[pfSense Support] can't get to specific site(subaru.com)

2008-10-09 Thread BSD Wiz
Going back a few weeks ago when I posted my issues getting to subaru.com, I came across another site that I could not get to behind pfSense (cisco.com).
I installed the Squid proxy and then I was able to get to subaru.com and cisco.com.


To refresh your memory, there are no rules blocking traffic on port 80. I'm on a cable modem. When on a shell on the firewall I can always telnet over port 80 to subaru.com, but I cannot from my client machines. The client sends a SYN but never receives the SYN/ACK from the firewall. However, the firewall does in fact get the SYN/ACK back from the webserver.


Finally, to my question: what are your thoughts as to why the proxy being installed solved my issue?


best,

-phil

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] can't get to specific site(subaru.com)

2008-10-09 Thread Ermal Luçi
On Fri, Oct 10, 2008 at 2:01 AM, BSD Wiz [EMAIL PROTECTED] wrote:
> Going back a few weeks ago when I posted my issues getting to subaru.com, I came across another site that I could not get to behind pfSense (cisco.com).
> I installed the Squid proxy and then I was able to get to subaru.com and cisco.com.
>
> To refresh your memory, there are no rules blocking traffic on port 80. I'm on a cable modem. When on a shell on the firewall I can always telnet over port 80 to subaru.com, but I cannot from my client machines. The client sends a SYN but never receives the SYN/ACK from the firewall. However, the firewall does in fact get the SYN/ACK back from the webserver.
>
> Finally, to my question: what are your thoughts as to why the proxy being installed solved my issue?

It's simple; as I said in a previous post, problems might arise from:
1- TCP MSS
2- timestamps not handled correctly
3- SACKs not handled properly by the receiving host
4- TCP options not correctly set by your host
...
Basically any part of a TCP header that pf checks for a state.

Now with Squid that works because the connection to the site is made directly from pfSense, which does know how to handle its own packets.

Mostly you seem to need more elaborate scrub rules for your hosts, which I suspect are having problems with path MTU discovery (a guess).


> best,
>
> -phil






-- 
Ermal




Re: [pfSense Support] can't get to specific site(subaru.com)

2008-10-09 Thread BSD Wiz
So you're telling me that the TCP/IP stack on 3 host machines on my network running Mac OS 10.4 and 10.5 is messed up?





On Oct 9, 2008, at 7:26 PM, Ermal Luçi wrote:

> On Fri, Oct 10, 2008 at 2:01 AM, BSD Wiz [EMAIL PROTECTED] wrote:
>> Going back a few weeks ago when I posted my issues getting to subaru.com, I came across another site that I could not get to behind pfSense (cisco.com).
>> I installed the Squid proxy and then I was able to get to subaru.com and cisco.com.
>>
>> To refresh your memory, there are no rules blocking traffic on port 80. I'm on a cable modem. When on a shell on the firewall I can always telnet over port 80 to subaru.com, but I cannot from my client machines. The client sends a SYN but never receives the SYN/ACK from the firewall. However, the firewall does in fact get the SYN/ACK back from the webserver.
>>
>> Finally, to my question: what are your thoughts as to why the proxy being installed solved my issue?
>
> It's simple; as I said in a previous post, problems might arise from:
> 1- TCP MSS
> 2- timestamps not handled correctly
> 3- SACKs not handled properly by the receiving host
> 4- TCP options not correctly set by your host
> ...
> Basically any part of a TCP header that pf checks for a state.
>
> Now with Squid that works because the connection to the site is made directly from pfSense, which does know how to handle its own packets.
>
> Mostly you seem to need more elaborate scrub rules for your hosts, which I suspect are having problems with path MTU discovery (a guess).



>> best,
>>
>> -phil







> --
> Ermal








Re: [pfSense Support] can't get to specific site(subaru.com)

2008-10-09 Thread BSD Wiz

I really appreciate your willingness to help me resolve this issue.

I just found the culprit. It is the wireless access point that these machines are connecting to. It's a Netgear WPN824 (RangeMax). When I plug directly into the router or another switch on my network I can access the sites with no problems.


thanks,
-phil




On Oct 9, 2008, at 8:03 PM, Chris Buechler wrote:


> On Thu, Oct 9, 2008 at 8:44 PM, BSD Wiz [EMAIL PROTECTED] wrote:
>> So you're telling me that the TCP/IP stack on 3 host machines on my network running Mac OS 10.4 and 10.5 is messed up?
>
> That would appear to be the case, yes. You have to have some sort of non-default settings on those hosts; most of our developers are Mac users and would have run into this long ago.
>
> If you can send me some capture files I'll take a look at what's happening on the wire. I'll need one for your inside interface and one for outside. Open two SSH sessions and run:
>
> tcpdump -ni fxp0 -s 0 -w /tmp/wan.pcap host 1.2.3.4
>
> replacing fxp0 with your real WAN interface, and 1.2.3.4 with the public IP of the website you're having issues reaching. cisco.com is probably a better one as it has a 1 day TTL and subaru.com has a 5 minute TTL, at least on the responses I'm getting. Hence there's a chance subaru.com will resolve to a different IP at some point during the capture, whereas cisco.com won't.
>
> The second tcpdump is the same as above, substituting fxp0 with your LAN interface, and call that file lan.pcap.
>
> Then try to access the site from a couple of problem machines about 5 times or so, waiting about 30 seconds between. When done, Ctrl-C both the tcpdumps.
>
> Then download both those files on the Diagnostics - Command page and email to me offlist.








Re: [pfSense Support] can't get to specific site(subaru.com)

2008-10-09 Thread [EMAIL PROTECTED]
When troubleshooting any connection issue, a true hardened way is to start at the device you know works, then work your way back device by device, cable by cable, until you find the problem.

After testing the ISP connection, a PC plugged directly into the pfSense should have been the next step. I've seen so much strange stuff with network equipment I don't take anything for granted anymore.


Glad you found the problem though

Adam

BSD Wiz wrote:

> I really appreciate your willingness to help me resolve this issue.
>
> I just found the culprit. It is the wireless access point that these machines are connecting to. It's a Netgear WPN824 (RangeMax). When I plug directly into the router or another switch on my network I can access the sites with no problems.
>
> thanks,
> -phil




> On Oct 9, 2008, at 8:03 PM, Chris Buechler wrote:
>
>> On Thu, Oct 9, 2008 at 8:44 PM, BSD Wiz [EMAIL PROTECTED] wrote:
>>> So you're telling me that the TCP/IP stack on 3 host machines on my network running Mac OS 10.4 and 10.5 is messed up?
>>
>> That would appear to be the case, yes. You have to have some sort of non-default settings on those hosts; most of our developers are Mac users and would have run into this long ago.
>>
>> If you can send me some capture files I'll take a look at what's happening on the wire. I'll need one for your inside interface and one for outside. Open two SSH sessions and run:
>>
>> tcpdump -ni fxp0 -s 0 -w /tmp/wan.pcap host 1.2.3.4
>>
>> replacing fxp0 with your real WAN interface, and 1.2.3.4 with the public IP of the website you're having issues reaching. cisco.com is probably a better one as it has a 1 day TTL and subaru.com has a 5 minute TTL, at least on the responses I'm getting. Hence there's a chance subaru.com will resolve to a different IP at some point during the capture, whereas cisco.com won't.
>>
>> The second tcpdump is the same as above, substituting fxp0 with your LAN interface, and call that file lan.pcap.
>>
>> Then try to access the site from a couple of problem machines about 5 times or so, waiting about 30 seconds between. When done, Ctrl-C both the tcpdumps.
>>
>> Then download both those files on the Diagnostics - Command page and email to me offlist.









