The firewall appears to be blocking outgoing text messages from my phone ...
-
@JKnott said in The firewall appears to be blocking outgoing text messages from my phone ...:
Is this standard SMS? Are you using WiFi calling?
The texts are only blocked when WiFi calling is turned on. When I turn the feature off, everything is fine.
I did a little research and I came across this thread over on the Verizon forums ...
https://community.verizonwireless.com/t5/Verizon-Wireless-Services/What-are-the-wifi-calling-firewall-ports-and-destination-IP/td-p/1080659
Is the information in the last post relevant to my situation? Does pfSense block VPN traffic by default?
-
pfSense doesn't block anything out by default.
Does the WAN interface have a RFC1918 address ?
Post a screenshot of your LAN rules.
Is the ASUS connected to the LAN port via the switch or an OPT port ?
-
@NogBadTheBad said in The firewall appears to be blocking outgoing text messages from my phone ...:
Does the WAN interface have a RFC1918 address ?
I don't know what a RFC1918 address is. How would I check?
Post a screenshot of your LAN rules.
I haven't made any changes or added any rules:
Is the ASUS connected to the LAN port via the switch or an OPT port ?
It is connected to the LAN1 port via the switch.
-
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
RFC1918
https://tools.ietf.org/html/rfc1918
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
You'd see if pfSense was blocking by looking in the logs, unless you've disabled log default drop rules:-
Status -> System Logs -> Firewall -> Normal View
-
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
I don't know what a RFC1918 address is. How would I check?
Check : Interfaces > WAN (Inf)
There is a check box that states :
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
Does pfSense block VPN traffic by default?
See it like this :
Traffic coming from devices connected to your interface called LAN is filtered by your LAN firewall rules.
These are your rules :
Which is just fine for any existing protocol on planet earth.
What I do see is an IPv6 pass rule.
This rule is used !!! Which is just great. So your ISP also gives you an IPv4 and an IPv6 connection .... (without you even knowing this ?)
You talked about a Phone - not an iPhone but "the other one". I do not have a phone from that other brand, but I do know that IPv6 support for these devices can be ... messy or worse.
Just for testing : change your IPv6 pass rule (on the LAN Firewall tab) into a block rule. Apply the rule. This enforces "only IPv4".
It works now ?
-
@Gertjan said in The firewall appears to be blocking outgoing text messages from my phone ...:
Check : Interfaces > WAN (Inf)
There is a check box that states :
My box is checked. Is it not supposed to be?
Just for testing : change your IPv6 pass rule (on the LAN Firewall tab) into a block rule. Apply the rule. This enforces "only IPv4".
It works now ?
I'll give it a shot and let you know.
-
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
@Gertjan said in The firewall appears to be blocking outgoing text messages from my phone ...:
Check : Interfaces > WAN (Inf)
There is a check box that states :
My box is checked. Is it not supposed to be?
It is supposed to be checked if your pfsense box is your perimeter device and sits between your internal machines and the internet.
Jeff
-
@NogBadTheBad said in The firewall appears to be blocking outgoing text messages from my phone ...:
Does the WAN interface have a RFC1918 address ?
Sorry. I forgot to answer your question. No, the WAN interface does not have an RFC1918 address. It is a standard IP address assigned by Comcast via DHCP and it starts with "67".
-
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
@NogBadTheBad said in The firewall appears to be blocking outgoing text messages from my phone ...:
Does the WAN interface have a RFC1918 address ?
Sorry. I forgot to answer your question. No, the WAN interface does not have an RFC1918 address. It is a standard IP address assigned by Comcast via DHCP and it starts with "67".
As others have stated, out-of-the-box pfSense blocks nothing outbound from your LAN. It only blocks unsolicited inbound traffic on the WAN side.
Most likely what is going on is Comcast is providing you with an IPv6 address. They are one of the few ISPs in the U.S. that do that now by default. Android-based devices such as your Galaxy phone don't behave well yet with IPv6 on most LANs.
Try this to see if it helps. Go to your LAN interface settings and be sure the IPv6 address box is set to "none". Do the same on the WAN interface settings. Apply the settings in both locations. Make sure any prefix delegation settings are also turned off for IPv6 on the WAN. Disconnect and reconnect your phone to WiFi and try things again. Your phone should now be forced to use IPv4.
-
@bmeeks said in The firewall appears to be blocking outgoing text messages from my phone ...:
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
@NogBadTheBad said in The firewall appears to be blocking outgoing text messages from my phone ...:
Does the WAN interface have a RFC1918 address ?
Sorry. I forgot to answer your question. No, the WAN interface does not have an RFC1918 address. It is a standard IP address assigned by Comcast via DHCP and it starts with "67".
As others have stated, out-of-the-box pfSense blocks nothing outbound from your LAN. It only blocks unsolicited inbound traffic on the WAN side.
Most likely what is going on is Comcast is providing you with an IPv6 address. They are one of the few ISPs in the U.S. that do that now by default. Android-based devices such as your Galaxy phone don't behave well yet with IPv6 on most LANs.
Try this to see if it helps. Go to your LAN interface settings and be sure the IPv6 address box is set to "none". Do the same on the WAN interface settings. Apply the settings in both locations. Make sure any prefix delegation settings are also turned off for IPv6 on the WAN. Disconnect and reconnect your phone to WiFi and try things again. Your phone should now be forced to use IPv4.
I will give this a try when I get home.
-
Okay, I'm not 100% sure, but it seems like turning off IPv6 solved the problem. The reason I'm a bit uncertain is because some texts actually went through before I made the change. They all seem to be going through after the change, though, so I think we found the solution.
So are there any downsides to having IPv6 disabled for my entire network? Would it perhaps make more sense to create rules that block IPv6 traffic only from my family's cell phones?
-
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
Okay, I'm not 100% sure, but it seems like turning off IPv6 solved the problem. The reason I'm a bit uncertain is because some texts actually went through before I made the change. They all seem to be going through after the change, though, so I think we found the solution.
So are there any downsides to having IPv6 disabled for my entire network? Would it perhaps make more sense to create rules that block IPv6 traffic only from my family's cell phones?
There are no downsides for now to disabling IPv6 on your LAN. One day in the distant future there may exist websites that have only an IPv6 address, but that day seems to keep getting pushed into the future.
Do not put IPv6 block rules in the firewall, though. Simply removing the ability for devices to get a routable IPv6 address on your LAN is enough.
-
http://ipv6-test.com/ << do you get a pass here ?
If you do I'd be tempted to keep IPv6 enabled.
System -> Advanced -> Networking , try ticking the Prefer IPv4 over IPv6 option
-
I have IPv6 on my cell network, as well as at home. In fact, my phone is IPv6 only and uses 464XLAT to support IPv4. The problem is not IPv6. Fire up Wireshark or Packet Capture to see what's happening. If you don't know what's happening, you can't fix it.
-
@NogBadTheBad said in The firewall appears to be blocking outgoing text messages from my phone ...:
System -> Advanced -> Networking , try ticking the Prefer IPv4 over IPv6 option
That is only for pfSense, not for clients connected to it.
And yes, Android versions before 7 do have problems with IPv6; these are mostly related to PMTU discovery not working correctly and the default MTU being too high. That also explains why connections sometimes work and sometimes not.
So personally I would put those old Android devices on a separate VLAN without IPv6, and use IPv6 for all other LANs. But first make sure IPv6 is actually working.
-
@Grimson said in The firewall appears to be blocking outgoing text messages from my phone ...:
@NogBadTheBad said in The firewall appears to be blocking outgoing text messages from my phone ...:
System -> Advanced -> Networking , try ticking the Prefer IPv4 over IPv6 option
That is only for pfSense, not for clients connected to it.
And yes, Android versions before 7 do have problems with IPv6; these are mostly related to PMTU discovery not working correctly and the default MTU being too high. That also explains why connections sometimes work and sometimes not.
So personally I would put those old Android devices on a separate VLAN without IPv6, and use IPv6 for all other LANs. But first make sure IPv6 is actually working.
Oh didn't realise that :)
-
@Grimson said in The firewall appears to be blocking outgoing text messages from my phone ...:
So personally I would put those old Android devices on a separate VLAN without IPv6, and use IPv6 for all other LANs.
This sounds like a good solution. Unfortunately, I don't have any experience with VLANs. Will my cell phones still be able to communicate with devices on the other VLAN?
-
My ISP does not offer IPv6, so I was using a Hurricane Electric tunnel for a couple of years to put IPv6 on my LAN. My Apple iOS devices worked fine with it after I got Ubiquiti WAPs that fully supported IPv6. I initially had some old hand-me-down corporate WAPs from a manufacturer I can't remember, but they did not work correctly with IPv6.
But because of the geo-fencing stuff done by Netflix and others, and because some of my streaming devices were wanting to use IPv6, I was encountering difficulties sometimes with streaming content on my LAN. This is because many of the big streaming providers block Hurricane Electric's IP blocks because of the geo-fencing stuff. So I have, for now, disabled my IPv6 HE tunnel.
-
@bmeeks said in The firewall appears to be blocking outgoing text messages from my phone ...:
My ISP does not offer IPv6, so I was using a Hurricane Electric tunnel for a couple of years to put IPv6 on my LAN. My Apple iOS devices worked fine with it after I got Ubiquiti WAPs that fully supported IPv6. I initially had some old hand-me-down corporate WAPs from a manufacturer I can't remember, but they did not work correctly with IPv6.
But because of the geo-fencing stuff done by Netflix and others, and because some of my streaming devices were wanting to use IPv6, I was encountering difficulties sometimes with streaming content on my LAN. This is because many of the big streaming providers block Hurricane Electric's IP blocks because of the geo-fencing stuff. So I have, for now, disabled my IPv6 HE tunnel.
That's exactly my story.
WAP, IPv6, iPhones, all of it.
Notable difference : I did not disable he.net because I need (an IPv6) it. I'm using their access point in Paris - I'm connecting from France.
I disabled Netflix .... and will come back when they changed their access politics. I know, this might take a while.
-
@Gertjan said in The firewall appears to be blocking outgoing text messages from my phone ...:
@bmeeks said in The firewall appears to be blocking outgoing text messages from my phone ...:
My ISP does not offer IPv6, so I was using a Hurricane Electric tunnel for a couple of years to put IPv6 on my LAN. My Apple iOS devices worked fine with it after I got Ubiquiti WAPs that fully supported IPv6. I initially had some old hand-me-down corporate WAPs from a manufacturer I can't remember, but they did not work correctly with IPv6.
But because of the geo-fencing stuff done by Netflix and others, and because some of my streaming devices were wanting to use IPv6, I was encountering difficulties sometimes with streaming content on my LAN. This is because many of the big streaming providers block Hurricane Electric's IP blocks because of the geo-fencing stuff. So I have, for now, disabled my IPv6 HE tunnel.
That's exactly my story.
WAP, IPv6, iPhones, all of it.
Notable difference : I did not disable he.net because I need (an IPv6) it. I'm using their access point in Paris - I'm connecting from France.
I disabled Netflix .... and will come back when they changed their access politics. I know, this might take a while.
I still have my Hurricane Electric tunnel configured. I've just disabled the gif0 interface on my firewall for now and removed the IPv6 DHCPv6 scopes from my DHCP server so my local devices don't grab routable IPv6 addresses. I did not disable the protocol itself on my devices.
The only real issue I had was a rare occasion when some dual-stack web site would not work with IPv6 but would with IPv4 (hello US Social Security site a couple of years ago ... ). Truth be told the main streaming client issues were with my grandkids trying to watch Netflix cartoons on their iPads. When they wanted to watch their favorite cartoon and Netflix blocked my Hurricane Electric IPv6 network, then something had to give and that something was my IPv6 setup ... .
-
@bmeeks : You saw https://forum.netgate.com/topic/118566/netflix-and-he-net-tunnel-fixed-using-unbound-python-module ? I'm using that feature. No AAAA for netflix sites forces IPv4 access.
@gweempose sorry for the thread jacking.
-
Funny that I found this thread because I have had the same thing at my house. My step-son's older Samsung Galaxy could not send text messages when at home on the WIFI. My wife's new Galaxy could. My Pixel could and my old Moto could as well. I never did figure out why. Maybe it is time for a second look. If it was my phone I would be going crazy trying to figure it out...but the kid? He'll survive.
-
Still, a real SMS goes over the 2G/3G/4G carrier - even if the phone is connected to some second Internet source (Wifi, Bluetooth, whatever)
edit : after the WhatsApp / Telegram / Messenger : who's using SMS these days ?
-
@Gertjan said in The firewall appears to be blocking outgoing text messages from my phone ...:
Still, a real SMS goes over the 2G/3G/4G carrier - even if the phone is connected to some second Internet source (Wifi, Bluetooth, whatever)
SMS uses WiFi, if WiFi calling is enabled.
edit : after the WhatsApp / Telegram / Messenger : who's using SMS these days ?
What's WhatsApp/Telegram/Messenger?
-
@JKnott said in The firewall appears to be blocking outgoing text messages from my phone ...:
SMS uses WiFi, if WiFi calling is enabled.
Not every phone has wifi calling. If the OP of a thread is using wifi calling I for one would suggest that they mention that in the first post.
I myself carry a Sonim basic 4G phone which does not have WIFI calling.. but also a tablet that gets all my sms along with my phone as a 4G only device and does get SMS over wifi. Verified yesterday in a no cell coverage basement of a building. :)
-
@chpalmer said in The firewall appears to be blocking outgoing text messages from my phone ...:
Not every phone has wifi calling. If the OP of a thread is using wifi calling I for one would suggest that they mention that in the first post.
I mentioned it in the second post as soon as I realized it was pertinent.
-
@gweempose said in The firewall appears to be blocking outgoing text messages from my phone ...:
I mentioned it in the second post as soon as I realized it was pertinent.
I see that now. And my post is in a generalization kind of way and not directed at you totally. Others that come by might benefit.
:)
I'm wondering though if you looked at your state table to see what your phone is trying to connect to??
Could you try static port on that particular connection to see if that helps.. My tablet seems to work out of the box on my Verizon account.
-
@chpalmer You are right
-
Interesting thread. Two family members have Samsung phones that choked intermittently on wifi calling and SMS. Three other phones, Google Pixels from versions 2 to 3, work just fine.
Seeing that this could be an IPv6 bug from Samsung on my IPv6-enabled network, I assigned them static IPv4 addresses. So far this seems to have cured the problem without causing me to disable IPv6 for the rest of my devices.
You would think after all these years everything would work on IPv6. Apparently not.
-
Is IPv6 used for your WiFi calling? It isn't on mine. You can use Packet Capture to see what's used.
-
@JKnott Apparently this is an intermittent problem, the phone pulled an IPv6 address, and failed to receive a wifi call. So I rebooted it, after which it received a wifi call fine. I don't know if the call is going over IPv4 or v6. Really all I can tell at this point is the problem appears to be confined to Samsung phones, and rebooting seems to make it work for a while. I don't currently have a firewall rule passing WAN net inbound to LAN net on 500 and 4500, as it seems to work intermittently with or without these rules.
-
My Pixel 2 always gets an IPv6 address, whether on my home network or the cell network. It has nothing to do with the problem. You can run Packet Capture on UDP port 4500 to see if IPv4 is used or IP protocol 50 (IIRC) to see if IPv6 is used. The reason for the difference is that UDP is used to get around NAT on IPv4.
However, given that it only applies to the Samsung phone and a reboot fixes it, that's likely where your problem is, and not with pfSense. Regardless, packet captures can often tell you a lot.
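-
An added example, not part of the thread or any poster's code: the post above suggests capturing UDP port 4500 and IP protocol 50 to see which path WiFi calling takes. This sketch goes one step further and reads the IP version straight from each packet, then labels it as IKE, UDP-encapsulated ESP (NAT traversal, RFC 3948) or native ESP. It assumes raw IP packets with the link-layer header already stripped; the function names, addresses and payloads are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address, IPv6Address

UDP, ESP = 17, 50                  # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # IKE and IPsec NAT traversal

def classify(pkt: bytes):
    """Return (ip_version, kind) for one raw IP packet, or None if unparseable."""
    version = pkt[0] >> 4 if pkt else 0
    if version == 4 and len(pkt) >= 20:
        proto, payload = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    elif version == 6 and len(pkt) >= 40:
        proto, payload = pkt[6], pkt[40:]   # extension headers are not walked
    else:
        return None
    if proto == ESP:
        return version, "esp"               # native IPsec, no UDP wrapper
    if proto != UDP or len(payload) < 8:
        return version, "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    body = payload[8:]
    if NATT_PORT in (sport, dport):
        if body == b"\xff":
            return version, "natt-keepalive"
        if body[:4] == b"\x00" * 4:         # non-ESP marker: IKE on port 4500
            return version, "ike-natt"
        return version, "esp-in-udp"        # UDP-encapsulated ESP
    if IKE_PORT in (sport, dport):
        return version, "ike"
    return version, "other"

def summarize(packets):
    """Count packets per (IP version, kind), skipping unparseable ones."""
    return Counter(c for c in map(classify, packets) if c)

def tunnel_families(packets):
    """IP versions that actually carried tunnel payload (ESP, native or in UDP)."""
    kinds = ("esp", "esp-in-udp")
    return sorted({v for (v, kind) in summarize(packets) if kind in kinds})

# --- constructed sample packets (documentation addresses, dummy payloads) ---
def _udp(sport, dport, body):
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body

def _v4(proto, payload, src="192.168.1.50", dst="198.51.100.10"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def _v6(nxt, payload, src="2001:db8:1::50", dst="2001:db8:ffff::10"):
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), nxt, 64,
                      IPv6Address(src).packed, IPv6Address(dst).packed)
    return hdr + payload

SPI = bytes.fromhex("c0ffee01")    # constructed, non-zero SPI
NATTED_V4 = [                      # phone behind NAT on an IPv4 LAN
    _v4(UDP, _udp(500, 500, b"\x01" * 28)),
    _v4(UDP, _udp(4500, 4500, b"\x00" * 4 + b"\x01" * 28)),
    _v4(UDP, _udp(4500, 4500, SPI + b"\x00\x00\x00\x01" + b"\xaa" * 32)),
    _v4(UDP, _udp(4500, 4500, b"\xff")),
]
NATIVE_V6 = [                      # phone with a routable IPv6 address
    _v6(UDP, _udp(500, 500, b"\x01" * 28)),
    _v6(ESP, SPI + b"\x00\x00\x00\x01" + b"\xaa" * 32),
]

if __name__ == "__main__":
    for name, capture in (("natted v4", NATTED_V4), ("native v6", NATIVE_V6)):
        print(name, dict(summarize(capture)), tunnel_families(capture))
```

If `tunnel_families` returns only `[4]` for a capture taken while a text fails to send, the tunnel is not running over IPv6 and the cause lies elsewhere.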
-
@JKnott Yeah, especially on Verizon, phones are IPv6. If I FTP into my media server using my Pixel 2 it shows an IPv6 address on Filezilla FTP server. I'm sure it is a Samsung problem and not pfSense, but there must be some way to work around it. I don't recall having this problem with my ancient Draytek Vigor 2130 router.
Is packet capture a pfSense utility? Never tried it before. Tried to use Wireshark once, but gave up - incredibly complicated to figure out.
-
If the problem is with the phone I doubt there's anything you could do in pfSense to get around it. PfSense includes Packet Capture, on the Diagnostics page. However, by itself, it provides limited info and it's better to download the capture to read with Wireshark. Yes, Wireshark is complicated, but it does a lot of useful stuff for working on networking problems. I use it regularly.
-
I use the software firewall untangle as my router firewall for my home network. I found over the last several months that all of the phones in my house that use Wi-Fi calling will sometimes have problems either sending or receiving pictures via SMS. I'm not trying to hijack this post, I'm trying to point out that it's not just pfsense that's causing this problem, nor is it just older phones because I just had the issue 5 minutes ago on my note 10 plus. It's also not limited to carrier because the original poster is on Verizon and I am on AT&T.
-
@red3recon said in The firewall appears to be blocking outgoing text messages from my phone ...:
I use the software firewall untangle as my router firewall for my home network. I found over the last several months that all of the phones in my house that use Wi-Fi calling will sometimes have problems either sending or receiving pictures via SMS. I'm not trying to hijack this post, I'm trying to point out that it's not just pfsense that's causing this problem, nor is it just older phones because I just had the issue 5 minutes ago on my note 10 plus. It's also not limited to carrier because the original poster is on Verizon and I am on AT&T.
Ah, you have Samsung too. It is my slightly-informed opinion that Samsung has a problem with wifi calling (which is SMS-over-wifi as well) with an IPv6-enabled network. But I'm neither tech-savvy enough, nor interested enough to become more wireshark-skilled, to prove this with certainty.
My solution will be to ditch the only Samsung phone in our household, which will come at a price. But I can't have the darn thing not receiving calls to one of my kids, and I'm not interested in trying to accommodate Samsung's stupidity.
-
Wifi calling uses the same protocol as VoLTE. It's VoIP encrypted with IPSec and then encapsulated in UDP, if passing through NAT. I don't know what's used when directly on the cell network, but on my WiFi, it uses IPv4, even though I have IPv6 available. I don't know much about the protocols used beyond that. Perhaps someone else here does.
-
@JKnott said in The firewall appears to be blocking outgoing text messages from my phone ...:
Wifi calling uses the same protocol as VoLTE. It's VoIP encrypted with IPSec and then encapsulated in UDP, if passing through NAT. I don't know what's used when directly on the cell network, but on my WiFi, it uses IPv4, even though I have IPv6 available. I don't know much about the protocols used beyond that. Perhaps someone else here does.
I know Verizon uses IPv6 on their mobile network, as an FTP login to my server from my phone connected to a mobile tower yields an IPv6 address. I'm not sure how I could ever tell if IPv6 is used for VoLTE, though, as I don't have that level of access to their network.
I do know that my mother-in-law's Samsung phone doesn't have a problem on her home wifi, but that is your typical consumer router <2 years old. I think it is common for such gear to default to IPv4 on the LAN. It may be there is a Samsung bug with wifi calling that is triggered by the availability of IPv6, even if it isn't using it. To be honest, it is academic once it is isolated to a Samsung problem rather than pfSense - the Samsung phone must go.
-
@lifespeed said in The firewall appears to be blocking outgoing text messages from my phone ...:
I know Verizon uses IPv6 on their mobile network, as an FTP login to my server from my phone connected to a mobile tower yields an IPv6 address. I'm not sure how I could ever tell if IPv6 is used for VoLTE, though, as I don't have that level of access to their network.
My cell company (Rogers) also has IPv6 and I get a /64, when I tether to it. Like you, I have no way to see what's on the cell network.
I do know that my mother-in-law's Samsung phone doesn't have a problem on her home wifi, but that is your typical consumer router <2 years old. I think it is common for such gear to default to IPv4 on the LAN.
Actually, routers these days should handle IPv6, though some people don't enable it. It's the client that normally defaults to IPv6, not the router.