Issues with two external websites on same subnet
I am using version 2.4.4-RELEASE-p3 of pfsense
since last week I have issues with two specific websites (web applications)... the update to the last release was made recently .... could coincide with problem, but unfortunately I don't have the mathematical certainty.
Two sites are: http://app.cocif.com and https://configuratoreweb.cocif.com:8090/web-rubik-eff/LoginWeb
(both are externally hosted on same public subnet 220.127.116.11/29)
I can reach the two webserver but I have an infinite timeout for the complete page loading, using the FF diagnostics I checked that the html page was loaded immediately, but the linked files like css, js, ico, etc ... remain pending
On pfSense I tried to disable proxy, disable all rules to permit all traffic from any host to the subnet on any port, but the problem still remain.
I tried also to bypass pfsense connecting directly to the router, and the site load correctly... so the mistake is due to somewhat in pfSense.
On all the other sites of various kinds I don't encounter any problem ...
I don't know where hit my head any more ... every idea is well appreciated! thanks!!!
Does it work properly if you test from WAN instead of LAN?
@KOM yes, if I connect pc directly to ISP's router, it's work fine!
So then pfSense is not part of the problem directly if it's working fine when you test it from WAN. What packages are you running? You said proxy which is squid. Anything else? Snort, suricata, pfBlocker?
@KOM sorry but I'm very confused...
I can't understand why do you think that pfSense is not part of the problem...
perhaps I don't have clearly described my situation:
LAN PC -----> pfSense ----> ISProuter ----> internet ----> provider subnet ----> webserver (issue)
LAN PC ----> ISProuter ----> internet ----> provider subnet ----> webserver (no issue)
Regarding packages, I tried to disable squid wihout success... I don't have anymore.... today I tried to install snort in alert mode for testing purposes... but the problem was present before...
I can't understand why do you think that pfSense is not part of the problem
I didn't ask you to disconnect pfSense. I asked you to test from the WAN side, not the LAN side. For example, if you were testing from your LAN and you go through squid and squid causes the problem, then your external users won't have the same problem since they're not going through your proxy on LAN. Whenever you're testing forwarded servers, it's best to test from the public Internet, not your LAN.
sorry @KOM ... but the subnet with the two web servers is outside my network... it's not connected directly to myPfSense... it's hosted somewhere over the internet... (the two webservers are not mine!)
I've done other test...
My ISP give me an Huawei AR1220E router with different interfaces...
pfSense WAN is connected to Huawei GE8, which is set in transparent mode (so pfSense WAN IP is the public ip).
Huawei GE0 is set in routed mode with DHCP.
So if I connect PC to GE0 all works fine.... but if I set PC's NIC with public address (the same who use pfSense) and I connect to Huawei GE8, the problem occours...
At this point I think that there is a mistake in Huawei configuration... actually problem is not related to pfSense... do test on different router interfaces from different one used by pfSense tricked me
Ah, sorry I thought they were your servers on your network. Duh for me.
So is squid still running or not? I tried both sites you listed and they work fine for me. They load and no timeouts, unless your problem is deeper in the site. I don't have a login.
You seem to have a LOT of LAN rules. If you block all by default and then only specifically allow traffic then you're going to have these types of problems.
And yes, maybe it's a problem with your ISP or their equipment.
I tried both situation... squid running and not... nothing change at all!
The problem occours at first stage... login page don't load completly...
I tried also to remove all firewall rules... but problem is still present...
tomorrow morning I'll call ISP for verify router configuration...
OK then for sure I can say that these pages load fine for me behind pfSense.
I hope you get it sorted out.
Both are working well from my side now with fastweb. ciao beppe