Firewall blocking websites when it should not be



  • I have hundreds of logs like the below in my firewall logs. This is for a PC attempting to access facebook. I have the firewall outbound WIDE OPEN! Still it keeps blocking these outbound requests. I am pulling my hair out! It makes no pfsense!

    Blocked---Aug 23 15:04:53---LAN---192.168.1.106:50712---69.171.228.70:80---TCP:FA

    I have no packages added that would interfere (I did but have since removed them, such as pfBlocker and snort).
    I have all LAN rules disabled except those shown.
    I have only the few shown WAN2 rules.
    I have no Floating rules (used to have load balance but removed all of that except the gateway group)

    What could this be? I have about had it with pfsense. It's caused me enormous problems...









  • Have you rebooted since you uninstalled snort?



  • Question: Why did you add another wan?

    The things I have in mine are:
    On the wan tab, tcp wan address to everything with ports 80 and 443.
    Udp wan address to everything with port 53.
    Picture for wan: http://puu.sh/Y8GK

    Then on the lan remove the default gateway.
    Picture for lan: http://puu.sh/Y8Ik

    Hope it works.



  • Yes, I rebooted since uninstalling snort.

    I have the 2nd wan because I used to use dual wan connections and upgraded to a new, faster provider, and when I hooked up the new modem it ended up in wan2.

    I did your second suggestion. Maybe that will help, but if it does, it points to an unexpected firewall configuration issue; it should work when I set the gateway manually.

    Your suggestion for the WAN tab sounds like an iffy one. Won't that make the network vulnerable?



  • I would set up wan for the new provider info. Save it. Reinstall and restore that config. You have snort and a major interface change. Hopefully that will clean up the system and get things back the way they should be.



  • So the recommendation is "reinstall". Wow. If pfSense can't handle configuration changes and package installs/removals cleanly and without bugs, that opens up the entire network it's used with to potentially major and difficult to find networking problems and that is simply intolerable in a business environment. Does this mean I'm looking for a new firewall and going to stop recommending pfSense to all my IT cohorts? I hope not… but I can't deal with something that breaks just from configuration changes.

    Edit: I was hoping to start using pfsense with multiple clients and was going to recommend it for use with a chain store I support, which would most likely have led to a support contract with pfSense, but this has me backing away fast...



  • Well I hope it does not scare you away. Most are going to install only what they need. I have installed and uninstalled snort, squid, and quite a few other packages without it stopping anything. I have even changed providers a couple of times with my existing config and I have had 0 issues. Personally, I have only re-installed twice, once when I was moving the server from 2.0 (i386) to 2.1 (x64), and the other was a HDD failure. I am saying that something didn't go the way it is supposed to in this instance. Hardware issues or something may have interfered. Same thing has happened to me with Cisco ASA, Microsoft ISA, and even Juniper FWs.  I have not used many others though, but I would imagine it happens with them also.
    It also may not fix the issue and there is a config problem. I am only thinking that a clean up would help you find the problem. Or you can dig around in your current config, it's up to you.
    I would not be so final on your judgement until the problem has been discovered. Even then, if it is a bug, submit it and make things better.

    I also don't work for pfSense, and if you have a support contract, they will help you fix the problem, most likely without re-installing. There has been nothing but praises for their support. In here, we are just trying to help.
    I have been using pfSense since 2006 or somewhere around in there. Parts of my current config are from then, although it is only a few rules.

    Edit: forgot to ask what version are you running?



  • Running 2.1 x86.

    Ok, I see what you're saying now. I would like to avoid a reinstall, but at the same time I've gotta get the website blocking issues fixed. It seems to be happening primarily with Mac users. Those using Windows don't seem to have the trouble.



  • The original "problem" happens with every real firewall, and is nothing more than out of state traffic:
    http://doc.pfsense.org/index.php/Logs_show_"blocked"_for_traffic_from_a_legitimate_connection,_why%3F

    If there actually is a problem, those firewall logs aren't it. Need more info on the actual problem.
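
The distinction the reply above draws, out-of-state traffic versus an actual rule denial, can be checked mechanically from the log. The script below is an added example, not code from the thread or from pfSense: it parses constructed lines in the condensed "---"-separated shape the first post quotes (an assumption about that poster's format, not pfSense's native filter log syntax) and separates blocked TCP packets that carry no bare SYN, which cannot have opened a connection and so belong to a flow the firewall has no state for, from blocked SYNs, which are the only entries that reflect a rule actually denying a new connection.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Dict

# Constructed sample lines in the "---"-separated shape quoted in the thread.
# Assumption: this is the poster's condensed rendering, not pfSense's filterlog
# format; adjust LINE_RE for real filter log output. 203.0.113.0/24 is TEST-NET.
SAMPLE_LOG = """\
Blocked---Aug 23 15:04:53---LAN---192.168.1.106:50712---69.171.228.70:80---TCP:FA
Blocked---Aug 23 15:04:55---LAN---192.168.1.106:50713---69.171.228.70:80---TCP:RA
Blocked---Aug 23 15:05:01---LAN---192.168.1.107:49201---69.171.228.70:443---TCP:PA
Blocked---Aug 23 15:05:04---LAN---192.168.1.107:49202---69.171.228.70:443---TCP:SA
Blocked---Aug 23 15:05:09---LAN---192.168.1.108:53311---203.0.113.10:25---TCP:S
Blocked---Aug 23 15:05:10---LAN---192.168.1.108:53311---203.0.113.10:25---TCP:S
Blocked---Aug 23 15:05:12---LAN---192.168.1.109:41000---203.0.113.53:53---UDP
"""

LINE_RE = re.compile(
    r"^(?P<action>\w+)---(?P<time>[A-Za-z]{3} \d{1,2} \d\d:\d\d:\d\d)---"
    r"(?P<iface>\w+)---(?P<src>[\d.]+):(?P<sport>\d+)---"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)---(?P<proto>\w+)(?::(?P<flags>[A-Z]*))?$"
)


@dataclass
class Entry:
    action: str
    time: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str

    @property
    def kind(self) -> str:
        """Classify why a stateful firewall logged this block."""
        if self.proto != "TCP":
            return "non_tcp"  # no flags to reason about; needs the rule set
        # A new connection starts with SYN set and ACK clear. Anything else
        # (FA, RA, PA, SA, ...) is mid-stream traffic for a flow pf holds no
        # state for: the state expired or was never created. That is the
        # default deny catching a stray packet, not a LAN rule matching.
        if "S" in self.flags and "A" not in self.flags:
            return "denied_new_connection"
        return "out_of_state"


def parse_lines(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that does not look like a log line
        d = m.groupdict()
        entries.append(Entry(d["action"], d["time"], d["iface"], d["src"],
                             int(d["sport"]), d["dst"], int(d["dport"]),
                             d["proto"], d["flags"] or ""))
    return entries


def summarize(text: str) -> Dict[str, Counter]:
    """Count block kinds and list the destinations of real new-connection denials."""
    entries = parse_lines(text)
    kinds = Counter(e.kind for e in entries)
    denied = Counter(f"{e.dst}:{e.dport}" for e in entries
                     if e.kind == "denied_new_connection")
    return {"kinds": kinds, "denied_destinations": denied}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for kind, n in sorted(report["kinds"].items()):
        print(f"{kind:24s} {n}")
    for dest, n in report["denied_destinations"].most_common():
        print(f"rule denial -> {dest} ({n} SYNs)")
```

Run against a real export, only the `denied_new_connection` bucket is worth reading against the rule set; the `out_of_state` bucket (the FA/RA/PA entries in the first post) is the noise the linked doc page describes.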



  • If that is the case perhaps changing state table optimization from normal to conservative would help in this case.



  • Ok, well here's the full backstory.

    Original setup: 2 DSL connections each with 6Mbps down and 786kbps up. Using multi wan with load balancing traffic shaper. Works, but with everyone there during the day internet is extremely slow. Traffic logs show a virtual wall at 1Mbps per modem. Traffic shaper settings verified. However using bandwidth testers show 6Mbps per connection. During off-hours, I can download at full speed. Only plausible theory is provider bandwidth limiting during peak hours.

    Also around this time Ethernet MFP stops being able to fax to email. Email server used has been verified working and all settings in the printer have been verified, checked, and triple checked. Firewall shows no blocked packets for that IP. I had installed snort around this time and it may have been the cause of the problems; I didn't think to check it until a few days ago and haven't been back to location yet. However, a computer set up to connect to the same mail server using the same information was able to send emails no problem. Assumed a printer issue, but none has been found and we brought in another mfp printer that was working at another location to scan to email and it no longer works here either.

    Moved to new provider. Reconfigured router. Sustained 18Mbps down, 4Mbps up on bandwidth tests. No more bandwidth issues for users since the change.

    Then Mac users begin having trouble viewing web pages. Their cache is cleared, we release and renew IPs, we remove and reconnect to WiFi, and we verify they can do dns lookups. However they cannot browse random websites. Windows users work fine, most of the time.

    Logs are attached.




  • @podilarius:

    If that is the case perhaps changing state table optimization from normal to conservative would help in this case.

    That should rarely be touched and almost certainly not in this case.



  • @KyferEz:

    Then Mac users begin having trouble viewing web pages. Their cache is cleared, we release and renew IPs, we remove and reconnect to WiFi, and we verify they can do dns lookups. However they cannot browse random websites. Windows users work fine, most of the time.

    This sounds very much like a general PMTUD problem, where you need MSS clamping to prevent connection stalls, and at times flat out failures. Put in 1400 in the MSS clamping field on the WAN(s) in question and see if that fixes it.
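
Why MSS clamping fixes the symptom described above (DNS lookups and small pages work, larger pages stall) is easier to see with numbers. The model below is an added example, not code from the thread or from pfSense: it assumes IPv4 with 20-byte IP and TCP headers and no options, a constructed path with a 1492-byte link in the middle (as with PPPoE) and, for the failing case, ICMP fragmentation-needed messages filtered somewhere on the path so Path MTU Discovery never tells the sender to shrink its segments. Clamping the MSS in the client's SYN makes the remote server send segments that fit the bottleneck without needing that ICMP. The simulation takes the MSS value directly; pfSense's interface MSS field, per its help text, applies the entered value minus 40 bytes of headers, so the 1400 suggested above corresponds to a 1360-byte MSS on the wire.

```python
from typing import List, Optional, Tuple, Dict

IP_HEADER = 20   # IPv4 header, no options (assumption for this model)
TCP_HEADER = 20  # TCP header, no options


def mss_for_mtu(mtu: int) -> int:
    """MSS a host advertises for its own link MTU: the payload left after headers."""
    return mtu - IP_HEADER - TCP_HEADER


def clamp_syn_mss(advertised_mss: int, clamp: Optional[int]) -> int:
    """What an MSS-clamping firewall leaves in the SYN's MSS option."""
    return advertised_mss if clamp is None else min(advertised_mss, clamp)


def segment_delivered(payload: int, path_mtus: List[int],
                      icmp_reaches_sender: bool) -> Tuple[bool, str]:
    """Model one DF-set TCP segment crossing every link on the path."""
    packet = payload + IP_HEADER + TCP_HEADER
    bottleneck = min(path_mtus)
    if packet <= bottleneck:
        return True, f"{packet}-byte packet fits the {bottleneck}-byte bottleneck"
    if icmp_reaches_sender:
        # Normal PMTUD: the router drops the packet, the sender gets
        # fragmentation-needed and retransmits with smaller segments.
        return True, "too big, but ICMP frag-needed reached the sender; PMTUD recovers"
    # PMTUD black hole: dropped silently, retransmitted at the same size, stalls.
    return False, f"too big ({packet} > {bottleneck}) and no ICMP: black hole, stall"


def transfer_outcome(host_mtu: int, clamp: Optional[int], path_mtus: List[int],
                     icmp_reaches_sender: bool) -> Dict[str, object]:
    """Outcome for a full-size segment, the kind a server sends for a large page."""
    effective = clamp_syn_mss(mss_for_mtu(host_mtu), clamp)
    ok, why = segment_delivered(effective, path_mtus, icmp_reaches_sender)
    return {"mss": effective, "delivered": ok, "reason": why}


if __name__ == "__main__":
    PATH = [1500, 1492, 1500]  # constructed: a 1492-byte PPPoE hop in the middle
    # A small request (DNS query, HTTP GET) is well under the bottleneck, so
    # lookups and tiny pages work even while big responses stall.
    print("small request:", segment_delivered(300, PATH, False))
    for clamp, icmp in ((None, False), (1400, False), (None, True)):
        r = transfer_outcome(1500, clamp, PATH, icmp)
        print(f"clamp={clamp!s:5} icmp_ok={icmp!s:5} mss={r['mss']} "
              f"delivered={r['delivered']} ({r['reason']})")
```

The third case in the loop is the healthy network: with ICMP allowed, no clamp is needed, which is why most sites never notice. Clamping is the workaround for paths where that ICMP is lost; it does nothing for a bottleneck smaller than the clamp itself, so if 1400 does not help, lower it further rather than conclude clamping is irrelevant.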



  • I had to use that on my phones for a while. Eats a lot more memory. Eventually found a setting to keep the connection alive before the end of the state timeout period. Switched back to normal after. Would not hurt to try it, you can always set it back. Same for cmb's setting suggestion. His is a lot more secure ;).

