• First page load on some websites will throw the error that the "Site cannot be reached" - but within a few seconds will usually load on its own. Sometimes if I refresh a few times it will also load. I have checked logs, disabled/removed squid/squidGuard. I verify DNS from the local machine does a lookup fine on the name.
    I have "Clear invalid DF bits instead of dropping the packets" checked in Adv->Firewall/NAT, also Disable Firewall Scrub is checked and I set Firewall Optimization to 'conservative' (per a few articles I've found).

    pfSense is my DNS server - I have several VLANs - have tried a couple of them and they exhibit the same behavior on the same site.
    (CNN.com for example will give ERR_CONNECTION_RESET and "This site can't be reached" on GUEST wifi as well as Private wired)
    I have combed through firewall rules - but nothing stands out. And I'd assume if it is blocked it would stay blocked instead of letting traffic pass after initial load.
    There does seem to be a difference in behavior from mobile on Wifi vs Wired PC though. On mobile - cnn.com won't load at all - after several refreshes still fails. On PC wired, it auto-loaded within a couple seconds of the initial failure. Also on PC it seems once it loads it's ok, it seems to work after th

  • Netgate Administrator

    You should remove 'Clear invalid DF bits' and enable pf scrub again unless you have a very good reason not to. Both those things will probably be causing more problems than they solve.

    Do you have any other packages installed besides Squid/squidguard?

    Can you port-test to those sites from Diag > Port Test in pfSense on 443?


  • LAYER 8 Global Moderator

    Just for clarity here, before someone comes back and says there is no port test... It's "Test Port" on the diag menu ;)

    Also, are you actually trying to go to cnn.com or www.cnn.com? cnn.com should redirect to www.cnn.com.

    But DNS is different: while cnn.com will return multiple IPs in a round robin, www.cnn.com is a CNAME that points to

    www.cnn.com. 30 IN CNAME turner-tls.map.fastly.net.
    turner-tls.map.fastly.net. 30 IN A
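
To combine the two suggestions above (the Test Port check on 443, and the point that the apex name returns a round-robin set of addresses while www is a CNAME into a CDN), here is an added example that is not from the thread or from pfSense: it resolves every address the system resolver returns for a hostname and TCP-connects to each on 443, classifying the outcome so an intermittent ERR_CONNECTION_RESET can be tied to one specific address rather than to the name as a whole. It uses only the Python standard library, so it does not show the CNAME chain itself; the `resolver` parameter of `check_site` is an assumption added to make the logic testable offline.

```python
import socket
from typing import Callable, List, Tuple

# Added example (not from the thread): per-address port test for a site
# whose apex name is a round-robin set of A records. Each connect attempt
# may land on a different address, so test all of them, not just one.

def resolve_all(host: str) -> List[str]:
    """Every IPv4/IPv6 address the system resolver returns for host."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    seen, addrs = set(), []
    for _family, _type, _proto, _canon, sockaddr in infos:
        ip = sockaddr[0]
        if ip not in seen:          # dedupe, keep resolver order
            seen.add(ip)
            addrs.append(ip)
    return addrs

def tcp_check(ip: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect: open / refused / reset / timeout / error."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
            return "open"
        except socket.timeout:              # silently dropped (filtered?)
            return "timeout"
        except ConnectionRefusedError:      # RST on SYN: nothing listening
            return "refused"
        except ConnectionResetError:        # RST after connect: mid-path reset
            return "reset"
        except OSError:                     # unreachable network, etc.
            return "error"

def check_site(host: str, port: int = 443, timeout: float = 3.0,
               resolver: Callable[[str], List[str]] = resolve_all
               ) -> List[Tuple[str, str]]:
    """Port-test every address of host; resolver is injectable for tests."""
    return [(ip, tcp_check(ip, port, timeout)) for ip in resolver(host)]

if __name__ == "__main__":
    # Compare the apex (round-robin A records) with the www CNAME target.
    for name in ("cnn.com", "www.cnn.com"):
        for ip, state in check_site(name):
            print(f"{name:14} {ip:40} {state}")
```

Run it from a host on the affected VLAN; a single address showing "reset" or "timeout" while the others are "open" explains why refreshes sometimes succeed.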

  • Netgate Administrator

    Doh! Test Port indeed. 😉