pfsense blocks an address on the netgate machine
-
I have a Netgate sg-3100 machine, with this machine I cannot access an external service. With the same configuration, on a normal machine the service works.
I have already reset the factory settings on the sg-3100, copied the settings on the other machine and reset on the sg-3100. The service also doesn't work. The diference is the version of pfsense, in the sg-3100 is used 2.4.5-RELEASE-p1 (arm) in the other machine is used the 2.3.5-RELEASE (i386).
What will be the problem?Thank you
-
What is the service giving you difficulties? Where is it?
Probably one of these: https://docs.netgate.com/pfsense/en/latest/routing/unable-to-access-some-websites.html
Steve
-
The service is:
https://cartaocidadao.sechoolingserver.com:55080
-
Ok, what error do you see when you try to access it?
Can you resolve that FQDN from the client? From pfSense?
Do you have multi-wan there?
Steve
-
That domain does not resolve for me. I get an NX response (non-existent domain). Are you sure the URL is spelled correctly?
-
Yup me too. Is that an internal resource?
Steve
-
-
@stephenw10 No. In pfsense I only use a wan that is divided into two lanes.
-
@stephenw10 Good afternoon, This address returns the citizen card information for an internal application.
Thank you
-
Ok, so what error do you see?
Does it resolve to an IP correctly from either the client or the host?
It fails here:
steve@steve-MMLP7AP-00 ~ $ host cartaocidadao.eschoolingserver.com cartaocidadao.eschoolingserver.com has address 127.0.0.1 steve@steve-MMLP7AP-00 ~ $ dig @8.8.8.8 cartaocidadao.eschoolingserver.com ; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> @8.8.8.8 cartaocidadao.eschoolingserver.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43658 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;cartaocidadao.eschoolingserver.com. IN A ;; ANSWER SECTION: cartaocidadao.eschoolingserver.com. 3599 IN A 127.0.0.1 ;; Query time: 145 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Thu Jul 09 17:17:42 BST 2020 ;; MSG SIZE rcvd: 79That is obviously never going to be reachable.
I would suggest that your old firewall might have a host override for it that is not on the SG-3100.
If not the DNS for it is broken. Nothing to do with pfSense.
Steve
-
Your DNS entry for this domain is configured incorrectly. I can resolve the TLD (top-level domain of eschoolingserver.com) as having IP address 194.107.127.172. However, the child domain of cartaocidadao.eschoolingserver.com resolves to 127.0.0.1, which is localhost. That address can never be reached by any client as that implies a local address on the specific client making the DNS request. I don't mean to sound condescending, but are you new to networking? IP address 127.0.0.1 should really never be handed out by any DNS server for a domain query. Maybe for some special edge-case of ad blocking, but never to supposedly point to a web server or other host.
nslookup cartaocidadao.eschoolingserver.com Non-authoritative answer: Name: cartaocidadao.eschoolingserver.com Address: 127.0.0.1nslookup eschoolingserver.com Non-authoritative answer: Name: eschoolingserver.com Address: 194.107.127.172So your DNS setup is wrong for this domain.
-
@bmeeks The address https://cartaocidadao.sechoolingserver.com/165080 is a service used by an internal application that sends information from the citizen's card and receives that information in the application.
This service is made available by the software house. We just use it. -
@jmesquita said in pfsense blocks an address on the netgate machine:
@bmeeks The address https://cartaocidadao.sechoolingserver.com/165080 is a service used by an internal application that sends information from the citizen's card and receives that information in the application.
This service is made available by the software house. We just use it.You are not understanding what I wrote. There is no way your LAN clients can connect to a 127.0.0.1 address on a remote machine. Not possible. So when a PC on your LAN looks up the IP address for the host name http://cartaocidadao.eschoolingserver.com/, and your DNS server returns the IP address 127.0.0.1, then no remote client can ever connect.
-
That.
It cannot possibly work unless it's intended to connect to a service that is on the client. (that would be horrible though)
It's nothing pfSense is doing, certainly not related to older vs newer versions. The only way this could have worked in 2.3.5 is if you had a host override for that fqdn.
Steve
