The firewall appears to be blocking outgoing text messages from my phone ...
-
pfSense doesn't block anything out by default.
Does the WAN interface have a RFC1918 address ?
Post a screenshot of your LAN rules.
Is the ASUS connected to the LAN port via the switch or an OPT port ?
Andy
1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
-
@NogBadTheBad said in The firewall appears to be blocking outgoing text messages from my phone ...:
Does the WAN interface have a RFC1918 address ?
I don't know what a RFC1918 address is. How would I check?
Post a screenshot of your LAN rules.
I haven't made any changes or added any rules:
Is the ASUS connected to the LAN port via the switch or an OPT port ?
It is connected to the LAN1 port via the switch.
-
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
RFC1918
https://tools.ietf.org/html/rfc1918
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)You'd see if pfSense was blocking by looking in the logs, unless you've disabled log default drop rules:-
Status -> System Logs -> Firewall -> Normal View
-
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
I don't know what a RFC1918 address is. How would I check?
Check : Interfaces > WAN (Inf)
There is a check box that states :
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
Does pfSense block VPN traffic by default?
See it like this :
Traffic coming from devices connected to your interface called LAN filtered by your LAN firewall rules.
These are your rules :
Which is just fine for any existing protocol on planet earth.
What I do see is an IPv6 pass rule.
This rule is used !!! Which is just great. So you ISP also gives you an IPv4 and a IPv6 connection .... (without you even knowing this ?)
You talked about a Phone - not an iPhone but "the other one". I do not have a phone from that other brand, but I do know that IPv6 support for these devices can be ... messy or worse.Just for testing : change your IPv6 pass rule (on the LAN Firewall tab) into a block rule. Apply the rule. This enforces "only IPv4".
It works now ? -
@Gertjan said in The firewall appears to be blocking outgoing text messages from my phone ...:
Check : Interfaces > WAN (Inf)
There is a check box that states :My box is checked. Is it not supposed to be?
Just for testing : change your IPv6 pass rule (on the LAN Firewall tab) into a block rule. Apply the rule. This enforces "only IPv4".
It works now ?I'll give it a shot and let you know.
-
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
@Gertjan said in The firewall appears to be blocking outgoing text messages from my phone ...:
Check : Interfaces > WAN (Inf)
There is a check box that states :My box is checked. Is it not supposed to be?
It is supposed to be checked if your pfsense box is your perimeter device and sits between your internal machines and the internet.
Jeff
-
@NogBadTheBad said in The firewall appears to be blocking outgoing text messages from my phone ...:
Does the WAN interface have a RFC1918 address ?
-
@NogBadTheBad said in The firewall appears to be blocking outgoing text messages from my phone ...:
Does the WAN interface have a RFC1918 address ?
Sorry. I forgot to answer your question. No, the WAN interface does not have an RFC1918 address. It is a standard IP address assigned by Comcast via DHCP and it starts with "67".
-
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
@NogBadTheBad said in The firewall appears to be blocking outgoing text messages from my phone ...:
Does the WAN interface have a RFC1918 address ?
Sorry. I forgot to answer your question. No, the WAN interface does not have an RFC1918 address. It is a standard IP address assigned by Comcast via DHCP and it starts with "67".
As others have stated, out-of-the-box pfSense blocks nothing outbound from your LAN. It only blocks unsolicited inbound traffic on the WAN side.
Mostly likely what is going on is Comcast is providing you with an IPv6 address. They are one of the few ISPs in the U.S. that do that now by default. Android-based devices such as your Galaxy phone don't behave well yet with IPv6 on most LANs.
Try this to see if it helps. Go to your LAN interface settings and be sure the IPv6 address box is set to "none". Do the same on the WAN interface settings. Apply the settings in both locations. Make sure any prefix delegation settings are also turned off for IPv6 on the WAN. Disconnect and reconnect your phone to WiFi and try things again. Your phone should now be forced to use IPv4.
-
@bmeeks said in The firewall appears to be blocking outgoing text messages from my phone ...:
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
@NogBadTheBad said in The firewall appears to be blocking outgoing text messages from my phone ...:
Does the WAN interface have a RFC1918 address ?
Sorry. I forgot to answer your question. No, the WAN interface does not have an RFC1918 address. It is a standard IP address assigned by Comcast via DHCP and it starts with "67".
As others have stated, out-of-the-box pfSense blocks nothing outbound from your LAN. It only blocks unsolicited inbound traffic on the WAN side.
Mostly likely what is going on is Comcast is providing you with an IPv6 address. They are one of the few ISPs in the U.S. that do that now by default. Android-based devices such as your Galaxy phone don't behave well yet with IPv6 on most LANs.
Try this to see if it helps. Go to your LAN interface settings and be sure the IPv6 address box is set to "none". Do the same on the WAN interface settings. Apply the settings in both locations. Make sure any prefix delegation settings are also turned off for IPv6 on the WAN. Disconnect and reconnect your phone to WiFi and try things again. Your phone should now be forced to use IPv4.
I will give this a try when I get home.
-
Okay, I'm not 100% sure, but it seems like turning off IPv6 solved the problem. The reason I'm a bit uncertain is because some texts actually went through before I made the change. They all seem to be going through after the change, though, so I think we found the solution.
So are there any downsides to having IPv6 disabled for my entire network? Would it perhaps make more sense to create rules that block IPv6 traffic only from my family's cell phones?
-
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
Okay, I'm not 100% sure, but it seems like turning off IPv6 solved the problem. The reason I'm a bit uncertain is because some texts actually went through before I made the change. They all seem to be going through after the change, though, so I think we found the solution.
So are there any downsides to having IPv6 disabled for my entire network? Would it perhaps make more sense to create rules that block IPv6 traffic only from my family's cell phones?
There are no downsides for now to disabling IPv6 on your LAN. One day in the distant future there may exist websites that have only an IPv6 address, but that day seems to keep getting pushed into the future.
Do not put IPv6 block rules in the firewall, though. Simply removing the ability for devices to get a routable IPv6 address on your LAN is enough.
-
http://ipv6-test.com/ << do you get a pass here ?
If you do I'd be tempted to keep IPv6 enabled.System -> Advanced -> Networking , try ticking the Prefer IPv4 over IPv6 optionAndy
1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
-
I have IPv6 on my cell network, as well as at home. In fact, my phone is IPv6 only and uses 464XLAT to support IPv4. The problem is not IPv6. Fire up Wireshark or Packet Capture to see what's happening. If you don't know what's happening, you can't fix it.
-
@NogBadTheBad said in The firewall appears to be blocking outgoing text messages from my phone ...:
System -> Advanced -> Networking , try ticking the Prefer IPv4 over IPv6 option
That is only for pfSense, not for clients connected to it.
And yes Android versions before 7 do have problems with IPv6, these are mostly related to PMTU discovery not working correct and the default MTU being to high. That also explains why connections sometimes work and sometimes not.
So personally I would put those old Android devices on a separate VLAN without IPv6, and use IPv6 for all other LANs. But first make sure IPv6 is actually working.
-
@Grimson said in The firewall appears to be blocking outgoing text messages from my phone ...:
@NogBadTheBad said in The firewall appears to be blocking outgoing text messages from my phone ...:
System -> Advanced -> Networking , try ticking the Prefer IPv4 over IPv6 option
That is only for pfSense, not for clients connected to it.
And yes Android versions before 7 do have problems with IPv6, these are mostly related to PMTU discovery not working correct and the default MTU being to high. That also explains why connections sometimes work and sometimes not.
So personally I would put those old Android devices on a separate VLAN without IPv6, and use IPv6 for all other LANs. But first make sure IPv6 is actually working.
Oh didn't realise that :)
-
@Grimson said in The firewall appears to be blocking outgoing text messages from my phone ...:
So personally I would put those old Android devices on a separate VLAN without IPv6, and use IPv6 for all other LANs.
This sounds like a good solution. Unfortunately, I don't have any experience with VLANs. Will my cell phones still be able to communicate with devices on the other VLAN?
-
My ISP does not offer IPv6, so I was using a Hurricane Electric tunnel for a couple of years to put IPv6 on my LAN. My Apple iOS devices worked fine with it after I got Ubiquiti WAPs that fully supported IPv6. I initially had some old hand-me-down corporate WAPs from a manufacturer I can't remember, but they did not work correctly with IPv6.
But because of the geo-fencing stuff done by Netflix and others, and because some of my streaming devices were wanting to use IPv6, I was encountering difficulties sometimes with streaming content on my LAN. This is because many of the big streaming providers block Hurricane Electric's IP blocks because of the geo-fencing stuff. So I have, for now, disabled my IPv6 HE tunnel.
-
@bmeeks said in The firewall appears to be blocking outgoing text messages from my phone ...:
My ISP does not offer IPv6, so I was using a Hurricane Electric tunnel for a couple of years to put IPv6 on my LAN. My Apple iOS devices worked fine with it after I got Ubiquiti WAPs that fully supported IPv6. I initially had some old hand-me-down corporate WAPs from a manufacturer I can't remember, but they did not work correctly with IPv6.
But because of the geo-fencing stuff done by Netflix and others, and because some of my streaming devices were wanting to use IPv6, I was encountering difficulties sometimes with streaming content on my LAN. This is because many of the big streaming providers block Hurricane Electric's IP blocks because of the geo-fencing stuff. So I have, for now, disabled my IPv6 HE tunnel.
That's exactly my story.
WAP, IPv6, iPhone's, all of it.Notable difference : I did not disable he.net because I need (an IPv6) it. I'm using their access point in Paris - I'm connecting from France.
I disabled Netflix .... and will come back when they changed their access politics. I know, this might take a while. -
@Gertjan said in The firewall appears to be blocking outgoing text messages from my phone ...:
@bmeeks said in The firewall appears to be blocking outgoing text messages from my phone ...:
My ISP does not offer IPv6, so I was using a Hurricane Electric tunnel for a couple of years to put IPv6 on my LAN. My Apple iOS devices worked fine with it after I got Ubiquiti WAPs that fully supported IPv6. I initially had some old hand-me-down corporate WAPs from a manufacturer I can't remember, but they did not work correctly with IPv6.
But because of the geo-fencing stuff done by Netflix and others, and because some of my streaming devices were wanting to use IPv6, I was encountering difficulties sometimes with streaming content on my LAN. This is because many of the big streaming providers block Hurricane Electric's IP blocks because of the geo-fencing stuff. So I have, for now, disabled my IPv6 HE tunnel.
That's exactly my story.
WAP, IPv6, iPhone's, all of it.Notable difference : I did not disable he.net because I need (an IPv6) it. I'm using their access point in Paris - I'm connecting from France.
I disabled Netflix .... and will come back when they changed their access politics. I know, this might take a while.I still have my Hurricane Electric tunnel configured. I've just disabled the gif0 interface on my firewall for now and removed the IPv6 DHCPv6 scopes from my DHCP server so my local devices don't grab routable IPv6 addresses. I did not disable the protocol itself on my devices.
The only real issue I had was a rare occasion when some dual-stack web site would not work with IPv6 but would with IPv4 (hello US Social Security site a couple of years ago ...
). Truth be told the main streaming client issues were with my grandkids trying watch Netflix cartoons on their iPads. When they wanted to watch their favorite cartoon and Netflix blocked my Hurricane Electric IPv6 network, then something had to give and that something was my IPv6 setup ... 
.
