Weird client pc behavior



  • Hello,

    Last weekend I deployed a pfSense firewall at a company to protect their internal LAN.
    Because they have many sites and in the future they want to use IPsec VPN between them,
    I had to change their internal LAN subnet from 192.168.2.0/24 to 192.168.3.0/24 because
    another site uses the 192.168.2.0/24 subnet. And now the weird thing:
    after I put the firewall in the network and renumbered the LAN, the original computers on the LAN
    were not able to browse anything on the Internet except the company's mail server web interface (OWA) via https, but other https-based
    webpages did not come in. (The computers are getting IPs from the correct range.)

    My test notebook works well. With that on the same lan I can surf on the internet etc. etc.
    I have this default rule from LAN to WAN: allow any any. So everything should have worked but did not work.

    More weird: the original PCs on the local LAN are able to communicate on other ports like TCP 3389, DNS resolution also works, and ICMP
    (ping) also works using either hostname or IP address to the WAN. I am suspecting that this is some virus activity but I do not
    know how to find information on the Internet about this.  ??? What I have not tried yet is netsh winsock reset on the machines.

    Has anybody had the same experience? (Before the IP renumbering everything worked.)
    So it is definitely not the pfSense that stops the traffic. I can see in the logs that it is accepted and responses come back, but
    the webpage does not show up in the browser. This happens on all the machines in the LAN.
    (Not many, approx. 5 machines: 4 Windows XP and 1 Windows 2008 Server.)

    Any help/response appreciated.
    klajosh


  • Netgate Administrator

    Windows policy lock down?
    Clients set to use a proxy?

    Could be a number of things.  :-\

    Steve



  • I have checked that and there is no proxy set up in the browsers.



  • I am still experiencing the same problem. A clean PC with freshly installed Windows was brought there and showed the
    same symptoms. (Everything worked except surfing the internet.) What I have tried so far:

    • reduce the MTU on WAN side
    • I checked this option under System: Advanced: Firewall and NAT: Clear invalid DF bits instead of dropping the packets
    • on client machines netsh winsock reset did not help either.

    I can see TCP:S from LAN to WAN, which are allowed, but nothing else.
    Please, if you have any ideas, share them with me.


  • Netgate Administrator

    I'm afraid I'm out of ideas.  :(
    Your own laptop works OK but a freshly installed client does not? What's the difference?

    Generally speaking if you aren't seeing anything in the logs then it's usually a routing problem. Re-check your subnets and gateways. That doesn't explain why DNS, for example, works though.

    Do you have a managed switch on this network? Is it doing something odd?

    Steve



  • Hi,

    Finally I found the problem. The problem was the MTU size on the ISP's backbone.
    They set it to 1434 and web browsing works fine. There is still one concern.
    From some networks I cannot reach the web interface of the pfSense, but SSH works.
    I found out that if I lower the MTU on the WAN interface I can reach the web interface of pfSense
    from networks where I was not able to reach it. My question: what should I set up on the WAN
    side to reach the web interface of pfSense from everywhere? Or can someone send me
    a link about MTU settings? A good explanation? (Now the MTU on WAN has its default
    value (1500).)

    Thanks,

    klajosh



  • I forgot to mention that the internet link is a WiMAX link. There
    is a Cisco 850 router between the pfSense firewall and the
    whole world.



  • If your ISP limits to 1434, set both MTU and MSS to 1434 on that WAN.

