
    pfsense block sites random

    General pfSense Questions

    • lp.14

      Hi all,

      I saw a lot of topics about this but I didn't find the answer, so I ask you.
      pfSense randomly blocks sites (e.g. parallels.com). Why? How can I solve this?

      I tried a lot of tricks like
      "Disables the PF scrubbing option which can sometimes interfere with NFS traffic."
      and
      "Disable hardware checksum offload"

      but it didn't work.

      Any solution, please?

      thanks
      best regards

      • rcoleman-netgate Netgate @lp.14

        @lp-14 what packages are you running? Is the pfSense doing your DNS? Do you have other DNS-assisting programs installed like pfBlockerNG?

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

        • lp.14

          Thanks for the reply.

          No, I don't have packages added... only nmap or acme or openvpn.
          My DNS setup in the general settings points to Google DNS or ISP DNS, and in the DHCP settings no DNS is specified. No DNS resolver or forwarder is configured.

          thanks
          best regards

          • rcoleman-netgate Netgate @lp.14

            @lp-14 If you're bypassing the internal DNS altogether then your pf is likely not blocking anything but your DNS is not resolving and that's upstream.

            Check the domain that fails to resolve next against the Root server list on the pf -- Diagnostics->DNS Lookup

            • stephenw10 Netgate Administrator

              Check the causes here: https://docs.netgate.com/pfsense/en/latest/troubleshooting/website-access-issues.html

              Particularly the MTU on the WAN.

              • lp.14

                I just did a test with:

                ping -f -l 1472 www.dslreports.com

                from a Windows VM in the Parallels app... and I get the exact value of 1472 as the MTU. I set it up in pfSense but nothing changed.

                Sites like parallels.com are still inaccessible, but from Diagnostics DNS Lookup I can get it easily.

                What's wrong?
                Please suggest something.
                Many thanks.
                best regards

                • michmoor LAYER 8 Rebel Alliance @lp.14

                  @lp-14 You are using something else other than pfSense for DNS, correct?
                  What happens when you configure your client to use pfSense for DNS?
                  Can you try a different browser on your client?

                  Firewall: NetGate,Palo Alto-VM,Juniper SRX
                  Routing: Juniper, Arista, Cisco
                  Switching: Juniper, Arista, Cisco
                  Wireless: Unifi, Aruba IAP
                  JNCIP,CCNP Enterprise

                  • lp.14

                    OK, solved: in Services, DHCP Server, for each network I manually specified which DNS to use. I expected it to use the firewall automatically.

                    • stephenw10 Netgate Administrator @lp.14

                      @lp-14 said in pfsense block sites random:

                      I expected it to use the firewall automatically

                      It does. If you don't set a DNS server in the DHCP server it will pass the interface address for clients to use.

                      • lp.14

                        Let's say... it should, because in my case I have:
                        the firewall with DNS in the general settings
                        8.8.8.8
                        and 192.168.1.200
                        and it blocks sites...

                        I add in the DHCP server

                        8.8.8.8
                        192.168.1.200
                        and the IP of the firewall itself

                        and it doesn't block sites.

                        • stephenw10 Netgate Administrator

                          If you pass 3 DNS servers to the clients via DHCP like that it's entirely up to the client which one it uses. So potentially it could fail to resolve something depending on which one it uses.

                          The DNS settings in System > General Setup apply only to the firewall itself and not to clients behind it. With no DNS values in the DHCP server settings it will pass the pfSense interface IP, which means clients use Unbound in pfSense. That's the default setup.

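Added example (not part of the thread, and not Netgate code): since the client may pick any of the DNS servers it was handed over DHCP, this script asks each one for the same name and lists the resolvers that fail. 8.8.8.8, 192.168.1.200 and parallels.com come from the posts above; 192.168.1.1 is an assumed placeholder for the firewall's LAN address.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Build a minimal DNS query for an A record with recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data, qid=0x1234):
    """Return (status, answer_count) read from the DNS response header."""
    if len(data) < 12:
        return ("TRUNCATED", 0)
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:  # wrong ID or not a response
        return ("MISMATCH", 0)
    rcode = flags & 0x000F
    return (RCODES.get(rcode, f"RCODE{rcode}"), ancount)

def check_resolver(server, name, timeout=2.0):
    """Query one resolver over UDP/53; a timeout is reported, not raised."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:  # covers timeouts and unreachable hosts
            return ("NO_REPLY", 0)
    return parse_response(data)

def usable(result):
    """A resolver is usable only if it answered NOERROR with records."""
    status, answers = result
    return status == "NOERROR" and answers > 0

def failing_resolvers(results):
    return sorted(s for s, r in results.items() if not usable(r))

if __name__ == "__main__":
    # Last entry is an assumed firewall LAN IP; replace with your own.
    resolvers = ["8.8.8.8", "192.168.1.200", "192.168.1.1"]
    results = {s: check_resolver(s, "parallels.com") for s in resolvers}
    for s, r in results.items():
        print(f"{s:15} {r[0]:10} answers={r[1]}")
    print("failing:", failing_resolvers(results))
```

Run it from a client on the affected network at a moment when the site fails to load; any resolver listed as failing is one the client may be choosing.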
                          • lp.14

                            Thanks for the reply.

                            The starting situation was:

                            DNS in the general settings of the firewall and no DNS in the DHCP server;
                            sometimes it failed to bring me to the sites.

                            Was that normal?

                            thanks

                            • stephenw10 Netgate Administrator

                              No, not if everything else was default. The DNS resolver is enabled with its default config, for example.

                              It resolves the IPs directly and passes those to clients. It also caches IPs so you wouldn't expect to see failures on the clients in quick succession.

                              • lp.14

                                I solved it by setting the DNS in the DHCP relay setting.

                                thanks

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.