Internet navigation problem using browser on LAN client host
-
Dear Users,
I'm having a problem with a LAN client and pfSense v.2.5.2.
I will try to explain my issue:
- WAN is configured to accept any protocols, from any sources to any destinations
- LAN client is able to download and upload files via FTP with a fast rate
- LAN client pings everything in acceptable time
- nslookup is working fine
BUT when I open a browser to navigate on the internet, navigation is very, very slow or, in some cases (randomly), navigation is not possible.
If I disable the firewall and let pfSense act as a simple router, everything works like a charm.
It seems that there is a "hidden" firewall rule that blocks the navigation, but there is only an any-any-any rule.
I just deployed a simple scenario using pfSense:
- WAN interface (with the public IP) is directly connected to a Cisco ME3400 ethernet switch;
- LAN interface (with a private IP) is directly connected to the LAN client that is experiencing the issue;
- WAN default gateway has been set correctly.
Could you please help me to understand where is the cause of the problem?
Thank you in advance,
Mauro
-
@mauro-tridici said in Internet navigation problem using browser on LAN client host:
It seems that there is a "hidden" firewall rule that blocks the navigation,
Indeed there is one. It's called default deny rule, but it is not shown in the GUI.
If this rule blocks something you will find an entry in the firewall log, assuming logging of the default deny rule is enabled.
Is there anything?
Your issue seems to me like an asymmetric routing problem. But if so you should find blocks in the log.
-
@viragomann thank you very much for your reply.
I'm a newbie and, unfortunately, I don't understand the meaning of asymmetric routing problem or how to solve it.
Anyway, you can find in attachment the screenshots of firewall rules related to WAN and LAN.
Is this the right way (the simplest at this testing moment) to say that the LAN client should be able to reach anything that is on the internet?
-
@mauro-tridici
These screens are showing the firewall rules. But as mentioned, we are talking about a hidden rule. So naturally you will not be able to see it there. But you can possibly find respective blocks in the logs though.
So check in Status > System Logs > Settings if the option "Log firewall default blocks" is enabled. If it isn't, check it, save the setting and initiate some traffic.
Then go to Status > System Logs > Firewall and look if there are block entries:
-
@viragomann many thanks for your patience, I really appreciated it.
Log collection is enabled for the default rule, but no "blocks" have been detected.
I just read something about the ASR mentioned by you, but I think (or I hope) that it is not related to my issue because, if I configure pfSense to act as a router, it works without problem (I'm not an expert, sorry if I made a mistake). Something happens when I revert pfSense to act as a router+firewall.
I was thinking about a DNS problem, but nslookup executed from client works fine. Any other idea? :) thank you for the time you are spending for my case
-
@mauro-tridici
Blocks regarding asymmetric routing would be logged if default deny logging is enabled.
And yes, if you disable the firewall, they would be gone. Therefore I was assuming it's an ASR issue.
Do you have any other package like pfBlockerNG or IDS/IPS enabled?
Some hints in the System log?
-
@viragomann thank you. No, no pfblockerNG, no IDS/IPS.
It's a fresh and basic installation.
It is very strange that I have no problem with FTP, ping, nslookup, SSH and other kinds of "sessions" started from the LAN client.
The problem appears only when I open the browser and I try to navigate.
Browser navigation is impossible and in most cases the browser is unable to reach the target site.
Why does this happen only with the HTTP/HTTPS protocols?
-
@viragomann said in Internet navigation problem using browser on LAN client host:
Blocks regarding asymmetric routing would be logged if default deny logging is enabled.
Sorry, I forgot to ask you what kind of message I should see in this case in the logs :)
-
@mauro-tridici said in Internet navigation problem using browser on LAN client host:
I forgot to ask you what kind of message I should see in this case in the logs :)
Pretty much anything, since I have no idea what could be the reason for now.
Usually there are not really many lines written into the system log during normal operation anyway.
Is this pfSense running in a VM?
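
The firewall-log check discussed in this thread, as an added example that is not part of any post: the Python below reads raw filterlog lines and separates blocked connection attempts (TCP:S) from blocked packets that belong to already-open connections (TCP:A, TCP:SA and similar), which is how blocks caused by asymmetric routing show up. It assumes the raw filterlog CSV field layout for IPv4 TCP entries; the sample lines, interface names and ids are constructed.

```python
import re

# Assumed field positions in a raw filterlog entry (IPv4 + TCP layout).
IFACE, ACTION, DIRECTION, IPVER, PROTO = 4, 6, 7, 8, 16
SRC, DST, SPORT, DPORT, TCPFLAGS = 18, 19, 20, 21, 23

# Constructed sample lines: documentation addresses, made-up ports and ids.
SAMPLE_LOG = """\
Oct 12 10:01:02 fw filterlog[411]: 4,,,1001,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.1.10,203.0.113.80,51000,443,0,A,,100,1024,,
Oct 12 10:01:03 fw filterlog[411]: 9,,,2002,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.10,203.0.113.80,51001,443,0,S,200,,65535,,mss
Oct 12 10:01:04 fw filterlog[411]: 4,,,1001,em0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,198.51.100.7,192.0.2.1,40000,22,0,S,300,,65535,,mss
Oct 12 10:01:05 fw filterlog[411]: 4,,,1001,em0,match,block,in,4,0x0,,57,0,0,DF,6,tcp,60,203.0.113.80,192.0.2.1,443,51000,0,SA,400,101,65535,,mss
Oct 12 10:01:06 fw filterlog[411]: 4,,,1001,em0,match,block,in,4,0x0,,64,0,0,none,17,udp,76,198.51.100.7,192.0.2.1,5353,5353,56
"""


def blocked_tcp(log_text):
    """Return blocked IPv4 TCP entries, tagged 'new' (bare SYN) or 'out-of-state'."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"filterlog(?:\[\d+\])?:\s*(.+)", line)
        if not m:
            continue
        f = m.group(1).split(",")
        # Skip short (non-TCP) records before indexing the TCP flags field.
        if len(f) <= TCPFLAGS or f[PROTO] != "tcp" or f[IPVER] != "4":
            continue
        if f[ACTION] != "block":
            continue
        hits.append({
            "iface": f[IFACE],
            "dir": f[DIRECTION],
            "flow": f"{f[SRC]}:{f[SPORT]} -> {f[DST]}:{f[DPORT]}",
            "flags": f[TCPFLAGS],
            # A bare SYN opens a connection, so a rule refused it. Any other
            # flag set belongs to an existing connection the firewall holds no
            # state for, the pattern asymmetric routing produces.
            "kind": "new" if f[TCPFLAGS] == "S" else "out-of-state",
        })
    return hits


if __name__ == "__main__":
    for h in blocked_tcp(SAMPLE_LOG):
        print(f"{h['kind']:<12} {h['iface']} {h['dir']} TCP:{h['flags']:<2} {h['flow']}")
```

Many `out-of-state` hits for the LAN client's web traffic would support the asymmetric routing theory; none at all, as reported in this thread, points elsewhere.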