Blocked WEB site, DNS look up=ok, ping=fail, tracert=fail
-
Hi -
I'm trying to reach the University of New Mexico (UNM.EDU) web sites and failing. Both my Windows systems and Linux systems cannot access the sites; however, I can access unm.edu from my Android phone (through Verizon) and via TOR from home. I think the issue is somewhere in my pfSense setup. I see the same blocked behavior with DNS servers 8.8.8.8 and 4.2.2.2. I'm running release 2.2.6 on a Netgate 2440 box.
Running through the diagnostics menu, DNS resolves to 129.24.168.32 (seems to be correct). Ping has 100% packet loss. Tracert looks like this:
1 * * *
2 te-0-3-1-1-sur01.paradise.nm.albuq.comcast.net (68.85.224.105) 7.666 ms 8.978 ms 7.932 ms
3 be-6-ar02.albuquerque.nm.albuq.comcast.net (68.86.182.121) 8.663 ms 9.605 ms 8.113 ms
4 be-100-ar01.albuquerque.nm.albuq.comcast.net (68.86.182.37) 12.680 ms
be-200-ar01.albuquerque.nm.albuq.comcast.net (68.86.182.21) 8.727 ms 9.269 ms
5 be-33654-cr01.1601milehigh.co.ibone.comcast.net (68.86.95.237) 404.892 ms 446.298 ms 16.234 ms
6 be-11719-cr02.denver.co.ibone.comcast.net (68.86.86.77) 21.841 ms 16.743 ms 19.035 ms
7 ae14.edge3.Denver1.Level3.net (4.68.127.129) 15.815 ms 18.211 ms 17.988 ms
8 * ae-21-52.car1.Denver1.Level3.net (4.69.147.99) 17.103 ms
ae-11-51.car1.Denver1.Level3.net (4.69.147.67) 17.471 ms
9 CENIC.car1.Denver1.Level3.net (4.30.24.58) 48.744 ms 48.784 ms 50.649 ms
10 * * *
11 * * *
12 * * *
13 * * *
(Apologies, I didn't see how to add a scrolling region.)
I do not see messages in the firewall logs about 4.30.24.58 (above, etc) being blocked. I don't see alerts about these sites in pfBlocker. Both the "Allow DNS server list to be overridden by DHCP" and "Do not use the DNS Forwarder or Resolver as a DNS server" under System->General are unchecked.
This seems to be a very specific error with this destination, as I have not noticed any other 'missing' sites (npr, cnn, netflix, … regular stuff all works). The only unusual setup that I can think of is that, following the thread in these forums, I did set up pfBlocker to block W10 telemetry. I don't think this is the root cause, ... but just to mention it.
Any suggestions where to look next?
Thanks!
-
Correct: unm.edu (129.24.168.32) doesn't reply to pings ... and it's up to them to do so, or not.
Traceroute: it's not the final end-point (unm.edu (129.24.168.32)) that decides to do so, but everything else 'somewhere' between you and them.
Btw: the site http://www.unm.edu (129.24.168.32) connects well and shows up for me (using pfSense, etc).
-
The traceroute I run continues onto the target host via 129.24.212.35 (just after 4.30.24.58), which is a UNM host - possibly a firewall. My guess is that the University's sysadmins are blocking traffic from your block of Comcast addresses, but that's just a theory. Maybe they've had attacks from that part of the internet?
-
The traceroute I run continues onto the target host via 129.24.212.35 (just after 4.30.24.58), which is a UNM host - possibly a firewall. My guess is that the University's sysadmins are blocking traffic from your block of Comcast addresses, but that's just a theory. Maybe they've had attacks from that part of the internet?
Yeah the first hop that doesn't reply is the first hop of UNM's network. They probably are either blackholing something there for some reason, or have screwed up routing.
Nothing OP can do regardless short of contacting UNM, the issue's definitely not on your network.
-
Mine currently works
1 <1 ms <1 ms <1 ms pfsense.localdomain [192.168.1.1]
2 2 ms 2 ms 3 ms xxx
3 14 ms 13 ms 14 ms xe-10-0-0.bar2.Minneapolis2.Level3.net [4.59.66.5]
4 38 ms 38 ms 39 ms ae-21-52.car1.Denver1.Level3.net [4.69.147.99]
5 103 ms 105 ms 127 ms ae-21-52.car1.Denver1.Level3.net [4.69.147.99]
6 66 ms 70 ms 73 ms CENIC.car1.Denver1.Level3.net [4.30.24.58]
7 74 ms 73 ms 73 ms 198.83.83.5
8 67 ms 67 ms 67 ms 208.77.78.190
9 69 ms 69 ms 68 ms bldg116-0020.unm.edu [129.24.192.30]
10 * * * Request timed out.
11 68 ms 68 ms 69 ms unm.edu [129.24.168.32]
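Added example, not part of any post in this thread: a small parser for the two traceroute formats shown above (Unix traceroute and Windows tracert) that finds the last router to answer in the failing trace and lists where the working trace continues past it. The function names are hypothetical, and the sample hops are trimmed from the traces posted in the thread.

```python
import re

IP = re.compile(r"(?<![\w.-])\d{1,3}(?:\.\d{1,3}){3}(?![\w.-])")
RTT = re.compile(r"\d+(?:\.\d+)?\s*ms\b")   # any round-trip time means the hop answered
HOP = re.compile(r"\s*(\d+)\s+(.*)")        # line that starts a new hop

def parse_trace(text):
    """Return [(hop, replied, [ips])] for Unix traceroute or Windows tracert output."""
    hops = []
    for line in text.strip().splitlines():
        m = HOP.match(line)
        if m:
            hops.append([int(m.group(1)), False, []])
        elif not hops:
            continue
        rest = m.group(2) if m else line  # no hop number: extra router for the same hop
        hops[-1][1] = hops[-1][1] or bool(RTT.search(rest))
        hops[-1][2] += IP.findall(rest)
    return [tuple(h) for h in hops]

def last_reply(hops):
    """Last hop that returned any answer, or None if every probe timed out."""
    replied = [h for h in hops if h[1]]
    return replied[-1] if replied else None

def beyond_failure(failing, working):
    """Replying hops the working trace shows after the failing trace's last router."""
    last = last_reply(failing)
    for i, (_, _, ips) in enumerate(working):
        if last and set(ips) & set(last[2]):
            return [h for h in working[i + 1:] if h[1]]
    return None  # the two paths never share that router

# Hops trimmed from the two traces posted in this thread.
FAILING = """8 * ae-21-52.car1.Denver1.Level3.net (4.69.147.99) 17.103 ms
ae-11-51.car1.Denver1.Level3.net (4.69.147.67) 17.471 ms
9 CENIC.car1.Denver1.Level3.net (4.30.24.58) 48.744 ms 48.784 ms 50.649 ms
10 * * *"""
WORKING = """6 66 ms 70 ms 73 ms CENIC.car1.Denver1.Level3.net [4.30.24.58]
7 74 ms 73 ms 73 ms 198.83.83.5
8 67 ms 67 ms 67 ms 208.77.78.190
9 69 ms 69 ms 68 ms bldg116-0020.unm.edu [129.24.192.30]
10 * * * Request timed out.
11 68 ms 68 ms 69 ms unm.edu [129.24.168.32]"""

if __name__ == "__main__":
    print("failing trace last answered at:", last_reply(parse_trace(FAILING)))
    for hop in beyond_failure(parse_trace(FAILING), parse_trace(WORKING)):
        print("working trace continues through:", hop)
```

A silent hop in the middle of a trace that later resumes (hop 10 in the working trace) only means that router does not answer probes; the informative point is the last shared router after which one trace keeps going and the other never answers again.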