Using pfSense in a Domain environment - wrt DNS



  • Good afternoon. I have a 250 user network at a school that uses pfSense to block their kids from accessing inappropriate sites. I have used squid and squidGuard pretty successfully to do this. The problem I'm having now is that when they take online NWEA state tests or other sites like Renaissance and thelearningodyssey, they continually get a blank screen or kicked off, so that the app needs to be stopped and restarted. As you can imagine, this disrupts testing and for state tests, sort of invalidates the test. This has been a big frustration. I have added all the required sites to a white list also. Please be gentle about being in the correct forum. I am posting this in the squid/cache forum also. The type of error I get on the screen, if not blank, is an ERR_SSL_PROTOCOL_ERROR or something that has to do with SSL. The error seen in the test log is an SSL failed handshake or other SSL problem. So I'm sure you are saying this is a squid problem but could this also be a problem with DNS and rotating sites?

The setup is (WAN) outside port -- pfSense FW/web filter -- inside port (LAN) -- flat network with Domain server and client workstations. The pfSense outside interface is dynamic/DHCP'd and DNS is set up as 127.0.0.1. The LAN is DHCP'd from the pfSense and assigns the DC DNS server as the internal DNS. The DC DNS is set up to forward all DNS requests to the pfSense. Before today, I had the DHCP also assigning the pfSense as a secondary DNS just in case the DC had problems. But I removed that today.

It is like you wouldn't normally see this problem if you were just browsing, unless you were locked into a website process and then got kicked out.

    Has anyone seen this type of situation and how did you fix it?

    Thanks for your thoughts in advance... Sig


  • LAYER 8

They can be the result of an expired session, expired key, connectivity hiccup, lost packets, etc.
    Maybe changing Firewall Optimization Options to conservative could help.
    But also I found this thread that can be of help:
    https://forum.netgate.com/topic/130757/intermittent-err_ssl_protocol_error/
    where Steve suggested:
    *When you see those errors it's almost always because the clients are using a different DNS server than Squid is.

    https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log*
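To verify the DNS-mismatch explanation quoted above, this added script (not from the thread or from Netgate) resolves each whitelisted host once through the DC's DNS and once through the pfSense resolver that Squid uses, and reports hosts where the two answer sets differ. The server addresses and hostnames are hypothetical placeholders; the live lookups use dig(1), while the bundled sample answers are constructed so the comparison logic can be exercised offline.

```python
"""Compare A records seen by LAN clients (via the DC) with those seen by
Squid (via the pfSense resolver). Divergent answers mean Squid may splice
to a different server than the client expected, which surfaces as SSL errors."""
import ipaddress
import subprocess
from typing import Dict, Iterable, Set

CLIENT_DNS = "192.168.1.10"  # hypothetical: the Domain Controller's DNS
PROXY_DNS = "192.168.1.1"    # hypothetical: pfSense LAN address (Squid's resolver)


def query_a(host: str, server: str) -> Set[str]:
    """Return the IPv4 addresses `server` answers for `host`, using dig +short.
    CNAME lines and dig's ';;' diagnostics are filtered out."""
    proc = subprocess.run(["dig", "+short", "+time=2", "+tries=1", f"@{server}", host, "A"],
                          capture_output=True, text=True, check=False)
    addrs = set()
    for line in proc.stdout.splitlines():
        try:
            addrs.add(str(ipaddress.IPv4Address(line.strip())))
        except ValueError:
            continue  # not an IPv4 literal (CNAME target, comment, blank)
    return addrs


def compare_answers(client: Dict[str, Set[str]], proxy: Dict[str, Set[str]]) -> Dict[str, str]:
    """Classify each host: 'ok' (identical pools), 'partial' (round-robin pools
    overlap only partly), 'disjoint' (no address in common, the case the thread
    describes), or 'unresolved' (one side returned nothing)."""
    verdicts = {}
    for host in sorted(set(client) | set(proxy)):
        c, p = client.get(host, set()), proxy.get(host, set())
        if not c or not p:
            verdicts[host] = "unresolved"
        elif c == p:
            verdicts[host] = "ok"
        elif c.isdisjoint(p):
            verdicts[host] = "disjoint"
        else:
            verdicts[host] = "partial"
    return verdicts


def check_hosts(hosts: Iterable[str], client_dns: str = CLIENT_DNS, proxy_dns: str = PROXY_DNS) -> Dict[str, str]:
    """Live check: resolve every host through both servers and compare."""
    hosts = list(hosts)
    return compare_answers({h: query_a(h, client_dns) for h in hosts},
                           {h: query_a(h, proxy_dns) for h in hosts})


# Constructed sample answers (documentation-range IPs) for an offline run.
SAMPLE_CLIENT = {"app.example.test": {"203.0.113.10", "203.0.113.11"}, "cdn.example.test": {"198.51.100.5"},
                 "pool.example.test": {"192.0.2.1", "192.0.2.2"}, "gone.example.test": set()}
SAMPLE_PROXY = {"app.example.test": {"203.0.113.11", "203.0.113.10"}, "cdn.example.test": {"198.51.100.9"},
                "pool.example.test": {"192.0.2.2", "192.0.2.3"}, "gone.example.test": {"192.0.2.50"}}

if __name__ == "__main__":
    for host, verdict in compare_answers(SAMPLE_CLIENT, SAMPLE_PROXY).items():
        print(f"{verdict:10s} {host}")
```

Hosts reported as `disjoint` or `partial` are the ones to examine first; a `partial` result on a rotating pool is harmless only while both resolvers keep returning the full set.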

