecure' secure one lol
-
@lifespeed
Side note: using Cloudflare DNS (without adding the TLS hostname) will use the DoH standard as per the explanation on their site. I believe Google does as well. I don't remember about Quad9, but from my understanding of the pfSense documentation, if you enter the TLS hostname, it will use both depending on whatever situation or browser is being used. As for the 'insecure' secure Quad9, that just means it doesn't have their complimentary 'we have ad blocker and IPS/IDS stuff too guys let us play...' heh. Edit: let me make this easier:
[screenshots: widget, General Setup, current base system]
The way I have this set up, and with my knowledge of networking (need to renew my Network+ or just.. not.. RIP CompTIA), I understand it to work this way with a clean slate and no DNS cached entries:
If 127.x.x.x doesn't have the record, query the DNS server list. Because I don't 'allow override', the ISP can't give me the DNS result because it's technically blocked (or at least just dropped at the adapter level?). Edit: or actually not even seen by them, duh.
Oh, this reminds me, I have ASN set to one hour, not 24 hours...
Sorry for the here-and-there edits; I keep reminding myself of something.
"Enable DNSSEC Support" checkbox in DNS Resolver settings; custom options [two screenshots because of the scroll bar]
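For readers trying to follow the screenshots above, here is what "entering the TLS hostname" actually produces. This is an added illustration, not text or configuration from the thread: with the DNS Resolver in forwarding mode and "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" enabled, pfSense writes a forward-zone like the one below into unbound.conf; on releases before the GUI had those fields, the same lines were pasted into Custom Options. The `#name` after each address is what unbound checks the server's certificate against, so a forwarder entered without it gets an unauthenticated TLS connection. DNSSEC validation is a separate `server:` setting (the "Enable DNSSEC Support" checkbox) and works with or without TLS. The addresses and TLS names are the providers' published ones; the file paths are the ones pfSense uses on FreeBSD.

```conf
server:
  # DNSSEC validation of the answers the forwarders return
  # (this is what the "Enable DNSSEC Support" checkbox turns on).
  auto-trust-anchor-file: "/var/unbound/root.key"
  # CA bundle used to verify the forwarders' TLS certificates.
  tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
  name: "."
  # Talk DNS over TLS (port 853) to every forwarder listed below.
  forward-tls-upstream: yes
  # IP@port#name: the name after '#' must match the certificate presented,
  # otherwise unbound refuses the connection instead of silently trusting it.
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
  forward-addr: 8.8.8.8@853#dns.google
  forward-addr: 8.8.4.4@853#dns.google
```

To confirm both halves are in effect from a LAN client: `dig @<pfSense LAN IP> dnssec-failed.org` should return SERVFAIL, because that zone is deliberately signed wrong, and `tcpdump -ni <WAN interface> port 853` on the firewall should show the outbound resolver traffic, with nothing leaving on UDP/53 to the forwarders.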
-
Adding DNSwatch, Quad9 and Google DNS servers did not fix the problem. I don't have hostnames entered for the DNS servers as you have shown. Also, it looks like you just updated pfSense to 2.4.5? I think I'm on the previous rev of pfSense, 2.4.4. Also, I don't have DNSSEC set up; is a self-signed certificate adequate? Will try again tonight.
-
@lifespeed said in The firewall appears to be blocking outgoing text messages from my phone ...:
Adding DNSwatch, Quad9 and Google DNS servers did not fix the problem. I don't have hostnames entered for the DNS servers as you have shown. Also, it looks like you just updated pfSense to 2.4.5? I think I'm on the previous rev of pfSense, 2.4.4. Also, I don't have DNSSEC set up; is a self-signed certificate adequate? Will try again tonight.
Self-signed, yes, I think. I just wanted the 8 dollar domain and DDoS and WHOIS protection from Namecheap lol
-
@sparkyMcpenguin said in The firewall appears to be blocking outgoing text messages from my phone ...:
@lifespeed said in The firewall appears to be blocking outgoing text messages from my phone ...:
Adding DNSwatch, Quad9 and Google DNS servers did not fix the problem. I don't have hostnames entered for the DNS servers as you have shown. Also, it looks like you just updated pfSense to 2.4.5? I think I'm on the previous rev of pfSense, 2.4.4. Also, I don't have DNSSEC set up; is a self-signed certificate adequate? Will try again tonight.
Self-signed, yes, I think. I just wanted the 8 dollar domain and DDoS and WHOIS protection from Namecheap lol
This 8 dollar domain also was just for name resolution (yeah, I could've used ACME, but eh).
Technically I didn't need it for these purposes; I was just preparing for later on when I added OpenVPN, so that name resolution could be supplemental on my DDNS (residential IP).
-
@lifespeed said in The firewall appears to be blocking outgoing text messages from my phone ...:
Adding DNSwatch, Quad9 and Google DNS servers did not fix the problem. I don't have hostnames entered for the DNS servers as you have shown. Also, it looks like you just updated pfSense to 2.4.5? I think I'm on the previous rev of pfSense, 2.4.4. Also, I don't have DNSSEC set up; is a self-signed certificate adequate? Will try again tonight.
For DNSSEC and all this stuff I watch Lawrence Tech Systems on YouTube. Wonderful guy. Such an easy setup process. Link:
"Setting up DNS Over TLS & DNSSEC With pfsense"
I followed this and had no issues. I went to dnsprivacy to obtain settings for other providers.
-
@lifespeed said in The firewall appears to be blocking outgoing text messages from my phone ...:
Also it looks like you just updated pfSense to 2.4.5?
Correct, however all these DNS settings I had entered into 2.4.4-3 before changing to the RC branch.
-
@sparkyMcpenguin said in The firewall appears to be blocking outgoing text messages from my phone ...:
@lifespeed
Side note: using Cloudflare DNS (without adding the TLS hostname) will use the DoH standard as per the explanation on their site. I believe Google does as well. I don't remember about Quad9, but from my understanding of the pfSense documentation, if you enter the TLS hostname, it will use both depending on whatever situation or browser is being used. As for the 'insecure' secure Quad9, that just means it doesn't have their complimentary 'we have ad blocker and IPS/IDS stuff too guys let us play...' heh
So it sounds like I left out a key step of entering the DNS server domain names? Or are TLS and DNSSEC required as well? Just trying to figure out why I'm still not getting wifi calling and SMS on the Samsung phone.
-
@lifespeed said in The firewall appears to be blocking outgoing text messages from my phone ...:
@sparkyMcpenguin said in The firewall appears to be blocking outgoing text messages from my phone ...:
@lifespeed
Side note: using Cloudflare DNS (without adding the TLS hostname) will use the DoH standard as per the explanation on their site. I believe Google does as well. I don't remember about Quad9, but from my understanding of the pfSense documentation, if you enter the TLS hostname, it will use both depending on whatever situation or browser is being used. As for the 'insecure' secure Quad9, that just means it doesn't have their complimentary 'we have ad blocker and IPS/IDS stuff too guys let us play...' heh
So it sounds like I left out a key step of entering the DNS server domain names? Or are TLS and DNSSEC required as well? Just trying to figure out why I'm still not getting wifi calling and SMS on the Samsung phone.
Yes, for DNSSEC those extra little 'server options', from what I understand in the video I linked, need to be set.
"TLS and DNSSEC required?" I 'think' so. Entering the info just in the server options and in General Setup without the DNSSEC support checkbox enabled could, I believe, explain broken DNS routing.
It's possible you need to check your phone APN settings and add the hostnames of your carrier listed there into the DNSBL whitelist (I did this for my carrier; even after it was working I added it for certainty, in case a blocklist lists those addresses). I had a blocklist blocking Google DNS just last week (reported it to the list owner already). No issues since.
-
@sparkyMcpenguin said in The firewall appears to be blocking outgoing text messages from my phone ...:
possible you need to check your phone APN settings and add the hostnames of your carrier listed there into the DNSBL whitelist (I did this for my carrier; even after it was working I added it for certainty, in case a blocklist lists those addresses). I had a blocklist blocking Google DNS just last week (reported it to the list owner already). No issues since.
Does pfSense enable any blocklists by default? I don't think I have enabled any. If it isn't obvious already, I am far from an expert on this router SW.
-
@lifespeed said in The firewall appears to be blocking outgoing text messages from my phone ...:
@sparkyMcpenguin said in The firewall appears to be blocking outgoing text messages from my phone ...:
possible you need to check your phone APN settings and add the hostnames of your carrier listed there into the DNSBL whitelist (I did this for my carrier; even after it was working I added it for certainty, in case a blocklist lists those addresses). I had a blocklist blocking Google DNS just last week (reported it to the list owner already). No issues since.
Does pfSense enable any blocklists by default? I don't think I have enabled any. If it isn't obvious already, I am far from an expert on this router SW.
As far as I know, no. But usually a cell phone carrier's proxy on mobile is set to an internally routable IP address (RFC 1918).
When I first started I had those blocks enabled. Didn't work. Turned it off, still didn't work. Turned it back on, changed DNS settings, cleared the cache, rebooted for safe measure, forgot about it for a couple of days, checked again and it was working just fine.
What I did (this is for AT&T) was add their 'mmsc.x.x.x' and 'proxy.x.x.x' as listed (hostname, not IP, as RFC 1918 is a private IP address, not public, so the DNS lookup for that IP would fail as per my testing) (forgot to finish this thought:) to the DNSBL whitelist.
To verify all this I installed hetools onto my phone and, on and off wifi, did traceroute tests to the AT&T proxy and my public-facing WAN IP.
This gave me 'extra IP addresses' that I then added to the IP whitelist as yet another redundancy backup.
Wifi calling also (for me) works over the OpenVPN I have set up (on wifi, not cell service, obviously) with the Android phone originally in question.
I also have 'switch to mobile network when wifi connectivity...' turned on and off for testing. Worked either way for me (depending on wifi interference as well: too many walls in the way, or if I'm outside, wifi calling is still intermittent, but will reconnect when it gets a stronger signal).
-
@A-Former-User said in The firewall appears to be blocking outgoing text messages from my phone ...:
It's possible you need to check your phone APN settings and add the hostnames of your carrier listed there into the DNSBL whitelist (I did this for my carrier; even after it was working I added it for certainty, in case a blocklist lists those addresses). I had a blocklist blocking Google DNS just last week (reported it to the list owner already). No issues since.
There are no hostnames in the APN settings of the Samsung/Verizon phone.
-
I did a host lookup on the IP address my carrier uses and there was no associated host name.
-
Just a quick update, the final resolution for this ended up being to replace the Samsung 9plus with a Pixel 4XL. It has been working reliably for a week using wifi calling. Not every network problem is pfSense's fault.
As an additional example of problem network clients, I use home automation software called Homeseer 3. The smartphone app can only access it from inside the network by IPv4 address, not from the WAN by domain and IPv6. But it can be accessed from the WAN by IPv4. It is not a problem with pfSense configuration either.
While I have to keep my home automation software and hope they fix it, I can work around it. But the Samsung phone not receiving calls on wifi was impossible to work around. Sometimes you have to be willing to trash a problem client.
-
I swapped out a Fresh Tomato NAT box for an SG-3100 last weekend and now both my wife (Galaxy S4 on Verizon) and I (Galaxy S10 on Verizon) are having issues with SMS over Wifi. Although I have an IPv6 firewall rule (Pass/IPv6/Any) for the VLAN the phones connect to, the ISP does not yet support IPv6 so I wonder how the "disable IPv6" workaround I see here might work for me.
I have a lot of experiments to run to try to resolve this issue for myself. I also have a second ISP that supports IPv6, so I can play with that too. In the meantime, I'm getting the wife a Pixel 4a to keep the peace. More later...
-
@NineEyes Keep us posted if you find a solution. There have been many reports of problems with Samsung, but I'm not sure it has ever been tracked down to a specific issue, other than the availability of IPv6 makes it choke. For me, disabling IPv6 to work around what I believe is a Samsung problem makes no sense.
If it is a Samsung phone problem, then the solution is to ditch Samsung and keep using IPv6. Although I know getting rid of a new phone is painful.
-
@NineEyes - have you tried the suggestion here yet, i.e. changing the Firewall Optimization to conservative?
https://forum.netgate.com/topic/155113/wifi-calling-issue
A family member also has a Samsung Galaxy Android phone - this change seems to have resolved all issues (WiFi calling and SMS related) for us.
Hope this helps.