    Using pfSense in a Domain environment - wrt DNS

Sig Labhart:

Good afternoon. I have a 250-user network at a school that uses pfSense to block their kids from accessing inappropriate sites. I have used squid and squidGuard pretty successfully to do this. The problem I'm having now is that when they take online NWEA state tests or other sites like Renaissance and thelearningodyssey, they continually get a blank screen or get kicked off, so that the app needs to be stopped and restarted. As you can imagine, this disrupts testing and, for state tests, sort of invalidates the test. This has been a big frustration. I have added all the required sites to a white list also. Please be gentle about being in the correct forum; I am posting this in the squid/cache forum also. The type of error I get on the screen, if not blank, is an ERR_SSL_PROTOCOL_ERROR or something that has to do with SSL. The error seen in the test log is an SSL failed handshake or other SSL problem. So I'm sure you are saying this is a squid problem, but could this also be a problem with DNS and rotating sites?

The setup is (WAN) outside port -- pfSense FW/web filter -- inside port (LAN) -- flat network with Domain server and client workstations. The pfSense outside interface is dynamic/DHCP'd and DNS is set up as 127.0.0.1. The LAN is DHCP'd from the pfSense and assigns the DC DNS server as the internal DNS. The DC DNS is set up to forward all DNS requests to the pfSense. Before today, I had the DHCP also assigning the pfSense as a secondary DNS just in case the DC had problems, but I removed that today.

It is like you wouldn't normally see this problem if you were just browsing, unless you were locked into a website process and then got kicked out.

      Has anyone seen this type of situation and how did you fix it?

      Thanks for your thoughts in advance... Sig

kiokoman:

They can be the result of an expired session, an expired key, a connectivity hiccup, lost packets, etc.
Maybe changing Firewall Optimization Options to Conservative could help.
But I also found this thread that can be of help:
https://forum.netgate.com/topic/130757/intermittent-err_ssl_protocol_error/
where Steve suggested:
*When you see those errors it's almost always because the clients are using a different DNS server than Squid is.*

https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log

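A check for the condition Steve's quoted advice points at, added here as an example that is not from the thread, pfSense or Squid: it resolves a list of hosts through the DC's DNS (what the clients in this setup use) and through the pfSense resolver (what Squid uses) and flags hosts whose answers diverge. The server addresses and host names are placeholders, and the `dig` binary is assumed to be installed.

```python
"""Resolve hosts through the client-side DNS (the DC) and through the DNS
Squid uses (pfSense) and report where their answers diverge.
Added example, not from the thread; server addresses and hosts are assumptions."""
import ipaddress
import subprocess


def parse_dig_short(output):
    """Keep only IP addresses from `dig +short` output; CNAME lines are dropped."""
    ips = set()
    for line in output.splitlines():
        line = line.strip().rstrip(".")
        try:
            ipaddress.ip_address(line)
        except ValueError:
            continue  # CNAME target or blank line
        ips.add(line)
    return ips


def dig_resolver(server):
    """Return a resolver that queries one specific DNS server (needs the `dig` binary)."""
    def resolve(host):
        proc = subprocess.run(["dig", "+short", "+time=2", "+tries=1", "@" + server, host, "A"],
                              capture_output=True, text=True, check=False)
        return parse_dig_short(proc.stdout)
    return resolve


def classify(client_ips, proxy_ips):
    """match: same answers; rotating: partial overlap (round-robin site);
    mismatch: disjoint answers, the situation the reply describes; missing: no answer."""
    if not client_ips or not proxy_ips:
        return "missing"
    if client_ips == proxy_ips:
        return "match"
    if client_ips & proxy_ips:
        return "rotating"
    return "mismatch"


def compare_hosts(hosts, client, proxy):
    """Resolve every host through both resolvers and classify each one."""
    return {h: classify(client(h), proxy(h)) for h in hosts}


if __name__ == "__main__":
    # Assumed addresses: the DC's DNS handed out by DHCP and the pfSense resolver.
    DC_DNS, PFSENSE_DNS = "192.168.1.10", "192.168.1.1"
    HOSTS = ["nwea-test-site.example", "renaissance-site.example"]  # placeholders
    for host, verdict in compare_hosts(HOSTS, dig_resolver(DC_DNS), dig_resolver(PFSENSE_DNS)).items():
        print(f"{host}: {verdict}")
```

Any host reported as "mismatch" is resolving to different addresses on the two sides, which is the case to fix before looking further at Squid itself.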
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.