Unable to access some sites when going through pfsense



  • Hi,
        We have a pfsense configured with Captive Portal which worked fine, until somebody pointed out that they couldn't access some sites. When bypassing the pfsense box (i.e connecting directly to the internet), we are able to access these sites, but while going through, even when captive portal is disabled, it's not possible to access these sites or they load partially.
    One example of a site which can't be accessed is: http://www.vogue.co.uk/
    I tried rebooting the box but behavior is the same.

    Any idea what it could be?

    Thanking you in advance.



  • Anything show up in the logs which might give a clue?

    What other packages do you have installed if any?
    If you have Snort or Suricata installed, see if the problem sites are getting blocked.

    What sort of config do you have?

    I'm not familiar with captive portal, but logs might give you a clue and if not, the other info might help out others familiar with CP to help you out, ie known conflict with a package, or not configured properly, that sort of thing.


  • Netgate Administrator

    I'd check for subnet, DNS or MTU issues. See:
    https://doc.pfsense.org/index.php/Unable_to_Access_Some_Websites

    Steve



  • Hi,
        The problem occurs whether captive portal is enabled or not. There are no additional packages installed. It's the default basic installation. It's only while going through pfsense that we experience this issue, but the connection itself is good since when we connect directly it works fine.

    In the resolver logs, I see filterdns: different hostnames resolve to same ip address.

    I added this hostname to the captiveportal whitelist. Does it mean that dns is not being resolved for this host?



  • Try
    nslookup www.vogue.co.uk.

    from a client.

    That will tell you if it resolves or not.

    For me that resolves like:

    nslookup www.vogue.co.uk.
    Server:  testoffice-rt-wifi.np.net.inf.org
    Address:  10.49.212.250
    
    Non-authoritative answer:
    Name:    d2o72irmaclxq5.cloudfront.net
    Addresses:  54.230.190.135
              54.230.190.27
              54.230.190.134
              54.230.190.121
              54.230.190.28
              54.230.190.210
              54.230.190.44
              54.230.190.172
    Aliases:  www.vogue.co.uk
    

    Try browsing to one of those addresses directly and see if a page starts loading at all…
    Try "tracert" to one of those addresses - see if it is getting far.

    Then you will know if you have a DNS problem or a routing problem or firewall block or...



  • Do you have a proxy (Squid?) operating on your pfSense system and are your users accessing the web via the proxy? Also, are you using a local DNS server - such as the pfSense firewalls - to do your DNS forwarding or are you using an outside proxy server? Your nslookup as mentioned by Phil should indicate what your primary DNS server is.



  • No Squid or other proxy and the DNS field is left blank in the DHCP config, meaning that it's the pfsense interface which forwards the requests. I'll send the nslookup output from the sites which can't be accessed as soon as can get it.



  • Ok, so if there's no DNS server mentioned in the DHCP config then I assume your clients have to have static DNS entries in their network settings in order to resolve hostnames, is that right? Something to note is that in my experience DNS won't pass until after your clients have authenticated through the captive portal. For instance, in my own case the primary DNS server in my DHCP config on the firewall is the firewall itself, which acts as a DNS forwarder. This means that in order for the landing page to come up, the client has to be able to resolve DNS names so that when the first request is made for a page, the user is taken to the login page directly.

    Post your nslookup results and we'll see what that tells us.


  • Netgate Administrator

    Leaving the DNS field blank in the pfSense DNS server config page means 'pass the pfSense interface address'. So clients use the pfSense DNS forwarder. That's the default setup.
    At least that's how I read it.  ;) The results shall tell all.

    Steve



  • Which DNS does your pfSense actually use?

    If I look at the vogue UK site I see different IPs as compared to phil.davis because the CDN seems to resolve differently from regional locations.

    Non-authoritative answer:
    www.vogue.co.uk canonical name = d2o72irmaclxq5.cloudfront.net.
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.200.241
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.201.38
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.200.160
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.239.168.104
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.201.187
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.201.180
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.202.80
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.201.110



  • Hi,
        Thanks all for your responses. stephenw10 is right about leaving the DNS field blank in DHCP. The pfsense interface is passed and pfsense is the DNS forwarder. I'll send the nslookup results as soon as I can.

    Christophe.



  • @jahonix:

    Which DNS does your pfSense actually use?

    If I look at the vogue UK site I see different IPs as compared to phil.davis because the CDN seems to resolve differently from regional locations.

    Non-authoritative answer:
    www.vogue.co.uk canonical name = d2o72irmaclxq5.cloudfront.net.
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.200.241
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.201.38
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.200.160
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.239.168.104
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.201.187
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.201.180
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.202.80
    Name: d2o72irmaclxq5.cloudfront.net
    Address: 54.230.201.110

    Waitrose is another company that hosts some of their website on cloudfront, so if you use the firefox addon called noscript,  allow waitrose.com but dont allow anything else ie blocking trackers and advertisers, you cant shop at Waitrose which cant be good for sales!



  • Hi, I finally got around to going on-site for this issue. Narrowed it down to Safari. It seems that the DNS forwarder doesn't like the Safari prefetching feature. Sometimes It would get "Query refused" from the DNS forwarder. Was resolved by setting the default gateway of my ISP as the DNS in dhcp settings.

    http://support.apple.com/en-us/HT203387

    C:\Users\ChristopheB>nslookup espn.co.uk
    Server:  pfsense.localdomain
    Address:  10.0.0.1

    *** pfsense.localdomain can't find espn.co.uk: Query refused

    C:\Users\ChristopheB>nslookup espn.co.uk
    Server:  pfsense.localdomain
    Address:  10.0.0.1

    Non-authoritative answer:
    Name:    espn.co.uk
    Address:  80.168.92.140


  • Netgate Administrator

    Thanks for coming back with that useful info. Must be quite a few people that have been hit by this. Safari 5.0.1 was released in 2010 though so almost everyone using would be affected you'd think.

    Steve


Log in to reply