    Netgate Discussion Forum
    Unable to access some sites when going through pfsense

    General pfSense Questions
christopheb:

      Hi,
We have a pfsense configured with Captive Portal which worked fine, until somebody pointed out that they couldn't access some sites. When bypassing the pfsense box (i.e. connecting directly to the internet), we are able to access these sites, but while going through, even when captive portal is disabled, it's not possible to access these sites or they load partially.
      One example of a site which can't be accessed is: http://www.vogue.co.uk/
      I tried rebooting the box but behavior is the same.

      Any idea what it could be?

      Thanking you in advance.

firewalluser:

        Anything show up in the logs which might give a clue?

        What other packages do you have installed if any?
        If you have Snort or Suricata installed, see if the problem sites are getting blocked.

        What sort of config do you have?

        I'm not familiar with captive portal, but logs might give you a clue and if not, the other info might help out others familiar with CP to help you out, ie known conflict with a package, or not configured properly, that sort of thing.

stephenw10 (Netgate Administrator):

          I'd check for subnet, DNS or MTU issues. See:
          https://doc.pfsense.org/index.php/Unable_to_Access_Some_Websites

          Steve

christopheb:

            Hi,
                The problem occurs whether captive portal is enabled or not. There are no additional packages installed. It's the default basic installation. It's only while going through pfsense that we experience this issue, but the connection itself is good since when we connect directly it works fine.

            In the resolver logs, I see filterdns: different hostnames resolve to same ip address.

            I added this hostname to the captiveportal whitelist. Does it mean that dns is not being resolved for this host?

phil.davis:

              Try
              nslookup www.vogue.co.uk.

              from a client.

              That will tell you if it resolves or not.

              For me that resolves like:

              nslookup www.vogue.co.uk.
              Server:  testoffice-rt-wifi.np.net.inf.org
              Address:  10.49.212.250
              
              Non-authoritative answer:
              Name:    d2o72irmaclxq5.cloudfront.net
              Addresses:  54.230.190.135
                        54.230.190.27
                        54.230.190.134
                        54.230.190.121
                        54.230.190.28
                        54.230.190.210
                        54.230.190.44
                        54.230.190.172
              Aliases:  www.vogue.co.uk
              

              Try browsing to one of those addresses directly and see if a page starts loading at all…
              Try "tracert" to one of those addresses - see if it is getting far.

              Then you will know if you have a DNS problem or a routing problem or firewall block or...

muswellhillbilly:

                Do you have a proxy (Squid?) operating on your pfSense system and are your users accessing the web via the proxy? Also, are you using a local DNS server - such as the pfSense firewalls - to do your DNS forwarding or are you using an outside proxy server? Your nslookup as mentioned by Phil should indicate what your primary DNS server is.

christopheb:

No Squid or other proxy, and the DNS field is left blank in the DHCP config, meaning that it's the pfsense interface which forwards the requests. I'll send the nslookup output from the sites which can't be accessed as soon as I can get it.

muswellhillbilly:

                    Ok, so if there's no DNS server mentioned in the DHCP config then I assume your clients have to have static DNS entries in their network settings in order to resolve hostnames, is that right? Something to note is that in my experience DNS won't pass until after your clients have authenticated through the captive portal. For instance, in my own case the primary DNS server in my DHCP config on the firewall is the firewall itself, which acts as a DNS forwarder. This means that in order for the landing page to come up, the client has to be able to resolve DNS names so that when the first request is made for a page, the user is taken to the login page directly.

                    Post your nslookup results and we'll see what that tells us.

stephenw10 (Netgate Administrator):

                      Leaving the DNS field blank in the pfSense DNS server config page means 'pass the pfSense interface address'. So clients use the pfSense DNS forwarder. That's the default setup.
                      At least that's how I read it.  ;) The results shall tell all.

                      Steve

jahonix:

                        Which DNS does your pfSense actually use?

                        If I look at the vogue UK site I see different IPs as compared to phil.davis because the CDN seems to resolve differently from regional locations.

                        Non-authoritative answer:
                        www.vogue.co.uk canonical name = d2o72irmaclxq5.cloudfront.net.
                        Name: d2o72irmaclxq5.cloudfront.net
                        Address: 54.230.200.241
                        Name: d2o72irmaclxq5.cloudfront.net
                        Address: 54.230.201.38
                        Name: d2o72irmaclxq5.cloudfront.net
                        Address: 54.230.200.160
                        Name: d2o72irmaclxq5.cloudfront.net
                        Address: 54.239.168.104
                        Name: d2o72irmaclxq5.cloudfront.net
                        Address: 54.230.201.187
                        Name: d2o72irmaclxq5.cloudfront.net
                        Address: 54.230.201.180
                        Name: d2o72irmaclxq5.cloudfront.net
                        Address: 54.230.202.80
                        Name: d2o72irmaclxq5.cloudfront.net
                        Address: 54.230.201.110

christopheb:

                          Hi,
                              Thanks all for your responses. stephenw10 is right about leaving the DNS field blank in DHCP. The pfsense interface is passed and pfsense is the DNS forwarder. I'll send the nslookup results as soon as I can.

                          Christophe.

firewalluser:

                            @jahonix:

                            Which DNS does your pfSense actually use?

                            If I look at the vogue UK site I see different IPs as compared to phil.davis because the CDN seems to resolve differently from regional locations.


Waitrose is another company that hosts some of their website on cloudfront, so if you use the firefox addon called noscript, allow waitrose.com but don't allow anything else (i.e. blocking trackers and advertisers), you can't shop at Waitrose, which can't be good for sales!

christopheb:

Hi, I finally got around to going on-site for this issue. Narrowed it down to Safari. It seems that the DNS forwarder doesn't like the Safari prefetching feature. Sometimes it would get "Query refused" from the DNS forwarder. Was resolved by setting the default gateway of my ISP as the DNS in dhcp settings.

                              http://support.apple.com/en-us/HT203387

                              C:\Users\ChristopheB>nslookup espn.co.uk
                              Server:  pfsense.localdomain
                              Address:  10.0.0.1

                              *** pfsense.localdomain can't find espn.co.uk: Query refused

                              C:\Users\ChristopheB>nslookup espn.co.uk
                              Server:  pfsense.localdomain
                              Address:  10.0.0.1

                              Non-authoritative answer:
                              Name:    espn.co.uk
                              Address:  80.168.92.140

stephenw10 (Netgate Administrator):
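The triage phil.davis lays out (does the name resolve at all, then does a direct connection or tracert reach one of the returned addresses) and the intermittent "Query refused" output christopheb pasted both start from reading nslookup output by eye. The Python script below is an added example, not code from the thread or from pfSense: it parses the two nslookup layouts shown in the thread (the Windows Name:/Addresses:/Aliases: form and the "canonical name =" form) plus the "*** ... Query refused" error line, tallies repeated lookups so an intermittent refusal stands out from a steady failure, and names the next layer to test in phil.davis's order. The sample outputs are constructed from results pasted above; the function names, the LookupResult fields and the verdict strings are my own.

```python
"""Parse pasted nslookup output and classify each lookup (added example)."""
import re
from dataclasses import dataclass, field

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
IPV6 = re.compile(r"^(?=(?:[^:]*:){2})[0-9A-Fa-f:.]+$")  # at least two colons


def _is_ip(token: str) -> bool:
    return bool(IPV4.match(token) or IPV6.match(token))


@dataclass
class LookupResult:
    server: str = ""            # resolver name as nslookup reports it
    server_address: str = ""    # resolver address (the "Address:" before the answer)
    status: str = "unknown"     # resolved | refused | nxdomain | timeout | unknown
    names: list = field(default_factory=list)      # canonical name(s) in the answer
    aliases: list = field(default_factory=list)    # CNAME owners (the queried name)
    addresses: list = field(default_factory=list)  # A/AAAA answers
    error: str = ""             # the "*** ..." line, if any


def parse_nslookup(text: str) -> LookupResult:
    r = LookupResult()
    in_answer = False  # flips once the answer section starts
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("***"):  # nslookup error line
            r.error, low = line, line.lower()
            if "query refused" in low:
                r.status = "refused"
            elif "non-existent domain" in low or "nxdomain" in low:
                r.status = "nxdomain"
            elif "timed out" in low or "timeout" in low:
                r.status = "timeout"
            continue
        if " canonical name = " in line:  # BIND-style CNAME line
            alias, canon = line.split(" canonical name = ", 1)
            in_answer = True
            r.aliases.append(alias.strip())
            canon = canon.strip().rstrip(".")
            if canon not in r.names:
                r.names.append(canon)
            continue
        if _is_ip(line):  # bare continuation line under "Addresses:"
            if in_answer:
                r.addresses.append(line)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "server":
            r.server = value
        elif key == "address" and not in_answer:
            r.server_address = value
        elif key == "non-authoritative answer":
            in_answer = True
        elif key == "name":
            in_answer = True
            if value and value not in r.names:
                r.names.append(value)
        elif key in ("address", "addresses") and in_answer and value:
            r.addresses.append(value)
        elif key == "aliases" and value:
            r.aliases.append(value)
    if r.status == "unknown" and r.addresses:
        r.status = "resolved"
    return r


def summarize(results):
    """Tally repeated lookups of one name; a mix of refused and resolved
    answers is the intermittent pattern reported in the thread."""
    statuses = [r.status for r in results]
    counts = {s: statuses.count(s) for s in sorted(set(statuses))}
    if counts.get("refused") and counts.get("resolved"):
        return "intermittent-refusal", counts
    if set(counts) == {"resolved"}:
        return "resolved", counts
    if set(counts) == {"refused"}:
        return "refused", counts
    return "mixed", counts


def next_step(r: LookupResult) -> str:
    """Which layer to test next, following the DNS -> routing -> firewall order."""
    if r.status in ("refused", "timeout"):
        return f"DNS: forwarder {r.server or r.server_address} gave no answer; query the same name against another resolver"
    if r.status == "nxdomain":
        return "DNS: name does not exist; check spelling and any host overrides"
    if r.status == "resolved":
        return f"DNS OK ({len(r.addresses)} addresses); test a direct connection to one address, then traceroute"
    return "no usable data; rerun the lookup"


# Constructed samples, trimmed from output pasted in the thread.
WINDOWS_OK = """Server:  testoffice-rt-wifi.np.net.inf.org
Address:  10.49.212.250

Non-authoritative answer:
Name:    d2o72irmaclxq5.cloudfront.net
Addresses:  54.230.190.135
          54.230.190.27
          54.230.190.134
Aliases:  www.vogue.co.uk
"""
BIND_OK = """Non-authoritative answer:
www.vogue.co.uk canonical name = d2o72irmaclxq5.cloudfront.net.
Name: d2o72irmaclxq5.cloudfront.net
Address: 54.230.200.241
Name: d2o72irmaclxq5.cloudfront.net
Address: 54.230.201.38
"""
REFUSED = """Server:  pfsense.localdomain
Address:  10.0.0.1

*** pfsense.localdomain can't find espn.co.uk: Query refused
"""

if __name__ == "__main__":
    runs = [parse_nslookup(REFUSED), parse_nslookup(WINDOWS_OK)]
    print(summarize(runs))
    print(next_step(runs[0]))
```

In practice you would run `nslookup <name>` a dozen times against the forwarder, feed each capture to `parse_nslookup`, and look at `summarize`: a steady "refused" points at forwarder configuration, while "intermittent-refusal" matches the prefetch-related behaviour christopheb found and is worth correlating with the forwarder's own log at the same timestamps.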

Thanks for coming back with that useful info. Must be quite a few people that have been hit by this. Safari 5.0.1 was released in 2010 though, so almost everyone using it would be affected, you'd think.

                                Steve
