pfSense blocking addic7ed, but how ?
-
I noticed that https://www.addic7ed.com/ is blocked by my FW lately.
The problem persists even after disabling pfBNG and snort; I see the FW passing traffic to its IP 46.105.102.174.
Scratching my head WTH ? What can be blocking it?
wget www.addic7ed.com
--2021-05-14 09:41:11-- http://www.addic7ed.com/
Resolving www.addic7ed.com (www.addic7ed.com)... 46.105.102.174
Connecting to www.addic7ed.com (www.addic7ed.com)|46.105.102.174|:80... failed: Connection timed out.
Retrying.
--2021-05-14 09:43:23-- (try: 2) http://www.addic7ed.com/
Connecting to www.addic7ed.com (www.addic7ed.com)|46.105.102.174|:80...
Anybody knows what's going on?
Happy Friday !
-
Why would you think pfsense is blocking..
If you see traffic passing.. Then it's not pfsense blocking.
Do a simple sniff on pfsense wan when you try that.. Do you see your syn go out? What do you get back - with a timeout I would assume you're not getting anything back, not an RST, etc.
If you see traffic to that IP leave pfsense, then it's not pfsense.
-
@chudak said in pfSense blocking addic7ed, but how ?:
https://www.addic7ed.com/
Works fine for me with pfB enabled.
-
@johnpoz said in pfSense blocking addic7ed, but how ?:
Why would you think pfsense is blocking..
If you see traffic passing.. Then it's not pfsense blocking.
Do a simple sniff on pfsense wan when you try that.. Do you see your syn go out? What do you get back - with a timeout I would assume you're not getting anything back, not an RST, etc.
If you see traffic to that IP leave pfsense, then it's not pfsense.
Yeah I guess you are right, I should have said "Something is blocking..."
I see this hanging ...
wget www.addic7ed.com
--2021-05-14 09:57:17-- http://www.addic7ed.com/
Resolving www.addic7ed.com (www.addic7ed.com)... 46.105.102.174
Connecting to www.addic7ed.com (www.addic7ed.com)|46.105.102.174|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.addic7ed.com/ [following]
--2021-05-14 09:57:18-- https://www.addic7ed.com/
Connecting to www.addic7ed.com (www.addic7ed.com)|46.105.102.174|:443... connected.
HTTP request sent, awaiting response...
I also saw CLOSED:SYN_SENT in states
So it maybe/must be something else. Just trying to understand all this.
How do I "Do a simple sniff on pfsense wan" ?
Thx
-
@chudak You're not getting a response back from them according to wget. To do a packet capture, go to Diagnostics - Packet Capture. Leave it all at defaults except for Host Address, which you should plonk in 46.105.102.174. Click Start at the bottom. Then use a browser or wget to fetch that site again. When it fails, stop the capture and then look at what it says. We can help with that if you post the output with your public IP obscured.
-
Do it on the WAN side.. the LAN side is not going to validate that pfsense sent it on.
-
@kom said in pfSense blocking addic7ed, but how ?:
@chudak You're not getting a response back from them according to wget. To do a packet capture, go to Diagnostics - Packet Capture. Leave it all at defaults except for Host Address, which you should plonk in 46.105.102.174. Click Start at the bottom. Then use a browser or wget to fetch that site again. When it fails, stop the capture and then look at what it says. We can help with that if you post the output with your public IP obscured.
I did it on WAN and it does not show much, only many lines like this:
10:21:58.350108 IP WAN_IP.1089 > 46.105.102.174.80: tcp 0
-
@chudak That site is https with an http redirect. Try your test again using a browser and go to https://www.addic7ed.com
-
See this, better ?
10:36:38.601908 IP WAN_IP > ISP_IP: ICMP echo request, id 3384, seq 43306, length 9
10:36:38.604259 IP ISP_IP > WAN_IP: ICMP echo reply, id 3384, seq 43306, length 9
10:36:38.637137 IP WAN_IP.64380 > 9.9.9.9.853: tcp 0
10:36:38.640579 IP WAN_IP.24273 > 172.217.6.46.443: UDP, length 423
10:36:38.641853 IP 9.9.9.9.853 > WAN_IP.64380: tcp 0
10:36:38.641899 IP WAN_IP.64380 > 9.9.9.9.853: tcp 0
10:36:38.642325 IP WAN_IP.64380 > 9.9.9.9.853: tcp 293
10:36:38.644763 IP 172.217.6.46.443 > WAN_IP.24273: UDP, length 32
10:36:38.646518 IP WAN_IP.24273 > 172.217.6.46.443: UDP, length 34
10:36:38.646678 IP 9.9.9.9.853 > WAN_IP.64380: tcp 0
10:36:38.647248 IP 9.9.9.9.853 > WAN_IP.64380: tcp 1448
10:36:38.647262 IP WAN_IP.64380 > 9.9.9.9.853: tcp 0
10:36:38.647265 IP 9.9.9.9.853 > WAN_IP.64380: tcp 1436
10:36:38.647278 IP WAN_IP.64380 > 9.9.9.9.853: tcp 0
10:36:38.651608 IP WAN_IP.64380 > 9.9.9.9.853: tcp 80
10:36:38.656734 IP 9.9.9.9.853 > WAN_IP.64380: tcp 239
10:36:38.656751 IP WAN_IP.64380 > 9.9.9.9.853: tcp 152
10:36:38.656756 IP 9.9.9.9.853 > WAN_IP.64380: tcp 239
10:36:38.656765 IP WAN_IP.64380 > 9.9.9.9.853: tcp 0
10:36:38.665453 IP 172.217.6.46.443 > WAN_IP.24273: UDP, length 535
10:36:38.665795 IP 172.217.6.46.443 > WAN_IP.24273: UDP, length 69
10:36:38.666163 IP WAN_IP.24273 > 172.217.6.46.443: UDP, length 40
10:36:38.667843 IP WAN_IP.24273 > 172.217.6.46.443: UDP, length 34
10:36:38.671232 IP 172.217.6.46.443 > WAN_IP.24273: UDP, length 26
10:36:38.682128 IP 9.9.9.9.853 > WAN_IP.64380: tcp 84
10:36:38.682140 IP WAN_IP.64380 > 9.9.9.9.853: tcp 0
10:36:38.682866 IP WAN_IP.21724 > 34.199.142.162.1883: tcp 549
10:36:38.688527 IP WAN_IP.31640 > 142.250.72.195.443: UDP, length 1350
10:36:38.710016 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 1350
10:36:38.711884 IP WAN_IP.31640 > 142.250.72.195.443: UDP, length 1350
10:36:38.712253 IP WAN_IP.31640 > 142.250.72.195.443: UDP, length 462
10:36:38.716607 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 612
10:36:38.716623 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 76
10:36:38.716875 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 29
10:36:38.717267 IP WAN_IP.31640 > 142.250.72.195.443: UDP, length 33
10:36:38.734409 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 375
10:36:38.734733 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 25
10:36:38.735170 IP WAN_IP.31640 > 142.250.72.195.443: UDP, length 35
10:36:38.759637 IP 34.199.142.162.1883 > WAN_IP.21724: tcp 53
10:36:38.761106 IP WAN_IP.31640 > 142.250.72.195.443: UDP, length 33
10:36:38.764603 IP 142.250.72.195.443 > WAN_IP.31640: UDP, length 25
10:36:38.903124 IP WAN_IP.10538 > 66.115.176.155.51820: UDP, length 304
10:36:38.903134 IP WAN_IP.10538 > 66.115.176.155.51820: UDP, length 1452
10:36:38.903234 IP WAN_IP.10538 > 66.115.176.155.51820: UDP, length 1452
10:36:38.907129 IP 66.115.176.155.51820 > WAN_IP.10538: UDP, length 96
10:36:38.907248 IP 66.115.176.155.51820 > WAN_IP.10538: UDP, length 96
10:36:38.907546 IP WAN_IP.10538 > 66.115.176.155.51820: UDP, length 832
10:36:38.911514 IP 66.115.176.155.51820 > WAN_IP.10538: UDP, length 96
10:36:38.965953 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:38.965976 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:38.965993 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:38.966010 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:38.966021 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:38.966066 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:38.966079 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1155
10:36:38.966309 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
10:36:38.966320 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
10:36:38.966721 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:38.966752 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:38.966857 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:38.966881 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1233
10:36:38.966974 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
10:36:38.967573 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
10:36:38.967612 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:38.967643 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:38.967746 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 832
10:36:38.967882 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
10:36:38.970822 IP WAN_IP.21724 > 34.199.142.162.1883: tcp 0
10:36:39.010108 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
10:36:39.038817 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.038872 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.038905 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.038925 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.038949 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.038978 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039005 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039031 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039135 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039149 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039160 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039177 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039188 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039201 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039212 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039231 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
10:36:39.039239 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039266 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039292 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039319 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
10:36:39.039451 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
10:36:39.039460 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
10:36:39.039590 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039609 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039722 IP WAN_IP.13554 > EXTERNAL_BOX_VNC.9901: tcp 0
10:36:39.039724 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039741 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039754 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039769 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039781 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
10:36:39.039793 IP EXTERNAL_BOX_VNC.9901 > WAN_IP.13554: tcp 1448
Always wanted to improve on packet capture, thank you for helping !
-
You should filter on the IP you're trying to go to.. this 46.105.102.174
Or it's going to log everything - defaults to only 100 packets. So it's quite possible you miss what you're looking for.
Also you can then download that into wireshark and get more details.. If there is an answer, was it RST or FIN, etc.
-
@johnpoz said in pfSense blocking addic7ed, but how ?:
You should filter on the IP you're trying to go to.. this 46.105.102.174
Or it's going to log everything - defaults to only 100 packets. So it's quite possible you miss what you're looking for.
Also you can then download that into wireshark and get more details.. If there is an answer, was it RST or FIN, etc.
I still see only
11:31:06.926814 IP WAN_IP.1089 > 46.105.102.174.80: tcp 0
and assuming that I understood you correctly for "If there is an answer, was it RST or FIN, etc." I see in pfTop:
pfTop: Up State 1-8/8 (571), View: default, Order: bytes
PR  DIR SRC                 DEST                STATE                   AGE      EXP      PKTS BYTES
tcp In  192.168.90.8:56162  46.105.102.174:443  ESTABLISHED:FIN_WAIT_2  00:08:17 00:10:08 3745 3625782
tcp Out WAN_IP:14382        46.105.102.174:443  FIN_WAIT_2:ESTABLISHED  00:08:17 00:10:08 3745 3625782
tcp In  192.168.90.3:32870  46.105.102.174:443  CLOSED:SYN_SENT         00:00:37 00:00:24 6    360
Maybe using Packet Capture incorrectly ?!
-
@chudak Why is it going to port 80 when I asked you to go to https? Set your packet capture to WAN and host address 46.105.102.174 then start it, then go to your browser and try the address https://www.addic7ed.com and don't forget the S.
-
No clue why it showed port 80.
Hit in FF https://www.addic7ed.com/
11:42:51.219581 IP WAN_IP.4881 > 46.105.102.174.443: tcp 0
11:42:51.469814 IP WAN_IP.38930 > 46.105.102.174.443: tcp 0
11:42:52.238682 IP WAN_IP.4881 > 46.105.102.174.443: tcp 0
-
And you get no answer.. from that last sniff.. So pfsense is NOT blocking anything..
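The reasoning in this thread (did the SYN leave the WAN, and did anything come back?) and the pfTop state pairs posted above can be checked mechanically. The script below is an added example written for this page; it is not code from the thread, from pfSense or from the pfSense packet-capture feature. It parses the text format that pfSense's Diagnostics > Packet Capture prints (the `IP src.port > dst.port: tcp N` lines shown above) and the nine pfTop columns (PR DIR SRC DEST STATE AGE EXP PKTS BYTES), then reports whether the target answered at all. The sample capture lines and pfTop rows are constructed to mirror the thread; `WAN_IP` is kept as the anonymised placeholder, and the "reply" capture is an invented contrast case, not something the poster saw.

```python
"""Triage a pfSense WAN packet capture and pfTop rows for one target host."""
import re

# Constructed sample in the pfSense packet-capture text format, mirroring
# the thread: three SYNs (payload length 0) to the target and no reply.
CAPTURE_NO_REPLY = """\
11:42:51.219581 IP WAN_IP.4881 > 46.105.102.174.443: tcp 0
11:42:51.469814 IP WAN_IP.38930 > 46.105.102.174.443: tcp 0
11:42:52.238682 IP WAN_IP.4881 > 46.105.102.174.443: tcp 0
"""

# Constructed contrast case (not from the thread): the target answers and
# data flows; an ICMP line is included to show that non-TCP/UDP lines are skipped.
CAPTURE_REPLY = """\
14:28:08.100000 IP WAN_IP.5000 > 46.105.102.174.443: tcp 0
14:28:08.120000 IP 46.105.102.174.443 > WAN_IP.5000: tcp 0
14:28:08.120100 IP WAN_IP.5000 > 46.105.102.174.443: tcp 0
14:28:08.121000 IP WAN_IP.5000 > 46.105.102.174.443: tcp 517
14:28:08.150000 IP ISP_IP > WAN_IP: ICMP echo request, id 1, seq 1, length 9
"""

# Constructed pfTop rows in the thread's column order:
# PR DIR SRC DEST STATE AGE EXP PKTS BYTES
PFTOP_ROWS = """\
tcp In 192.168.90.8:56162 46.105.102.174:443 ESTABLISHED:FIN_WAIT_2 00:08:17 00:10:08 3745 3625782
tcp Out WAN_IP:14382 46.105.102.174:443 FIN_WAIT_2:ESTABLISHED 00:08:17 00:10:08 3745 3625782
tcp In 192.168.90.3:32870 46.105.102.174:443 CLOSED:SYN_SENT 00:00:37 00:00:24 6 360
"""

# "tcp N" carries the payload length; "UDP, length N" likewise. The host part
# may be an IPv4 address or an anonymised token such as WAN_IP.
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<proto>tcp|UDP),? (?:length )?(?P<len>\d+)$"
)


def parse_capture(text):
    """Yield one dict per TCP/UDP capture line; other lines (ICMP etc.) are skipped."""
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage_host(capture_text, target, dport=None):
    """Count traffic to and from `target` (optionally one port) and state what it implies."""
    out_ports = set()   # our source ports that sent something to the target
    answered = set()    # our ports that received at least one packet back
    for pkt in parse_capture(capture_text):
        if pkt["dst"] == target and (dport is None or pkt["dport"] == str(dport)):
            out_ports.add(pkt["sport"])
        elif pkt["src"] == target and (dport is None or pkt["sport"] == str(dport)):
            answered.add(pkt["dport"])
    if not out_ports:
        verdict = "nothing to the target left the WAN: look at pfSense rules and routing"
    elif not answered:
        verdict = ("SYNs left the WAN and nothing came back: pfSense is not blocking; "
                   "look upstream (ISP path, or the remote site dropping your WAN IP)")
    else:
        # The summary format has no TCP flags, so SYN-ACK vs RST needs the pcap.
        verdict = ("replies seen; open the pcap in Wireshark to check whether they "
                   "are SYN-ACK (reachable) or RST (refused)")
    return {"outbound_ports": sorted(out_ports, key=int),
            "answered_ports": sorted(answered, key=int),
            "unanswered_ports": sorted(out_ports - answered, key=int),
            "verdict": verdict}


def classify_pf_state(state_pair):
    """Interpret a pf TCP state pair such as CLOSED:SYN_SENT without caring which side is which."""
    sides = set(state_pair.split(":"))
    if sides == {"CLOSED", "SYN_SENT"}:
        return "handshake never completed: SYN sent, no SYN-ACK seen"
    if sides == {"ESTABLISHED"}:
        return "open connection"
    if sides & {"FIN_WAIT_1", "FIN_WAIT_2", "CLOSING", "TIME_WAIT", "LAST_ACK", "CLOSE_WAIT"}:
        return "connection was established and is now closing"
    return "other: " + state_pair


def parse_pftop(text):
    """Parse pfTop rows (PR DIR SRC DEST STATE AGE EXP PKTS BYTES) into dicts; the header is skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or not f[7].isdigit():
            continue
        rows.append({"proto": f[0], "dir": f[1], "src": f[2], "dst": f[3],
                     "state": f[4], "meaning": classify_pf_state(f[4]),
                     "pkts": int(f[7]), "bytes": int(f[8])})
    return rows


if __name__ == "__main__":
    for label, cap in (("no reply", CAPTURE_NO_REPLY), ("reply", CAPTURE_REPLY)):
        print(label, "->", triage_host(cap, "46.105.102.174", 443)["verdict"])
    for row in parse_pftop(PFTOP_ROWS):
        print(row["dir"], row["src"], "->", row["dst"], row["state"], ":", row["meaning"])
```

Run it against the text you get from the packet-capture page (filtered on the host, as suggested above) and the pfTop rows for that host. For the thread's capture it reports SYNs out on two local ports and none answered, which is exactly the "not pfsense" conclusion; the CLOSED:SYN_SENT row is the same fact seen from the state table.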
-
@johnpoz said in pfSense blocking addic7ed, but how ?:
And you get no answer.. from that last sniff.. So pfsense is NOT blocking anything..
I agreed with that !
The question after that was what is blocking ?
I checked on a remote ubuntu box and it works fine. Could it be my ISP +/- upstream DNS servers ?
-
@chudak I had a guy last week with this same problem. It turned out his IP address was blocked for too many bad logins. He had other IPs available and when he switched to another, the remote site responded and worked. Do you have a VPN you could try going there through?
-
@kom said in pfSense blocking addic7ed, but how ?:
@chudak I had a guy last week with this same problem. It turned out his IP address was blocked for too many bad logins. He had other IPs available and when he switched to another, the remote site responded and worked. Do you have a VPN you could try going there through?
That may be a different issue.
I can use a remote system (not on my net) and can login from it.
Also in my case I can't even get to a login page...
-
What is upstream of your pfsense? Just your ISP? Could be a connectivity issue with that site from your ISP, ie peering. Or the site themselves might have blocked your IP, etc.
DNS is not involved once you resolve the fqdn.. If you got the correct IP when you resolved, then dns is no longer in the picture.. I show that resolving to the same IP.
And it works just fine here as far as connectivity is concerned: I get a redirect to 443 via a 301 when I hit it on 80, and then the index is downloaded.
user@NewUC:/tmp$ wget http://www.addic7ed.com/
--2021-05-14 14:28:08-- http://www.addic7ed.com/
Resolving www.addic7ed.com (www.addic7ed.com)... 46.105.102.174
Connecting to www.addic7ed.com (www.addic7ed.com)|46.105.102.174|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.addic7ed.com/ [following]
--2021-05-14 14:28:08-- https://www.addic7ed.com/
Connecting to www.addic7ed.com (www.addic7ed.com)|46.105.102.174|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
index.html [ <=> ] 329.76K 968KB/s in 0.3s
2021-05-14 14:28:10 (968 KB/s) - ‘index.html’ saved [337672]
user@NewUC:/tmp$
-
I can use a remote system (not on my net) and can login from it.
Well, that would make sense if your WAN address is blocked. The remote system isn't blocked.
Also in my case I can't even get to a login page...
In the other guy's case, they were blocking his IP at the external firewall so he didn't get a login page either.