How can I track down what part of pfsense is blocking website access?


Your traceroute seems to indicate your routing is screwy. Should never see your default gateway as the hop multiple times. Maybe you have a subnet mask that's way out of whack or something similar. What does Diagnostics>Routes show? I doubt you're blocking it, seems more like a routing issue.


Author by

Chase Florell


Updated on September 18, 2022

Comments

  • Chase Florell
    Chase Florell over 1 year

    I've got a PFSense firewall/gateway on our network. Everything works great except for the fact that I cannot access one specific website.

    pfSense is running the following packages:

    • Country Block
    • LightSquid
    • nmap
    • notes
    • squid
    • squidGuard
    • Strikeback

    I can access every single website I've ever tried aside from one that we need for business use (http://bridalnetwork.ca).

    Here's the traceroute:

    frodo:~ chase$ traceroute bridalnetwork.ca 
    traceroute to  bridalnetwork.ca (192.197.103.73), 64 hops max, 52 byte packets  
     1  rohan (192.168.5.1)  6.618 ms  1.662 ms  9.207 ms  
     2  * * *  
     3  * * rohan (192.168.5.1)  7.225 ms !H  
     4  rohan (192.168.5.1)  5.314 ms !H 5.701 ms !H  7.573 ms !H  
    frodo:~ chase$
    

    How can I figure out what the reason behind the blockage is?

    Note: this has been tested on every computer on the network with the same results.
    PS: the pfSense box is 'rohan' (192.168.5.1).

    Here's what I get with Squid enabled
    [screenshot not preserved]

    and here's what I get with Squid disabled
    [screenshot not preserved]

  • Chase Florell
    Chase Florell about 12 years
    There is nothing in the firewall logs regarding that website, and I can't see anything in the pfctl command for that website either.
  • Wesley
    Wesley about 12 years
    @ChaseFlorell Can you use a DMZ port or separate external IP that doesn't pass through the pfsense gateway, but still goes through the same CPE / ISP gateway? Is the line DSL?
  • Chase Florell
    Chase Florell about 12 years
    I'll try hooking a box directly into the cable modem as soon as I get a chance.
  • Wesley
    Wesley about 12 years
    @ChaseFlorell I've seen ISP CPE stuff do some weird stuff like intermittently blocking certain sites - usually as a result of strange MTU issues or PPPoA/PPPoE.
  • Chase Florell
    Chase Florell about 12 years
    I'll have to check it out. I've been blaming this issue on my ISP for about 6 months. Now I'm thinking it's time I get to the bottom of the problem.
  • Chris Buechler
    Chris Buechler about 12 years
    Also, the output of "route -n get 192.197.103.73" would be telling. If that shows anything other than your default gateway IP, you have a routing issue. If it doesn't show "gateway" in that output, then you have a subnet mask wrong.
  • Chase Florell
    Chase Florell about 12 years
    That was exactly it. I had 192.168.5.1/8 instead of 192.168.5.1/24 in my LAN config. Wonder why it was ONLY affecting that one website...
  • noamik
    noamik about 9 years
    @ChaseFlorell It was only blocking that website, because all other websites you tried didn't have an IP in the 192.168.5.1/8 range. Of course there were likely thousands of websites you accidentally blocked but never used and thus never noticed not to work. The full range you accidentally blocked was 192.0.0.1 to 192.255.255.254. So any website with an IP NOT starting with 192. was routed just fine. You can do the math yourself using: jodies.de/ipcalc?host=192.168.5.1&mask1=8&mask2=
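
The mask error identified in the comments above, as an added example that is not part of the original thread: a simplified IPv4 route lookup showing why 192.197.103.73 is treated as directly attached under /8 but sent to the gateway under /24, plus a check that flags a private LAN address whose mask reaches outside RFC 1918 space. The gateway 203.0.113.1 and the second destination are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# RFC 1918 private ranges; a LAN prefix should sit entirely inside one of them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def connected_network(iface_cidr):
    """Network the box treats as directly attached for an address like 192.168.5.1/24."""
    return ipaddress.ip_interface(iface_cidr).network


def next_hop(dest, iface_cidr, default_gw):
    """Simplified lookup: connected route wins if dest is inside it, else default gateway."""
    if ipaddress.ip_address(dest) in connected_network(iface_cidr):
        # The box ARPs for dest on the LAN; an unanswered ARP surfaces as
        # "!H" (host unreachable) in traceroute.
        return "on-link"
    return default_gw


def overbroad_lan_prefix(iface_cidr):
    """True when a private IPv4 interface address has a mask that swallows public space."""
    iface = ipaddress.ip_interface(iface_cidr)
    if not iface.ip.is_private:
        return False
    return not any(iface.network.subnet_of(r) for r in RFC1918)


if __name__ == "__main__":
    GATEWAY = "203.0.113.1"          # constructed placeholder for the WAN gateway
    DESTS = ["192.197.103.73",       # the site from the question
             "198.51.100.10"]        # constructed: any address outside 192.0.0.0/8
    for lan in ("192.168.5.1/8", "192.168.5.1/24"):
        print(f"LAN {lan} -> connected network {connected_network(lan)}, "
              f"over-broad: {overbroad_lan_prefix(lan)}")
        for d in DESTS:
            print(f"  {d:<16} next hop: {next_hop(d, lan, GATEWAY)}")
```
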