No access to Zoom meetings
-
Re: Certain Zoom Meeting codes not working
On two occasions I have not been able to access Zoom via my Netgate/pfsense router. No other internet access concerns were noted.
After reboot of the router, I was able to access Zoom.
Thoughts?
-
@kwessel pfBlocker? DNS issue? Downstream router/filter? etc...?
-
@hieroglyph I have a fairly simple setup. With the exception of an OpenVPN to my office I am using default settings. I have not used pfBlocker. I had the ISP primary and secondary DNS servers set. I have now added 8.8.8.8 and 1.1.1.1. No downstream filter that I am aware of. What particularly puzzles me is that I can connect to Zoom immediately after a reboot. As such, it appears something happens with the router between a reboot, when I can access Zoom to a few weeks later when I cannot. In the interim I have made no changes to the router.
-
@kwessel Interesting. I just experienced the same thing today. Everything else worked, only zoom stopped working. This occurred about 4 days after I upgraded to the latest 21.02 release, but zoom worked for a few days after the upgrade.
A reboot of the PFsense appliance resolved my issue.
-
I use zoom pretty much every single day, multiple meetings normally.. (work from home since start of covid) Zero issues running 21.02p1, or any other previous version either.
Why would pfsense block access to some IP? Most likely your issue is dns related..
I had the ISP primary and secondary DNS servers set
So you disabled the default of pfsense using just the roots and being a resolver?
With the exception of an OpenVPN to my office
So you have pfsense setup as client to your work vpn - are you policy routing, routing all traffic through this work vpn?
-
@johnpoz I also have been using zoom zealously for a year, 2 people in the house, 6-10 meetings a day probably in total. Today was the first time I have seen that behavior where zoom stops connecting.
I agree about DNS being the likely culprit. I looked at the dropped packet log and compared it to Zoom's list of ports and IP addresses, and didn't see any overlap. I didn't do any further investigation before I rebooted the unit though.
-
@dredre said in No access to Zoom meetings:
I didn't do any further investigation before I rebooted the unit though.
Sometimes that is the quickest thing to try - but not good for getting to the root of the problem.
If next time it happens you have time to look into what is actually going on.. Packet capture - check that pfsense is sending syn, out the wan.. Could have been a temp thing on zoom side, or isp thing, or just peering across the internet. Or yeah dns, can validate that the fqdn you're trying to connect to actually resolves, etc.
-
Running pfSense CE 2.5.1-RELEASE
I have found that after a boot "some time later" Zoom stops connecting. Nothing in the logs that I can see, nothing being blocked, DNS resolving, ETC.
HOWEVER: I have found that disabling IPv6 on the WAN interface makes Zoom work again without a pfSense reboot. Re-enabling IPv6 doesn't. Tested this client-side too: Disabling IPv6 forcing IPv4 only causes Zoom to suddenly start working again.
Obviously Zoom is preferring IPv6 on two different MacBooks and my iPhone and something is going bad with pfSense and IPv6 as far as Zoom is concerned, yet an IPv6 test shows nothing wrong (ping, DNS lookup, https://ipv6-test.com, http://test-ipv6.com, https://ipv6test.google.com).
Zoom's firewall requirements are here:
I just looked at the tests and logs again and added two rules:
WAN: Allow ICMP because IPv6 uses it a lot
LAN: IPv6 port 5353 Something seems to be hammering it?
Neither of these caused Zoom with IPv6 enabled to start working. Weirdly there's nothing in the firewall logs with IPv6 addresses on it.
That might explain why restarting unbound and/or pfBlocker doesn't seem to fix this either.
-
@daplumber said in No access to Zoom meetings:
something is going bad with pfSense
Says who? Is the ipv6 leaving the wan.. Then it has nothing to do with pfsense.
Did your ipv6 address change? You ever think it's just your isp, or zoom and ipv6? Maybe your prefix changed or your address changed and zoom doesn't like it. etc..
Simple fix - don't use ipv6 ;)
-
@johnpoz Sorry, something is going wrong with IPv6 then. I timed it, it's repeatable, Zoom stops working with IPv6 enabled about 2 minutes after pfSense reboot.
-
Is your prefix changing? You say other things are working, like testipv6, etc. Are other ipv6 sites loading?
Can you reconnect to the zoom call?
If pfsense sends on the ipv6 traffic that you're trying to send, and you get no response - or for whatever reason the other end doesn't like it. Not a pfsense thing.
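The packet-capture check suggested in the replies above (is the SYN leaving the WAN, and does an answer come back?) can be scripted. This is an added example, not part of the original thread: it reads `tcpdump -n` text output from the WAN interface and lists, per address family, the TCP SYNs that never received a SYN-ACK. The capture lines are constructed and use documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output on the WAN interface
# (documentation address ranges; not data from the thread).
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 203.0.113.10.51000 > 198.51.100.20.443: Flags [S], seq 100, win 65535, length 0
12:00:01.020300 IP 198.51.100.20.443 > 203.0.113.10.51000: Flags [S.], seq 900, ack 101, win 65535, length 0
12:00:01.020900 IP 203.0.113.10.51000 > 198.51.100.20.443: Flags [.], ack 901, win 65535, length 0
12:00:02.000100 IP6 2001:db8:1::10.51001 > 2001:db8:2::20.443: Flags [S], seq 200, win 65535, length 0
12:00:03.000400 IP6 2001:db8:1::10.51001 > 2001:db8:2::20.443: Flags [S], seq 200, win 65535, length 0
12:00:05.000900 IP6 2001:db8:1::10.51001 > 2001:db8:2::20.443: Flags [S], seq 200, win 65535, length 0
12:00:06.000100 IP6 2001:db8:1::10.51002 > 2001:db8:3::30.443: Flags [S], seq 300, win 65535, length 0
12:00:06.030100 IP6 2001:db8:3::30.443 > 2001:db8:1::10.51002: Flags [S.], seq 700, ack 301, win 65535, length 0
"""

# timestamp, "IP" or "IP6", src addr.port, dst addr.port, TCP flags
LINE_RE = re.compile(r"^\S+ (IP6?) (\S+) > (\S+): Flags \[([^\]]+)\]")


def unanswered_syns(capture_text):
    """Return {family: [(src, dst, syn_count), ...]} for SYNs with no SYN-ACK."""
    syns = defaultdict(int)  # (family, src, dst) -> SYNs seen, retransmits included
    answered = set()         # flows for which a SYN-ACK came back
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line in the expected format
        family, src, dst, flags = m.groups()
        if flags == "S":
            syns[(family, src, dst)] += 1
        elif flags == "S.":
            # A SYN-ACK travels dst -> src, so swap to match the original SYN.
            answered.add((family, dst, src))
    result = defaultdict(list)
    for (family, src, dst), count in syns.items():
        if (family, src, dst) not in answered:
            result[family].append((src, dst, count))
    return dict(result)


if __name__ == "__main__":
    for family, flows in unanswered_syns(SAMPLE_CAPTURE).items():
        for src, dst, count in flows:
            print(f"{family}: {src} -> {dst} sent {count} SYN(s), no SYN-ACK seen")
```

SYNs that show up here were forwarded out the WAN and went unanswered, which is the case the replies describe as not being a pfSense problem; a flow that never appears in the WAN capture at all is the case worth chasing on the firewall.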
-
@johnpoz said in No access to Zoom meetings:
Is your prefix changing? You say other things are working, like testipv6, etc. Are other ipv6 sites loading?
Can you reconnect to the zoom call?
If pfsense sends on the ipv6 traffic that you're trying to send, and you get no response - or for whatever reason the other end doesn't like it. Not a pfsense thing.
Yes, a random selection of IPv6 sites work just fine plus ipv6.google.com.
Prefix is 64, which is supposed to be best for Comcast, but 60 works exactly the same. Prefix doesn't change unless I request it on pfSense. Comcast uses dhcpv6 not SLAAC by the way.
Interestingly I connected on my iPhone with WiFi off, then re-enabled WiFi and turned off Cell data and the Zoom call stayed up. I could not reconnect if I left.
I can't turn off only IPv6 from an iPhone, but I can from a MacOS 11.2.3 MacBook with "networksetup -setv6off Wi-Fi". Forced to use IPv4 Zoom works fine. My cell provider hands out an IPv6 address too, which tests as good, so I know it's only when trying to put IPv6 through the pfSense box.
I can try connecting a MacBook directly to the Cable Modem, but I highly doubt Comcast has an adaptive filter running. That's one of the reasons I'm running pfSense in the first place.
SOMETHING is getting mangled/blocked in Zoom's rendezvous process when it goes through pfSense's IPv6 stack. The fact that it works for a short time after reboot suggests something like pfBlocker, but I can't find any evidence of that.
Zoom's connection process at a high level is documented here: link text
Any other ideas, I'm out?