[SOLVED] Need help troubleshooting a web site access problem
-
Hmm. I have no difficulty accessing that site and I am using default MTU settings.
Was the site ever reachable through pfSense?
Steve
-
The Prolexic reverse lookup is a big clue: they are in the business of mitigating DDoS attacks for their clients, and I'd guess client.schwab.com is a client of theirs.
I suspect you are right in thinking you are tagged as a bad guy and are being blocked. DDoS bad guys are known to use IP spoofing to try to get around IP-based blocks. I don't know much about mitigation methods, but could they be looking at your MAC address? I don't think Prolexic clients are routed full-time through Prolexic servers, but only when the client is under attack, so you may not have the problem when traffic goes back to the client.
Maybe try to swap a different NIC into your pfSense machine? Or change your MAC?
-
Hmm. I have no difficulty accessing that site and I am using default MTU settings.
Was the site ever reachable through pfSense?
Yes. The problem started happening some time in the last week or so. Up until then, I could reach the site, including times both before and after updating to pfSense 2.1.
-
... I suspect you are right in thinking you are tagged as a bad guy and are being blocked. DDoS bad guys are known to use IP spoofing to try to get around IP-based blocks. I don't know much about mitigation methods, but could they be looking at your MAC address? ...
I'm pretty sure they can't see my MAC address, however you gave me an idea: I tried plugging my laptop directly into the cable modem again, and my laptop got a different IP address from the one my router gets!!! (When I plugged the router back in, it got its usual IP address.)
Since I want to go through the router, and I want to keep its current IP address, I think I need to take this up with the destination web site's tech support.
-
You guys beat me to the punch. Usually your ISP is going to assign you an IP based on your MAC address. If you change your MAC address, that should force your ISP to give you a new IP. Once you get a new IP, try to access the site. If you can access the site, then you know that they are blocking you. Is there a reason that you need the IP address that you have? If you are allowing incoming connections into your network, think about using dynamic DNS. I find it a lot more convenient, and there are services out there that are free of charge.
Also I would ask the question why you? There has to be a reason why they are blocking you. It could be IP spoofing but could it be that one of the machines in your network is compromised? Just asking, it is probably worth taking a look at your systems to make sure there is nothing unusual going on.
-
I've got the problem fixed now.
Thanks to everyone for your help.
For those who are interested, here's the last chapter of the story. I learned from Schwab tech support: (1) a number of other customers in my area can't log in as of a couple of days ago, (2) Prolexic does occasionally block their customers, and (3) they have no way to make Prolexic unblock individual IP addresses. They readily accepted my statement that I get through when I come in via one IP address and get blocked when I come in via a different one. They suggested I try to change my IP address and said someone else would call back in a day or two with more ideas for working around the problem.
My ISP's tech support said they can't change my IP address. They say their IP addresses change, although I've observed that they don't change often, if at all. I've also now observed that different devices get different IP addresses, and if you swap back and forth, each device continues to get the IP address originally assigned to it.
Putting this all together, I decided to swap the LAN and WAN ports on my pfSense router, so that the upstream device would see a different MAC address and thus assign me a new IP address. I tried this, and it did, indeed, solve my problem!
So ... the moral of this story is ... if you can't log in to schwab.com, swap the LAN and WAN ports on your pfSense router! ;)
W.r.t. the possibility that we may have a compromised computer behind the firewall: I'm as careful as I know how to be with the computers on this network. I do have a walled-off wireless network for house guests, whose traffic also flows through this router, but we haven't had any guests recently. If this new IP address gets blacklisted, then I'll have to revisit my security policy.
-
Nice. :)
Thanks for completing the story.
Steve
-
so that the upstream device would see a different MAC address and thus assign me a new IP address.
I know with DD-WRT, every time I needed a new IP address from my ISP I could simply just change the MAC address of the WAN connection. Not sure if pfSense can do this or not.
-Jamie M.
-
Yes, you can just spoof the MAC of the existing NIC, which is probably easier for a test: no swapping cables and reassigning interfaces. However, moving away from the real MAC can cause problems, if only in remembering what it was!
Steve
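Spoofing the WAN MAC from the shell instead of swapping cables, as Steve suggests, while keeping a record of the real MAC so it can be put back: an added example, not code from the thread or from the pfSense project. It assumes a FreeBSD/pfSense box whose WAN NIC is em0 (a placeholder) and whose WAN lease is managed by dhclient.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense project: spoof the WAN MAC
# on a FreeBSD/pfSense box while keeping a copy of the factory MAC to restore.
# Assumes WAN NIC em0 (placeholder; override with WAN_IF=...) managed by
# dhclient; the ifconfig syntax is FreeBSD's.
IFACE="${WAN_IF:-em0}"
STATE_FILE="/root/${IFACE}.factory-mac"

# Accept only a well-formed colon-separated 48-bit address.
is_valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Derive a new MAC from the factory one: set the locally-administered bit
# (0x02) and clear the multicast bit (0x01) in the first octet, and flip the
# lowest bit of the last octet so the result always differs from the input.
local_admin_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    is_valid_mac "$mac" || return 1
    f=$(printf '%s' "$mac" | cut -d: -f1)
    l=$(printf '%s' "$mac" | cut -d: -f6)
    printf '%02x:%s:%02x\n' "$(( (0x$f | 0x02) & 0xfe ))" \
        "$(printf '%s' "$mac" | cut -d: -f2-5)" "$(( 0x$l ^ 0x01 ))"
}

# Record the factory MAC once, apply the derived MAC and request a fresh lease.
apply_spoof() {
    if [ ! -f "$STATE_FILE" ]; then
        ifconfig "$IFACE" | awk '/ether/ { print $2 }' > "$STATE_FILE"
    fi
    factory=$(cat "$STATE_FILE")
    new=$(local_admin_mac "$factory") || { echo "bad MAC in $STATE_FILE" >&2; return 1; }
    echo "factory MAC $factory saved in $STATE_FILE; switching to $new"
    pkill -f "dhclient.*$IFACE" 2>/dev/null   # drop the client holding the old lease
    ifconfig "$IFACE" ether "$new"
    dhclient "$IFACE"                         # new MAC should draw a new address
}

# Undo: put the factory MAC back and renew with it.
restore_factory_mac() {
    factory=$(cat "$STATE_FILE") || return 1
    pkill -f "dhclient.*$IFACE" 2>/dev/null
    ifconfig "$IFACE" ether "$factory"
    dhclient "$IFACE"
}

case "${1:-}" in
    --apply)   apply_spoof ;;
    --restore) restore_factory_mac ;;
esac
```

Whether the upstream DHCP server actually hands out a different address for the new MAC is up to the ISP, as the thread's later posts note.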
-
and
"In some cases, spoofing the MAC may require running the NIC in promiscuous mode."
from: https://doc.pfsense.org/index.php/Interface_Settings
That caught me for a while on one system a few months ago.
-
My ISP's tech support guy said that, if a given MAC address isn't seen for a day or two, it's likely that it will get a different IP address the next time it's connected. Thus, if I ever need to change IP addresses again, I can probably just swap LAN and WAN again. It was very easy and quick with the pfSense GUI.