FIOS connectivity issue
-
I have Verizon FIOS that is connected to a pfSense VM (ethernet to the ONT, no FIOS router). pfSense gets an IP address and DNS from FIOS, and my LAN gets an address from pfSense with the DNS pointing to 1.1.1.1 and 8.8.8.8.
I can get to everything on my LAN without issues.
I can get to most of the internet without issues.
I can't get to https://www.engadget.com/ or the Apple authentication server (apple.com works). I changed DNS servers and even tried the Verizon DNS server without any luck.
After talking on the phone with Verizon, I decided to plug my laptop directly into the ONT (ethernet). I get the same IP and DNS as my pfSense gets, but all websites work. I'm not using pfBlockerNG or any other DNS. Any thoughts or places to look to troubleshoot this issue? Could it be my VM or hypervisor (XCP-ng)?
-
Probably a bad subnet mask somewhere creating a routing conflict. Could also be an MTU issue.
Check: https://docs.netgate.com/pfsense/en/latest/troubleshooting/website-access-issues.html
Steve
-
@cyrus104 said in FIOS connectivity issue:
I get the same IP and DNS as my pfSense gets
Are you sure about that? Almost impossible unless you're spoofing your MAC. Might point to the problem.
Turn off the ONT for a few minutes and see if you get a different address.
Or, if you plug pfSense back in, release and relinquish the address.
-
I went through the steps listed and have verified that everything seems to be as expected. I went through the MTU testing and can get up to 1470 without fragmenting from my workstation and from the pfSense console.
I confirmed the internal subnets for my VLANs are 192.168.1.0/24 and 172.16.0.0/24.
I'm running on XCP-ng as a hypervisor and have made sure to turn off all hardware offloading.
Not resolved yet.
-
You have any VPNs defined? I've seen incorrectly set up IPsec grabbing traffic that should be publicly routed.
Can you identify a particular IP address that is failing that you can use for testing?
-
So I powered down and then up the ONT and this time I did get a different WAN address.
Still no luck with the issue at hand.
-
@stephenw10 No VPNs on this setup.
ping secure2.store.apple.com
Pinging secure2.store.v.aaplimg.com [17.32.220.182] with 32 bytes of data:
Ping statistics for 17.32.220.182:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Interesting:
Ping www.engadget.com works but the site fails to load on any browser. It does seem to work via a curl from the pfSense.
-
secure2.store.apple.com doesn't respond to ping for me either, but I can test port 443 on it from Diag > Test Port.
-
@stephenw10
So both the secure2.store.apple.com and the www.engadget.com work on the Test Port. So it seems to be all devices hanging off the LAN that aren't getting the data passed through properly.
-
Well the port test only checks the initial TCP handshake. It could still be failing later in the sequence for clients.
I would probably be trying to get a packet capture of a client failing to connect and seeing exactly how it's failing.
Steve
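An added example, not code from this thread or from pfSense, that does what Steve's point implies: it splits a client's HTTPS connection into the TCP handshake that Test Port exercises, the TLS handshake, and the first HTTP response, and reports the first stage that fails. Run it from a LAN client and from the pfSense shell to compare; the hosts in the main block are the two from the thread and are only defaults.

```python
"""Staged HTTPS reachability check: TCP connect -> TLS handshake -> HTTP reply.

A port test only proves the first stage (a few small packets); the TLS
handshake and the page itself are where larger packets start flowing.
"""
import socket
import ssl
from typing import Dict, Optional

STAGES = ("tcp", "tls", "http")


def probe_https(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Return {stage: None if it passed, else an error string}.
    Stages after the first failure are not attempted."""
    result: Dict[str, Optional[str]] = {}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        result["tcp"] = None  # what Diag > Test Port checks
    except OSError as exc:
        result["tcp"] = str(exc)
        return result
    try:
        ctx = ssl.create_default_context()
        tls = ctx.wrap_socket(sock, server_hostname=host)
        result["tls"] = None  # server cert chain arrives here, in large packets
    except (ssl.SSLError, OSError) as exc:
        result["tls"] = str(exc)
        sock.close()
        return result
    try:
        req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        tls.sendall(req.encode())
        first = tls.recv(64)
        result["http"] = None if first.startswith(b"HTTP/") else f"unexpected reply {first[:16]!r}"
    except OSError as exc:
        result["http"] = str(exc)
    finally:
        tls.close()
    return result


def failing_stage(result: Dict[str, Optional[str]]) -> Optional[str]:
    """Name of the first failed stage, or None if every stage passed."""
    for stage in STAGES:
        if result.get(stage) is not None:
            return stage
    return None


if __name__ == "__main__":
    for h in ("secure2.store.apple.com", "www.engadget.com"):
        r = probe_https(h)
        print(h, "failed at:", failing_stage(r) or "none", r)
```

A clean "tcp" stage followed by a timeout in "tls" is the typical signature of a path MTU problem, because the handshake packets are small and the server's certificate chain is not.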