Random Website Outages?
-
There will be random external websites (Spotify, Office365, etc.) that I am unable to get to, and it will last for a week or two, but from 4G or other networks the site is still up. I have tried everything I can think of to fix this and need some help.
My network has a few VLANs and firewall rules, but that's about it.
The things I have tried and findings:
- checked DNS resolving to correct address
- changed MTU and MSS but did not change anything
- all firewall rules are at zero blocked
- packet capture on LAN shows packets coming into interface
- packet capture on WAN does not have outgoing packets
What configuration mistake could I have made that would result in packets not being routed to the WAN interface?
-
Do you have any IPv6?
-
@stephenw10
I don't use it internally and my WAN is an IPv4 address... I see that WAN has DHCP6 turned on. Is that what you are referring to?
-
Yes, if your WAN is pulling an IPv6 address pfSense will try to use it on the LAN. Most clients will prefer IPv6 if they see it as available, so if it shows but is actually invalid, connections can take an age to time out and fail.
-
@stephenw10
My WAN connection is IPv4. I have turned off DHCP6 just for safety, but a reboot of everything has not solved the websites not being available.
-
Ok, so when it fails you see packets coming into LAN but nothing leaving WAN? What packets exactly are you seeing there?
You would only see that traffic fail to leave if there is a bad route present or something else grabbing the traffic, like IPsec. So I would check you don't have a bad subnet somewhere or a misconfigured VPN.

Steve
-
@stephenw10
The clients having issues are not connected via VPN.
I'm kind of a Wireshark newb, but the only thing I see on the WAN that could be troubling is that there is the occasional ICMP "destination host unreachable" to random places (not to the places I'm having issues with).
I did a capture on all of the interfaces and didn't see packets being sent anywhere... they are just disappearing?
-
@stephenw10
OH FOUND IT. Snort had picked up the IP as suspicious and blocked it. Now just need to figure out how to add an FQDN to the Snort pass list.
-
@jbob said in Random Website Outages?:
@stephenw10
OH FOUND IT. Snort had picked up the IP as suspicious and blocked it. Now just need to figure out how to add an FQDN to the Snort pass list.

Create an FQDN alias under FIREWALL > ALIASES in the pfSense menu. Then either create a new Pass List (or edit any existing one already assigned to the interface) and add the FQDN alias to the Pass List. When editing a Pass List, there are controls at the bottom of the page for adding, editing, or deleting IP addresses, networks, and host or network aliases.
Once the Pass List has been edited to include the FQDN alias, go edit the Snort interface and assign the Pass List using the drop-down selector for Pass List. Save the change and then restart Snort on the interface so that the binary daemon will see the change.
Note that FQDN aliases are resolved only once every 5 minutes. A host or domain that changes addresses more frequently than that may not be reliably resolved. Also, if the host or domain in question is part of a CDN (content delivery network), then the IP address will likely change too often to be effectively resolved for use in the Pass List.
Here is a post I created back a couple of years ago when the FQDN feature was added. There are some screenshots in the post of the feature in action, and from those you can also see how to configure them in a Pass List.
https://forum.netgate.com/topic/160771/new-often-requested-snort-feature-coming-soon
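The symptom in this thread (packets arrive on LAN, nothing leaves WAN, no firewall rule shows a block) is exactly what a Snort block looks like, because on pfSense the Snort package blocks offenders by inserting their addresses into the pf table named snort2c rather than through a visible firewall rule. The script below is an added example, not code from the thread or from the Snort package: it resolves a hostname and reports which of its addresses are currently sitting in that table, so the check that took this poster days can be run in seconds. It assumes it is run on the pfSense box itself, where `pfctl` and `host` are available; the function `find_blocked` does the comparison on plain text so it can also be exercised with captured data.

```shell
#!/bin/sh
# Added example (not from the original thread): report which addresses a
# hostname resolves to are currently held in pfSense's Snort block table
# (the pf table "snort2c" that the Snort package uses for blocked hosts).
#
# Usage on the pfSense box:   sh check_snort_block.sh login.microsoftonline.com
#
# Assumptions: "host" and "pfctl" are on PATH when run live; the table name
# "snort2c" is the one the pfSense Snort package populates.

# Intersect two newline-separated lists: addresses the name resolved to,
# and the addresses dumped from the block table. Prints each match on its
# own line; returns 0 if at least one address is blocked, 1 otherwise.
find_blocked() {
    resolved="$1"
    table="$2"
    status=1
    for a in $resolved; do
        for t in $table; do
            if [ "$a" = "$t" ]; then
                echo "$a"
                status=0
            fi
        done
    done
    return $status
}

# Live helpers: A records for the name, and the current table contents.
# "pfctl -T show" indents each entry with spaces, hence the tr.
resolve_host() {
    host -t A "$1" | awk '/has address/ {print $4}'
}

snort_table() {
    pfctl -t snort2c -T show | tr -d ' '
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 <fqdn>" >&2; exit 2; }
    addrs=$(resolve_host "$1")
    [ -n "$addrs" ] || { echo "no A records for $1" >&2; exit 2; }
    table=$(snort_table)
    if blocked=$(find_blocked "$addrs" "$table"); then
        echo "blocked by Snort (snort2c):"
        echo "$blocked"
        echo "temporary clear: pfctl -t snort2c -T delete <addr>; permanent fix: add the host to the Snort Pass List"
        exit 0
    fi
    echo "none of the resolved addresses ($(echo $addrs)) is in snort2c"
    exit 1
}

# Only run the live check when a hostname is given, so the functions can be
# sourced and tested with constructed data elsewhere.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

A single address can be checked even faster with `pfctl -t snort2c -T test <addr>`, which exits 0 when the address matches the table. Deleting the entry by hand only helps until the next alert; as described above, the durable fix is the Pass List, and because the Snort package resolves an FQDN alias only every few minutes, a destination served from a CDN with fast-rotating addresses may still be blocked between resolutions, so it is worth re-running this check after the Pass List change rather than assuming it took.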