Netgate Discussion Forum

Internet navigation problem using browser on LAN client host

    mauro.tridici
    last edited by Nov 25, 2021, 8:37 PM

    Dear Users,

    I'm having a problem with a LAN client and pfSense v.2.5.2.
    I will try to explain my issue:

    • WAN is configured to accept any protocols, from any sources to any destinations
    • LAN client is able to download and upload files via FTP with a fast rate
    • LAN client pings everything in acceptable time
    • nslookup is working fine

    BUT when I open a browser to navigate on the internet, navigation is very, very slow or, in some cases (randomly), navigation is not possible.

    If I disable the firewall and let pfSense act as a simple router, everything works like a charm.
    It seems that there is a "hidden" firewall rule that blocks the navigation, but there is only an any-any-any rule.

    I just deployed a simple scenario using pfSense:

    • WAN interface (with the public IP) is directly connected to a Cisco ME3400 ethernet switch;
    • LAN interface (with a private IP) is directly connected to the LAN client that is experiencing the issue;
    • WAN default gateway has been set correctly.

    Could you please help me to understand where the cause of the problem is?

    Thank you in advance,
    Mauro

      viragomann @mauro.tridici
      last edited by Nov 25, 2021, 8:58 PM

      @mauro-tridici said in Internet navigation problem using browser on LAN client host:

      It seems that there is a "hidden" firewall rule that blocks the navigation,

      Indeed there is one. It's called the default deny rule, but it is not shown in the GUI.
      If this rule blocks something you will find an entry in the firewall log, assuming logging of the default deny rule is enabled.
      Is there anything?

      Your issue seems to me like an asymmetric routing problem. But if so you should find blocks in the log.

        mauro.tridici @viragomann
        last edited by Nov 25, 2021, 9:51 PM

        @viragomann thank you very much for your reply.
        I'm a newbie and, unfortunately, I don't understand the meaning of an asymmetric routing problem or how to solve it.

        Anyway, you can find attached the screenshots of the firewall rules related to WAN and LAN.

        Is this the right way (the simplest at this testing moment) to say that the LAN client should be able to reach anything that is on the internet?
        Screenshot 2021-11-25 at 22.44.01.png Screenshot 2021-11-25 at 22.43.54.png

          viragomann @mauro.tridici
          last edited by Nov 25, 2021, 10:01 PM

          @mauro-tridici
          These screens are showing the firewall rules. But as mentioned, we are talking about a hidden rule. So naturally you will not be able to see it there. But you can possibly find respective blocks in the logs though.

          So check in Status > System Logs > Settings if the option "Log firewall default blocks" is enabled. If it isn't, check it, save the setting and initiate some traffic.

          Then go to Status > System Logs > Firewall and look if there are block entries:
          0da8124f-192b-43c5-8526-5d1043303baf-grafik.png

            mauro.tridici @viragomann
            last edited by Nov 25, 2021, 10:21 PM

            @viragomann many thanks for your patience, I really appreciate it.
            Log collection is enabled for the default rule, but no "blocks" have been detected.

            I just read something about the ASR you mentioned, but I think (or I hope) that it is not related to my issue because, if I configure pfSense to act as a router, it works without problems (I'm not an expert, sorry if I made a mistake). Something happens when I revert pfSense to act as a router+firewall.

            I was thinking about a DNS problem, but nslookup executed from the client works fine. Any other idea? :) Thank you for the time you are spending on my case.

              viragomann @mauro.tridici
              last edited by Nov 25, 2021, 10:36 PM

              @mauro-tridici
              Blocks regarding asymmetric routing would be logged if default deny logging is enabled.
              And yes, if you disable the firewall, they would be gone. Therefore I was assuming it's an ASR issue.

              Do you have any other package like pfBlockerNG or IDS/IPS enabled?

              Some hints in the System log?

                mauro.tridici @viragomann
                last edited by Nov 25, 2021, 10:49 PM

                @viragomann thank you. No, no pfBlockerNG, no IDS/IPS.
                It's a fresh and basic installation.

                It is very strange that I have no problem with FTP, ping, nslookup, SSH and other kinds of "sessions" started from the LAN client.
                The problem appears only when I open the browser and try to navigate.
                Browser navigation is impossible and in most cases the browser is unable to reach the target site.

                Why does this happen only with the HTTP/HTTPS protocol?

                  mauro.tridici @viragomann
                  last edited by Nov 25, 2021, 10:54 PM

                  @viragomann said in Internet navigation problem using browser on LAN client host:

                  Blocks regarding asymmetric routing would be logged if default deny logging is enabled.

                  Sorry, I forgot to ask you what kind of message I should see in this case in the logs :)

                    viragomann @mauro.tridici
                    last edited by Nov 26, 2021, 12:13 PM

                    @mauro-tridici said in Internet navigation problem using browser on LAN client host:

                    I forgot to ask you what kind of message I should see in this case in the logs :)

                    Pretty much anything, since I have no idea what could be the reason for now.
                    Usually there are not really many lines written into the system log during normal operation anyway.

                    Is this pfSense running in a VM?

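The thread asks what asymmetric-routing blocks would look like in the firewall log. The following is an added example, not part of any post above: it scans raw filterlog lines for blocked TCP packets whose flags are not a bare SYN (for example SA or A), which is how out-of-state traffic dropped by the default deny rule appears. It assumes pfSense's comma-separated raw filter log layout for IPv4; the tracker number, interface names, addresses and log lines are constructed.

```python
from collections import Counter

# Constructed sample lines (documentation address ranges, placeholder tracker id).
SAMPLE_LOG = """\
Nov 25 22:30:01 fw filterlog[100]: 4,,,1234567890,em0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,52,203.0.113.80,192.0.2.10,443,51514,0,SA,100,200,65535,,mss
Nov 25 22:30:02 fw filterlog[100]: 4,,,1234567890,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.1.20,203.0.113.80,51514,443,0,A,,201,1024,,
Nov 25 22:30:03 fw filterlog[100]: 4,,,1234567890,em0,match,block,in,4,0x0,,48,0,0,DF,6,tcp,60,198.51.100.7,192.0.2.10,40000,23,0,S,300,,1024,,mss
Nov 25 22:30:04 fw filterlog[100]: 9,,,1234567891,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,203.0.113.80,51520,443,0,S,400,,65535,,mss
Nov 25 22:30:05 fw filterlog[100]: 4,,,1234567890,em0,match,block,in,4,0x0,,64,0,0,none,17,udp,328,198.51.100.1,192.0.2.10,67,68,308
"""

def parse_ipv4_tcp(line):
    """Return the interesting fields of an IPv4/TCP filterlog entry, else None."""
    if "filterlog" not in line:
        return None
    f = line.split(": ", 1)[-1].strip().split(",")
    # Assumed layout: f[6]=action, f[8]=IP version, f[16]=protocol name,
    # f[18..21]=src, dst, sport, dport, f[23]=TCP flags.
    if len(f) < 24 or f[8] != "4" or f[16].lower() != "tcp":
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7], "src": f[18],
            "dst": f[19], "sport": f[20], "dport": f[21], "flags": f[23]}

def out_of_state_blocks(log_text):
    """Blocked TCP packets that are not connection openers (flags != 'S')."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_ipv4_tcp(line)
        if entry and entry["action"] == "block" and entry["flags"] != "S":
            hits.append(entry)
    return hits

def summarize(hits):
    """Count hits per (interface, TCP flags) to show where state is missing."""
    return Counter((h["iface"], h["flags"]) for h in hits)

if __name__ == "__main__":
    for (iface, flags), n in summarize(out_of_state_blocks(SAMPLE_LOG)).items():
        print(f"{iface}: {n} blocked packet(s) with TCP:{flags}")
```

A blocked bare SYN from outside is ordinary unsolicited traffic and is deliberately not counted; an empty result on a log that has default-deny logging enabled matches what the original poster reports.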