[SOLVED] Browsing problems after 2.0.2 update



  • I was using 2.0.1 without any problems.

    Since the upgrade to 2.0.2 I've noticed most websites are unavailable. (Oddly, not all.)
    There's no filtering in place on the pfsense box; no entry in the logs showing anything being blocked.

    If I request, say, http://www.google.com then I'm redirected to https://www.google.co.uk (that's normal)
    When I request that, there is no reply. But it can't be a routing problem - I can ping OK.
    Packet capture on the LAN shows the connection to <whatever google.co.uk's IP is> on port 443, but it doesn't appear in packet capture on WAN.

    Here's the odd bit: if I connect a laptop straight to my router, it works fine, every time, so it must be something to do with the pfsense box… But every site works if I use TOR from behind the pfsense box.

    I found an image of an old pfsense build (1.2.3), spun that up - and things work perfectly well.

    Bright ideas?



  • Do you have any packages installed?



  • The only packages installed were openvpn and snort… but they were both disabled - as were all the other services except DNS - and it didn't make a difference.

    Odd, eh?



  • Can you check with Firebug what errors you get on these sites?



  • If you can get a packet capture showing the problem, I'd be willing to take a look. You can email the pcap with a link to this thread to cmb at pfsense dot org. LAN or WAN, probably LAN first.


  • Have you made any MTU and/or MSS clamping setting changes?

    It sounds like an MTU issue, and the only possibly-relevant thing I can think of that changed there between 2.0.1 and 2.0.2 is that we altered how the scrub rule was being used in the background.

    Though it should be working better now, not worse.



  • Thanks for the suggestions, folks - and the kind offer of analysing a capture.

    I fixed it (sort of) by rebuilding from scratch after I completely failed to save the backup xml file.
    For the benefit of those who follow (and perhaps devs, who knows?):

    I captured on both interfaces and saw that DNS answers were being rx'd by the WAN, but very few were being tx'd by LAN; usually one would be returned to the client before it timed out.
    Uninstalled snort; same effect.
    Took a backup - failed to save the file. D'oh.
    Reset to "factory" defaults - still unable to browse, inbound packets arriving at WAN not being forwarded.
    Once inbound NAT redirects were set up, LAN was blocking outbound traffic and showing that in logs.
    Interestingly, although snort wasn't installed, and the box had been reset to factory, saw various snort errors on console on boot.

    Rebuilt from the live CD; set up inbound NAT redirects as before, all tested OK.

    Is there a way to mark this as "solved"?
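The diagnostic described in the post above (capture on WAN and LAN at the same time, then compare which DNS answers arrived on WAN with which ones were actually sent out LAN) can be automated against `tcpdump -n` text output. The script below is an added example, not code from the thread or from pfSense. It assumes the default `tcpdump -n` DNS line format, and it matches queries to answers by name rather than by transaction ID, so it works whether clients talk to an upstream resolver directly or through the firewall's own DNS forwarder (which issues its own transaction IDs upstream). The two captures are constructed sample data using documentation and private address ranges; the IPs, ports and names are hypothetical.

```python
import re
from collections import Counter

# One "tcpdump -n" DNS line: "<ts> IP <src>.<sport> > <dst>.<dport>: <txid><flags> <rest>"
DNS_LINE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > '
    r'(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<txid>\d+)(?P<flags>[+*|$-]*) (?P<rest>.*)$'
)
# Query name in the tail of a query line, e.g. "A? www.google.co.uk. (34)"
QUERY_NAME = re.compile(r'\b[A-Za-z0-9]+\? (?P<name>\S+) \(\d+\)$')

# Constructed sample captures (hypothetical addresses: WAN 203.0.113.10,
# upstream resolver 198.51.100.53, firewall LAN side 192.168.1.1, client 192.168.1.20).
WAN_CAPTURE = """\
10:00:00.101000 IP 203.0.113.10.40001 > 198.51.100.53.53: 21001+ A? www.google.co.uk. (34)
10:00:00.131000 IP 198.51.100.53.53 > 203.0.113.10.40001: 21001 1/0/0 A 198.51.100.200 (50)
10:00:00.201000 IP 203.0.113.10.40002 > 198.51.100.53.53: 21002+ A? www.pfsense.org. (33)
10:00:00.231000 IP 198.51.100.53.53 > 203.0.113.10.40002: 21002 1/0/0 A 198.51.100.201 (49)
10:00:00.301000 IP 203.0.113.10.40003 > 198.51.100.53.53: 21003+ A? www.example.net. (33)
10:00:00.331000 IP 198.51.100.53.53 > 203.0.113.10.40003: 21003 1/0/0 A 198.51.100.202 (49)
"""

LAN_CAPTURE = """\
10:00:00.100000 IP 192.168.1.20.50001 > 192.168.1.1.53: 4660+ A? www.google.co.uk. (34)
10:00:00.200000 IP 192.168.1.20.50002 > 192.168.1.1.53: 4661+ A? www.pfsense.org. (33)
10:00:00.232000 IP 192.168.1.1.53 > 192.168.1.20.50002: 4661 1/0/0 A 198.51.100.201 (49)
10:00:00.300000 IP 192.168.1.20.50003 > 192.168.1.1.53: 4662+ A? www.example.net. (33)
10:00:05.100000 IP 192.168.1.20.50001 > 192.168.1.1.53: 4660+ A? www.google.co.uk. (34)
"""


def answered_names(lines):
    """Count, per query name, the DNS answers seen in one capture.

    Queries (destination port 53) are remembered by (server, txid); an answer
    (source port 53) carrying the same (server, txid) is credited to that
    query's name.  Only the txid is compared within a single capture, so the
    LAN and WAN captures can each use their own ids.
    """
    pending = {}
    answered = Counter()
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        if m.group('dport') == '53':
            q = QUERY_NAME.search(m.group('rest'))
            if q:
                pending[(m.group('dst'), m.group('txid'))] = q.group('name')
        elif m.group('sport') == '53':
            name = pending.pop((m.group('src'), m.group('txid')), None)
            if name is not None:
                answered[name] += 1
    return answered


def unforwarded_answers(wan_lines, lan_lines):
    """Names answered on WAN but never answered on LAN: replies the firewall
    received from upstream and did not hand back to any client."""
    wan = answered_names(wan_lines)
    lan = answered_names(lan_lines)
    return sorted(name for name in wan if lan.get(name, 0) == 0)


def forwarding_ratio(wan_lines, lan_lines):
    """Fraction of WAN-side answers that reappeared on LAN (1.0 = all forwarded),
    or None when the WAN capture holds no answers at all."""
    wan = answered_names(wan_lines)
    lan = answered_names(lan_lines)
    total = sum(wan.values())
    if total == 0:
        return None
    forwarded = sum(min(n, lan.get(name, 0)) for name, n in wan.items())
    return forwarded / total


if __name__ == '__main__':
    wan, lan = WAN_CAPTURE.splitlines(), LAN_CAPTURE.splitlines()
    for name in unforwarded_answers(wan, lan):
        print('answer received on WAN but never sent out LAN:', name)
    print('forwarding ratio:', forwarding_ratio(wan, lan))
```

With real captures, feed the script the output of `tcpdump -n -r wan.pcap port 53` and `tcpdump -n -r lan.pcap port 53` in place of the constructed strings. A ratio well below 1.0 with no matching entries in the firewall log points at something dropping replies silently inside the box (an IPS block list left behind, a scrub/MTU problem) rather than at the upstream resolver, which is the distinction the thread turns on.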



  • Edit first post subject field with [SOLVED]



  • Just uninstalling Snort doesn't clear the blocked offenders, IIRC; that sounds like the symptoms of overblocking with Snort. There aren't any DNS-related changes or anything else that would cause that symptom on 2.0.2 when it didn't happen on 2.0.1; it's not version-related. The reinstall just did the same thing a reboot would have, minus Snort.


Locked