pfSense and Linksys Velop config - not working properly
-
Hello,
I've been trying to replace my ISP router with a Netgate 2100. I did it with someone (IT) helping since I'm a beginner.
When he changed the Linksys Velop system (mesh system) to Bridge mode, it worked for a few hours then started not working properly.
We've been trying to solve this issue for about a month and the system still doesn't work properly.
Currently, the Netgate is connected to the ISP cable and the mesh system (in bridge mode) to the Netgate.
The issue is that some devices (iPhone, computer) can't load some websites or apps from time to time. It's totally random. Sometimes it works and sometimes it doesn't. I feel that if I turn wifi off and back on, it works again.
My IT guy doesn't have many more ideas about where the issue could come from, and the Netgate guys made some limited recommendations (I don't have a package with them).
Any ideas? Let me know if you need more info, happy to share anything.
Thanks!!
-
Do you see anything blocked in the firewall logs when this happens?
Are you running any packages?
How exactly does it fail? What error is shown on the client?
Steve
-
@stephenw10 Hi Stephen,
Apologies in advance for my response... I'm a newbie with computers :(
I'm not sure if it's the correct way but if I go to "Status/System" and then click on "Firewall", I see a lot of log entries (see a few attached).
By fail, I mean the connection seems unstable, especially when lightsquid is enabled.
For example, when I'm on a device and lightsquid is enabled, if I try to connect to an app (let's say Netflix for instance), it'll show me an error message "no internet connection". I restart the app, same result. If I disable lightsquid and try again, it works...
I just realized that 2 days ago so I am running tests with lightsquid disabled and it seems that wifi works much better.
On the errors, I'm sorry but I have no idea how to see them (where should I look for these errors?).
Apologies again for being so "dumb" with this.
-
Yes, the correct place to look. Those blocks are all on WAN though which is expected. Unsolicited incoming traffic from the public Internet should be blocked.
I think you mean Squid here. The Lightsquid package is only the report generating tool for Squid.
So it looks like a Squid problem. How is Squid configured? Full https intercept? Transparent mode?
Do you actually need Squid? If not it's probably causing more problems than it will solve, I would disable it.
Steve
-
Thanks, good to know about the traffic.
Yes, I definitely meant Squid. I actually installed pfSense to use this package so it'd be a pain if I have no way to enable it.
Yes, the transparent HTTP proxy is enabled and HTTPS Interception is enabled with the "splice all" option in "SSL/MITM Mode" to avoid installing certificates on each device.
I can do screenshots of everything if it helps.
-
The most common issue with Squid traffic not passing is some sort of DNS mismatch:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/squid.html#sites-not-loading-with-splice-error-409-in-access-log
You should check the Squid real-time logs for that error.
Steve
-
@stephenw10 Thanks Steve!
I've reviewed the Real Time log and didn't see this error when I had an issue, for example with Netflix, which I launch from device 192.168.1.70...
Here are 2 screenshots showing what happened if you see anything weird.
Also, as said before I'm a beginner and in the link you shared, they recommend clearing the cache and reinstalling everything. I'd like to try but don't even know how to "use" the command lines... not sure if this is under Diagnostic/Command Prompt/Execute Shell command?
If so, do I enter line by line? Or all the lines in the green window at once?
Thanks a lot for your help, really appreciate it!
-
All of those lines showing NONE/409 are that issue.
Make sure both Squid and clients are using the same DNS. And preferably that should be Unbound in pfSense so the results are cached and both get the same thing.
Steve
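
Added example, not part of the original post and not pfSense or Squid project code: one way to tally the two access-log results mentioned in this thread (NONE/409 and NONE/000 error:transaction-end-before-headers) per client. The log lines are constructed samples in Squid's native access.log layout, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Squid's native access.log layout (not from the thread).
SAMPLE_LOG = """\
1700000001.101     12 192.168.1.70 NONE/409 4180 CONNECT media.example.net:443 - HIER_NONE/- text/html
1700000002.202  30211 192.168.1.70 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 - ORIGINAL_DST/203.0.113.10 -
1700000003.303      0 192.168.1.71 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1700000004.404      9 192.168.1.70 NONE/409 4180 CONNECT media.example.net:443 - HIER_NONE/- text/html
1700000005.505     15 192.168.1.72 NONE/409 4175 CONNECT api.example.org:443 - HIER_NONE/- text/html
"""

# Fields: time elapsed client result/status bytes method URL ...
LINE_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def classify(status, url):
    """Map one log entry to the two failure kinds discussed in the thread."""
    if status == "409":
        return "409-dns-mismatch"
    if url == "error:transaction-end-before-headers":
        return "closed-before-headers"
    return None

def summarize(log_text):
    """Return (failure counts per client, 409 counts per destination)."""
    per_client = defaultdict(Counter)
    hosts_409 = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines
        kind = classify(m["status"], m["url"])
        if kind is None:
            continue  # successful or unrelated entry
        per_client[m["client"]][kind] += 1
        if kind == "409-dns-mismatch":
            # CONNECT targets look like host:port; keep only the host
            url = m["url"]
            hosts_409[url.rsplit(":", 1)[0] if m["method"] == "CONNECT" else url] += 1
    return per_client, hosts_409

if __name__ == "__main__":
    clients, hosts = summarize(SAMPLE_LOG)
    for client, kinds in sorted(clients.items()):
        print(client, dict(kinds))
    print("409 destinations:", hosts.most_common())
```

The destinations with the most 409 entries are the hostnames worth comparing between the DNS answer the client gets and the one Squid gets.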
-
@stephenw10
OMG... I really feel you'll hate me and think I'm so dumb...
Just want to let you know that I have no background in computers and started to use pfSense about 1 month ago but I learn a lot, especially with each of your comments, so thanks!
I've looked for DNS in both Squid and General Configuration... I think -but am not sure- that they are the same since there is nothing filled in Squid/Use Alternate DNS Servers for the Proxy Server... Below screenshot.
Regarding the "make sure client DNS is same as Squid" comment. Is the "Client" the device?
If so, my device Wifi says "Configure DNS - Automatic".
So so sorry for being that bad :(
-
Mmm, do you have the DNS Resolver in forwarding mode? Check: Services > DNS Resolver.
By default it's in resolving mode so it resolves directly and ignores whatever you have set there in general setup.
If it's in forwarding mode it will use the servers configured there (Google's DNS) except you have 'DNS Server Override' enabled so you would be using whatever your ISP is passing you.
I would try setting 127.0.0.1 in the Squid DNS settings to be sure it is using Unbound (the Resolver) and not Google.
Steve
-
So no, the forwarding mode isn't enabled.
Should I enable it?
Should I disable the "DNS Server Override" in the General Setup?
And/or
Add 127.0.0.1 in the Squid "Use Alternate DNS Servers for the Proxy Server"?
I feel I'm close here thanks to you!
-
No, resolving mode should work fine.
I would expect it to work with those settings but I would try setting the DNS in Squid to 127.0.0.1 to force it to also use Unbound.
Steve
-
@stephenw10 Great, I'll put 127.0.0.1 in the Squid "Use Alternate DNS Servers for the Proxy Server" and run some test to see if this solves my issue.
Thanks again Steve for your time, I really appreciated it!
-
@stephenw10
Hi Steve,
So unfortunately it didn't change anything.
When Squid server is enabled, I still have connectivity issues. Have to turn off wifi, use data, turn on wifi and I can access the website or app.
As said before, it is irregular and happens from time to time.
Any other idea?
Thanks!
-
Hmm, well if you're seeing those 409 errors it's because of a DNS resolution mismatch so you need to ensure both Squid and the clients are resolving to the same IPs.
However I would argue you don't need Squid at all and should just disable it.
Steve
-
@stephenw10
Hey!
So I don't have error 409 or at least don't see it often but have this error:
NONE/000 error:transaction-end-before-headers
Maybe it helps?
My issue is that squid is the main reason I use pfsense!
-
Mmm, well that's something else. I'm not aware of anything in particular that might cause that.
Check the Squid logs.
What are you using Squid for?
Steve