Ssl – Strange issue accessing a single site behind pfsense firewalls

firewallpfsensessl

One of our users is having trouble accessing a single website from behind our pfSense firewall. The site is SSL-only and when she attempts to connect, she gets a CONNECTION_REFUSED in Chrome. We have tested this using multiple WAN, getting the same issue. When we access the site directly through any WAN link (without going through the pfSense) it works just fine. Running traceroute provides information up to the edge of the other site, which is consistent with them just refusing ICMP. Name resolution is returning accurate results as well. pfSense is not reporting any outbound traffic being blocked and as far as the people on the other end can tell, their edge firewalls are not blocking the traffic either. We do not have any known issues accessing other websites. What could be the problem here?

Best Answer

Still happening? I don't have a definitive answer, but I do have some suggestions:

When tracerouting from somewhere topologically close, but outside the firewall, do you get the same path?
Could the destination be doing something like blocking incoming connections from specific platforms (via p0f or similar)?
Can you use pfSense's packet capture to watch the connection get refused?
Can you sniff the traffic outside the firewall, to make sure that the refusal is or isn't happening within the pfSense box?

Related Solutions

Openvpn – pfSense Site-toSite VPN with OpenVPN connects but won’t route traffic

Here's what may be an issue. Imagine you have following network:

address pool: 10.1.1.0/255.255.255.0
router: 10.1.1.1
internal interface on internal vpn server: 10.1.1.2
some external machine that VPNs to network: 10.2.2.2
some internal client machine: 10.1.1.90

When you trying to access SIC from external VPN box, then traffic route goes like this:

10.2.2.2
vpn (internet)
10.1.1.2
10.1.1.90
OK

Seems fine, HOWEVER, in order for traffic to flow, the 10.1.1.90 machine should be able to respond and that means that packets from it must be routable to 10.2.2.2 too. Internal client has obviously ip: 10.1.1.90, mask: 255.255.255.0 and router: 10.1.1.90. Therefore, packets would be routed like this:

10.1.1.90
10.1.1.1 (sine it is router, and 10.2.2.2 is not directly addressable)
internet
NOT FOUND

Basically, reply packets will not even reach VPN. What can you do? Obviously, what will work is to add route to internal client to route all packets to 10.2.2.2 not to VPN box instead of router, such as (Windows box):

route add 10.2.2.0 mask 255.255.255.0 10.1.1.2

this will resolve the problem on single-machine level. Reply packets will go:

10.1.1.90
10.1.1.2 (explicit route)
vpn (internet)
10.2.2.2

To resolve issue on the network level, you must modify router in a same matter to redirect all traffic going to 10.2.2.0 to 10.1.1.2. This way reply packet will go:

10.1.1.90
10.1.1.1
10.1.1.2
vpn (internet)
10.2.2.2

Another solution is: make your VPN box to NAT on 10.1.1.2 interface. This way for internal machines it will look as if all the traffic originates from 10.1.1.2, and replies will go to 10.1.1.2. I would advise to go through routing though, since NAT will require additional resources on VPN box for connection tracker

Firewall – Unable to access internal network through PfSense WAN port

Without seeing your pfsense rules my inclination is to say "Working As Designed" -- most firewalls are configured to prevent people on the outside (WAN port) from accessing resources on the inside (LAN port).

If you want to let people from the outside in you need to either punch firewall holes (including 1:1 NAT or port redirection, if you're using NAT) or set up a VPN. The latter is a better solution in nearly every case...

Best Answer

Related Solutions

Openvpn – pfSense Site-toSite VPN with OpenVPN connects but won’t route traffic

Firewall – Unable to access internal network through PfSense WAN port

Related Topic