Google play store and download blocked



  • Hi,
    I am very new to the pfsense and installed it few days ago. While running it, I found that it is blocking google play store downloads and even google play store page from the desktop.
    Here is what I see when I visit google play store page.
    e86de915-1888-460e-96a3-58bf08e66eca-image.png

    No console errors of any kind
    78e4cdc8-a666-4166-bd98-bbb888819e31-image.png

    From mobile, google play store loads but when I try to download any app, download never starts.

    I have DNS resolver enabled and using opendns as my DNS server in General setup. I checked logs on opendns server and nothing is blocked there. I even try removing the DNS server from the general setup and use the google's. No luck. So looks like pfsense is blocking it somewhere.

    How can I see what urls are being blocked for a particular device in real time?
    Also I have pfblockerng installed and enabled Easy list and Easy privacy list
    Also here are my few custom feeds.
    b3cbfc54-fab2-4b79-bca2-eaf8840b5f59-image.png

    Here are my IPv4 rules
    5b06b1fb-76a1-48c9-b045-7ca3f9675011-image.png

    Can someone please help me figure out what is really blocking it? I will truly apprecviate it.

    Thanks


  • Netgate Administrator

    Do you see anything in the firewall log when you try to connect?

    Do you have logging enabled in pfBlocker-ng for it's rules? Enable it if not.

    Do you see anything in the alerts in pfBlocker when you try to connect?

    It's almost certainly something you're blocking in pfBlocker but you could just disable it to prove that.

    Steve



  • Steve,
    Thanks for your quick response.
    I didn't enable the logs in pfblocker. I just enabled it.
    5a565e0d-a43c-4f29-82f4-e7b1196741bc-image.png

    There are no alerts generated when I am trying to download an app from my cell phone. Here are the alerts I see:

    25b08aa3-6c71-4545-bd5c-9494415be621-image.png

    I tried completely disabling pfblockerNG and I still can't download anything
    be2f27b5-921c-4cec-a3ea-da8cd71fbf98-image.png

    Do I need to do anything after diabling pfblocker? Clear cache of any kind OR run force update OR wait for few minutes?

    Thanks
    Andy


  • Netgate Administrator

    If it was something in DNS-BL you might need to wait for any cached DNS responses to time-out on the host.

    If it was blocked by a firewall rule without logging enabled that should apply immediately.

    Steve



  • Steve,
    I will keep my pfblocker to stay disabled and wait for some time to see if it fixes an issue. Once I know that pfblocker is causing an issue, I will slowly start enabling one feed at-a-time.
    Here are my LAN rules
    c273af25-5581-469d-a63a-4c92105746d3-image.png


  • Netgate Administrator

    So if you have logging enabled on those pfBlocker rules (in pfBlocker) you should see anything rejected by them in the firewall log.
    Anything blocked by DNS-BL should appear in the pfBlocker alerts.

    If you see neither of those it might be something else entirely.
    https://docs.netgate.com/pfsense/en/latest/routing/unable-to-access-some-websites.html

    Steve



  • Steve,
    I followed your guideline and also looked at everything mentioned in the url you specified. Still no luck. Is there any log do you want me to post to look at?
    This is really a weird issue. Do you also want me to disable all feeds? Because, I removed DNS-BL rules from my IOTVLAN but it still exists on WAN.
    I infact tried disabling it for few minutes and tryied it with no luck.
    I didn't feel comfortable disabling the DNS-BL on WAN for a longer time.
    Thanks again sir.
    Andy



  • Steve,
    Looks like I got littler closer now..
    As soon as I completely disable DNS-BL (not pfBlocker), it starts working.
    8b00312a-f8f3-4955-92d3-e9c48df22b8c-image.png

    But as you see below, I only selected DNS-BL for my LAN and not IOTVLAN.
    9a593c43-f48b-4635-bfc7-512405ebce88-image.png

    I am still scratching my head on why it wouldn't work while I am connected to IOTVLAN. None of the DNS-BL should apply on my IOTVLAN (I would like to apply on that interface as well eventually if I can pinpoint the issue with google play and when I know how to debug an issue with url access)

    So looks like, something is applied somewhere as soon as I enable DNS-BL and it is applying on all interfaces even if that interface is not selected. as seen in above picture.
    Now I enabled DNS-BL back and download from google play store is blocked back again in IOTVLAN as well as LAN

    Here is my DNS Resolver settings..
    1741dec6-9b5d-482c-87a7-a5329607b23e-image.png

    This is a learning process for me as I am new to the pfsense.

    Thanks
    Andy


  • Netgate Administrator

    That setting only selects where to add firewall rules which DNS-BL will add for any IPs in the lists. The main purpose of DNS-BL though is to add lists to the DNS resolver to prevent it resolving bad fqdns. Mostly ad sites and malware but could be anything in the lists. Those apply to Unbound which all interfaces use identically.
    By checking 'TLD' you also block any subdomains of listed domains from being resolved.

    One of you lists has a domain in it that is required by the play store and it cannot be resolved. I would expect it to show in the alerts though where it would show which list contains the domain.

    Steve



  • Steve,
    I see the following in the alerts:
    093483b3-7936-4e20-9c5b-e153019d3c77-image.png

    I think the offending list is FireHoLevel3? I don't know if denied list is for the Google play..
    But this is the first time something showed up in the Deny list.. I was watching it since you mentioned about it.
    Do you want me to disable that list and see if it makes any difference?
    Do I have to run update manually after disabling this list OR it is just a time game?

    Thanks
    Andy



  • I have disabled the FireHoLevel3 and Reload all with no avail
    899ce9f9-0f75-4522-88d5-72d6de5ccfa1-image.png


  • Netgate Administrator

    Mmm, unlikely access to facebook would be required for Google Play.

    One of those lists is the issue. If it comes to it disable them one at a time until you find it.

    You could try turning up the logging in Unbound to query level then filter the resolver logs by IP of the host trying to connect.
    Looks for urls resolving the 10.10.10.1. If you find them you can create a whitelist in pfBlocker to allow them to resolve correctly.

    Steve



  • Steve,
    How can I turn up the logging to query. This was the option I am looking for so that I can query each host real-time and see what is being blocked.
    Also How can I see filter resolver logs? what I see is just this in system logs:

    Here are pfblocker logs
    78a7c27c-5d4c-4ab1-ba3c-8cf3539cf472-image.png

    Here are system logs for Resolver
    de99d7ab-8e5d-4ec7-934f-ff56725486e8-image.png


  • Netgate Administrator

    In the Unbound Advanced Settings:

    Selection_763.png

    The logs will get VERY busy when you enable that so you will need to check them immediately after trying to connect.

    Steve


Log in to reply