Website blocked until login to console

dcoens

I'm a noob. I have a netgate SG-1100 and some web sites will not let me access to them even with a continual refresh of the browser. I then log into the pfsence console and goto ping and put the site it there. it come back as a good ping. Then on my browser, it will connect. I've had this happen on several occasions and several websites.

Gertjan

Hi,

You received the SG-1100, hooked it up WAN to WAN, LAN to LAN, changed the password, and you set up your WAN interface, the connection method, if needed.
And that's it.

It's useful to detail how you set it up. You being a noob (your words) does not dispense you from detailing. To the contrary, in fact.
Right now, you give us room for just one answer : you made a mistake.

You never touched DNS, you never saw DNS, you know it would work out of the box : you did not change anything. Nothing.
It worked.
Right ?

@dcoens said in Website blocked until login to console:

goto ping and put the site it there

What is "the site" ? It's IP ? The URL ?

stephenw10

Do you see the same thing if instead of ping you go to Diag > Test Port and run a test against that same site on port 80 or 443?

What if you try to ping from the client instead of pfSense, does that also 'open' the connection?

When you see pings work but TCP fail you may be hitting:

Asymmetric routing
MTU issues
TCP offloading problems

Since the connection succeeds after pinging it's most likely asymmetric routing where an ICMP redirect allow connection to work for a short time.

How exactly do you have the SG-1100 hooked up?

Steve

dcoens

@stephenw10

Yesterday I did this. Paypal.com is is one example that stopped going to the site and would not connect. I don't know If I really fixed it by doing this, but so far, so good.

Disable DNS Forwarder: I checked this to on, Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall.

Even though DNS Forwarder, General DNS Forwarder Options, Enable, Enable DNS forwarder is "not checked".

I have the SG-1100 Setup mostly by default with my System

General Setup> DNS Servers set to 9.9.9.9 with quad 9 secondary. I also am using PF BlockerNG devel.

I did Diag > Test Port and run a test on paypal.com on port 443 and it came back successful. But of course this is after the above setting and things seem to be working so far.

If it come back as not returning the site, I am at a loss of the "ICMP redirect". When I looked that up it had to do with setting up firewall rules - I have not done that directly as PF BlockerNG has set some stuff up in their that says do not edit.

Appreciate your help.

Thank you.

stephenw10

@dcoens said in Website blocked until login to console:

Disable DNS Forwarder:

When you set that in Sys > General setup you are telling the firewall to use the defined external DNS servers for it's own connections. Like from Diag > Ping or firmware checks etc.
It will otherwise ot's own DNS server, either the forwarder or the resolver whichever is enabled.

It's unlikely that change would have any effect on client connectivity.

Steve