4. Using pfSense in a Domain environment - wrt DNS

Using pfSense in a Domain environment - wrt DNS

  • S

    Good afternoon. I have a 250 user network at a school that uses pfSense to block their kids from accessing inappropriate sites. I have used squid and squidGuard pretty successfully to do this. The problem I'm having now is that when they take online NWEA state tests or other sites like Renaissance and thelearningodyssey, they continually get a blank screen or kicked off, so that the app needs to be stopped and restarted. As you can imagine, this disrupts testing and for state tests, sort of invalidates the test. This has been a big frustration. I have added all the required sites to a white list also. Please be gentle about being in the correct forum. I am posting this in the squid/cache forum also. The type of error I get on the screen, if not blank, is an ERR_SSL_PROTOCOL_ERROR or something that has to do with SSL. The error seen in the test log is an SSL failed handshake or other SSL problem. So I'm sure you are saying this is a squid problem but could this also be a problem with DNS and rotating sites?

    The setup is (WAN) outside port -- pfSense FW/web filter -- inside port (LAN) -- Flat network with Domain server and client workstations. The pfSense outside interface is dynamic/DHCP'd and DNS is setup as 127.0.0.1. The LAN is DHCP'd from the pfSense and assigns the DC DNS server as the internal DNS. The DC DNS is setup to forward all DNS requests to the pfSense. Before today, I had the DHCP also assigning the pfSense as a secondary DNS just in case the DC had problems. But I removed that today.

    It is like you wouldn't normally see this problem if you were just browsing and unless you were locked into a website process and then got kick out.

    Has anyone seen this type of situation and how did you fix it?

    Thanks for your thoughts in advance... Sig

    0
  • LAYER 8

    They can be the result of expired session, expired key, connectivity hiccup, lost packets, etc
    maybe changing Firewall Optimization Options to conservative could help.
    but also i found this 3d that can be of help
    https://forum.netgate.com/topic/130757/intermittent-err_ssl_protocol_error/
    where Steve suggested:
    *When you see those errors it's almost always because the clients are using a different DNS server that Squid is.

    https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log*

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy