Problems connecting to specific domains/IPs (*.ubuntu.com)?
-
From my home network I am unable to connect to archive.ubuntu.com. I first noticed this problem when I couldn't perform an apt-get update on one of my ubuntu hosts; the update times out when connecting. I had no issues setting up this host a few weeks ago and performing updates and installs. When I do a nslookup archive.ubuntu.com, I do see IPs that appear in the connection list whenever I try in a browser to head to archive.ubuntu.com and it looks like the connection is attempting to route over my wan connection.
I'm sort of at a loss. I don't have issues connecting to other sites. When I hop on a vpn connection, I can successfully navigate to archive.ubuntu.com. I haven't made any pfsense changes when this started happening.
I've tried restarting pfsense, rebooting the modem pfsense is connected to, restarting my laptop and the ubuntu host.
system: 23.09.1-RELEASE on a sg-5100
-
@JJ5588
pfSense doesn't block the access. Otherwise it wouldn't create WAN state. However, the connection state is "SYN_SENT:CLOSED". So I assume, you don't get a reply for some reason outside of your network if the WAN is your only one upstream gateway. Or do you have any other upstream connection, maybe a VPN?
You can verify this by sniffing the traffic on WAN, while you try to connect to this server.
-
@viragomann said in Problems connecting to specific domains/IPs (*.ubuntu.com)?:
@JJ5588
pfSense doesn't block the access. Otherwise it wouldn't create WAN state. However, the connection state is "SYN_SENT:CLOSED". So I assume, you don't get a reply for some reason outside of your network if the WAN is your only one upstream gateway. Or do you have any other upstream connection, maybe a VPN?
You can verify this by sniffing the traffic on WAN, while you try to connect to this server.
Thank you for the info.
I did sniff the traffic and saw the connection attempt on the WAN. I only have 1 upstream. I called my ISP and they said that the packets were routed correctly, but no response was coming back. I just don't get how my home IP would be blocked by archive.ubuntu.com
-
@JJ5588 said in Problems connecting to specific domains/IPs (*.ubuntu.com)?:
I called my ISP and they said that the packets were routed correctly,
Run a traceroute to this IP and see how far you get.
-
@JJ5588
What packages do you have installed if any?
Out of the box, pfsense is a basic SPI firewall. Allows or rejects packets on Layer3/Layer4 information. That's it.
Added packages change the nature of pfsense (pfblocker or suricata/snort).
-
@viragomann said in Problems connecting to specific domains/IPs (*.ubuntu.com)?:
@JJ5588 said in Problems connecting to specific domains/IPs (*.ubuntu.com)?:
I called my ISP and they said that the packets were routed correctly,
Run a traceroute to this IP and see how far you get.
Not very far.
@michmoor said in Problems connecting to specific domains/IPs (*.ubuntu.com)?:
@JJ5588
What packages do you have installed if any?
Out of the box, pfsense is a basic SPI firewall. Allows or rejects packets on Layer3/Layer4 information. That's it.
Added packages change the nature of pfsense (pfblocker or suricata/snort).
I believe this definitely isn't a pfsense problem. I connected directly to my modem, excluding pfsense, and I am seeing the same issue. I thought the issue might be pfblockerng initially, but even in the logs there, I see the domain lookup working.
-
@JJ5588
I don't know what the last hop in your traceroute is. Is it even beyond your ISP?
When I trace 91.189.91.81, the last I get is
 7  100ge0-59.core2.lon5.he.net (184.104.198.246)  48.185 ms  42.058 ms *
 8  port-channel4.core1.bos2.he.net (184.105.81.24)  104.393 ms * *
 9  canonical-group-limited.e0-50.switch1.bos2.he.net (216.66.14.218)  112.662 ms
    port-channel4.core1.bos2.he.net (184.105.81.24)  104.800 ms
    canonical-group-limited.e0-50.switch1.bos2.he.net (216.66.14.218)  113.180 ms
10  * * canonical-group-limited.e0-49.switch1.bos2.he.net (216.66.14.214)  106.600 ms
11  * * *
12  * * *
So I can reach Canonical.
-
Thank you! Are hops 1-6 just from your local network to your ISP's gateway?
I looked up that last IP, and it is owned by my ISP: AT&T.
-
No, I just took the last three lines for representation.
I live in central Europe. I think there are more hops outside of my ISP than these.
-
Can you ping that IP?
It feels like a server block on your public IP TBH.