Suddenly unable to connect to random websites
-
A day or two ago one of my clients who is using pfSense reported that they're unable to connect to seemingly random websites. Some work, some don't. It's consistent (the same domains continue to not work).
They're running snort, squid, and havp, however there's no indication in the logs that they're the culprit. I went ahead and disabled all three services, but to no avail. There are no records in the firewall logs with the IP addresses of these websites.
FYI, DNS is working, and I went ahead and tried different DNS servers (no luck).
Any idea what is going on? I'm pretty stumped at the moment.
-
Try lowering your MTU. Start with like 1390 and see if that fixes the problem. If it does, you can slowly raise the MTU until you get the breakage.
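
(Added example, not part of the original post: one way to measure the path MTU directly instead of lowering the interface MTU by trial and error. It bisects with Don't Fragment pings; the function names, the 576 to 1500 search range, and the assumption that the target answers ICMP echo are choices made for this example.)

```shell
#!/bin/sh
# Added example: find the largest IP packet that reaches a host unfragmented.
# 28 = 20-byte IPv4 header + 8-byte ICMP header wrapped around the ping payload.
HEADERS=28

# probe HOST PAYLOAD -> exit 0 if a DF-flagged echo with PAYLOAD bytes is answered.
# FreeBSD (pfSense) sets Don't Fragment with -D; the other branch assumes Linux iputils.
# Two packets are sent so a single lost reply does not count as "too big".
probe() {
    case "$(uname -s)" in
        FreeBSD) ping -D -c 2 -t 2 -s "$2" "$1" >/dev/null 2>&1 ;;
        *)       ping -M do -c 2 -W 2 -s "$2" "$1" >/dev/null 2>&1 ;;
    esac
}

# find_pmtu HOST [LOW_MTU] [HIGH_MTU] -> prints the path MTU in bytes.
# Returns 1 if even LOW_MTU gets no reply: packet size is then not the cause
# (routing fault, filtering, upstream outage, or a host that ignores ping).
find_pmtu() {
    host=$1 lo=${2:-576} hi=${3:-1500}
    probe "$host" $((lo - HEADERS)) || return 1
    if probe "$host" $((hi - HEADERS)); then
        echo "$hi"      # full-size packets pass: no MTU restriction on this path
        return 0
    fi
    # Invariant from here on: lo passes, hi fails. Bisect until they are adjacent.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$host" $((mid - HEADERS)); then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Run only when a host is given on the command line: sh pmtu.sh HOST
if [ -n "${1:-}" ]; then
    find_pmtu "$1" || { echo "no reply even at the low bound" >&2; exit 1; }
fi
```

A result of 1500 for a site that still fails to load, or a failure at the low bound, both point away from MTU as the cause.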
-
Like submicron said: MTU.
This issue is most likely always an MTU issue.
-
I set the mtu to 1390, and it didn't resolve the issue.
I noticed that a traceroute to each of these trouble domains ends in about 5 hops at the upstream provider. I gave them a call, and they were able to duplicate the issue… so their engineers are looking into it.
-
Like I said, most of the time it is an MTU issue. Glad you found the problem. Did you perform a tracert before changing the MTU?
-
Yeah, I did perform the tracert before changing the mtu, but not afterwards. If the upstream provider doesn't find a problem, then I'll try again.
Out of curiosity… if it is an MTU issue, why would it suddenly happen? These websites all worked a few days ago.
-
MTU issues typically crop up suddenly due to ISP changes. I've seen these issues suddenly appear for no good reason only to find that the ISP in question did a major backbone upgrade. Glad you found your issue, however.
-
Oh, I haven't found the issue yet. The ISP was able to duplicate the problem, but neither I nor they know exactly what is causing it. They haven't gotten back in touch with me yet. I may mess around with changing the MTU again today. What is an acceptable range for the MTU?
-
It depends on what you are using (Ethernet, wireless, jumbo frames, etc.), but here's a breakdown:
http://en.wikipedia.org/wiki/Maximum_transmission_unit and http://tools.ietf.org/html/rfc1191
Though for most it is either 1492 or 1500.
-
Well, I tried a bunch of different MTUs on the WAN interface between 1000 and 1500, but no luck. This client has SDSL 1.1/1.1.
If the MTU is set in pfSense, would it make any difference to try setting it on the DSL modem also, since the traffic is all going through the pfSense router?
-
Is the DSL modem doing the authentication, or is pfSense? If the modem is bridged, it should only have to be done in pfSense.
-
I talked to the upstream provider again. It looks like we discovered a system-wide outage.
It's a lot more fun when I have control over the situation!
-
Sounds a lot like the expected symptoms of IPv6 'brokenness' ::)
Steve