Netgate Discussion Forum

Amazon and LinkedIn Android apps do not go through PFSense router

  • C
    Comfy
    last edited by Comfy Jan 17, 2021, 10:55 AM Jan 17, 2021, 10:54 AM

    As above. PFSense infant here. Networking is my weakest suit so have taken it upon myself to try to learn. Using this at home on a NUC with a USB Ethernet dongle to the outside world. If I've posted in the wrong place could a grown up move it for me please? :)

    Both apps won't go through the pfsense but work when the phone is on its external connection. These are the only 2 that I've found so far.

    Not really too sure where to start looking.

    I ditched my traditional router for this and am very very impressed with the speed and flexibility that it offers. Lots of YT vids also to further the learning..!

    Thanks to anyone that chips in.

    • K
      kmarston
      last edited by Jan 17, 2021, 11:20 AM

      A quick test is to put at the top of your LAN rules an any rule that you disable but turn on to prove something important is not getting blocked.
      Worth changing protocol TCP to any in your test rule too.
      With phones I always ask are you sure what is actually going on... Also with APs these can NAT if they are in the wrong mode often - do all the things that may provide WiFi have different SSIDs so you know which one you are actually connected to?

      phone -> WiFi AP (Is this in bridge / Access point mode not router mode?)-> pfSense -> home network (any other WiFi?) -> ISP Router (WiFi?) -> Internet

      I assume the above is possibly your phone's route to the internet?

      • C
        Comfy @kmarston
        last edited by Jan 17, 2021, 11:36 AM

        @kmarston Hi - Thanks for the quick reply.....totally lost...

        Looked in the interfaces and couldn't see what you were getting at...then looked in the Rules and still couldn't see what you were telling me to look for...

        With regards to the AP....I've got one EnGenius AP that does the wireless (soon to be 2) as I need a bit more coverage.

        As for the phone - no, not really too sure what's going on...but, that's why I'm here..! :)

        • S
          stephenw10 Netgate Administrator
          last edited by Jan 17, 2021, 11:05 PM

          It's probably something DNS related or IPv6.

          How are you handling DNS on the firewall? The default is to pass the interface IP to clients to use via DHCP, which then use Unbound (the resolver) running on the firewall. Some things are hard coded to use, for example, 8.8.8.8 and will fail if you're blocking that without re-directing it.

          Do you have IPv6 at all? Some things will always try to use it if they have a v6 IP even if the connection is invalid/misconfigured.

          Steve

          • C
            Comfy
            last edited by Comfy Jan 17, 2021, 11:27 PM Jan 17, 2021, 11:22 PM

            Hi - thanks for the reply - I was using 1.1.1.1 (trying to stay away from google) but I'll try 8.8.8.8 - see what happens....thanks for the suggestion...

            Oh - no, I'm not using IPv6

            • C
              Comfy @Comfy
              last edited by Jan 17, 2021, 11:26 PM

              @comfy Just tried - still the same...good idea though...

              • S
                stephenw10 Netgate Administrator
                last edited by Jan 17, 2021, 11:59 PM

                How are you setting that DNS server though?

                By setting any external server directly you may be overriding whatever they are trying to reach.

                Steve

                • C
                  Comfy @stephenw10
                  last edited by Jan 23, 2021, 11:37 AM

                  @stephenw10 Hi - I was setting 1.1.1.1 but then did try 8.8.8.8 and it was still the same. Go with me here (as I'm next to useless with networking) but if you set DNS server "A" and not "B" then it should still be able to make it to where it's going...or am I wrong (I suspect I am)....

                  • S
                    stephenw10 Netgate Administrator
                    last edited by Jan 23, 2021, 2:28 PM

                    Where are you setting that address for DNS?

                    • C
                      Comfy @stephenw10
                      last edited by Jan 23, 2021, 6:54 PM

                      @stephenw10 Services>DHCP server and then in there....currently set to 1.1.1.1

                      • S
                        stephenw10 Netgate Administrator
                        last edited by Jan 23, 2021, 9:00 PM

                        Ok. Are you blocking access to other DNS?

                        Something there may be hardcoded and failing.

                        • C
                          Comfy @stephenw10
                          last edited by Comfy Jan 23, 2021, 9:09 PM Jan 23, 2021, 9:07 PM

                          @stephenw10 If I am, I'm not sure where I'm doing that (blocking DNS) - where do I look to see if I am?

                          Just to add (and I don't know if it helps) the app will briefly load up then error...not sure if that helps....i.e. I briefly saw my orders then got the "oops" message...

                          • S
                            stephenw10 Netgate Administrator
                            last edited by Jan 23, 2021, 9:26 PM

                            You would have to be blocking it deliberately in the LAN side firewall rules or redirecting it as shown here:
                            https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

                            Can you set another client to use a different DNS server and test that?

                            Are you sure there is no IPv6 on the clients hitting this?

                            Steve

                            • C
                              Comfy @stephenw10
                              last edited by Jan 23, 2021, 9:42 PM

                              @stephenw10 ok - went through and added the rule (I'm not really sure what I'm doing at this point but doing a monkey see monkey do) but it's still the same....amazon on my laptop works fine though....

                              So, just tried it on my wife's iPad and it works on there so, it could be my phone S9+, it's not been rooted or reflashed but I'll just try an app reinstall....strange that it does work on the 4G connection though....

                              • C
                                Comfy @Comfy
                                last edited by Jan 23, 2021, 9:47 PM

                                @comfy Same with a reinstall....works on 4G, no dice on the LAN

                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Jan 23, 2021, 11:54 PM

                                  Using that redirect rule would more likely break this. I was pointing out you have to have that in place to break other DNS servers. You should remove it if you don't need that.

                                  What if you don't pass any alternative DNS servers to the client and allow it to use the Resolver in pfSense?

                                  If there's no change it's probably not DNS in which case my second best suspect is still IPv6. Check the phone does not have an IPv6 address.

                                  Steve

                                  • C
                                    Comfy @stephenw10
                                    last edited by Jan 24, 2021, 10:16 AM

                                    @stephenw10 yeah - once I found out it didn't work I removed the rule....I did look on the phone and couldn't find any connectivity for IPv6 - would it just be easier to disable IPv6 on the pfsense?

                                    • S
                                      stephenw10 Netgate Administrator
                                      last edited by Jan 24, 2021, 3:26 PM

                                      Yes you can. It will only hand out v6 if it has anything to hand out though.

                                      Checking the phone verifies that.

                                      Steve

                                      • C
                                        Comfy @stephenw10
                                        last edited by Jan 24, 2021, 3:30 PM

                                        @stephenw10 ok - where's that setting on the PF? I did go looking earlier on...as I'm new to it there's a multitude of settings...!

                                        • S
                                          stephenw10 Netgate Administrator
                                          last edited by Jan 24, 2021, 4:06 PM

                                          Services > DHCPv6 Server & RA.

                                          With that disabled you can set the LAN interface IPv6 to 'none' rather than track WAN. Then you can set the WAN v6 to none.

                                          Steve
