Why does my latest version of pfSense cause my internet to drop out and fail
Hi, I decided to re-install my pfSense onto an Intel D410 ITX which has been running for quite a while, but Snort had failed.
The issue I have is that I install 1.2.3 with defaults (as that's the ISO I have), then upgrade to 2.0.1 and all is well. I add Snort and basically follow the SmallNetBuilder IDS setup.
I then enable SSH, disable passwords and enter a public key, then I add a firewall rule for 443 to allow, as that's the port I use on PuTTY to remote in.
The issue I have with my rebuild is that the internet works for a few mins then drops out and won't load, say, Google, though MSN might work, but then no sites will load. DNS is being resolved, but yet when it drops out my laptop, PC and pfSense box all ping but time out with no response.
During this time my son was able to play his CoD multiplayer without issue.
I've checked rules and logs and removed Snort to no avail; the only rules set are default.
I found an old backup of my original build and it's working fine, yet I can't see what's different; it's the same version, 2.0.1.
Can we tell from the backup files what subtle differences there are?
You have SSH running on port 443? That would clash with the default webGUI HTTPS port unless you have changed it. There should be something in the logs if there's a problem though.
The obvious suspect here is that Snort is blocking connections incorrectly.
I would try re-installing but do not install Snort and see what happens.
Hey, thanks for the reply. I think it may be Snort but can't narrow it down to any particular rule. The idea with SSH is that a secure tunnel over 443 fits in with the rest of the HTTPS traffic when I'm at a different location and doesn't stick out or isn't blocked. Should I stick to 22 and just add SSH in the firewall? Also I think it is fairly secure with a cert even though it's open??
It should be no problem as long as you're aware of the possible clash. In fact it's just that sort of unconventional setup I enjoy reading about. People run VPNs on 443 for that same reason.
Possibly Snort sees this as bad traffic? Just a guess.
If you do change it I wouldn't use 22 just because you'll see loads of login attempts that flood the firewall logs. Use 22222 or whatever is easy to remember.
Just to update anyone who may have this problem: turns out the Snort rule (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE was blocking my legitimate web browsing. I could see this by browsing the net and keeping an eye on the Snort alerts and then seeing the sites appear in the block list. Took me about 3 days to work this out as it's never happened before. Anyhow, the below link shows the solution, which in a nutshell is adding the SID of the rule into a suppress list and then picking the rule in the suppression and filtering dropdown in the Snort interface.
I can sleep well again tonight; this one was really annoying me.
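The triage the last post describes (watch the Snort alerts, see which rule is putting legitimate web servers into the block list, then suppress that rule by its gid:sid) can be scripted against Snort's alert_fast log. The following is an added example, not code from the thread or from the pfSense Snort package; the log lines are constructed, and 120:3 is the assumed gid:sid of the http_inspect "NO CONTENT-LENGTH OR TRANSFER-ENCODING" preprocessor alert, since the thread does not state it.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's alert_fast format (not taken from the thread).
# 120:3 is assumed to be the http_inspect NO CONTENT-LENGTH alert; 1:2100498 is a GPL rule.
SAMPLE_ALERTS = """\
01/15-10:02:11.101010  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.20:51234
01/15-10:02:12.202020  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.11:80 -> 192.168.1.20:51240
01/15-10:03:40.303030  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.99:80 -> 192.168.1.20:51300
"""

# Pulls gid:sid:rev, the rule message, protocol and the src/dst endpoints out of one line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Return one dict per parseable alert line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(m.groupdict())
    return alerts

def alerts_by_rule(alerts):
    """Count alerts per (gid, sid, msg) so the rule that fires on every page load stands out."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)

def blocked_hosts_for_rule(alerts, gid, sid):
    """Source hosts a given rule would have pushed into the block list (web servers here)."""
    return sorted({a["src"] for a in alerts if a["gid"] == gid and a["sid"] == sid})

def suppress_entry(gid, sid, track=None, ip=None):
    """Build a Snort threshold.conf-style suppress line for gid:sid.

    Without track/ip the alert is suppressed everywhere; with e.g. track="by_src"
    and an ip, only that host is exempted, which is the narrower choice."""
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if track and ip:
        line += f", track {track}, ip {ip}"
    return line

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid, msg), n in alerts_by_rule(parsed).most_common():
        print(f"{n:3d}  {gid}:{sid}  {msg}")
    print("hosts blocked by 120:3:", blocked_hosts_for_rule(parsed, "120", "3"))
    print(suppress_entry("120", "3"))
```

Run it over the real alert file to confirm the noisy rule is the one whose source hosts match the entries in the block list before suppressing it, and prefer the per-host form where a single misbehaving server is the cause.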