Re: [pfSense Support] Strange issues with Fedex.com
I have had similar issues with the MTU that were unrelated to pfSense. The trouble I had was with an ISP supplied DSL modem that could not handle the MTU sizes in a bridged mode. We had to replace the ISP router with a Cisco model that would work correctly. The problem router was a SpeedStream. The problem manifested by certain sites not working and everything else appearing to work flawlessly.

Robert

On Wednesday 01 August 2007 14:53, Scott Ullrich wrote:
> On 8/1/07, Tim Dickson [EMAIL PROTECTED] wrote:
> > Plain Text noted (thanks, just wanted to get the pass image in the rule :) )
> > Recommended MTU is 1504, so 1500 should be fine (I switched to 1400 just for kicks to no avail)
> > FYI, this is ONLY for fedex.com too...
> > Am I right to assume it isn't the firewall?
> > -Tim
>
> Hrm, I wouldn't be so sure as of yet. What version are you on? If you are not on a recent snapshot can you please try? We fixed a bug in PF w/ modulate state but I doubt that would help but it's worth a try.
>
> The only other thing that I can think of would be to try 1300 as a MTU. I have seen this problem when MTU issues are on the WAN link.
>
> Scott

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [pfSense Support] Strange issues with Fedex.com
On 8/1/07, Tim Dickson [EMAIL PROTECTED] wrote:
> I am having a weird issue accessing fedex.com and I'm wondering if you can help me determine if it is firewall related (or what it is).
>
> Now almost all of our machines (except servers) are nat'ed to the same external IP. (servers are 1:1 to their own public IP) Half of our workstations can access fedex.com the others cannot (although every once in a while the machines can access it). And half of our servers can and half cannot.
>
> DNS resolves correctly and I can take the IP from a machine that works and paste it into iexplorer and it won't resolve. I tried Mozilla firefox thinking it might be an IE messup... didn't work there either.
>
> I've reset all states in the firewall and resolved it from the firewall. (I've also checked all rules, which I don't have any outgoing rules for our network besides pass all rule for the subnet) And when I found a machine that worked I swapped IP's with a machine that didn't work. The machine still wouldn't work (in case it happened to be a rule in the firewall I missed).
>
> I am totally lost at what this could be... here is what I've concluded:
>
> DNS issue - Nope, able to resolve correctly (using nslookup)
> IP conflict - Nope, changed IP's and no dice
> Firewall issue - all machines use the same external IP so I don't think fedex would be blocking our IP, logs show nothing.
> Tracert - passes well past our gateway.
>
> If I turn on logging I can see the packet hit the firewall so I don't think it is anything internal.
>
> Aug 1 10:07:20 LAN 192.168.5.18:3574 199.81.218.50:80 TCP
>
> I've changed the Optimization Options as well… is this a firewall issue? I'm stuck! If you guys can think of anything I skipped let me know.

Is the MTU on WAN correct to what the ISP expects? Maybe phone your ISP and ask if 1500 is okay for your connection. If you are using PPPoE you might want to lower your MTU to 1400 or so and see if it helps.

Scott

PS: please send plain text emails to public mailing lists. Sending HTML is considered to be bad manners.

RE: [pfSense Support] Strange issues with Fedex.com
Plain Text noted (thanks, just wanted to get the pass image in the rule :) )

Recommended MTU is 1504, so 1500 should be fine (I switched to 1400 just for kicks to no avail)

FYI, this is ONLY for fedex.com too...

Am I right to assume it isn't the firewall?

-Tim

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 01, 2007 11:28 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Strange issues with Fedex.com

On 8/1/07, Tim Dickson [EMAIL PROTECTED] wrote:
> I am having a weird issue accessing fedex.com and I'm wondering if you can help me determine if it is firewall related (or what it is).
>
> Now almost all of our machines (except servers) are nat'ed to the same external IP. (servers are 1:1 to their own public IP) Half of our workstations can access fedex.com the others cannot (although every once in a while the machines can access it). And half of our servers can and half cannot.
>
> DNS resolves correctly and I can take the IP from a machine that works and paste it into iexplorer and it won't resolve. I tried Mozilla firefox thinking it might be an IE messup... didn't work there either.
>
> I've reset all states in the firewall and resolved it from the firewall. (I've also checked all rules, which I don't have any outgoing rules for our network besides pass all rule for the subnet) And when I found a machine that worked I swapped IP's with a machine that didn't work. The machine still wouldn't work (in case it happened to be a rule in the firewall I missed).
>
> I am totally lost at what this could be... here is what I've concluded:
>
> DNS issue - Nope, able to resolve correctly (using nslookup)
> IP conflict - Nope, changed IP's and no dice
> Firewall issue - all machines use the same external IP so I don't think fedex would be blocking our IP, logs show nothing.
> Tracert - passes well past our gateway.
>
> If I turn on logging I can see the packet hit the firewall so I don't think it is anything internal.
>
> Aug 1 10:07:20 LAN 192.168.5.18:3574 199.81.218.50:80 TCP
>
> I've changed the Optimization Options as well. is this a firewall issue? I'm stuck! If you guys can think of anything I skipped let me know.

Is the MTU on WAN correct to what the ISP expects? Maybe phone your ISP and ask if 1500 is okay for your connection. If you are using PPPoE you might want to lower your MTU to 1400 or so and see if it helps.

Scott

PS: please send plain text emails to public mailing lists. Sending HTML is considered to be bad manners.

Re: [pfSense Support] Strange issues with Fedex.com
On 8/1/07, Tim Dickson [EMAIL PROTECTED] wrote:
> Plain Text noted (thanks, just wanted to get the pass image in the rule :) )
> Recommended MTU is 1504, so 1500 should be fine (I switched to 1400 just for kicks to no avail)
> FYI, this is ONLY for fedex.com too...
> Am I right to assume it isn't the firewall?
> -Tim

Hrm, I wouldn't be so sure as of yet. What version are you on? If you are not on a recent snapshot can you please try? We fixed a bug in PF w/ modulate state but I doubt that would help but it's worth a try.

The only other thing that I can think of would be to try 1300 as a MTU. I have seen this problem when MTU issues are on the WAN link.

Scott

Re: [pfSense Support] Strange issues with Fedex.com
On 01.08.2007 at 20:53, Scott Ullrich wrote:
> On 8/1/07, Tim Dickson [EMAIL PROTECTED] wrote:
> > Plain Text noted (thanks, just wanted to get the pass image in the rule :) )
> > Recommended MTU is 1504, so 1500 should be fine (I switched to 1400 just for kicks to no avail)
> > FYI, this is ONLY for fedex.com too...
> > Am I right to assume it isn't the firewall?
> > -Tim
>
> Hrm, I wouldn't be so sure as of yet. What version are you on? If you are not on a recent snapshot can you please try? We fixed a bug in PF w/ modulate state but I doubt that would help but it's worth a try.
>
> The only other thing that I can think of would be to try 1300 as a MTU. I have seen this problem when MTU issues are on the WAN link.

I have such an MTU problem (going to eBay.com, for example, usually doesn't work, or cgiX.ebay.com etc.) - but it requires setting the MTU to 1452. Values less than 1452 don't work so well, either.

The half of your workstations that can access the site - are they always the same half?

What you can do is run a tcpdump on the WAN-interface (or tcpdump on a host behind the WAN-interface, via a hub) to see what pfSense is doing and what fedex is sending (if at all).

cheers,
Rainer
--
Rainer Duffner
CISSP, LPI, MCSE
[EMAIL PROTECTED]

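The WAN-side tcpdump check suggested in the message above, as an added example that is not part of the thread: a small Python pass over `tcpdump -n` text output that reports the MSS each end advertised and flags the pattern where the handshake and request go out but no reply payload ever arrives. The function name `diagnose`, the sample lines and the WAN address 203.0.113.10 are constructed for illustration.

```python
import re

# Constructed sample in `tcpdump -n` text format (not a capture from the thread).
# 203.0.113.10 is a stand-in for the NATed WAN address; 199.81.218.50:80 is the
# destination from the firewall log line quoted in the thread.
SAMPLE = """\
10:07:20.100 IP 203.0.113.10.3574 > 199.81.218.50.80: Flags [S], seq 100, win 65535, options [mss 1460], length 0
10:07:20.180 IP 199.81.218.50.80 > 203.0.113.10.3574: Flags [S.], seq 900, ack 101, win 8192, options [mss 1460], length 0
10:07:20.181 IP 203.0.113.10.3574 > 199.81.218.50.80: Flags [.], ack 901, win 65535, length 0
10:07:20.182 IP 203.0.113.10.3574 > 199.81.218.50.80: Flags [P.], seq 101:521, ack 901, win 65535, length 420
10:07:20.262 IP 199.81.218.50.80 > 203.0.113.10.3574: Flags [.], ack 521, win 8192, length 0
10:07:23.190 IP 203.0.113.10.3574 > 199.81.218.50.80: Flags [.], ack 901, win 65535, length 0
"""

TCP = re.compile(r"IP (\S+)\.\d+ > (\S+)\.\d+: Flags \[([^\]]*)\].*?length (\d+)")
MSS = re.compile(r"mss (\d+)")
ICMP = re.compile(r"ICMP .*need to frag \(mtu (\d+)\)")

def diagnose(capture, wan_ip):
    """Heuristic only: a silent server looks the same as dropped full-size segments."""
    s = {"client_mss": None, "server_mss": None, "sent": 0, "received": 0,
         "icmp_mtu": None}
    for line in capture.splitlines():
        icmp = ICMP.search(line)
        if icmp:  # a router on the path reported its MTU
            s["icmp_mtu"] = int(icmp.group(1))
            continue
        m = TCP.search(line)
        if not m:
            continue
        outbound, flags, length = m.group(1) == wan_ip, m.group(3), int(m.group(4))
        mss = MSS.search(line)
        if "S" in flags and mss:  # SYN or SYN-ACK carries the advertised MSS
            s["client_mss" if outbound else "server_mss"] = int(mss.group(1))
        s["sent" if outbound else "received"] += length
    handshake = None not in (s["client_mss"], s["server_mss"])
    # MSS + 40 bytes of IPv4/TCP headers = the MTU both ends assume for the path
    s["assumed_mtu"] = min(s["client_mss"], s["server_mss"]) + 40 if handshake else None
    if s["icmp_mtu"] is not None:
        s["verdict"] = "icmp-frag-needed"
    elif not handshake:
        s["verdict"] = "no-handshake"
    elif s["sent"] > 0 and s["received"] == 0:
        s["verdict"] = "suspect-mtu-blackhole"
    else:
        s["verdict"] = "data-flowing"
    return s
```

On the constructed sample both ends advertise MSS 1460, so each assumes a 1500-byte path; on a link that needs an MTU of 1452, as in the message above, full-size reply segments exceed it while the small handshake packets pass.
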
RE: [pfSense Support] Strange issues with Fedex.com
I am on 1.01 release, I was holding off till final releases since this is in production. I can upgrade later today and try.

Occasionally it will work from a machine that doesn't work. If it ends up working it will continue to work pretty consistently until it doesn't work then it won't work for a while.

I'll keep you posted... Thanks for the help.

-Tim

-Original Message-
From: Rainer Duffner [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 01, 2007 12:13 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Strange issues with Fedex.com

On 01.08.2007 at 20:53, Scott Ullrich wrote:
> On 8/1/07, Tim Dickson [EMAIL PROTECTED] wrote:
> > Plain Text noted (thanks, just wanted to get the pass image in the rule :) )
> > Recommended MTU is 1504, so 1500 should be fine (I switched to 1400 just for kicks to no avail)
> > FYI, this is ONLY for fedex.com too...
> > Am I right to assume it isn't the firewall?
> > -Tim
>
> Hrm, I wouldn't be so sure as of yet. What version are you on? If you are not on a recent snapshot can you please try? We fixed a bug in PF w/ modulate state but I doubt that would help but it's worth a try.
>
> The only other thing that I can think of would be to try 1300 as a MTU. I have seen this problem when MTU issues are on the WAN link.

I have such an MTU problem (going to eBay.com, for example, usually doesn't work, or cgiX.ebay.com etc.) - but it requires setting the MTU to 1452. Values less than 1452 don't work so well, either.

The half of your workstations that can access the site - are they always the same half?

What you can do is run a tcpdump on the WAN-interface (or tcpdump on a host behind the WAN-interface, via a hub) to see what pfSense is doing and what fedex is sending (if at all).

cheers,
Rainer
--
Rainer Duffner
CISSP, LPI, MCSE
[EMAIL PROTECTED]