Netgate Discussion Forum

    pfsense blocks an address on the netgate machine

    • jmesquita

      I have a Netgate SG-3100 machine, and with this machine I cannot access an external service. With the same configuration, on a normal machine the service works.
      I have already reset the SG-3100 to factory settings, copied the settings from the other machine and restored them on the SG-3100. The service still doesn't work. The difference is the version of pfSense: on the SG-3100 it is 2.4.5-RELEASE-p1 (arm), on the other machine it is 2.3.5-RELEASE (i386).
      What could be the problem?

      Thank you

      • stephenw10 (Netgate Administrator)

        What is the service giving you difficulties? Where is it?

        Probably one of these: https://docs.netgate.com/pfsense/en/latest/routing/unable-to-access-some-websites.html

        Steve

        • jmesquita

          The service is:

          https://cartaocidadao.sechoolingserver.com:55080

          • stephenw10 (Netgate Administrator)

            Ok, what error do you see when you try to access it?

            Can you resolve that FQDN from the client? From pfSense?

            Do you have multi-wan there?

            Steve

            • bmeeks

              That domain does not resolve for me. I get an NX response (non-existent domain). Are you sure the URL is spelled correctly?

              • stephenw10 (Netgate Administrator)

                Yup me too. Is that an internal resource?

                Steve

                • jmesquita @bmeeks

                  @bmeeks I'm sorry.

                  It is this:

                  https://cartaocidadao.eschoolingserver.com:60068

                  • jmesquita @stephenw10

                    @stephenw10 No. In pfSense I only use one WAN that is split into two LANs.

                      • jmesquita @stephenw10

                      @stephenw10 Good afternoon. This address returns the citizen card information for an internal application.

                      Thank you

                        • stephenw10 (Netgate Administrator)

                        Ok, so what error do you see?

                        Does it resolve to an IP correctly from either the client or the host?

                        It fails here:

                        steve@steve-MMLP7AP-00 ~ $ host cartaocidadao.eschoolingserver.com
                        cartaocidadao.eschoolingserver.com has address 127.0.0.1
                        
                        steve@steve-MMLP7AP-00 ~ $ dig @8.8.8.8 cartaocidadao.eschoolingserver.com
                        
                        ; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> @8.8.8.8 cartaocidadao.eschoolingserver.com
                        ; (1 server found)
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43658
                        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                        
                        ;; OPT PSEUDOSECTION:
                        ; EDNS: version: 0, flags:; udp: 512
                        ;; QUESTION SECTION:
                        ;cartaocidadao.eschoolingserver.com. IN	A
                        
                        ;; ANSWER SECTION:
                        cartaocidadao.eschoolingserver.com. 3599 IN A	127.0.0.1
                        
                        ;; Query time: 145 msec
                        ;; SERVER: 8.8.8.8#53(8.8.8.8)
                        ;; WHEN: Thu Jul 09 17:17:42 BST 2020
                        ;; MSG SIZE  rcvd: 79
                        

                        That is obviously never going to be reachable.

                        I would suggest that your old firewall might have a host override for it that is not on the SG-3100.

                        If not, the DNS for it is broken. Nothing to do with pfSense.

                        Steve

                          • bmeeks

                          Your DNS entry for this domain is configured incorrectly. I can resolve the TLD (top-level domain of eschoolingserver.com) as having IP address 194.107.127.172. However, the child domain of cartaocidadao.eschoolingserver.com resolves to 127.0.0.1, which is localhost. That address can never be reached by any client as that implies a local address on the specific client making the DNS request. I don't mean to sound condescending, but are you new to networking? IP address 127.0.0.1 should really never be handed out by any DNS server for a domain query. Maybe for some special edge-case of ad blocking, but never to supposedly point to a web server or other host.

                          nslookup cartaocidadao.eschoolingserver.com
                          
                          Non-authoritative answer:
                          Name:    cartaocidadao.eschoolingserver.com
                          Address:  127.0.0.1
                          
                          nslookup eschoolingserver.com
                          
                          Non-authoritative answer:
                          Name:    eschoolingserver.com
                          Address:  194.107.127.172
                          

                          So your DNS setup is wrong for this domain.

                            • jmesquita @bmeeks

                            @bmeeks The address https://cartaocidadao.sechoolingserver.com/165080 is a service used by an internal application that sends information from the citizen's card and receives that information in the application.
                            This service is made available by the software house. We just use it.

                              • bmeeks @jmesquita

                              @jmesquita said in pfsense blocks an address on the netgate machine:

                              @bmeeks The address https://cartaocidadao.sechoolingserver.com/165080 is a service used by an internal application that sends information from the citizen's card and receives that information in the application.
                              This service is made available by the software house. We just use it.

                              You are not understanding what I wrote. There is no way your LAN clients can connect to a 127.0.0.1 address on a remote machine. Not possible. So when a PC on your LAN looks up the IP address for the host name http://cartaocidadao.eschoolingserver.com/, and your DNS server returns the IP address 127.0.0.1, then no remote client can ever connect.

                                • stephenw10 (Netgate Administrator)

                                That. 👆

                                It cannot possibly work unless it's intended to connect to a service that is on the client (that would be horrible though).

                                It's nothing pfSense is doing, certainly not related to older vs newer versions. The only way this could have worked in 2.3.5 is if you had a host override for that fqdn.

                                Steve
