Applications on OSX startup issues on closed network since pfsense install

    We're having a weird issue on a closed network segment with Mac OSX workstations that I narrowed down to the gateway, and now I'm trying to find out whether this is an OSX-specific thing or if I can change something in pfsense to fix it:

    So there's a VLAN with a bunch of workstations that need to get to a file server on the same VLAN, but they cannot reach the internet for security reasons. Before installing pfsense I did this with L3 switching, with my Cisco SG300 acting as a DHCP server but no gateway, which worked fine but was tricky to maintain across all the switches.

    So I wanted to streamline this by installing pfsense, going to L2 switching on the Ciscos and controlling the network via pfsense.

    The problem on this VLAN is that now all machines on this segment start super-sluggish, many apps have a massive startup delay and some don't launch at all, incl. the Brave browser.

    I think it's because these apps try to "phone home", get no response, and some have very long timeouts built in.
    When I manually delete the DNS-address (currently my pfsense at entry on a given client, everything's back to normal.

    So here's my question:
    Is there a way to avoid this issue without opening the VLAN to the internet? Can the DNS server somehow let the clients know that there won't be a response from the WAN so they stop waiting for it? Or can I tell the DHCP server not to provide a gateway for that VLAN?

  • if it is a time-out issue, you could change your firewall rules from 'block' to 'reject'.

    At the moment I have just one allow rule, source from that VLAN to that VLAN, so I'm not actively blocking anything (apart from access to the networking gear's web interfaces etc.). Is that a bad idea? It seemed easier than blocking everything and allowing every single thing I need open. Generally the machines on that segment should be able to get to each other and the file server, just not the internet (unless I allow it for very specific needs, updates for example).

    It seems like as soon as the machine sees the DNS server entry it received from the DHCP server of pfsense, it tries to connect if a given app has some kind of "phone home" function under the hood. So I was wondering if I can tell the machines not to bother. In a way that network has now become very annoying to use. It was better before with no gateway at all.

    But I'll definitely try the reject idea. I guess I'd need to add a rule to reject DNS ports on that network in my scenario?

  • Did a few tests.
    Rejecting port 53 for that network doesn't change anything. Also assigning no gateway at all by the DHCP server makes no difference.

    The only thing that does make a difference is manually deleting the DNS server entry on the connecting Mac. That seems to prevent the system from saying "Hey everyone, there's internet, let's all try to connect". The latter is just me guessing.

    I do wonder how other people set up networks that can't get to the internet without this annoyance happening on the connecting clients' side.
    There must be a way...

  • OK, so I think I found the solution. I added a rule to reject port 80 and 443 and bingo: no more waiting for time-outs on application launch! Rejecting port 53 didn't work because I guess these applications connect to IP addresses and therefore don't need the DNS.
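The behaviour discussed across this thread (a silent default block makes clients wait for their own timeout, a reject rule on 80/443 makes them fail immediately, and a reject on 53 does not help when apps connect to IP addresses directly) comes down to first-match rule evaluation on the VLAN interface. The following is an added illustration, not code from the thread or from pfSense: a small Python model of that evaluation. The VLAN prefix, the pfSense interface address and the external "phone home" address are constructed values; the rule semantics (first match wins, unmatched traffic hits a silent default deny) follow pfSense's documented interface-rule behaviour.

```python
"""Model of the pfSense interface ruleset discussed in the thread.

Illustration only. Addresses below are constructed and not from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed addresses for the example.
VLAN_NET = ipaddress.ip_network("10.20.0.0/24")   # the closed workstation VLAN
PFSENSE_VLAN_IP = "10.20.0.1"                      # pfSense interface, handed out as DNS server via DHCP
FILE_SERVER_IP = "10.20.0.20"                      # file server inside the VLAN
CLIENT_IP = "10.20.0.50"                           # a Mac workstation
EXTERNAL_IP = "203.0.113.10"                       # a "phone home" endpoint on the internet (TEST-NET-3)


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass", "block" (silent drop) or "reject" (RST / ICMP unreachable)
    proto: Optional[str] = None          # "tcp", "udp" or None for any protocol
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dst_not: bool = False                # True: destination must NOT be in dst (pfSense "invert match")
    ports: FrozenSet[int] = frozenset()  # empty means any destination port


def matches(rule: Rule, proto: str, src_ip, dst_ip, dport: int) -> bool:
    """Return True if the packet is covered by the rule."""
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.src is not None and src_ip not in rule.src:
        return False
    if rule.dst is not None:
        in_dst = dst_ip in rule.dst
        # A plain match needs in_dst == True, an inverted match needs in_dst == False.
        if in_dst == rule.dst_not:
            return False
    if rule.ports and dport not in rule.ports:
        return False
    return True


def evaluate(rules, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins (pfSense interface rules are 'quick').

    Anything no rule matches hits the implicit default deny, which is a
    silent block: the client never gets a reply and waits out its own timeout.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action
    return "block"


def client_experience(verdict: str) -> str:
    """What the connecting application sees for each verdict."""
    return {
        "pass": "connection proceeds",
        "block": "no reply at all; app waits for its own (often long) timeout",
        "reject": "immediate failure (TCP RST / ICMP unreachable); app gives up at once",
    }[verdict]


# Ruleset as first described: a single allow rule, VLAN to VLAN, and nothing else.
ORIGINAL_RULES = [
    Rule("pass", src=VLAN_NET, dst=VLAN_NET),
]

# Intermediate attempt: reject DNS to anything outside the VLAN.
DNS_REJECT_RULES = [
    Rule("reject", src=VLAN_NET, dst=VLAN_NET, dst_not=True, ports=frozenset({53})),
    Rule("pass", src=VLAN_NET, dst=VLAN_NET),
]

# Final ruleset: reject TCP 80/443 to anything outside the VLAN, then the VLAN-to-VLAN allow.
FIXED_RULES = [
    Rule("reject", "tcp", src=VLAN_NET, dst=VLAN_NET, dst_not=True, ports=frozenset({80, 443})),
    Rule("pass", src=VLAN_NET, dst=VLAN_NET),
]

# Representative flows from a workstation: (label, proto, destination, port).
FLOWS = [
    ("DNS query to pfSense resolver", "udp", PFSENSE_VLAN_IP, 53),
    ("SMB to file server", "tcp", FILE_SERVER_IP, 445),
    ("app phoning home by IP over HTTPS", "tcp", EXTERNAL_IP, 443),
    ("app phoning home by IP over SSH", "tcp", EXTERNAL_IP, 22),
]


def compare_rulesets():
    """Return {ruleset name: {flow label: verdict}} for all flows."""
    named = {"original": ORIGINAL_RULES, "reject_dns": DNS_REJECT_RULES, "fixed": FIXED_RULES}
    return {
        name: {label: evaluate(rules, proto, CLIENT_IP, dst, port) for label, proto, dst, port in FLOWS}
        for name, rules in named.items()
    }


if __name__ == "__main__":
    for name, results in compare_rulesets().items():
        print(f"== {name} ==")
        for label, verdict in results.items():
            print(f"  {label:36s} -> {verdict:6s} : {client_experience(verdict)}")
```

Running it shows why each step in the thread behaved as it did: DNS to the pfSense address and SMB to the file server match the VLAN-to-VLAN allow in every ruleset; an HTTPS connection straight to an external IP matches nothing in the original or DNS-reject rulesets and falls to the silent default deny, so the app waits; only the 80/443 reject rule turns that into an immediate failure. The last flow is the caveat a defender should keep in mind: a "phone home" on any port other than 80 or 443 still hits the silent block, so the reject rule has to cover whichever ports the affected applications actually use.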

