0

One of our users is having trouble accessing a single website from behind our pfSense firewall. The site is SSL-only, and when she attempts to connect, she gets a CONNECTION_REFUSED in Chrome. We have tested this using multiple WANs, getting the same issue. When we access the site directly through any WAN link (without going through the pfSense) it works just fine. Running traceroute provides information up to the edge of the other site, which is consistent with them just refusing ICMP. Name resolution is returning accurate results as well. pfSense is not reporting any outbound traffic being blocked and as far as the people on the other end can tell, their edge firewalls are not blocking the traffic either. We do not have any known issues accessing other websites. What could be the problem here?

tacos_tacos_tacos

1 Answer

0

Still happening? I don't have a definitive answer, but I do have some suggestions:

  • When tracerouting from somewhere topologically close, but outside the firewall, do you get the same path?

  • Could the destination be doing something like blocking incoming connections from specific platforms (via p0f or similar)?

  • Can you use pfSense's packet capture to watch the connection get refused?

  • Can you sniff the traffic outside the firewall, to make sure that the refusal is or isn't happening within the pfSense box?

Royce Williams
    The remote site insisted that nothing was going wrong on their end and that it was some problem with pfSense. Normally I would not believe this, but what made things worse was that a) we tested from at least four different WANs (including another pfSense at another site) and the same thing happened... Of course it turned out that the destination was blocking the traffic inadvertently. – tacos_tacos_tacos May 03 '13 at 21:18
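
The capture comparison suggested in the answer can be scripted. The following is an added example, not part of the original thread: it assumes the LAN-side and WAN-side captures are available as `tcpdump -n` text output, and the addresses, ports and function names are constructed for illustration.

```python
import re

# Matches `tcpdump -n` text: "<ts> IP src.sport > dst.dport: Flags [..], ..."
LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample captures (documentation address ranges, NAT on the WAN side).
LAN_SAMPLE = """\
10:15:01.100000 IP 192.168.1.10.51515 > 203.0.113.5.443: Flags [S], seq 1000, win 65535, length 0
10:15:01.140000 IP 203.0.113.5.443 > 192.168.1.10.51515: Flags [R.], seq 0, ack 1001, win 0, length 0
"""
WAN_SAMPLE = """\
10:15:01.100500 IP 198.51.100.7.40222 > 203.0.113.5.443: Flags [S], seq 1000, win 65535, length 0
10:15:01.139500 IP 203.0.113.5.443 > 198.51.100.7.40222: Flags [R.], seq 0, ack 1001, win 0, length 0
"""

def summarize(capture, server, port=443):
    # Count client SYNs sent to server:port and SYN-ACKs / RSTs coming back from it.
    seen = {"syn": 0, "synack": 0, "rst": 0}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        flags = m["flags"]
        if m["dst"] == server and int(m["dport"]) == port and flags == "S":
            seen["syn"] += 1
        elif m["src"] == server and int(m["sport"]) == port:
            if flags == "S.":
                seen["synack"] += 1
            elif "R" in flags:  # [R] or [R.]
                seen["rst"] += 1
    return seen

def locate_refusal(lan_capture, wan_capture, server, port=443):
    # NAT rewrites the client address, so both sides are matched on server:port only.
    lan, wan = summarize(lan_capture, server, port), summarize(wan_capture, server, port)
    if lan["syn"] == 0:
        return "no attempt captured on LAN side"
    if lan["synack"] and wan["synack"]:
        return "handshake answered; not refused at TCP level"
    if wan["syn"] == 0:
        return "SYN never left the firewall: refusal is local"
    if wan["rst"]:
        return "RST arrived on WAN side: refusal is upstream of the firewall"
    if lan["rst"]:
        return "RST only on LAN side: firewall answered for the server"
    return "SYN left, nothing came back: dropped upstream or on return path"
```

An RST seen on the WAN side only shows that the refusal happened beyond the firewall; it does not distinguish the destination from a device in the path.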