• Running pfsense community 2.4.5-p1 in basic configuration on Celeron J4105. Some web sites do not work. I searched several forums (including this one) and found numerous references for help. Nothing has helped yet. Major baseline settings:

    ISP is Metronet fiber optic
    DNS resolver enabled with forwarding mode
    System DNS set to cloudflare 1.1.1.1
    System/Advanced Allow IPv6 not checkmarked
    DHCP serves local IP addresses to LAN

    After searching the forums, the following changes were applied:
    System/Advanced "Clear invalid DF bits instead of dropping packets"
    System/Advanced "Disable the PF scrubbing option"
    Interfaces/WAN MTU = 576
    Firewall Rule ICMP * * * * * allow all

    The test website is for clients to order dog food at purinaforprofessionals.com

    From a LAN workstation, "ping purinaforprofessionals.com" results in a successful DNS resolution to 199.83.128.185, but all requests time out. Running ping from pfsense/diagnostics also resolves the DNS name to that IP address, but all requests time out.

    Running tracert from a Windows command prompt finds the IP address but reports destination unreachable. Running traceroute from pfsense/diagnostics resolves the DNS name, changes the hostname to xfbbc.x.incapdns.net, and shows no other results.

    We now have 2 websites that are important for our clients to use that are inoperable. As a side note, iHeart radio doesn't work either.


  • @swmspam I am not familiar with your ISP, but your WAN MTU looks mighty low. I can get to that website with my MTU at the default (blank). My tracert completes with the same name resolved as you see, and I can get the site. I don't think the PF scrubbing is going to help with this situation either, so I would set that and the MTU back to default. Is the DNS set to forwarding mode for DNS over TLS? I don't think DNS is the issue (it does resolve); I'm just looking for more info on the setup. Any IDS or pfBlocker installed, VPN, proxy? If so, I would save my config, remove all the extra packages and set it back to the defaults, then only set what is needed to get internet (PPPoE account, static IP...) and test it that way before making any changes.

  • Netgate Administrator

    @swmspam said in Some web sites do not work:

    MTU = 576

    Yeah, 576 is the absolute minimum value for most things. All TCP connections should work with that but it would not surprise me to find some that don't.
    Why are you using that?

    Steve


  • There are some forum entries on this forum and others in which the pfsense developers suggest alternative MTU settings. Apparently, this has solved some user problems. I have tried a variety of settings, including the default blank setting, with 576 being the lowest, but apparently my problem is not related to MTU.

  • Netgate Administrator

    When you visit purinaforprofessionals.com it redirects to www.purinaforprofessionals.com, which is a CNAME for xfbbc.x.incapdns.net. However, both IPs should respond to ping, so if you are not seeing that it's not an MTU issue. But 576 is ridiculous; you should set that back to the default.
    Run a pcap for those IPs on WAN while you try to ping them from a client. Do you see the requests leaving?
    If you don't then check for Snort or pfBlocker etc blocking that on the firewall.
    If you do and there are no responses then you have an upstream routing issue perhaps or those sites are blocking your IP somewhere.

    Steve
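The three-way decision Steve lays out (requests never leave WAN, requests leave but nothing comes back, replies arrive) can be checked mechanically against the text output of a WAN packet capture. The script below is an added example, not code from this thread or from Netgate: it parses `tcpdump -nn` style ICMP lines and maps each target IP onto one of those outcomes. The capture lines are constructed for the example; 203.0.113.10 is assumed to be the firewall's WAN address, 199.83.128.185 and 1.1.1.1 are the IPs from the thread, and 198.51.100.7 is a placeholder standing in for the second site's address, which the thread does not give.

```python
import re
from collections import Counter

# Matches ICMP echo lines as printed by `tcpdump -nn -i <wan_if> icmp`,
# e.g. "12:00:01.000000 IP 203.0.113.10 > 199.83.128.185: ICMP echo request, id 1, seq 1, length 64"
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)"
)

# Constructed sample capture (not real traffic). 203.0.113.10 = assumed WAN address.
# 199.83.128.185 and 1.1.1.1 come from the thread; 198.51.100.7 is a placeholder.
SAMPLE_CAPTURE = [
    "12:00:01.000000 IP 203.0.113.10 > 199.83.128.185: ICMP echo request, id 7, seq 1, length 64",
    "12:00:02.000000 IP 203.0.113.10 > 199.83.128.185: ICMP echo request, id 7, seq 2, length 64",
    "12:00:03.000000 IP 203.0.113.10 > 199.83.128.185: ICMP echo request, id 7, seq 3, length 64",
    # a TCP line that the ICMP regex must ignore (ports are appended to the addresses)
    "12:00:03.500000 IP 203.0.113.10.51234 > 199.83.128.185.443: Flags [S], seq 1, length 0",
    "12:00:04.000000 IP 203.0.113.10 > 1.1.1.1: ICMP echo request, id 8, seq 1, length 64",
    "12:00:04.010000 IP 1.1.1.1 > 203.0.113.10: ICMP echo reply, id 8, seq 1, length 64",
    "12:00:05.000000 IP 203.0.113.10 > 1.1.1.1: ICMP echo request, id 8, seq 2, length 64",
    "12:00:05.010000 IP 1.1.1.1 > 203.0.113.10: ICMP echo reply, id 8, seq 2, length 64",
]

TARGETS = ["199.83.128.185", "198.51.100.7", "1.1.1.1"]


def summarize_icmp(capture_lines, target_ips):
    """Return {ip: (echo_requests_sent_to_ip, echo_replies_received_from_ip)}."""
    targets = set(target_ips)
    requests = Counter()
    replies = Counter()
    for line in capture_lines:
        m = ICMP_RE.match(line.strip())
        if not m:
            continue  # not an ICMP echo line (TCP, ARP, ...)
        if m["kind"] == "request" and m["dst"] in targets:
            requests[m["dst"]] += 1
        elif m["kind"] == "reply" and m["src"] in targets:
            replies[m["src"]] += 1
    return {ip: (requests[ip], replies[ip]) for ip in targets}


def diagnose(summary):
    """Map the per-IP counts onto the three outcomes of the WAN pcap check.

    Returns {ip: (code, advice)} where code is NOT_LEAVING, NO_REPLY or OK.
    """
    verdicts = {}
    for ip, (sent, received) in summary.items():
        if sent == 0:
            verdicts[ip] = ("NOT_LEAVING",
                            "no echo requests seen on WAN: check Snort/pfBlocker or "
                            "firewall rules dropping the traffic locally")
        elif received == 0:
            verdicts[ip] = ("NO_REPLY",
                            "requests leave WAN but nothing returns: upstream routing "
                            "issue or the remote side is blocking your IP")
        else:
            verdicts[ip] = ("OK",
                            "echo replies received: ICMP path works, look at the "
                            "application traffic (TCP/443) instead")
    return verdicts


if __name__ == "__main__":
    for ip, (code, advice) in diagnose(summarize_icmp(SAMPLE_CAPTURE, TARGETS)).items():
        print(f"{ip:16} {code:12} {advice}")
```

To produce real input, capture on the WAN interface from the pfSense shell while a client pings the site, e.g. `tcpdump -nn -i em0 icmp and host 199.83.128.185` (the interface name is an assumption; Diagnostics > Packet Capture in the web UI writes the same kind of output), and feed the lines to `summarize_icmp`. The regex only recognises echo request/reply lines, so a capture that is all TCP will report every target as NOT_LEAVING; run the ping test with ICMP, as Steve suggests, before trusting the verdict.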