Netgate Discussion Forum

    Suddenly unable to connect to random websites

    General pfSense Questions

      JustinHoMi

      A day or two ago one of my clients who is using pfSense reported that they're unable to connect to seemingly random websites. Some work, some don't. It's consistent (the same domains continue to not work).

      They're running snort, squid, and havp, however there's no indication in the logs that they're the culprit. I went ahead and disabled all three services, but to no avail. There are no records in the firewall logs with the IP addresses of these websites.

      FYI, DNS is working, and I went ahead and tried different DNS servers (no luck).

      Any idea what is going on? I'm pretty stumped at the moment.

        Guest

        Try lowering your MTU.  Start with like 1390 and see if that fixes the problem.  If it does, you can slowly raise the MTU until you get the breakage.

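The "lower it, then raise it until it breaks" procedure suggested above can also be run without touching the interface setting, by sending echo requests with the Don't Fragment bit set and bisecting the payload size. This is an added example, not part of the thread; the function names, the `PROBE` hook and the default 972-1472 payload range (MTU 1000-1500 minus 28 header bytes) are assumptions.

```sh
#!/bin/sh
# Added example: find the path MTU by bisecting Don't-Fragment echo sizes.
# Path MTU = largest ICMP payload that passes + 28 (20 IP + 8 ICMP header).

# probe HOST PAYLOAD: exit 0 if one DF-flagged echo of that size is answered.
# FreeBSD (pfSense) ping sets DF with -D; Linux iputils uses -M do.
probe() {
    case "$(uname -s)" in
        FreeBSD) ping -D -c 1 -t 2 -s "$2" "$1" >/dev/null 2>&1 ;;
        *)       ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1 ;;
    esac
}

# PROBE names the probe command, so a stub can replace real pings (assumption).
PROBE=${PROBE:-probe}

# path_mtu HOST [LOW] [HIGH]: print the path MTU for payloads LOW..HIGH.
# Returns 1 when even LOW gets no answer: the fault is not packet size.
path_mtu() {
    host=$1
    lo=${2:-972}      # payload for a 1000-byte MTU
    hi=${3:-1472}     # payload for a 1500-byte MTU
    "$PROBE" "$host" "$lo" || return 1
    # Invariant: lo is known to pass; the answer lies in lo..hi.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$PROBE" "$host" "$mid"; then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo $((lo + 28))
}

# Run only when a host is given, e.g.: sh pathmtu.sh www.example.com
if [ "$#" -gt 0 ]; then
    path_mtu "$@" || echo "no reply at the smallest size; not an MTU problem" >&2
fi
```

A result of 1500 means the path is not restricting packet size at all. Hosts that drop ICMP echo look the same as a failure at the smallest size, so test against one that answers ping.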
          XIII

          like submicron said: mtu
          this issue is most likely always an mtu issue

          -Chris Stutzman
          Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
          Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
          freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
          Check out the pfSense Wiki

            JustinHoMi

            I set the mtu to 1390, and it didn't resolve the issue.

            I noticed that a traceroute to each of these trouble domains ends in about 5 hops at the upstream provider. I gave them a call, and they were able to duplicate the issue… so their engineers are looking into it.

              XIII

              like i said most of the time it is an mtu issue. glad you found the problem. did you perform a tracert before changing mtu?

                JustinHoMi

                Yeah, I did perform the tracert before changing the mtu, but not afterwards. If the upstream provider doesn't find a problem, then I'll try again.

                Out of curiosity… if it is an MTU issue, why would it suddenly happen? These websites all worked a few days ago.

                  Guest

                  MTU issues typically crop up suddenly due to ISP changes.  I've seen these issues suddenly appear for no good reason only to find that the ISP in question did a major backbone upgrade.  Glad you found your issue, however.

                    JustinHoMi

                    Oh, I haven't found the issue yet. The ISP was able to duplicate the problem, but neither I nor they know exactly what is causing it. They haven't gotten back in touch with me yet. I may mess around with changing the MTU again today. What is an acceptable range for the MTU?

                      XIII

                      it depends on what you are using (ethernet, wireless, jumbo frames etc) but here's a breakdown:
                      http://en.wikipedia.org/wiki/Maximum_transmission_unit and http://tools.ietf.org/html/rfc1191
                      though for most it is either 1492 or 1500

                        JustinHoMi

                        Well, I tried a bunch of different MTUs on the WAN interface between 1000 and 1500, but no luck. This client has SDSL 1.1/1.1.

                        If the MTU is set in pfSense, would it make any difference to try setting it on the DSL modem also, since the traffic is all going through the pfSense router?

                          XIII

                          is the dsl modem doing the authentication or is pfsense? if the modem is bridged it should only have to be done in pfsense

                            JustinHoMi

                            I talked to the upstream provider again. It looks like we discovered a system-wide outage.

                            It's a lot more fun when I have control over the situation!

                              stephenw10 Netgate Administrator

                              Sounds a lot like the expected symptoms of IPv6 'brokenness'  ::)

                              Steve
