

PFSense - Troubleshooting

PFSENSE BEHIND A ROUTER

From: http://hakology.co.uk/2014/02/pfsense-behind-a-router/

Work down the list from the top; the first test that fails points at the layer to fix. The pfSense-side pings are run from the firewall itself (Diagnostics → Ping), the client-side ones from a machine on the LAN.

Test                                       Result  Likely cause
Can pfSense ping the router?               NO      WAN config error
Can pfSense ping a pfSense client?         NO      LAN config error / client firewall
Can a pfSense client ping pfSense?         NO      LAN config error / client firewall
Can pfSense ping 8.8.8.8?                  NO      ADSL/cable router config error
Can a pfSense client ping the router?      NO      NAT error
Can a pfSense client ping 8.8.8.8?         NO      NAT error / ADSL/cable router config error
Can a pfSense client ping 8.8.8.8?         YES     All good (IP connectivity works end to end)
Can a pfSense client load a website?       NO      DNS error; check everything above is OK first
Can a pfSense client load a website?       YES     Everything is working
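The client-side half of this ladder, scripted as an added example (not from the original page or from hakology): it pings pfSense, the upstream router and a public address, then resolves and fetches a test hostname, and applies the table's rules to the first failure. The addresses 192.168.1.1, 192.168.0.1, 8.8.8.8 and www.example.com are assumed defaults that can be overridden through the environment; the pfSense-side pings still have to be run on the firewall from Diagnostics → Ping.

```shell
#!/bin/sh
# Added example, not from the original page: runs the client-side half of the
# ping ladder from a LAN client and names the first failing layer.
# The pfSense-side pings (pfSense -> router, pfSense -> 8.8.8.8) must be run on
# the firewall itself (Diagnostics -> Ping), so they are not scripted here.
# Assumed addresses (override via environment): pfSense LAN IP, upstream router
# IP, a public IP, and a hostname to resolve and fetch.
PFSENSE_LAN="${PFSENSE_LAN:-192.168.1.1}"
UPSTREAM_ROUTER="${UPSTREAM_ROUTER:-192.168.0.1}"
INTERNET_IP="${INTERNET_IP:-8.8.8.8}"
TEST_HOST="${TEST_HOST:-www.example.com}"
# One echo request, 2 s wait (iputils syntax; on BSD/macOS -W is milliseconds, adjust).
PING_OPTS="${PING_OPTS:--c 1 -W 2}"

# Each probe prints OK or FAIL so the results can be fed to diagnose() below.
probe_ping() {
    # PING_OPTS is deliberately unquoted so it word-splits into separate flags.
    if ping $PING_OPTS "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
probe_dns() {
    if command -v getent >/dev/null 2>&1; then
        getent hosts "$1" >/dev/null 2>&1 && echo OK || echo FAIL
    else
        nslookup "$1" >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}
probe_http() {
    curl -sS -m 5 -o /dev/null "http://$1/" 2>/dev/null && echo OK || echo FAIL
}

# diagnose PFSENSE ROUTER INTERNET DNS WEB   (each OK or FAIL)
# Applies the table's rules in order: the first failure decides the verdict.
diagnose() {
    if [ "$1" != OK ]; then echo "LAN config error / client firewall"; return; fi
    if [ "$2" != OK ]; then echo "NAT error"; return; fi
    if [ "$3" != OK ]; then echo "NAT error / ADSL-cable router config error"; return; fi
    if [ "$4" != OK ]; then echo "DNS error"; return; fi
    # Not in the table: IP and DNS both work but an HTTP fetch fails, which points
    # past basic connectivity at whatever sits in the web path (proxy/filter rules).
    if [ "$5" != OK ]; then echo "Web fetch failed although IP and DNS work: check proxy/filter rules"; return; fi
    echo "All good"
}

run_probes() {
    p=$(probe_ping "$PFSENSE_LAN");     echo "client -> pfSense ($PFSENSE_LAN): $p"
    r=$(probe_ping "$UPSTREAM_ROUTER"); echo "client -> upstream router ($UPSTREAM_ROUTER): $r"
    i=$(probe_ping "$INTERNET_IP");     echo "client -> Internet IP ($INTERNET_IP): $i"
    d=$(probe_dns "$TEST_HOST");        echo "client -> resolve $TEST_HOST: $d"
    w=$(probe_http "$TEST_HOST");       echo "client -> http://$TEST_HOST/: $w"
    echo "Diagnosis: $(diagnose "$p" "$r" "$i" "$d" "$w")"
}

# Probes only run when explicitly requested, so the file can also be sourced
# just for diagnose():   PFCHECK_RUN=1 sh pfsense-ladder.sh
if [ -n "${PFCHECK_RUN:-}" ]; then run_probes; fi
```

Run it as `PFCHECK_RUN=1 sh pfsense-ladder.sh` from a LAN client; the last line is the table's verdict for the first probe that failed. Because the ladder stops at the first failure, a "NAT error" verdict is only meaningful once the client can already reach pfSense, which is why the checks are ordered as they are.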

Firewall Blocking an Internal Address

Try a pass-all rule

pfSense evaluates interface rules top down and the first match wins, so add a temporary pass-all rule at the top of the rule set for that VLAN's interface and enable logging on it.

If the traffic now gets through, the block is coming from a rule further down (or from the default deny). Disable the temporary rule again and work through the remaining rules one at a time until the culprit is found. Remove the pass-all rule when you are done; a logged "allow everything" left at the top of a VLAN is an open door, not a fix.


Check ARP tables

Navigate to Diagnostics → ARP Table.

While the client pings pfSense on 192.168.1.1, the client's IP should appear in pfSense's ARP table paired with the client's MAC address. If it never appears, the client's frames are not reaching the pfSense interface at all (wrong VLAN tag, switch port or cabling), which is a layer-2 problem rather than a firewall rule.

On the client, check the reverse in its own ARP cache (for example with arp -a): the entry for 192.168.1.1 must carry the MAC of pfSense's LAN interface, which is shown under Status → Interfaces.

If the MAC address does not match the pfSense MAC address:

  • A stale entry for the IP may be cached in the ARP table, so delete it.
  • The system should re-learn the entry correctly on the next exchange.
  • If a different MAC keeps coming back, another device is answering for that IP (a duplicate address), which explains why the client's traffic goes to the wrong place.

Check the Firewall Logs

Check the firewall logs at Status → System Logs → Firewall and filter on the internal address. A block entry shows the interface, direction, protocol and ports, and clicking the action icon shows which rule produced it; the pass entries from a logged pass-all rule appear here as well, which confirms the traffic is reaching the firewall.
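The same triage from the shell, as an added example that is not part of the original page: it reads pfSense filter.log lines, keeps those involving one internal address, and prints the action, interface, protocol, endpoints and the rule's tracker ID, which can then be matched against the rule set with pfctl -vvsr. The log lines embedded in the script are constructed samples in the documented filterlog CSV layout, and the tracker IDs, interface names and addresses in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: filters pfSense filter.log lines for
# one internal address and prints which rule (by tracker ID) blocked or passed
# each packet. On a firewall, feed it real data instead of the samples below:
#   clog /var/log/filter.log | sh filterlog-triage.sh        (pfSense 2.4, binary log)
#   sh filterlog-triage.sh < /var/log/filter.log             (pfSense 2.5+, plain text)
# and look the tracker up in the loaded rule set:  pfctl -vvsr | grep -w <tracker>
#
# The CSV payload is the last whitespace-separated token of each syslog line.
# IPv4 fields (1-based): 4 tracker, 5 interface, 7 action, 8 direction, 9 ip-version,
# 17 protocol, 19 src, 20 dst, 21 sport, 22 dport.  IPv6: 13 protocol, 16 src,
# 17 dst, 18 sport, 19 dport.  Ports only exist for tcp/udp.
filterlog_triage() {
    awk -v want="$1" '
    {
        n = split($NF, f, ",")
        if (n < 9) next
        if (f[9] == "4") { proto = f[17]; src = f[19]; dst = f[20]; sp = f[21]; dp = f[22] }
        else             { proto = f[13]; src = f[16]; dst = f[17]; sp = f[18]; dp = f[19] }
        if (want != "" && src != want && dst != want) next
        if (proto == "tcp" || proto == "udp") { src = src ":" sp; dst = dst ":" dp }
        printf "%-5s %-3s %-6s %-4s %s -> %s  tracker=%s\n", f[7], f[8], f[5], proto, src, dst, f[4]
    }'
}

# Number of blocked packets seen for an address: a quick yes/no on "is it the firewall".
count_blocks() {
    filterlog_triage "$1" | awk '$1 == "block" { c++ } END { print c + 0 }'
}

# Constructed sample lines: a client's HTTPS connection to the pfSense GUI being
# blocked, an allowed DNS query from the same client, and an ICMP echo request
# blocked on a VLAN sub-interface.
SAMPLE_LOG='Jul 15 09:30:01 pfSense filterlog[13219]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,51234,443,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Jul 15 09:30:02 pfSense filterlog[13219]: 7,,,1000000110,igb1,match,pass,in,4,0x0,,64,4321,0,none,17,udp,61,192.168.1.50,192.168.1.1,53321,53,41
Jul 15 09:30:03 pfSense filterlog[13219]: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,64,222,0,none,1,icmp,84,192.168.20.9,192.168.1.1,request,1234,1'

# Demonstration on the samples (no firewall needed):
printf '%s\n' "$SAMPLE_LOG" | filterlog_triage 192.168.1.50
echo "blocked packets for 192.168.1.50: $(printf '%s\n' "$SAMPLE_LOG" | count_blocks 192.168.1.50)"
```

Two blocked entries sharing one tracker (as the first and third sample lines do) is the pattern to look for: one rule is dropping traffic on more than one interface, and the tracker tells you which rule without guessing from descriptions.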


SSL_ERROR_RX_RECORD_TOO_LONG

The browser reports SSL_ERROR_RX_RECORD_TOO_LONG when the first bytes it receives on a TLS connection are not a TLS record, typically a plaintext HTTP response (such as a proxy block page) arriving where the ServerHello was expected. It shows up on several unrelated sites, sometimes clears with a refresh and sometimes persists.

Usually seen when Squid's SSL/MITM Mode is set to Splice All.

Can't connect to 192.168.1.1:443 (certificate verify failed)

A TLS client refuses the connection because it cannot verify the certificate presented by 192.168.1.1:443 (here a Perl LWP script; a browser shows a certificate warning instead):

SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 50.

Check:

openssl s_client -connect 192.168.1.1:443

returns:

...
Verify return code: 21 (unable to verify the first certificate)
...

Return code 21 means the TLS handshake itself worked but the client does not trust the issuer of the certificate it was given. This is a different failure from SSL_ERROR_RX_RECORD_TOO_LONG above, where no TLS record arrives at all.

Solution

  • Services → SquidGuard Proxy Filter → Common ACL → set the default target rule (all) to allow. This lets everything through SquidGuard, so treat it as a diagnostic step: if the error disappears, narrow back down to find the category whose block page was being served on port 443.
  • May need to refresh the browser cache:
    • CTRL+F5
    • CTRL+SHIFT+R
    • SHIFT + reload button
  • As a last diagnostic step only, turn off support for TLS 1.3 in the browser. This lowers the maximum TLS version for every site the browser visits, so revert it as soon as the test is done.
    • In Firefox
      • Type about:config in the address bar and press Enter/Return.
      • In the search box above the list, type TLS.
      • Double-click the security.tls.version.max preference and change the value from 4 to 3 (that is, from TLS 1.3 to TLS 1.2).
      • Click OK.
      • Afterwards, set it back to 4.
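To tell these two failures apart from the command line, here is an added example (not from the original page): a shell triage that runs openssl s_client and classifies what came back, either a plaintext response (the cause of SSL_ERROR_RX_RECORD_TOO_LONG), a certificate whose issuer the client does not trust (verify return code 21 and similar), or a healthy handshake, and prints the certificate issuer so you can see whether the origin site, pfSense's own webConfigurator certificate or the Squid CA signed it. The sample outputs embedded in the script are constructed, and the CN values in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: classifies what a TLS client actually
# received on port 443, separating the two failures described in the text.
#   SSL_ERROR_RX_RECORD_TOO_LONG  -> plaintext (e.g. a proxy/filter block page) arrived
#                                    where a TLS ServerHello was expected
#   certificate verify failed / verify return code 21 -> TLS worked, but the issuer
#                                    of the certificate is not trusted by the client
# tls_probe() runs openssl s_client against a live host; classify_tls_output() and
# issuer_of() do the triage on its combined output and are exercised below on
# constructed samples (not captured from a real firewall).

classify_tls_output() {
    # $1: combined stdout+stderr of openssl s_client
    case "$1" in
        *"wrong version number"*|*"packet length too long"*|*"record layer failure"*)
            echo "plaintext-or-non-tls-response" ;;   # what the browser calls RX_RECORD_TOO_LONG
        *"Verify return code: 0 (ok)"*)
            echo "ok" ;;
        *"Verify return code: "*)
            echo "untrusted-chain" ;;                  # codes 18/19/20/21: issuer not trusted
        *"connect:errno"*|*"Connection refused"*|*"getaddrinfo"*)
            echo "connect-failed" ;;
        *)
            echo "unknown" ;;
    esac
}

# Issuer DN of the presented certificate: tells you whether the origin site,
# pfSense's own GUI certificate or the Squid bump CA signed what the client saw.
issuer_of() {
    printf '%s\n' "$1" | sed -n 's/^issuer=//p' | head -n 1
}

tls_probe() {
    # $1 host or IP, $2 port (default 443). SNI is sent so name-based vhosts answer.
    # "|| true" keeps a failed connection from aborting a script run under set -e.
    out=$(printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>&1) || true
    echo "$1:${2:-443} -> $(classify_tls_output "$out")"
    iss=$(issuer_of "$out")
    if [ -n "$iss" ]; then echo "  issuer: $iss"; fi
    printf '%s\n' "$out" | sed -n 's/^ *Verify return code: //p' | head -n 1 | sed 's/^/  verify: /'
}

# Constructed sample 1: the handshake works but the chain is not trusted
# (the same verify return code 21 quoted in the text; placeholder CNs).
SAMPLE_UNTRUSTED='CONNECTED(00000003)
depth=0 CN = pfsense.localdomain
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = pfsense.localdomain
   i:CN = internal-ca
---
subject=CN = pfsense.localdomain
issuer=CN = internal-ca
---
    Verify return code: 21 (unable to verify the first certificate)
---'

# Constructed sample 2: the peer answered in plaintext, so OpenSSL never sees a
# valid record; this is the server-side view of SSL_ERROR_RX_RECORD_TOO_LONG.
SAMPLE_PLAINTEXT='CONNECTED(00000003)
139876:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---'

# Demonstration on the samples (no network needed):
echo "sample 1: $(classify_tls_output "$SAMPLE_UNTRUSTED") issuer=$(issuer_of "$SAMPLE_UNTRUSTED")"
echo "sample 2: $(classify_tls_output "$SAMPLE_PLAINTEXT")"
# Against the firewall's own GUI, or a site reached through Squid:   tls_probe 192.168.1.1
```

An "untrusted-chain" result with an issuer you recognise as pfSense's own or Squid's CA is a trust-store problem on the client, not a network fault, and is fixed by importing that CA rather than by disabling verification or lowering TLS versions; a "plaintext-or-non-tls-response" result means something in the path answered HTTP on the TLS port, which is where the SquidGuard block page comes in.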

pfsense/troubleshooting.1586274145.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
