Access denied for HTTPs sites



  • hi guys

    It's a really weird issue: every time I restart my DSL modem, once a week, HTTPS sites are not accessible for a couple of hours. Only HTTP sites can be accessed easily and smoothly. It took 4 hrs or at most 8 hrs of waiting for HTTPS sites to go back to normal access. I tried reinstalling my pfSense box twice but the problem still persists. Any idea or solution why this is happening?

    pfsense 2.1 64bit
    packages installed: squid3 & squidguard-squid3


  • Netgate Administrator

    Are you using https proxying with squid3?

    Steve



  • @stephenw10:

    Are you using https proxying with squid3?

    Steve

    No.
    I use only HTTP.
    I just use the default settings for squid3 for the purpose of running squidguard as web filtering.
    I don't know how to resolve this so-called weird issue.
    I set up pfSense for my friends but they never experience this issue,
    although I set up their pfSense the same as I set up my own box.
    Same internet provider, different only in DSL plan (download speed).


  • Netgate Administrator

    Hmm, the fact that it only does it for a few hours seems to point to something timing out or a cache expiring.
    Have you tried multiple OS's and browsers? Does your public IP change when you restart the modem?

    More sinister thought: something else is proxying your https traffic and it breaks when your connection goes down. (unlikely)

    Steve



  • @stephenw10:

    Hmm, the fact that it only does it for a few hours seems to point to something timing out or a cache expiring.
    Have you tried multiple OS's and browsers? Does your public IP change when you restart the modem?

    More sinister thought: something else is proxying your https traffic and it breaks when your connection goes down. (unlikely)

    Steve

    • Only Windows 7.
    • Yes, tried Firefox and IE; still it could not access HTTPS sites immediately.
    • I don't know if the public IP changes when I reset the modem… it's a static IP given by the provider.

    Before, when I had 2 DSL lines, I never encountered this issue even with squid running. But when I added 3 DSL lines (that is 5 DSL lines currently), I encountered this issue. Really weird for me.


  • Netgate Administrator

    Ah, OK. You're load balancing across all 5? Not that I can explain why that would make any difference.  ::)

    Steve


  • Rebel Alliance Global Moderator

    So this happens on just 1 client machine running Windows 7? Or ALL clients running Windows 7, and other machines, say running XP or Vista or Linux or OS X, etc., work? Or you do not have any other clients? Is this affecting 1 client machine or multiple?

    It makes no sense at all that this would have anything to do with pfSense or connectivity in general if you're saying HTTP works. And more to possible time/date issues on machines that cause them to have problems with SSL certs.

    What sort of errors do you get in Firefox or IE when you try to access an SSL site? What do you get when you go to, say, this site?

    https://www.ssllabs.com/ssltest/viewMyClient.html



  • For me, before we even get into PFsense, my question is why are you rebooting your modem once a week?  That's the first red flag for me.


  • Netgate Administrator

    Doesn't seem that unusual to me. Many modem/routers actually have an option for a scheduled reboot. I've seen plenty of router problems solved by 'turning it off and on again' though admittedly no modem only boxes.

    Steve



  • @steve

    I'm not doing load balancing. Instead I only use policy-based routing.
    The browsing ports are routed to their dedicated DSL line.
    The other 4 DSL lines are dedicated to games alone.
    So whenever they play online games while others are watching online movies, anime, Facebook, YouTube, they will not experience lag in online games or high latency in game.

    This is what my LAN rule looks like:
    http://postimg.org/image/d93rihkg3/

    @johnpoz

    It's an internet cafe, so all of the PCs here are on Windows 7 64-bit.
    After rebooting the modem and waiting however many hours for it to come back, an error page comes up, "This webpage is not available", when trying to access an HTTPS site like https://www.facebook.com/. But when you change to HTTP, you can access it immediately.

    @marvosa

    I don't know why our internet provider here rebooted our modem. Even the one who installed our DSL told us to reboot the modem once a week.
    But when I noticed this issue, I just reboot my modem on days when there are not many customers.



  • On your pfSense box, is the DSL line dedicated to HTTPS traffic also the default Internet gateway of the box?  Have you tried falling back to using only 2 DSL lines, and then try reproducing the problem after adding one DSL line at a time?



  • @josekym:

    On your pfSense box, is the DSL line dedicated to HTTPS traffic also the default Internet gateway of the box?  Have you tried falling back to using only 2 DSL lines, and then try reproducing the problem after adding one DSL line at a time?

    • The default WAN in gateway is PLDT4 only.
    • I haven't tried anymore.

    All of these DSL modems/routers are in routing mode (not in bridge mode).
    I tried connecting my netbook directly to the PLDT4 modem/router and it could browse HTTPS sites freely.



  • @stephenw10 - To each their own I guess, we all have our tolerances, but in my experience, and admittedly I'm picky, but for residential equipment as soon as the modem needs to be rebooted more than once every 2-3 months I'm on the phone with my ISP to have the modem replaced or have the line tested for signal loss.  Every time… it's either one or the other... bad modem or weak signal... I wouldn't tolerate it.

    If you have a business line, having to reboot once a week is even more unacceptable IMO.

    @cheonne - How many PC's are you supporting?  My guess is you're not supporting enough PC's to even make squid useful.  Having squid in front of only a handful of PC's can actually hinder performance instead of enhancing it.  Not to mention, there's so much dynamic content now-a-days I'll bet the squid cache is hardly being used anyway.

    You may be better off dumping squid and enabling QoS.

    I have a few questions:

    1. The squid3 and squidGuard-squid3 packages say they are "beta" and "Experimental" respectively; is this behavior a possible bug? shrug… who knows.
       1a) What happens when you disable or remove those packages?
       1b) Also, have you tried v2.x?

    2. You have noted that you've re-installed the box twice; what happens with a clean install with no packages?

    3. This probably won't change anything, but just for sh*ts and giggles, have you tried the 32-bit version of 2.1? You never know.


  • Netgate Administrator

    @marvosa:

    … I wouldn't tolerate it.

    Neither would I and I'm in no way condoning the behaviour of a modem that needs constant rebooting. I'm just saying that, unfortunately, it's not that uncommon.  ::)
    I once had to deal with a wifi access point that used to lock up with such regularity that I eventually just put it on an electrical timer that turned it off for an hour each night.

    Steve



  • You could also take a look at the squid and/or firewall logs and see if there is anything unusual on there while trying to access HTTPS…



  • @marvosa

    ATM 72 PCs running.
    And the purpose of having squid3 is not just for caching priority but for squidguard-squid3, the web filter, to block sites like porn, gambling and some torrent sites.

    1. squid3 & squidguard-squid3, not the "dev" packages
    1.a. Haven't tried it yet
    1.b. Not yet
    2. I have not tried because squidguard is very important for me. So whenever I reinstalled my box, I immediately installed squid3 & squidguard-squid3
    3. I have not tried 32-bit in 2.1 since I have 4 GB of RAM

    @josekym

    yo kakabayan, I'll try to see if this squid thing causes this issue

    @all

    I'll try to reboot my modem/router soon.
    But before rebooting I'll first disable squid3 & squidguard. I will update here soon.
    Thank you guys



  • This is now resolved.
    I deleted squid3 & squidguard and now every time I reboot my pf box, HTTPS sites can be browsed immediately.


  • Netgate Administrator

    Good to know.

    Did this start happening immediately when you installed the Squid3 package then, or maybe after some package update?

    You could use the Squid2 package instead, that is supported by the devs and this sort of issue would be a show stopper.

    Steve



  • @stephenw10:

    Good to know.

    Did this start happening immediately when you installed the Squid3 package then, or maybe after some package update?

    You could use the Squid2 package instead, that is supported by the devs and this sort of issue would be a show stopper.

    Steve

    No.. I think it takes at least 1 month or 2 after squid installation.
    ATM we use the HandyCafe filter to block porn sites, etc., so pfSense handles only policy routing, firewall, NTP server, DHCP server.