Netgate Discussion Forum

    Firewall blocking websites when it should not be

Firewalling | 14 Posts | 4 Posters | 3.8k Views
KyferEz

I have hundreds of logs like the below in my firewall logs. This is for a PC attempting to access Facebook. I have the firewall outbound WIDE OPEN! Still it keeps blocking these outbound requests. I am pulling my hair out! It makes no pfsense!

Blocked---Aug 23 15:04:53---LAN---192.168.1.106:50712---69.171.228.70:80---TCP:FA

      I have no packages added that would interfere (I did but have since removed them, such as pfBlocker and snort).
      I have all LAN rules disabled except those shown.
      I have only the few shown WAN2 rules
      I have no Floating rules (used to have load balance but removed all of that except the gateway group)

      What could this be? I have about had it with pfsense. It's caused me enormous problems...
ScreenShot006.png
ScreenShot007.png
ScreenShot008.png
ScreenShot009.png

      Home Lab:
      Dell r310 Quad core 32GB RAM & 4 3TB SAS
      Intel Server 2 Quad core 24GB RAM & 6 2TB SAS
      Dell r410 Dual Hex core 24GB RAM & 4 1TB SAS
      HP Proliant DL380 Gen7 2 Quad core 24GB RAM & 6 1TB SAS
      28port POE Gb Cisco SG300-28P
      24port POE Gb Managed Netgear
      24port Catalyst Switch
Cisco 1900 router
      OPNsense
      Sophos UTM
      6 NetScaler VPX3000
      2 VOIP phones Cisco SPA500
      Cisco Air SAP1602 AP

podilarius

        Have you rebooted since you uninstalled snort?

arthur1472

          Question: Why did you add another wan?

          The things I have in mine are:
On the WAN tab, TCP WAN address to everything with ports 80 and 443.
UDP WAN address to everything with port 53.
          Picture for wan: http://puu.sh/Y8GK

          Then on the lan remove the default gateway.
          Picture for lan: http://puu.sh/Y8Ik

          Hope it works.

KyferEz

            Yes, I rebooted since uninstalling snort.

I have the 2nd WAN because I used to use dual WAN connections; I upgraded to a new, faster provider, and when I hooked up the new modem it ended up on WAN2.

            I did your second suggestion. Maybe that will help, but if it does, it points to an unexpected firewall configuration issue; it should work when I set the gateway manually.

Your suggestion for the WAN tab sounds like an iffy one. Won't that make the network vulnerable?

podilarius

I would set up WAN with the new provider info. Save it. Reinstall and restore that config. You have had snort and a major interface change. Hopefully that will clean up the system and put things back the way they should be.

KyferEz

                So the recommendation is "reinstall". Wow. If pfSense can't handle configuration changes and package installs/removals cleanly and without bugs, that opens up the entire network it's used with to potentially major and difficult to find networking problems and that is simply intolerable in a business environment. Does this mean I'm looking for a new firewall and going to stop recommending pfSense to all my IT cohorts? I hope not… but I can't deal with something that breaks just from configuration changes.

Edit: I was hoping to start using pfSense with multiple clients and was going to recommend it for use with a chain store I support, which would most likely have led to a support contract with pfSense, but this has me backing away fast...

podilarius

Well, I hope it does not scare you away. Most are going to install only what they need. I have installed and uninstalled snort, squid, and quite a few other packages without it stopping anything. I have even changed providers a couple of times with my existing config and I have had 0 issues. Personally, I have only re-installed twice, once when I was moving the server from 2.0 (i386) to 2.1 (x64), and the other was a HDD failure. I am saying that something didn't go the way it is supposed to in this instance. Hardware issues or something may have interfered. The same thing has happened to me with Cisco ASA, Microsoft ISA, and even Juniper FWs. I have not used many others though, but I would imagine it happens with them also.
It also may not fix the issue and there is a config problem. I am only thinking that a clean-up would help you find the problem. Or you can dig around in your current config; it's up to you.
                  I would not be so final on your judgement until the problem has been discovered. Even then, if it is a bug, submit it and make things better.

                  I also don't work for pfSense, and if you have a support contract, they will help you fix the problem, most likely without re-installing. There has been nothing but praises for their support. In here, we are just trying to help.
                  I have been using pfSense since 2006 or somewhere around in there. Parts of my current config are from then, although it is only a few rules.

                  Edit: forgot to ask what version are you running?

KyferEz

                    Running 2.1 x86.

Ok, I see what you're saying now. I would like to avoid a reinstall, but at the same time I've got to get the website blocking issues fixed. It seems to be happening primarily with Mac users. Those using Windows don't seem to have the trouble.

cmb

                      The original "problem" happens with every real firewall, and is nothing more than out of state traffic:
                      http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

                      If there actually is a problem, those firewall logs aren't it. Need more info on the actual problem.

                      1 Reply Last reply Reply Quote 0
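
The log line from the first post, parsed and classified the way cmb's explanation suggests, as an added example of my own (not pfSense code and not anything posted in this thread). It assumes the "---"-separated layout the first post shows for a GUI log export, treats a block whose TCP flags are a bare SYN as a real ruleset decision and any blocked segment carrying ACK, FIN or RST (such as TCP:FA) as a packet that arrived after its state entry was gone, and all sample lines other than the one from the post are constructed. Counting the two kinds separately is the check worth doing before touching the ruleset: a firewall that is "wide open" outbound will still log FA/RA stragglers, while a pile of SYN-only blocks on LAN toward allowed destinations would point at a rule.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Layout of one line as the first post shows it (GUI log export, "---" separators).
# The trailing ":FLAGS" part only exists for TCP.
LOG_RE = re.compile(
    r"^(?P<action>Blocked|Passed)---"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})---"
    r"(?P<iface>\w+)---"
    r"(?P<src>[\d.]+):(?P<sport>\d+)---"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)---"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?$"
)

# Constructed sample: the first line is the one quoted in the post, the rest are made up
# to show the other cases (an RST/ACK straggler, an inbound SYN refused by a rule, a UDP block).
SAMPLE_LOG = [
    "Blocked---Aug 23 15:04:53---LAN---192.168.1.106:50712---69.171.228.70:80---TCP:FA",
    "Blocked---Aug 23 15:05:01---LAN---192.168.1.106:50713---69.171.228.70:443---TCP:RA",
    "Blocked---Aug 23 15:05:10---WAN2---203.0.113.9:44120---198.51.100.2:22---TCP:S",
    "Blocked---Aug 23 15:05:12---WAN2---203.0.113.9:40000---198.51.100.2:53---UDP",
]


@dataclass
class LogEntry:
    action: str
    timestamp: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str  # TCP flag letters as pfSense prints them (S, A, F, R, P, U); "" for non-TCP


def parse_line(line: str) -> LogEntry:
    """Parse one exported log line into a LogEntry; raise on anything unrecognised."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    d = m.groupdict()
    return LogEntry(
        d["action"], d["ts"], d["iface"], d["src"], int(d["sport"]),
        d["dst"], int(d["dport"]), d["proto"], d["flags"] or "",
    )


def classify(entry: LogEntry) -> str:
    """Separate a genuine rule block from an out-of-state block.

    A stateful firewall only consults the ruleset for the packet that opens a
    connection (a bare SYN for TCP). A FIN/ACK or RST/ACK with no matching state
    entry is dropped by the default deny and logged, but it never reached a rule.
    """
    if entry.action != "Blocked":
        return "passed"
    if entry.proto != "TCP":
        return "rule-block"        # no handshake to judge by for UDP/ICMP
    if entry.flags == "S":
        return "rule-block"        # new connection the ruleset refused
    return "out-of-state"          # ACK/FIN/RST without a state entry


def summarize(lines) -> dict:
    """Count each classification over an iterable of log lines."""
    counts = Counter(classify(parse_line(line)) for line in lines)
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse_line(line)
        print(f"{e.iface:5} {e.src}:{e.sport} -> {e.dst}:{e.dport} {e.proto}:{e.flags or '-'}  {classify(e)}")
    print(summarize(SAMPLE_LOG))
```

Run it over a real export by replacing SAMPLE_LOG with the file's lines; the layout may differ between pfSense versions, so adjust LOG_RE rather than the classifier if parsing fails.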
podilarius

                        If that is the case perhaps changing state table optimization from normal to conservative would help in this case.

KyferEz

                          Ok, well here's the full backstory.

                          Original setup: 2 DSL connections each with 6Mbps down and 786kbps up. Using multi wan with load balancing traffic shaper. Works, but with everyone there during the day internet is extremely slow. Traffic logs show a virtual wall at 1Mbps per modem. Traffic shaper settings verified. However using bandwidth testers show 6Mbps per connection. During off-hours, I can download at full speed. Only plausible theory is provider bandwidth limiting during peak hours.

Also around this time the Ethernet MFP stops being able to fax to email. The email server used has been verified working and all settings in the printer have been verified, checked, and triple checked. The firewall shows no blocked packets for that IP. I had installed snort around this time and it may have been the cause of the problems; I didn't think to check it until a few days ago and haven't been back to the location yet. However, a computer set up to connect to the same mail server using the same information was able to send emails no problem. Assumed a printer issue, but none has been found, and we brought in another MFP printer that was working at another location to scan to email and it no longer works here either.

                          Moved to new provider. Reconfigured router. Sustained 18Mbps down, 4Mbps up on bandwidth tests. No more bandwidth issues for users since the change.

Then Mac users begin having trouble viewing web pages. Their cache is cleared, we release and renew IPs, we remove and reconnect to WiFi, and we verify they can do DNS lookups. However they cannot browse random websites. Windows users work fine, most of the time.

                          Logs are attached.

ScreenShot010.png

cmb

                            @podilarius:

                            If that is the case perhaps changing state table optimization from normal to conservative would help in this case.

                            That should rarely be touched and almost certainly not in this case.

cmb

                              @KyferEz:

Then Mac users begin having trouble viewing web pages. Their cache is cleared, we release and renew IPs, we remove and reconnect to WiFi, and we verify they can do DNS lookups. However they cannot browse random websites. Windows users work fine, most of the time.

This sounds very much like a general PMTUD problem, where you need MSS clamping to prevent connection stalls, and at times flat-out failures. Put 1400 in the MSS clamping field on the WAN(s) in question and see if that fixes it.

                              1 Reply Last reply Reply Quote 0
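
What MSS clamping actually does to a packet, as an added example of mine rather than code from pfSense or from anyone in this thread. The symptom cmb describes arises when a host sends full-size segments with DF set, a smaller-MTU link on the path drops them, and the ICMP "fragmentation needed" message that PMTUD relies on never gets back, so the connection stalls after the handshake; rewriting the MSS option in each SYN keeps both ends from ever sending a segment that large. The code builds a SYN advertising MSS 1460 (a plain 1500-byte Ethernet MTU), rewrites the option the way pf's max-mss scrub does, and recomputes the TCP checksum so the segment stays valid. It assumes IPv4, and it assumes pfSense subtracts 40 bytes of IPv4 and TCP headers from the value entered in the interface MSS field, as that field's help text describes, so the 1400 from the post becomes an effective MSS of 1360.

```python
import socket
import struct

MSS_KIND, NOP_KIND, EOL_KIND = 2, 1, 0   # TCP option kinds (RFC 793)
IP_TCP_HEADERS = 40                       # 20-byte IPv4 header + 20-byte TCP header


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """One's-complement checksum over the IPv4 pseudo-header plus the TCP segment.

    Computed with the checksum field zeroed it yields the value to insert;
    computed over a correctly checksummed segment it yields 0.
    """
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed test input: a minimal SYN whose only option is MSS."""
    options = struct.pack("!BBH", MSS_KIND, 4, mss)        # kind, length, value (already 32-bit aligned)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_offset << 4, 0x02, 65535, 0, 0)
    segment = header + options
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def _mss_option_offset(segment: bytes):
    """Walk the TCP options; return the byte offset of a 4-byte MSS option, or None."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == EOL_KIND:
            break
        if kind == NOP_KIND:
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:
            break                      # malformed option; stop rather than loop forever
        if kind == MSS_KIND and length == 4:
            return i
        i += length
    return None


def read_mss(segment: bytes):
    """Advertised MSS of a segment, or None if it carries no MSS option."""
    off = _mss_option_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off + 2:off + 4])[0]


def clamp_mss(src_ip: str, dst_ip: str, segment: bytes, mss_field: int) -> bytes:
    """Rewrite the MSS option of a SYN in place when it exceeds the clamp.

    mss_field is the number typed into pfSense's interface MSS field; the
    effective maximum is assumed to be that value minus 40 (see lead-in).
    Segments without SYN are returned untouched: only SYNs carry MSS.
    """
    max_mss = mss_field - IP_TCP_HEADERS
    if not segment[13] & 0x02:
        return segment
    off = _mss_option_offset(segment)
    if off is None or read_mss(segment) <= max_mss:
        return segment
    seg = bytearray(segment)
    seg[off + 2:off + 4] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"                                   # zero the old checksum ...
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))  # ... and recompute
    return bytes(seg)


if __name__ == "__main__":
    src, dst = "192.168.1.106", "69.171.228.70"             # addresses from the first post's log line
    syn = build_syn(src, dst, 50712, 80, 1460)
    clamped = clamp_mss(src, dst, syn, 1400)
    print("before:", read_mss(syn), "after:", read_mss(clamped), "checksum ok:", tcp_checksum(src, dst, clamped) == 0)
```

Clamping has to apply to SYNs in both directions, which is why it is set on the interface rather than on one rule; the rewritten value only limits what the peer will send, so the firewall's own reply SYN/ACK needs the same treatment for the other half of the conversation.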
podilarius

I had to use that on my phones for a while. It eats a lot more memory. Eventually I found a setting to keep the connection alive before the end of the state timeout period. Switched back to normal after. It would not hurt to try it; you can always set it back. Same for cmb's setting suggestion. His is a lot more secure ;).

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.