Netgate Discussion Forum

    Site can't be reached

      sharjeel

      First page load on some websites will throw the error that the "Site cannot be reached" - but within a few seconds will usually load on its own. Sometimes if I refresh a few times it will also load. I have checked logs, disabled/removed squid/squidGuard. I verify DNS from local machine does a lookup fine on the name.
      I have "Clear invalid DF bits instead of dropping the packets" checked in Adv->Firewall/NAT, also Disable Firewall Scrub is checked and I set Firewall Optimization to 'conservative' (per a few articles I've found)

      pfSense is my DNS server - I have several VLANs - have tried a couple of them and exhibit same behavior on same site.
      (CNN.com for example will give ERR_CONNECTION_RESET and "This site can't be reached" on GUEST wifi as well as Private wired)
      I have combed thru firewall rules - but nothing stands out. And I'd assume if it is blocked it would stay blocked instead of letting traffic pass after initial load.
      There does seem to be a difference in behavior from mobile on Wifi vs Wired PC tho. On mobile - cnn.com won't load at all - after several refreshes still fails. On PC wired, it auto-loaded within a couple seconds of the initial failure. Also on PC seems once it loads it's ok it seems to work after th

        stephenw10 Netgate Administrator

        You should remove 'Clear invalid DF bits' and enable pf scrub again unless you have a very good reason not to. Both those things will probably be causing more problems than they solve.

        Do you have any other packages installed besides Squid/squidguard?

        Can you port-test to those sites from Diag > Port Test in pfSense on 443?

        Steve

          johnpoz LAYER 8 Global Moderator

          Just for clarity here, before someone comes back and says there is no port test.. It's "Test Port" on the diag menu ;)

          Also, are you actually trying to go to cnn.com or www.cnn.com? cnn.com should redirect to www.cnn.com.

          But DNS is different: while cnn.com will return multiple IPs in a round robin, www.cnn.com is a CNAME that points to

          ;; ANSWER SECTION:
          www.cnn.com. 30 IN CNAME turner-tls.map.fastly.net.
          turner-tls.map.fastly.net. 30 IN A 151.101.185.67

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            stephenw10 Netgate Administrator

            Doh! Test Port indeed. 😉
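
A client-side counterpart to the Test Port check on 443 and the cnn.com / www.cnn.com DNS comparison discussed in the posts above, added here as an example and not posted by anyone in the thread: it resolves a name, attempts a TCP connection to every returned address, and repeats the probe because the failure is intermittent. The function names, round count and timeout are assumptions; like Test Port, it only covers the TCP handshake.

```python
import errno
import socket
from collections import Counter, defaultdict

def _connect(family, socktype, proto, sockaddr, timeout):
    """One TCP handshake attempt, classified by how it ends."""
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return "open"
        except socket.timeout:
            return "timeout"   # no answer to the SYN
        except ConnectionRefusedError:
            return "refused"   # RST in answer to the SYN
        except ConnectionResetError:
            return "reset"
        except OSError as exc:
            return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))

def probe_all(host, port=443, timeout=3.0):
    """Connect to every address `host` resolves to; return [(ip, verdict)]."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(host, "dns-failure:" + str(exc))]
    results, seen = [], set()
    for family, socktype, proto, _canon, sockaddr in infos:
        if sockaddr[0] not in seen:
            seen.add(sockaddr[0])
            results.append((sockaddr[0], _connect(family, socktype, proto, sockaddr, timeout)))
    return results

def probe_rounds(host, port=443, rounds=5, timeout=3.0):
    """Repeat the probe, since the failure is intermittent; tally verdicts per IP."""
    tally = defaultdict(Counter)
    for _ in range(rounds):
        for ip, verdict in probe_all(host, port, timeout):
            tally[ip][verdict] += 1
    return {ip: dict(counts) for ip, counts in tally.items()}

if __name__ == "__main__":
    # The two names compared in the thread; needs network access.
    for name in ("cnn.com", "www.cnn.com"):
        print(name, probe_rounds(name))
```

Running it from a wired PC and from a machine on the guest VLAN gives a per-address tally that can be compared with the Test Port result taken on pfSense itself.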

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.