Certain websites not working
-
I've noticed that certain websites don't work on my network. I've already changed the DNS server (tried 1.1.1.1 and 8.8.8.8).
I don't really understand why. On certain days the websites actually load up after a couple of attempts, but most of the time it doesn't work at all. I just get an ERR_TIMED_OUT.
The site I've noticed it on most often is telegram.org (the actual messenger works fine, just the website telegram.org doesn't).
Here's the traceroute output:
 1  --------- (-.-.-.-)  6.193 ms  6.126 ms  5.950 ms
 2  217.5.109.78 (217.5.109.78)  8.022 ms  8.228 ms  8.195 ms
 3  80.157.201.182 (80.157.201.182)  15.516 ms  7.421 ms  7.568 ms
 4  ae40.xcr1.dus.cw.net (195.2.20.177)  11.465 ms  11.660 ms  11.754 ms
 5  ae9-tcr1.adr.cw.net (195.2.2.182)  12.715 ms  16.186 ms  13.013 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
In comparison, here's a traceroute for a working website (google.com):
 1  --------- (-.-.-.-)  6.062 ms  5.182 ms  4.973 ms
 2  f-ed11-i.F.DE.NET.DTAG.DE (217.5.67.178)  7.270 ms  7.323 ms  7.239 ms
 3  80.156.160.118 (80.156.160.118)  7.992 ms  7.893 ms  7.786 ms
 4  142.251.48.237 (142.251.48.237)  7.978 ms  8.103 ms  7.982 ms
 5  172.253.66.139 (172.253.66.139)  6.291 ms  6.089 ms  5.974 ms
 6  fra24s22-in-f14.1e100.net (172.217.18.14)  6.985 ms  6.818 ms  6.739 ms
And here's nslookup, which seems fine:
> nslookup telegram.org
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: telegram.org
Address: 149.154.167.99
Name: telegram.org
Address: 2001:67c:4e8:f004::9
> nslookup telegram.org 8.8.4.4
Server: 8.8.4.4
Address: 8.8.4.4#53
Non-authoritative answer:
Name: telegram.org
Address: 149.154.167.99
Name: telegram.org
Address: 2001:67c:4e8:f004::9
pfsense 2.6.0
-
Same thing here :
DNS works fine.
C:\Users\Gauche>nslookup
Serveur par défaut : pfSense.xxxxxx.net
Address: 192.168.1.1
> telegram.org
Serveur : pfSense.xxxx.net
Address: 192.168.1.1
Réponse ne faisant pas autorité :
Nom : telegram.org
Addresses: 2001:67c:4e8:f004::9
           149.154.167.99
Note that I didn't need to ask Google (8.8.8.8), I was resolving myself.
The result was the same : I can't visit www.telegram.org => time out.
When I launched a VPN client on my PC, www.telegram.org showed up right away.
Even better : on pfSense, using the console (SSH) access :
curl https://www.telegram.org
showed the page just fine. That is, I saw the html page.
Using the options -4 and -6 : both worked.
I found a way to make it work :
pfBlockerng-devel latest version +
and I flushed my local (PC) DNS cache.
Now : www.telegram.org opens up instantaneously.
It was an IPv6 issue, and most probably : telegram.org doesn't 'like' my IPv6, as I'm using tunnel.he.net as my IPv6 supplier. It could be seen as a "VPN-over-IPv6". I'm pretty convinced now telegram.org was firewalling my IPv6.
edit :
I removed the noAAAA option, and reloaded.
On the command line :
curl -6 --interface 2001:470:dead:beef::2 https://www.telegram.org
where 2001:470:dead:beef::2 is my IPv6 WAN (my gif0 interface), it showed the html page just fine.
Again : -6 means : use IPv6
So, this excluded tunnel.he.net ?!!
I'm puzzled ...
-
I've been having similar issues, but I don't even have the pfBlockerng installed on mine. The strangest one for me is Fast.com (Netflix bandwidth test) will load, but the test itself will come back and say "Are you sure you're online?" sometimes. I've also got a couple of Android games that refuse to log in while behind the PFSense, while if I connect directly to the cable modem's wifi I have no issues.
Seeing absolutely no blocks in the Firewall, even did a packet capture but couldn't see anything too strange.
I thought like you did, it was related to ipv6, but just to test I disabled all ipv6 on my firewall, trying to force everything to use ipv4. No change in the behavior, and there aren't too many things out there that REQUIRE ipv6 yet AFAIK.
-
Yeah, I don't have pfBlocker installed either. But you pushed me closer to finding the root cause. It's IPv6.
curl https://telegram.org doesn't work
curl -6 https://telegram.org doesn't work
curl -4 https://telegram.org works!
Deactivating IPv6 in my OS immediately opens up the site in the browser as well.
Not exactly sure what's wrong with my IPv6 config. I don't use a 4-to-6 tunnel either. And every other site works flawlessly.
Then I've tried opening up https://ipv6-test.com/ to see if I can narrow the problem even further. Strangely, the site gives me different test results every time I refresh. Sometimes IPv6 doesn't work, sometimes it works fine. Sometimes the fallback doesn't work, sometimes DNS4+ IP6 doesn't work, and other times it does. The results differ in Firefox and Chrome.
It's very weird to me and I can't make heads or tails of it
-
@sector8899 The issue on my side was the dhcpv6 server was only giving out fe80 addresses, not the public ones. Since that only works internally the pfsense wouldn't let it route out, and was dropping the packets.
Can't figure out why dhcpv6 isn't working properly, never used it before.
-
@fatherprax no, that's not my problem. I don't use DHCPv6 either. I use RA. My WAN interface requests a 56 prefix instead of just 1 address, and my LAN interfaces are just set to 'track interface' and they get a bunch to give out to their devices.
You can go to https://ifconfig.co/
or do a
curl -6 https://ifconfig.co/
That should work on your machine. If it doesn't, then you don't have a valid IPv6.
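
The two checks used in this thread, a per-family connect test (the `curl -4` / `curl -6` comparison) and a look at whether the client holds anything other than fe80 addresses, combined in an added example that is not part of any post above. The function names and the sample address list are constructed for illustration.

```python
import ipaddress
import socket

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # routable IPv6 space

def usable_ipv6(addresses):
    """Keep only IPv6 addresses that can leave the LAN (drops fe80::/10 etc.)."""
    usable = []
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%")[0])  # strip zone id (%em0)
        if ip.version == 6 and ip in GLOBAL_UNICAST:
            usable.append(str(ip))
    return usable

def probe(host, port=443, timeout=5.0):
    """One TCP connect per address family, the equivalent of curl -4 / curl -6."""
    results = {}
    for label, family in (("ipv4", socket.AF_INET), ("ipv6", socket.AF_INET6)):
        try:
            addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
            with socket.socket(family, socket.SOCK_STREAM) as sock:
                sock.settimeout(timeout)
                sock.connect(addr)
            results[label] = "ok"
        except socket.gaierror:      # no A / AAAA record for this family
            results[label] = "no-address"
        except socket.timeout:       # packets silently dropped on the path
            results[label] = "timeout"
        except OSError:              # unreachable, refused, no route
            results[label] = "error"
    return results

def diagnose(results, local_addresses):
    """Turn per-family results plus the host's own addresses into a verdict."""
    v4_ok = results.get("ipv4") == "ok"
    v6_ok = results.get("ipv6") == "ok"
    if v4_ok and v6_ok:
        return "both families work"
    if v4_ok:
        if not usable_ipv6(local_addresses):
            return "IPv6 fails: only link-local (fe80) addresses, nothing routable"
        return "IPv6 fails despite a global address: check the IPv6 path"
    return "IPv4 fails, IPv6 works" if v6_ok else "neither family works"

if __name__ == "__main__":
    # Constructed sample: addresses as read from ifconfig/ipconfig on the client.
    local = ["192.168.1.23", "fe80::1c2d:3eff:fe4f:5a6b%em0"]
    print(diagnose(probe("telegram.org"), local))
```
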