Netgate Discussion Forum
    Unable to get to Amazon web site

    General pfSense Questions
    10 Posts 4 Posters 1.6k Views
    aswede:

      I am hoping someone can point me in the right direction. I am a novice when it comes to networking, having until recently relied on basic home routers (e.g. Asus RT-AC3100), but over the holidays got pfSense up and running.

      I have a simple set-up with a computer that has 5 NICs, set up with 4 subnets. When I start up everything works fine, but about 12-24 hours after starting up pfSense I lose the ability to connect to amazon.com! Other web sites work fine; my speed is just where I expect it to be (using Speedtest.net), and accessing a server and printer that are on different subnets works fine.

      Currently I am fine allowing all traffic between subnets - at a future time I may put in restrictions. Right now my main goal is to set up subnets for different things I do: one for WiFi connections (with various home automation connections); one for the server & printer, HTPCs, gaming and work computers; one for the computer lab where I play around with different things; and at some point the last subnet will be for a web server running on a Raspberry Pi.

      Everything works as intended right now, except for the fact that I lose connection to Amazon. Below I have included screenshots of my Firewall settings. I am wondering if the setup I have for my VPN could potentially create this issue, even though I am not accessing through the VPN. I followed the instructions I found online for setting up the NordVPN, but I have little idea what the settings do.

      I appreciate any ideas or guidance on where to start looking.

      Picture1.png
      Picture2.png
      Picture3.png
      Picture4.png

      Thanks!!

    johnpoz (LAYER 8 Global Moderator):

        Has nothing to do with whatever your issue is... But why do you have a source of your other vlans on the different vlans?

        For example how would opt1, 2 or 3 ever be the source of traffic entering your LAN interface?

        Your rules wouldn't allow traffic from lan to any of your opt networks, because you're forcing traffic out either wan or vpn.

        When you lose access to amazon - does it still resolve? Can you ping its ip?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

    aswede @johnpoz:

          @johnpoz
          Thanks for your feedback.
          I can still ping amazon! (see below).
          2021-01-07 15_05_11-Command Prompt.png

          As for your first question, I do not have a good answer ... I set up rules as best I could based on how I understood things, but I am a neophyte as it relates to networking. I followed some instructions I found online, and thought I got things set up right.

          My goal is for each subnet to be able to get out to the Internet, as well as to be able to access resources on each of the subnets (LAN, OPT1, OPT2 and OPT3). Would appreciate your input / recommendations on what I need to change.

    johnpoz (LAYER 8 Global Moderator) @aswede:

            Well remove those rules... vlan X would never or could never be a source of traffic into vlan Y.

            If you want lan to reach opt X network, then you have to have a rule that allows that before you force traffic out a gateway.

            So for example put a rule above those rules that allows lan net to opt 1 net, then another that allows lan net to opt 2 net.

            Or you could just create an alias that contains the opt networks and do it in one rule.

            Well if you can ping amazon, then you're getting there.. your problem is not pfsense. Sure your browser is not using a proxy, or doh for dns that is failing? What sort of error do you get in your browser?

            With such rules - how do you even talk to pfsense for dns, when you're forcing traffic out wan or vpn? Unless your client is using something other than pfsense for dns - not even sure how you could resolve anything.

            You should have a rule above those rules as well that allows your lan net to talk to pfsense for dns: tcp/udp 53, lan address.


    aswede @johnpoz:
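The rule ordering johnpoz describes, shown as an added example that is not from the thread or from pfSense itself: a toy Python evaluator of first-match LAN rules, comparing a single "force everything out the VPN gateway" rule with the same rule preceded by pass rules for DNS to the firewall and for the OPT networks. Addresses, the OPT alias and the gateway name VPN_GW are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses standing in for the thread's "LAN address"
# and an alias of the OPT networks.
LAN_ADDRESS = ip_network("192.168.1.1/32")
OPT_NETS = [ip_network(n) for n in ("192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24")]

def rule(dst, ports=None, gateway=None):
    """A pass rule on the LAN tab (source is always 'LAN net').
    dst: list of networks, or None for 'any'; ports: set of destination ports,
    or None for any; gateway: policy-routing gateway, or None for the routing table."""
    return {"dst": dst, "ports": ports, "gateway": gateway}

def matches(r, dst_ip, dst_port):
    if r["dst"] is not None and not any(dst_ip in net for net in r["dst"]):
        return False
    return r["ports"] is None or dst_port in r["ports"]

def route(rules, dst_ip, dst_port):
    """Evaluate top-down, first match wins (interface rules are 'quick').
    Returns the gateway the flow is forced out, 'default' when the matching
    rule sets no gateway, or 'blocked' for the implicit default deny."""
    dst_ip = ip_address(dst_ip)
    for r in rules:
        if matches(r, dst_ip, dst_port):
            return r["gateway"] or "default"
    return "blocked"

# As posted: a single rule that forces all LAN traffic out the VPN gateway.
AS_POSTED = [rule(None, gateway="VPN_GW")]

# As suggested: local DNS and the OPT alias pass first with no gateway set,
# then the policy-routing rule catches everything else.
CORRECTED = [
    rule([LAN_ADDRESS], ports={53}),   # LAN net -> LAN address tcp/udp 53
    rule(OPT_NETS),                    # LAN net -> OPT networks alias
    rule(None, gateway="VPN_GW"),      # LAN net -> any, gateway VPN_GW
]

if __name__ == "__main__":
    for name, rs in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name,
              "dns->firewall:", route(rs, "192.168.1.1", 53),
              "lan->opt printer:", route(rs, "192.168.2.10", 631),
              "lan->internet:", route(rs, "203.0.113.10", 443))
```

With the posted ordering every flow, including DNS to the firewall and traffic to the OPT subnets, is policy-routed out VPN_GW; with the corrected ordering only Internet-bound traffic is.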

              @johnpoz
              The error I get from Amazon is timeout:
              2021-01-07 15_41_54-www.amazon.com.png
              No other DNS anywhere in the network, as far as I can tell.

              Could the issue be related to settings in the General setup .... when setting up the VPN connection the instructions I followed directed me to make edits in the DNS Server fields - see below:
              2021-01-07 15_47_34-pfSense.localdomain - System_ General Setup.png

    SteveITS (Galactic Empire) @johnpoz:

                @johnpoz said in Unable to get to Amazon web site:

                doh

                Concur, disable DNS over HTTPS in your browser and test, or try a browser like IE that doesn't support it. Like he said if ping is working then the connection is fine and DNS is working.

                Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                Upvote 👍 helpful posts!

    aswede:

                  @teamits
                  Just tried disabling DNS over HTTPS, and same result, cannot get to amazon.com. Using MS Edge, same result.

                  In Edge, running Windows Network Diagnostics identifies the problem as: "resource (www.amazon.com) is online but isn't responding to connection attempts."

    johnpoz (LAYER 8 Global Moderator) @aswede:

                    @aswede said in Unable to get to Amazon web site:

                    "resource (www.amazon.com) is online but isn't responding to connection attempts."

                    Well are you going through the vpn or not?

                    Do a traceroute.. Does the path go out your normal wan or your vpn..

                    Those dns changes are pointless if you're just pointing your clients to pfsense.

                    You're not even letting pfsense use itself for dns - so how do you resolve any of your local resources?

                    What I would suggest you do is disable all of the vpn stuff.. do you have problems then? I mean unless your isp is going to send the black helicopters to your house when they see you going to amazon.com ;)

                    Are you using a proxy or ips/ids on pfsense?


    aswede @johnpoz:

                      @johnpoz
                      I think you are right about the VPN stuff ... my intent was to have a few static IPs that go through the VPN. Most of the traffic, including amazon.com, should bypass the VPN .... :)

                      Did the traceroute and got an interesting result ... the first hop was not to the pfsense.localdomain - it was to 10.211.32.1

                      Then decided to go back to an earlier configuration (that also has the VPN client set up), as this has in the past restored my access to Amazon. Worked this time too; did the traceroute again, and lo and behold, this time pfsense.localdomain is the first hop. We will have to see if it is still working tomorrow ...

                      So, clearly I have something screwy going on, and I know I am not skilled enough to figure it out. Over the weekend I will do a clean install of pfSense, set up my subnets etc., make sure it all works, and then try to get the VPN up and running.

    stephenw10 (Netgate Administrator):

                        I would make sure your default gateway in System > Routing > Gateways is set to WAN_GW. If it's still set to automatic it may switch to the VPN gateway. That would affect all traffic that does not have a gateway set, including DNS traffic from the firewall itself if you're still using Unbound in resolving mode.

                        Steve

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.