Unable to reach facebook.com and linkedin.com
-
Starting about yesterday or the day before, I've been unable to reach facebook.com and linkedin.com using Chrome, even in Incognito mode, despite not having changed any configurations.
I'm able to reach those sites using Tor and through Chrome on mobile when not going through my network, though, so I'm baffled as to what may be going on.
I've whitelisted both facebook.com and linkedin.com along with some of their IP ranges. One odd thing I've noticed is that the linkedin.com IP ranges (eg 108.174.0.0 - 108.174.15.255) are being passed but linkedin.com still comes up as unreachable. In addition, facebook.com IP ranges (eg 157.240.0.0 - 157.240.255.255) are still being blocked (by pfB_DNSBLIP auto rule) for TCP but passed for UDP. That traffic is also showing up as coming from my router's WAN IP (I don't know if that's expected or not).
Also, nslookup for both domains comes back fine.
Any suggestions on what I can do to investigate? There's lots I'm still ignorant about and lacking in understanding in this space so please take that into consideration (ie err on assuming I haven't thought of trying something out yet or don't know something).
-
Safari is also unable to reach those sites. This got me to realize why Tor may be able to.
-
linkedin.com and meetup.com are now reachable after I changed my router's DNS to 8.8.8.8 and back (although this latter part may be due to DNS caching).
facebook.com isn't reachable even when my router's DNS is set to 8.8.8.8.
-
@November said in Unable to reach facebook.com and linkedin.com:
Also, nslookup for both domains comes back fine.
Then you not getting there has nothing to do with dns, so why are you changing it? Do you think the IP returned is bad or something?
Here is a simple test.. Try and go to facebook.com while sniffing on your pfsense wan.. Do you see it send a syn? What do you get back - anything? If you send and don't get anything back it's not a pfsense problem. If you don't send, then you have something on pfsense or your network that is causing the problem.
-
Changing the order of the firewall rules (such that the whitelist rule is applied before the DNSBLIP rule) fixed the facebook.com issue.
-
@johnpoz , like I said, there's lots to be gained in my understanding. In the past, when a site wasn't reachable, whitelisting the site sometimes allowed it to be reachable.
Some of the confusion also stemmed from assuming the linkedin.com and meetup.com issues were related to the facebook.com issue (since they were both noticed around the same time).
Anyway, changing the precedence of the firewall rules fixed the issue for me.
Thanks for pointing me to the packet capture tool. That'll come in handy in the future.
-
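The rule-order fix reported above, as an added example that is not part of any post in this thread: pfSense evaluates interface rules top-down and the first match wins, so a whitelist pass rule sitting below the block rule never sees traffic to the overlapping range. The rule layout, the shortened rule names, the default allow rule and the 157.240.1.35 test address are constructed; the network ranges are the ones quoted in the thread.

```python
import ipaddress

# Constructed rules; only the ranges (Facebook /16, LinkedIn /20) come from the thread.
BLOCK = {"name": "pfB_DNSBLIP auto rule", "action": "block", "dst": ["157.240.0.0/16"]}
WHITELIST = {"name": "whitelist", "action": "pass",
             "dst": ["157.240.0.0/16", "108.174.0.0/20"]}
DEFAULT_PASS = {"name": "default allow", "action": "pass", "dst": ["0.0.0.0/0"]}

ORDER_BEFORE = [BLOCK, WHITELIST, DEFAULT_PASS]   # whitelist below the block rule
ORDER_AFTER = [WHITELIST, BLOCK, DEFAULT_PASS]    # whitelist moved above it


def evaluate(rules, dst_ip):
    """Return (action, rule name) of the first rule whose destination matches."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if any(addr in ipaddress.ip_network(net) for net in rule["dst"]):
            return rule["action"], rule["name"]
    return "block", "implicit default deny"


def shadowed_entries(rules):
    """List (rule, network, earlier rule) where an earlier rule with the
    opposite action already covers the whole network, so the later entry
    can never take effect."""
    findings = []
    for i, rule in enumerate(rules):
        for net in map(ipaddress.ip_network, rule["dst"]):
            for earlier in rules[:i]:
                covered = any(net.subnet_of(ipaddress.ip_network(e))
                              for e in earlier["dst"])
                if covered and earlier["action"] != rule["action"]:
                    findings.append((rule["name"], str(net), earlier["name"]))
                    break
    return findings


if __name__ == "__main__":
    for ip in ("157.240.1.35", "108.174.10.10", "151.101.2.110"):
        print(ip, "before:", evaluate(ORDER_BEFORE, ip),
              "after:", evaluate(ORDER_AFTER, ip))
    print("overridden entries before the fix:", shadowed_entries(ORDER_BEFORE))
```

Running `shadowed_entries` over an exported rule list is a quick way to spot whitelist entries that a higher rule already overrides.
-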
@johnpoz said in Unable to reach facebook.com and linkedin.com:
Do you see it send a syn? What do you get back - anything? If you send and don't get anything back it's not a pfsense problem. If you don't send, then you have something on pfsense or your network that is causing the problem.
I did the packet sniffing and am not seeing the IPs I'm expecting for linkedin.com or meetup.com. What else can be done to track down this issue?
-
And what IPs are you seeing?
C:\>dig meetup.com +short
151.101.66.110
151.101.194.110
151.101.2.110
151.101.130.110
C:\>dig linkedin.com +short
108.174.10.10
What is happening in the browser - are you getting a host not found? Can you ping them by name.. etc.. Love to help you but with no info there is nothing to help with.
Keep in mind those sites are going to be served by large CDNs - so yeah IPs could be different where you're at in the world, time you query, etc. etc..
NetRange: 108.174.0.0 - 108.174.15.255
CIDR: 108.174.0.0/20
NetName: LINKEDIN
meetup is hosted via fastly.. which is a huge CDN..
NetRange: 151.101.0.0 - 151.101.255.255
CIDR: 151.101.0.0/16
Organization: Fastly (SKYCA-3)
Also keep in mind exactly where you're going.. for example www.linkedin.com is going to be different than just linkedin.com
C:\>dig www.linkedin.com +short
www-linkedin-com.l-0005.l-msedge.net.
l-0005.l-msedge.net.
13.107.42.14
-
$ dig meetup.com
; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> meetup.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51481
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;meetup.com. IN A
;; ANSWER SECTION:
meetup.com. 46 IN A 151.101.130.110
meetup.com. 46 IN A 151.101.2.110
meetup.com. 46 IN A 151.101.194.110
meetup.com. 46 IN A 151.101.66.110
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Aug 08 21:30:00 PDT 2020
;; MSG SIZE rcvd: 103
From Chrome:
$ ping meetup.com
PING meetup.com (151.101.130.110) 56(84) bytes of data.
64 bytes from 151.101.130.110 (151.101.130.110): icmp_seq=1 ttl=55 time=11.2 ms
64 bytes from 151.101.130.110 (151.101.130.110): icmp_seq=2 ttl=55 time=12.2 ms
FWIW, meetup.com forwards to www.meetup.com in the browser.
dig www.meetup.com
; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.meetup.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2404
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.meetup.com. IN A
;; Query time: 6 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Aug 08 21:40:28 PDT 2020
;; MSG SIZE rcvd: 43
I'd like to focus on investigating what's going on with meetup.com for now. Hopefully I can learn enough to be able to troubleshoot what's going on with linkedin.com.
-
I'm not seeing any of the linkedin.com IP addresses in the packet capture even though currently it's loading in the browser for me so there's something I'm not understanding.
-
Oh, also, one reason I'm thinking this is DNS related is because when I switch my router to use 8.8.8.8 as its DNS server, I'm able to reach both linkedin.com and meetup.com. But my understanding could be missing something that would allow this symptom but the problem is still not with DNS itself.
-
@November said in Unable to reach facebook.com and linkedin.com:
;; QUESTION SECTION:
;www.meetup.com. IN A
;; Query time: 6 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
Well you're never going to get to www.meetup.com if it doesn't resolve.. you didn't get an answer..
As to why you didn't see anything in your sniff to linkedin.. You didn't show how you did your sniff so not sure what you're doing wrong.. Are you forcing traffic out a vpn? Did you sniff on the wrong interface? Did you sniff tcp only and it's using quic (udp) etc.
On pfsense do a dig +trace for www.meetup.com
Which has a cname that points to
www.meetup.com. 30 IN CNAME f4.shared.global.fastly.net.
So then do trace to that.. They have horribly low TTLs - so those IPs most likely going to change all the time..
-
The following is what I've been using to capture packets:
Interface: WAN
Promiscuous: unset
Address Family: Any
Protocol: Any
Host Address:
Port:
Packet Length: 0
Count: 100
Level of Detail: Normal
Reverse DNS Lookup: unset
The low TTLs for meetup.com explain why they become unreachable after switching my router's DNS server back while linkedin.com continues to resolve for a while.
I'll do the dig and trace when I get a chance.
Thanks so much for the help and guidance.
-
With such a capture you would be capturing everything but only 100 packets, so you would prob miss your traffic.. Since I would assume lots of traffic is going in and out of your wan. Even just pings would fill that up quickly since you monitor 2 pings every second, etc.
On your sniff set the host to the IP it resolves to so you only see traffic to and from that IP.