Can't reach Apple services

pfguy2018

Something has been blocking network access to Apple services (facetime, app store, etc). I can't even ping apple.com (request timeouts all the way through). Other sites are reachable without a problem (e.g. google.com). DNS lookups from pfSense seem to return the correct IP addresses for apple. I thought that Snort might be blocking the access, but I have disabled Snort on all interfaces and rebooted, and no change in this behaviour. I also have pfBlockerNG running, not sure if this is somehow responsible? Any ideas for how I can troubleshoot this?

user_three

You can check your pfblockerNG alerts under the reports tab on the pfsense->pfblocker page.

I don't know if you are able in your environment, but I would test with pfblockerNG disabled.

pfguy2018

Good suggestions. There was nothing for apple under the pfBlocker alerts page. I disable pfBlocker and rebooted pfSense, ensured that pfBlocker had not started - still unable to ping apple.com. As before, all other sites I can think of ping just fine other than Apple.

pfguy2018

Also, not sure if this is related, but I notice that none of my pfBlocker feeds can update. I can't figure out what is blocking them.

user_three

It definitely sounds like a package issue. I would check the logs for each package you have installed.

I am still kind of an intermediate noob to pfense, but I think my judgement is sound (usually).

Gertjan

I propose the step that will show you the reason :
Backup your config.
Re instal; pfSense clean. No edits - no where. Ok to change the password. That's it.
Do not import the backup yet .

Prepare a mirror.
Now, test your Internet connection : can you ping apple.com ?
It works ?! No more issues ?! Look in the mirror : there is your reason.
It still doesn't work ?! Look in the same mirror, and tell that guy to chose another up stream "WAN" provider (iSP).

Btw : apple.com doesn't reply to ping for me neither.
That's purely because replying to ping is a choice.
The admin who maintains these devices :
17.172.224.47
17.178.96.59
17.142.160.59
decides not to reply on incoming ping requests.
Why not. It's a free world after all.

Aple.com - or any other site, is not blocked by pfSense.

user_three

I can ping www.apple.com.

However, I cannot ping apple.com.

pfguy2018

Never occurred to me to try the www - but that did work for me as well. So I am guessing the ping issue might have nothing to do with the difficulty connecting with Facetime and other Apple services. I disabled pfBlocker to see if that might help.

jdeloach

@pfguy2018 said in Can't reach Apple services:

Never occurred to me to try the www - but that did work for me as well. So I am guessing the ping issue might have nothing to do with the difficulty connecting with Facetime and other Apple services. I disabled pfBlocker to see if that might help.

Did you reboot your pfSense after you disabled pfBlockerng, I can't remember, but the reason I bring it up is that if pfBlockerng is in fact blocking Facetime and other Apple services, these blocks may still be cashed in memory and a reboot will clear them out. Just my 2 cents worth.

pfguy2018

Yes, I did reboot after disabling and uninstalling.

Gertjan

apple.com is a host - probably a front host like a proxy with some IP's.
It's a host name NOT be be used or known to the public.

host apple.com

does show why it exists : it has to do with 'mails' ;)

like blabla@apple.com

apple.com has address 17.172.224.47
apple.com has address 17.142.160.59
apple.com has address 17.178.96.59
apple.com mail is handled by 10 nwk-aaemail-lapp01.apple.com.
apple.com mail is handled by 10 nwk-aaemail-lapp02.apple.com.
apple.com mail is handled by 10 nwk-aaemail-lapp03.apple.com.
apple.com mail is handled by 10 ma1-aaemail-dr-lapp01.apple.com.
apple.com mail is handled by 10 ma1-aaemail-dr-lapp02.apple.com.
apple.com mail is handled by 10 ma1-aaemail-dr-lapp03.apple.com.

These hosts do not reply to any form of ping.
Note : only ancient IPv4 are avaible.

www.apple.com is another animal.

No need to explain it has a lot to do with the customers ? ;)

www.apple.com is an alias for www.apple.com.edgekey.net.
www.apple.com.edgekey.net is an alias for www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net is an alias for e6858.dsce9.akamaiedge.net.
e6858.dsce9.akamaiedge.net has address 23.215.180.234
e6858.dsce9.akamaiedge.net has IPv6 address 2a02:26f0:2b00:29c::1aca
e6858.dsce9.akamaiedge.net has IPv6 address 2a02:26f0:2b00:28e::1aca

These all reply on ping (ICMP).
One might say : why should it ? ... it's just a web server.

Remember : it's nice if a host replies to ping - but there is no law that says it has to.

pfguy2018

@Gertjan

Thanks. This makes the ping issue very clear. I am still trying to figure out whether I solved my FaceTime issue by uninstalling pfBlockerNG.

user_three

ok.