Not able to visit some sites



  • Hi all,

    After using Smoothwall 3.0 for years I wanted something else, something with more features and such. So I installed pfSense 2.0.2. What I notice is that, since I switched from Smoothwall to pfSense, I am unable to visit some sites (like Google, pfSense). So I turned my Smoothwall box back on, and everything worked fine again. I tried to change the MTU to 1500 on the WAN side, but that didn't fix it. I am only running the Snort add-on. Tried turning that off too, but it didn't work either. Any ideas? A traceroute gives this:

    Tracing route to google.nl [173.194.67.94]
    over a maximum of 30 hops:

      1    *        *        *    Request timed out.
      2    *        *        *    Request timed out.
      3    *        *        *    Request timed out.
      4    *        *        *    Request timed out.
      5    *        *        *    Request timed out.
      6    *        *        *    Request timed out.
      7    *        *        *    Request timed out.

    The routing table shows this:

    IPv4
    Destination Gateway Flags Refs Use Mtu Netif Expire
    default 192.168.178.1 UGS 0 14408 1500 re0
    10.201.1.0/24 link#2 U 0 1960596 1500 re1
    10.201.1.253 link#2 UHS 0 0 16384 lo0
    127.0.0.1 link#7 UH 0 307 16384 lo0
    192.168.178.0/24 link#1 U 0 0 1500 re0
    192.168.178.1 32:b3:dc:92:e7:e3 UHS 0 2401 1500 re0
    192.168.178.37 link#1 UHS 0 0 16384 lo0

    Where 10.201.1.x is my home network and 192.168.178.x is the WAN network where my gateway (192.168.178.1) is on. The IP 192.168.178.37 is the IP the pfSense box has. The IP 10.201.1.253 is the pfSense box LAN IP.



  • Where are you running the traceroute from?



  • From a PC that is using the pfSense gateway. I just tried to disable hardware checksum offload as suggested by the Wiki page. But that didn't help.



  • Hmm, it seems that pfSense has 22% CPU usage, up to 88% peak. That might be an explanation for websites not loading. I'm running pfSense on XenServer 5.6 FP2.



  • That traceroute indicates you have some kind of significant internal network issue most likely, no response from the first hop even. Unless your rules are blocking that destination. Packet capture to see if it even gets to the LAN.

    CPU usage has no relation to whether or not something will load, though that seems very high unless you're pushing a good deal of traffic through it.



  • I just reinstalled pfSense but I'm now running the AMD64 instead of i386. Even with a clean install it happens. I cannot reproduce it now, everything seems to work at the moment. But as soon as it happens again, I'll capture the packets. About the high CPU load, it's stable at 25% (6% on host CPU), can it be that this occurs because XenTools cannot be installed (these values come from XenCenter, not pfSense itself, pfSense says 0 to 2% utilization)? I'm running XS5.6 SP2. The first hop should be the pfSense box. And as said earlier, when I change my gateway to the Smoothwall box, everything works fine again.



  • Just to add: The WAN side on my pfSense box is a Fritzbox 7340 running in router mode (so NAT etc. are on). I sadly can't change it to modem-only mode since we also use it as our DECT station / PBX. I only added an exposed host to it with the IP of the pfSense WAN interface. I just came across a site I can't access via pfSense and made a capture of it with Wireshark while tracerouting the hostname. But it contains confidential info (hostnames). Any way to anonymize the pcap file?



  • Hostnames aren't exactly top secret info, but yeah at least be careful what you post for the entire Internet. I'd be willing to take a look if you email it to me with a link to this thread. cmb at pfsense dot org



  • Try rebooting your router in front of the pfSense box and try again.



  • I had some internet connection problems last week (not relating to pfSense), so I am sorry for my late reply. However I did some more research and it seems that Snort did block that website. I disabled the HTTP Snort rules and now it's working fine. Thanks for the help you guys gave me :)

