Netgate Discussion Forum

    Some web sites do not work

    General pfSense Questions
    5 Posts 3 Posters 631 Views
    swmspam

      Running pfsense community 2.4.5-p1 in basic configuration on Celeron J4105. Some web sites do not work. I searched several forums (including this one) and found numerous references for help. Nothing has helped yet. Major baseline settings:

      ISP is Metronet fiber optic
      DNS resolver enabled with forwarding mode
      System DNS set to cloudflare 1.1.1.1
      System/Advanced Allow IPv6 not checkmarked
      DHCP serves local IP addresses to LAN

      After searching the forums, the following changes were applied:
      System/Advanced "Clear invalid DF bits instead of dropping packets"
      System/Advanced "Disable the PF scrubbing option"
      Interfaces/WAN MTU = 576
      Firewall Rule ICMP * * * * * allow all

      The test website is for clients to order dog food at purinaforprofessionals.com

      From a LAN workstation, "ping purinaforprofessionals.com" results in a successful DNS resolution of the IP address (199.83.128.185), but all requests time out. Running ping from pfsense/diagnostics also results in a successful DNS resolution of the IP address, but all requests time out.

      Running tracert from a Windows command interface finds the IP address and reports the destination unreachable. Running traceroute from pfsense/diagnostics results in a successful DNS IP resolution and changes the hostname to xfbbc.x.incapdns.net, with no other results.

      We now have 2 websites that are important for our clients to use that are inoperable. As a side note, iHeart radio doesn't work either.

      Tzvia @swmspam

        @swmspam I am not familiar with your ISP, but your WAN MTU looks mighty low. I can get to that website with my MTU at the default (blank). My tracert completes with the same name resolved as you see, and I can get the site. I don't think the PF scrubbing is going to help with this situation either, so I would set that and the MTU back to default. Is the DNS set to forwarding mode for DNS over TLS? I don't think DNS is the issue (it does resolve); I'm just looking for more info on the setup. Any IDS or pfBlocker installed, VPN, proxy? If so, I would save my config, remove all the extra packages and set it back to the defaults, then only set what is needed to get internet (PPPoE account, static IP...) and test it that way before making any changes.

        Tzvia

        Current build:
        Hunsn/CWWK Pentium Gold 8505, 6x i226v 'micro firewall'
        16 gigs ram
        500gig WD Blue nvme
        Using modded BIOS (enabled CSTATES)
        PFSense 2.72-RELEASE
        Enabled Intel SpeedShift
        Snort
        PFBlockerNG
        LAN and 5 VLANS

        stephenw10 Netgate Administrator

          @swmspam said in Some web sites do not work:

          MTU = 576

          Yeah, 576 is the absolute minimum value for most things. All TCP connections should work with that, but it would not surprise me to find some that don't.
          Why are you using that?

          Steve

          swmspam

            There are some forum entries on this forum and others where the pfsense developers suggest alternative MTU settings. Apparently, this has solved some users' problems. I have tried a variety of settings, including the default blank setting, with 576 being the lowest, but apparently my problem is not related to MTU.

            stephenw10 Netgate Administrator

              When you visit purinaforprofessionals.com it redirects to www.purinaforprofessionals.com, which is a CNAME for xfbbc.x.incapdns.net. However, both IPs should respond to ping, so if you are not seeing that, it's not an MTU issue. But 576 is ridiculous; you should set that back to the default.
              Run a pcap for those IPs on WAN while you try to ping them from a client. Do you see the requests leaving?
              If you don't, then check for Snort or pfBlocker etc. blocking that on the firewall.
              If you do and there are no responses, then you perhaps have an upstream routing issue, or those sites are blocking your IP somewhere.

              Steve

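The pcap step above, as an added example that is not from the thread or from pfSense itself: it applies Steve's three outcomes (no requests leaving, requests but no replies, requests and replies) to tcpdump output. It assumes the WAN interface is em0 and the public WAN address is 203.0.113.5 (both made up here); the site IP 199.83.128.185 is the one resolved in the thread, and the capture lines are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: turn the "pcap on WAN while a client pings"
# step into a small classifier that applies the post's decision tree to the capture.
# Assumptions (constructed for this example): the WAN interface is em0, the public
# WAN address is 203.0.113.5, and the site IP is 199.83.128.185 as resolved in the thread.

TARGET=199.83.128.185

# The capture as it would be run from a pfSense shell while the LAN client pings
# the site; its -n output is what classify_pcap expects on stdin.
capture_cmd() {
    echo "tcpdump -ni em0 -l host $TARGET and icmp"
}

# Count echo requests leaving for TARGET and echo replies coming back, then map the
# counts onto the three outcomes described in the post.
classify_pcap() {
    reqs=0
    reps=0
    while IFS= read -r line; do
        case "$line" in
            *"> $TARGET: ICMP echo request"*) reqs=$((reqs + 1)) ;;
            *"IP $TARGET > "*"ICMP echo reply"*) reps=$((reps + 1)) ;;
        esac
    done
    if [ "$reqs" -eq 0 ]; then
        echo FIREWALL_BLOCK        # nothing leaves WAN: check Snort, pfBlockerNG, WAN/floating rules
    elif [ "$reps" -eq 0 ]; then
        echo UPSTREAM_OR_REMOTE    # requests leave, no answers: upstream routing or remote blocking
    else
        echo PATH_OK               # the WAN side is fine; the problem is elsewhere
    fi
}

# Constructed tcpdump -n lines for the three situations.
SAMPLE_BLOCKED=''
SAMPLE_NO_REPLY='12:00:01.000000 IP 203.0.113.5 > 199.83.128.185: ICMP echo request, id 7, seq 1, length 64
12:00:02.000000 IP 203.0.113.5 > 199.83.128.185: ICMP echo request, id 7, seq 2, length 64'
SAMPLE_OK='12:00:01.000000 IP 203.0.113.5 > 199.83.128.185: ICMP echo request, id 7, seq 1, length 64
12:00:01.018000 IP 199.83.128.185 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 64'

for s in "$SAMPLE_BLOCKED" "$SAMPLE_NO_REPLY" "$SAMPLE_OK"; do
    printf '%s\n' "$s" | classify_pcap
done
```

On a live firewall, pipe the real capture into the classifier: `tcpdump -ni em0 -l host 199.83.128.185 and icmp | classify_pcap` after a fixed number of pings from the client.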
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.