I’ve recently had an issue with a pfSense firewall, version 2.6.0, that caused users on multiple devices to experience “connection timed out” for google.com and Gmail. YouTube and other websites like Bing were working fine. Pinging google.com timed out, and traceroute wasn’t working either.
I added Google, Gmail, and YouTube to the whitelist, and tested resetting DHCP and DNS. The only thing that seemed to work temporarily was to restart the pfSense device. I searched bing.com for the first time in years, and also Google on my phone, and none of the forums had the answer. One post on reddit even said: “It’s not pfsense, this is known in the industry as a layer 8 issue. 😜 Check pfblocker logs and look for the blocks. A note on the whitelist, sometimes you may need to clear your state table (shouldn’t have to but with any rule changes, clearing the states is a good troubleshooting thing).” Reading this, I felt hopeless and went to bed.
The next day, I cleared the states, and still nothing. The problem this time was permanent on my desktop but periodic for other devices that were on the wifi, which confused me more. So then, by finally looking through the proper logs, I found in pfBlockerNG that IPs that I cross-referenced as Google’s servers were being blocked by the “Block snort2c hosts” rule in the firewall. Okay, so I searched the snort2c table to find those exact IPs from Google. Finally!
My current solution (which is still a work in progress) was to reset the snort2c table, which for some reason had the resolved Google server IPs for google.com in the block table. I realized that even though I had whitelisted www.google.com and google.com, they were still being blocked, because pfBlockerNG / snort2c had added the resolved Google IPs as blocks.
Now all I need to do is diagnose why the rule in pfblockerng is causing the snort2c block, regardless of the addition of google to the whitelist. I’ll post an update when I find the best solution vs. just resetting the snort2c table.
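The cross-check described above (resolve the name, then look for those addresses in the snort2c table) can be scripted, as in this added example that is not part of the original post. On pfSense the table would be read with `pfctl -t snort2c -T show` and the name resolved from the firewall itself; here both inputs are constructed sample data (TEST-NET addresses) so it runs offline.

```shell
#!/bin/sh
# Added example: find which of a host name's resolved IPs are sitting in the
# pf table that Suricata's legacy-mode blocking fills (the snort2c table).

# Constructed stand-in for the A records google.com resolved to (sample values).
resolved_ips() {
  cat <<'EOF'
192.0.2.10
192.0.2.11
192.0.2.12
EOF
}

# Constructed stand-in for `pfctl -t snort2c -T show` output (sample values).
# pfctl indents each entry with spaces, which is why whitespace is stripped below.
snort2c_table() {
  cat <<'EOF'
   198.51.100.7
   192.0.2.10
   203.0.113.44
   192.0.2.12
EOF
}

# Print each resolved IP that is currently in the block table, one per line.
# Both lists are normalised and sorted because comm(1) needs sorted input.
blocked_overlap() {
  resolved_ips  | sed 's/^[[:space:]]*//' | sort -u > "/tmp/_resolved.$$"
  snort2c_table | sed 's/^[[:space:]]*//' | sort -u > "/tmp/_table.$$"
  comm -12 "/tmp/_resolved.$$" "/tmp/_table.$$"
  rm -f "/tmp/_resolved.$$" "/tmp/_table.$$"
}

# Number of overlapping entries; 0 means none of the name's IPs is blocked by snort2c.
blocked_count() {
  blocked_overlap | grep -c .
}

blocked_overlap
```

A non-empty result points at Suricata (not the pfBlockerNG whitelist) as the source of the block, so the next place to look is which Suricata alert added those entries.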
Update | 10-6-2022
I’ve got an update to this post: even though pfBlockerNG is showing the blocked IPs from Google, apparently Suricata is to blame. Hold on, I’m no pfSense master, just a humble student of networking, so I’ll get to the point.
After some additional research on the almighty Google, I think I might have found a solution (still testing the viability at the moment). It seems as though the best solution is to set a modified “Remove Blocked Hosts Interval” of 1 hour.
“Please select the amount of time you would like hosts to be blocked. Note this setting is only applicable when using Legacy Mode blocking! This setting is ignored when using Inline IPS Mode.
Hint: in most cases, 1 hour is a good choice.”
To find this setting: Services -> Suricata -> Global Settings -> towards the bottom [Remove Blocked Hosts Interval]
I changed mine from 4 days to 1 hour in hopes that google IPs being blocked by snort will at least be removed at a faster rate than before in my configuration.
I also chose to turn on logs for Suricata below the remove blocked hosts setting.
References:
https://forum.netgate.com/topic/131510/pfsense-keeps-blocking-google-com-i-lost-all-hope
https://www.reddit.com/r/PFSENSE/comments/oq4s6s/pfsense_blocking_googlecom_and_searches_but/
https://forum.netgate.com/topic/171592/suricata-blocking-google-gmail
https://www.reddit.com/r/PFSENSE/comments/qnhqvr/help_100_packet_loss_on_wan_link_not_isp_does_not/
https://forum.netgate.com/topic/137889/snort/2 (Solution)