Site can't be reached
-
First page load on some websites will throw the error that the "Site cannot be reached" - but within a few seconds will usually load on its own. Sometimes if I refresh a few times it will also load. I have checked logs, disabled/removed squid/squidGuard. I verify DNS from local machine does a lookup fine on the name.
I have "Clear invalid DF bits instead of dropping the packets" checked in Adv->Firewall/NAT, also Disable Firewall Scrub is checked and I set Firewall Optimization to 'conservative' (per a few articles I've found). pfSense is my DNS server - I have several VLANs - have tried a couple of them and they exhibit the same behavior on the same site.
(CNN.com for example will give ERR_CONNECTION_RESET and "This site can't be reached" on GUEST wifi as well as Private wired)
I have combed thru firewall rules - but nothing stands out. And I'd assume if it is blocked it would stay blocked instead of letting traffic pass after initial load.
There does seem to be a difference in behavior from mobile on Wifi vs Wired PC tho. On mobile - cnn.com won't load at all - after several refreshes still fails. On PC wired, it auto-loaded within a couple seconds of the initial failure. Also on PC seems once it loads it's ok it seems to work after th
-
You should remove 'Clear invalid DF bits' and enable pf scrub again unless you have a very good reason not to. Both those things will probably be causing more problems than they solve.
Do you have any other packages installed besides Squid/squidguard?
Can you port-test to those sites from Diag > Port Test in pfSense on 443?
Steve
-
Just for clarity here, before someone comes back and says there is no port test... It's "Test Port" on the diag menu ;)
Also, are you actually trying to go to cnn.com or www.cnn.com? cnn.com should redirect to www.cnn.com.
But DNS is different: while cnn.com will return multiple IPs in a round-robin, www.cnn.com is a CNAME that points to
;; ANSWER SECTION:
www.cnn.com. 30 IN CNAME turner-tls.map.fastly.net.
turner-tls.map.fastly.net. 30 IN A 151.101.185.67
-
Doh! Test Port indeed.