Netgate Discussion Forum

Firewall blocking Quad9?

Category: Firewalling | 10 Posts, 3 Posters, 913 Views
  • C
    CreationGuy
    last edited by CreationGuy Oct 19, 2022, 3:04 PM Oct 19, 2022, 3:00 PM

    I was looking through the FW logs and noticed this:
    [attached image: fwlog.JPG]

    WAN interface is the source, why would this be blocked? I am not sure where this would be configured. I do have pfsense set to use DNS TLS / Quad9 using this guide. I don't see any deny's for 9.9.9.9.
    [attached image: Screenshot 2022-10-19 at 10-59-44 TheWall.jrfam.lan - System General Setup.png]

    • J
      johnpoz LAYER 8 Global Moderator @CreationGuy
      last edited by Oct 19, 2022, 3:20 PM

      @creationguy that is an out-of-state block; notice the A, and then even the FA. The P stands for PUSH, which has no effect.

      My guess would be your states/state for that connection reset, so without a state then yes, an ACK would be denied. It amounts to log spam.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • C
        CreationGuy @johnpoz
        last edited by Oct 19, 2022, 3:24 PM

        @johnpoz I did reset the Firewall state, just troubleshooting from my other post.

        Any reason why the secondary Quad9 IP would be blocked? Is it because it was out of state? I don't see any more blocks now.

        • J
          johnpoz LAYER 8 Global Moderator @CreationGuy
          last edited by Oct 19, 2022, 3:38 PM

          @creationguy are you asking why you didn't see a block to the 9.9.9.9 address and only the 149 address? Maybe it recreated a state for that connection. Or maybe it was actively using the 149 when you reset the states.

          It's not like it's going to be using both of them at the same time, etc. To be honest, using the 2 different IPs like that can be problematic in the sense that they might return different sorts of results. The .112 one is the same as 9.9.9.9 for features, but if you were using, say, the 112.10 or 112.11, those are different than the 9.9.9.9 one: one is EDNS enabled and the other is no blocking, etc.

          When you set more than one NS, you need to make sure they return the exact same info, i.e. blocking with the same lists, DNSSEC or not, EDNS or not, etc. If you use different providers that you forward to, you can run into inconsistencies.

          But seeing ACK sorts of blocks is somewhat common; they amount to log spam. If you're seeing a lot of them, you might think about disabling that logging. If you were seeing SA (SYN,ACK) then that would/could point to an asymmetrical flow.

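The triage John describes (ACK, FA and PA blocks are usually leftovers of a state that expired or was reset, SYN blocks are real blocks, and SA blocks hint at asymmetric routing) can be scripted over the raw filter log. The following is an added example for this thread, not code from the forum posts or from Netgate. It assumes the pfSense raw filter log field order for IPv4/TCP entries (action at field 6, IP version at 8, protocol text at 16, addresses at 18/19, ports at 20/21, TCP flags at 23); verify those positions against your own log lines before relying on it. The log lines are constructed, with 203.0.113.5 standing in for the WAN address.

```python
"""Triage pfSense filterlog 'block' entries by TCP flags.

Added example for this thread; not code from the forum posts or from
Netgate. Field positions follow the pfSense raw filter log layout for
IPv4/TCP entries as assumed here: verify against your own log lines.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines. 203.0.113.5 stands in for the WAN address
# (RFC 5737 documentation space); the Quad9 address is the one from the thread.
SAMPLE_LOG = """\
Oct 19 10:59:44 TheWall filterlog[40123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,57,12345,0,DF,6,tcp,52,149.112.112.112,203.0.113.5,853,51234,0,FA,3812774651,1059311912,501,,
Oct 19 10:59:44 TheWall filterlog[40123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,57,12346,0,DF,6,tcp,52,149.112.112.112,203.0.113.5,853,51234,0,PA,3812774651,1059311912,501,,
Oct 19 11:02:10 TheWall filterlog[40123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,50,777,0,DF,6,tcp,60,198.51.100.77,203.0.113.5,44321,22,0,S,1,0,65535,,
Oct 19 11:03:01 TheWall filterlog[40123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,55,4242,0,DF,6,tcp,60,198.51.100.9,203.0.113.5,443,50001,0,SA,9,10,29200,,
Oct 19 11:03:05 TheWall filterlog[40123]: 5,,,1000000103,igb0,match,block,in,4,0x0,,55,4243,0,DF,17,udp,76,198.51.100.9,203.0.113.5,123,123,56
"""

_LINE = re.compile(r"filterlog\[\d+\]: (?P<csv>.*)$")


@dataclass(frozen=True)
class BlockedTcp:
    iface: str
    direction: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: str
    verdict: str


def classify_flags(flags: str) -> str:
    """Explain what a blocked TCP segment with these pf flag letters usually means.

    pf logs S=SYN, A=ACK, F=FIN, R=RST, P=PSH. PSH (and the other modifiers)
    do not change the verdict; only SYN, ACK and RST matter here.
    """
    f = set(flags)
    if "S" in f and "A" not in f:
        return "SYN: new inbound connection attempt, a genuine block"
    if "S" in f and "A" in f:
        return "SYN/ACK we never asked for: check for asymmetric routing"
    if "R" in f:
        return "RST for a connection pf no longer tracks: log spam"
    if "A" in f:
        return "ACK/FIN of an expired or reset state: log spam"
    return "unusual flag combination: inspect manually"


def parse_log(text: str) -> list[BlockedTcp]:
    """Return the blocked IPv4 TCP entries found in filterlog output."""
    out = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        f = m.group("csv").split(",")
        # 6=action, 8=IP version, 16=protocol text (assumed field order)
        if len(f) < 24 or f[6] != "block" or f[8] != "4" or f[16] != "tcp":
            continue
        out.append(BlockedTcp(
            iface=f[4], direction=f[7], src=f[18], dst=f[19],
            sport=int(f[20]), dport=int(f[21]), flags=f[23],
            verdict=classify_flags(f[23]),
        ))
    return out


def summarize(entries: list[BlockedTcp]) -> Counter:
    """Count blocks per verdict so the spam stands apart from real blocks."""
    return Counter(e.verdict for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e.iface} {e.direction} {e.src}:{e.sport} -> {e.dst}:{e.dport} [{e.flags}] {e.verdict}")
    for verdict, n in summarize(entries).most_common():
        print(f"{n:3d}  {verdict}")
```

On a real box you would feed it `clog /var/log/filter.log` output instead of the constructed sample. The first two lines model the case in this thread: 149.112.112.112 answering from port 853 after the state table was reset, so pf sees an ACK/FIN with no matching state and logs it against the default deny.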
          • S
            SteveITS Galactic Empire @CreationGuy
            last edited by Oct 19, 2022, 3:44 PM

            @creationguy what John said, but https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            • C
              CreationGuy @johnpoz
              last edited by CreationGuy Oct 19, 2022, 3:47 PM Oct 19, 2022, 3:46 PM

              @johnpoz
              I can remove it, Quad9 says that
              9.9.9.9 / 149.112.112.112 is

              "Recommended: Malware Blocking, DNSSEC Validation (this is the most typical configuration)"

              I figured that 149 was the secondary in case the primary was too slow or went down.

              • S
                SteveITS Galactic Empire @CreationGuy
                last edited by Oct 19, 2022, 3:48 PM

                @creationguy said in Firewall blocking Quad9?:

                149 was the secondary in case the primary was too slow or went down.

                Correct. They do have others, such as .11 and .10
                https://www.quad9.net/service/service-addresses-and-features

                • J
                  johnpoz LAYER 8 Global Moderator @CreationGuy
                  last edited by Oct 19, 2022, 4:13 PM

                  @creationguy said in Firewall blocking Quad9?:

                  I figured that 149 was the secondary in case the primary was too slow or went down.

                  Primary or Secondary are really meaningless terms when it comes to DNS. When you set up multiple NS for a system to use, you really have no way to know which one it will be using at any given time, etc.

                  Which is why you want to make sure they return the same info. If one of the NS you're using is blocking with list A, even if the other NS is also a blocking one, it might be using list B, for example; now sometimes something is blocked, and maybe other times it's not, etc.

                  If you want to have more than one NS you're forwarding to, that is fine, but 3 days from now you have no idea which one it might be using at the time, etc. So you want to make sure all the NS you list return the same data. Does it do DNSSEC or not, EDNS, blocking with the same list of bad sites/malware/etc. Where you mostly can get in trouble with that is when you use different services, OpenDNS vs Quad9 or Google, etc.

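John's point, made in both of his longer posts, is that every forwarder you list must return the same data (same rcode for blocked names, same DNSSEC validation, same answers), because you cannot predict which one the resolver will use at any moment. The following is an added example for this thread, not code from the forum posts, Netgate or Quad9, that checks this directly. It sends a plain DNS query over UDP/53 with only the standard library, so it compares the resolvers' behaviour rather than the DNS-over-TLS path pfSense uses, and it asks for the AD bit so a validating resolver will say whether the answer was DNSSEC-validated. The `_mk_response` helper builds constructed responses for offline testing; the resolver addresses in `__main__` are the two from the thread.

```python
"""Check that two DNS forwarders answer alike (rcode, AD bit, A records).

Added example for this thread; not code from the forum posts, Netgate or
Quad9. Plain DNS over UDP/53 with only the standard library.
"""
import random
import socket
import struct

QUERY_FLAGS = 0x0100 | 0x0020  # RD (recursion desired) + AD (report validation)


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1) -> tuple[int, bytes]:
    """Return (transaction id, wire-format query); qtype 1 is an A record."""
    txid = random.randrange(1 << 16)
    header = struct.pack("!HHHHHH", txid, QUERY_FLAGS, 1, 0, 0, 0)
    return txid, header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: remember where we left off
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if end is not None else off


def parse_response(msg: bytes) -> dict:
    """Summarize the parts of a response that must agree between forwarders."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # qtype + qclass
    answers = set()
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "answers": frozenset(answers)}


def query_resolver(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query to `server` and summarize the reply."""
    txid, q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != txid.to_bytes(2, "big"):
        raise ValueError("transaction id mismatch")
    return parse_response(data)


def compare_resolvers(results: dict) -> list[str]:
    """One line per field on which a resolver disagrees with the first one."""
    items = list(results.items())
    ref_name, ref = items[0]
    issues = []
    for name, cur in items[1:]:
        for key in ("rcode", "ad", "answers"):
            if cur[key] != ref[key]:
                issues.append(f"{key}: {ref_name}={ref[key]!r} vs {name}={cur[key]!r}")
    return issues


def _mk_response(rcode: int, ad: bool, answers: list[str], name="example.test") -> bytes:
    """Constructed response for offline testing (not captured resolver output)."""
    flags = 0x8180 | (0x0020 if ad else 0) | rcode  # QR, RD, RA (+AD) + rcode
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg += _encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in answers:  # owner name is a pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return msg


if __name__ == "__main__":
    name = "www.quad9.net"  # pick a stable name; CDN-hosted names may legitimately differ
    live = {ip: query_resolver(ip, name) for ip in ("9.9.9.9", "149.112.112.112")}
    print(live)
    print(compare_resolvers(live) or ["forwarders agree"])
```

Run it against a name you expect to be blocked and one you expect to be validated: two forwarders from the same Quad9 service address pair should give identical rcodes and AD bits, while mixing in a non-blocking or non-validating address (or another provider) shows up as an rcode or AD mismatch, which is exactly the inconsistency John warns about. Differing A records alone are not necessarily a problem for geo-balanced names, which is why the comparison reports each field separately.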
                  • S
                    SteveITS Galactic Empire @johnpoz
                    last edited by Oct 19, 2022, 4:15 PM

                    @johnpoz said in Firewall blocking Quad9?:

                    make sure they return the same info

                    The two he's using are the same list/service. It's the other IPs that are other variations.

                    • J
                      johnpoz LAYER 8 Global Moderator @SteveITS
                      last edited by Oct 19, 2022, 4:30 PM

                      @steveits exactly ;)
