Netgate Discussion Forum

    Some websites are not opening from LAN side of firewall

      VersionBoy
      last edited by VersionBoy

      I installed a new firewall on a 6 user site for a friend.
      After a week of running they are reporting various issues.

      One issue is that a small number of internet websites do not load on mobile or Windows 10 PC browsers on the internal network.

      Example sites not loading:
      https://www.eircode.ie/, https://www.idrive.com/, https://app.xink.io/

      Note:
      The sites that do not load do respond to a ping and resolve a trace route.
      The websites load if mobiles use 3G\4G, and laptops also load the sites when using a hotspot from a mobile.

      System Netgate 7100
      Firmware 01.00.00.20
      pfSense 22.01-RELEASE
      DNS server(s) 1.1.1.1, 8.8.8.8, 9.9.9.9

      Installed Packages
      aws-wizard 0.10
      ipsec-profile-wizard 1.0_4
      Netgate_Firmware_Upgrade 0.51
      openvpn-client-export 1.6_4

      Outbound NAT Mode: Hybrid

      I could really do with a hand troubleshooting this, please.

        SteveITS Galactic Empire @VersionBoy
        last edited by

        @versionboy Are there any rules blocking traffic on the LAN interface?

        Any chance it's an IPv6 issue? Is IPv6 configured and working? Doesn't seem like www.idrive.com has an AAAA record though.

        Interesting you say ping works, since I can't ping that one either.
        Pinging www.idrive.com [148.66.234.46] with 32 bytes of data:
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          VersionBoy @SteveITS
          last edited by VersionBoy

          @steveits
          There is a rule from the LAN to allow all ipv4 traffic anywhere.
          There is also a rule on the LAN to block all IPv6 traffic.

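          | States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description | Actions |
          |---|---|---|---|---|---|---|---|---|---|---|
          |  | IPv6 * | LAN net | * | * | * | * | none |  | Default Block LAN IPv6 to any rule |  |
          |  | IPv4 * | LAN net | * | * | * | * | none |  | Default allow LAN to any rule |  |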

          Apologies, I had pinged the other two sites but not idrive.
          Your results match mine.

          I have just used the Diagnostics \ Port Test to do a 443 test to the destination site on IPv4 and it worked.

          IPv6 is off on the firewall. At least I believe it is disabled.
          Is it worth trying to reenable IPv6?

          Regards

            VersionBoy @SteveITS
            last edited by VersionBoy

            @steveits Thanks for the advice and to look @ IPv6

            Just wanted to let you all know I reenabled IPv6 on the firewall and the sites that would not load are now loading on mobiles and PCs.

            Can anyone explain how this resolved the issue when the local network does not use IPv6?
            Also, why did this only affect the loading of a small number of websites?

            Regards

              SteveITS Galactic Empire @VersionBoy
              last edited by

              @versionboy How did you disable/enable it? Something like, it’s resolving the AAAA record and the PC has an IPv6 address so tries to connect, but traffic is blocked on LAN that could do it. The drive site didn’t seem to have AAAA though.

                VersionBoy @SteveITS
                last edited by

                @steveits On the WAN interface I set "IPv6 Configuration Type" to none.
                I had not changed the LAN IPv6 config default.

                So I would have to disable IPv6 on all devices inside the network too I suppose!

                Thanks for the advice. I'm still fairly new to pfsense and Netgates.

                Regards

                  SteveITS Galactic Empire @VersionBoy
                  last edited by

                  @versionboy If the PCs still had an IPv6 address assigned that hadn’t expired yet that might still try to use it?

                  At this point if you have 6 available I would just keep it active. :)

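The failure mode discussed in this thread (a LAN client that still holds an IPv6 address tries a site's AAAA address while IPv6 is blocked or unrouted at the firewall) can be checked from a client by testing TCP/443 separately per address family. This is an added example, not code from any poster in the thread; the hostnames, documentation addresses and the fake resolver/connector are constructed so the classification can be exercised offline.

```python
import socket

def resolve(host, family):
    """Return the sorted unique addresses of one family (A or AAAA) for host."""
    try:
        infos = socket.getaddrinfo(host, 443, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def can_connect(addr, family, port=443, timeout=3.0):
    """Attempt a TCP handshake to addr:port over the given address family."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:
        return False

def diagnose(host, resolver=resolve, connector=can_connect):
    """Classify a site by which address family actually carries TCP/443."""
    result = {}
    for name, fam in (("ipv4", socket.AF_INET), ("ipv6", socket.AF_INET6)):
        addrs = resolver(host, fam)
        # None = no record of this family; otherwise True/False for reachability
        result[name] = None if not addrs else any(connector(a, fam) for a in addrs)
    v4, v6 = result["ipv4"], result["ipv6"]
    if v6 is False and v4:
        verdict = "ipv6-broken"       # AAAA published, IPv6 path dead, IPv4 fine
    elif v6 is None and v4 is False:
        verdict = "ipv4-unreachable"  # no AAAA at all, so not an IPv6 problem
    elif v4 or v6:
        verdict = "ok"
    else:
        verdict = "unreachable"
    return verdict, result

# Constructed stand-ins for a LAN client behind the firewall (documentation ranges).
FAKE_DNS = {
    ("dual.example", socket.AF_INET): ["192.0.2.10"],
    ("dual.example", socket.AF_INET6): ["2001:db8::10"],
    ("v4only.example", socket.AF_INET): ["192.0.2.20"],
}
fake_resolver = lambda host, fam: FAKE_DNS.get((host, fam), [])
v6_blocked = lambda addr, fam: fam == socket.AF_INET  # firewall drops all IPv6
all_blocked = lambda addr, fam: False

if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:
        print(h, *diagnose(h))
```

Run from a LAN client with the affected hostnames as arguments; an `ipv6-broken` verdict points at the IPv6 path, while `ipv4-unreachable` on a host without an AAAA record points elsewhere.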
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.