Approach to troubleshoot a connection to a single website. - solved



  • pfsense 2.5 dev build nightly oct-28
    I am consistently unable to reach a specific public website from behind my pfSense firewall. I get a generic "connection took too long to respond" message. The site is up, as if I pop my phone to LTE it opens fine. The problem exists on wired / wireless devices.

    It does not seem to be DNS, as I can resolve the hostname via client devices and via the pfsense diagnostics menu.
    The hostname resolves to 7 IPs, but that shouldn't be an issue.

    Ping is not useful, as this host appears to block ICMP.

    Traceroute on my clients and the pfsense diagnostic menu look similar.

    It would be handy if the pfsense diagnostic had an open https page alas ...

    No blocking packages loaded.

    I see outbound connections that seem to be blocked that I cannot explain; this might be related.

    On the dashboard, add the firewall logs part and filter LAN and block, and I see connections blocked that I am not sure why would be blocked.

    I am not sure what to look at next.

    Looking at the firewall rules / LAN, I see the three base rules (anti-lockout, default allow LAN ipv4 and ipv6).



  • As an example this is blocked but I am not sure why
    68cc63f3-e995-4324-8a68-c08a71b14083-image.png

    10.0.3.5 is my iPhone.



  • @mervincm

    If it's just the one site, I would suggest it's not a pfSense issue, unless you have a specific rule blocking it. Have you tried that site from elsewhere? Or with a computer connected directly to your Internet connection?

    FWIW, I can't reach that site either.

    "Unable to connect

    Firefox can’t establish a connection to the server at 142.229.173.56."



  • I may have given misleading details. That was an example of unexplained blocking I see in my pfsense portal. I was just trying to point out that maybe I have a larger issue as I can't explain that either.

    the specific site that I am trying to troubleshoot is https://meet.alberta.ca. I tried from other locations and it opens properly.



  • @mervincm said in Approach to troubleshoot a connection to a single website.:

    I tried from other locations and it opens properly.

    Try with a computer connected directly to your Internet connection.



  • I do not have another PC on my ISP directly (I only get a single IP), but I can confirm widescale the site is up (via https://www.uptrends.com/tools/uptime) and I confirmed with another person who shares my ISP that they can reach it.



  • @mervincm I also have a fiber-based (Telus) ISP, with no ISP gear in my house other than the optical transceiver I have in my switch. That switch port is in a port-based VLAN that only also includes the WAN port of my pfsense PC. There is no double NAT or an ISP router/firewall device to worry about.



  • @JKnott
    Your first thought seems to be correct.
    I put a test system right on my ISP VLAN, and contrary to what I expected, I did get a second IP! This test PC was not using pfsense but demonstrated the same problematic behaviour. The problem site was still not reachable.

    I can't explain it, but it seems not to be pfsense after all.

    I will open a separate thread for the pfsense blocking that remains unexplained.

    Thank you!



  • @mervincm said in Approach to troubleshoot a connection to a single website. - solved:

    @JKnott
    Your first thought seems to be correct.
    I put a test system right on my ISP VLAN, and contrary to what I expected, I did get a second IP! This test PC was not using pfsense but demonstrated the same problematic behaviour. The problem site was still not reachable.

    I can't explain it, but it seems not to be pfsense after all.

    I will open a separate thread for the pfsense blocking that remains unexplained.

    Thank you!

    If you've proven that pfSense is not the problem, why are you opening another thread? If it fails with your computer directly connected to the modem, then it has absolutely nothing to do with pfSense. You could try traceroute, to see where the problem might be. It sounds more like a routing problem with Telus. Do you know anyone else with a similar connection who could try?



  • @JKnott
    I must be confusing with the details I added.

    The single website issue (in the title) is explained and can be considered closed. I can't find anyone else that is having this issue, and I know several with the same ISP/service, but given it fails when I bypass pfsense, it is clearly not a pfsense issue. Thus I closed the thread.

    I still see a variety of outbound blocked packets that I can't explain. It made more sense to me to open a separate thread to avoid similar confusion.
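
An added example, not part of any post in this thread: because the hostname resolves to several addresses and the host blocks ICMP, a TCP and TLS probe of each resolved address on port 443 shows more than ping does, and the verdict can be compared between a client behind pfSense and one connected directly to the ISP. The function names, outcome labels and timeout are assumptions of this sketch.

```python
import socket
import ssl

def resolve(host, port=443):
    """Return every distinct address the name resolves to (IPv4 and IPv6)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(host, ip, port=443, timeout=5.0):
    """Try TCP, then a TLS handshake, against one address; return the outcome."""
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except socket.timeout:
        return "tcp-timeout"   # SYN unanswered: dropped or misrouted on the path
    except ConnectionRefusedError:
        return "tcp-refused"   # RST received: the host is reachable, port closed
    except OSError:
        return "tcp-error"     # e.g. no route to host
    try:
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except socket.timeout:
        return "tls-timeout"   # TCP works but the handshake stalls
    except (ssl.SSLError, OSError):
        return "tls-error"
    finally:
        sock.close()

def check_site(host, resolver=resolve, prober=probe):
    """Probe each resolved address separately, since ping says nothing here."""
    return {ip: prober(host, ip) for ip in resolver(host)}

def summarize(results):
    """Collapse per-address outcomes into one verdict per vantage point."""
    outcomes = set(results.values())
    if not outcomes:
        return "no-addresses"
    if outcomes == {"ok"}:
        return "all-ok"
    if "ok" in outcomes:
        return "partial"       # only some of the addresses fail
    if outcomes == {"tcp-timeout"}:
        return "all-timeout"   # nothing answers from this vantage point
    return "all-failed"

if __name__ == "__main__":
    results = check_site("meet.alberta.ca")   # hostname from the thread
    for ip, outcome in results.items():
        print(f"{ip:40} {outcome}")
    print(summarize(results))
```

The same verdict from behind the firewall and from a directly connected machine points away from the firewall, which is the comparison the thread ends up making by hand.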

