pfSense is installed virtually on XCP-ng on a Dell R710, if it makes a difference.
I have no packages (Snort, etc.) installed.
pfSense version 2.4.3-RELEASE-p1
Any input from experienced users would be greatly appreciated.
I only noticed the .css on the ubnt forum when I was trying to diagnose the issues.
Facebook, YouTube, etc. that the wife/kids browse all work fine.
IPv6 is disabled (System / Advanced / Networking).
I don't understand what these are, so I'm going to say no, but I'm not 100% sure.
As I said, I'm new to networking and just doing this as a hobbyist who is curious how these things work.
It was a clean install with a VLAN added for guests that goes out through a UniFi AP.
I then came across the video about whole-network VPN on this forum, and when I ran into issues there, I registered so I could post. I went to check my email and realized I couldn't access it (on my laptop connected to the guest network). I jumped on my desktop and it worked fine.
I added a couple more VLANs with different firewall rules, but same results.
A TCP connection stream needs to get segmented into packets before being sent over the network. Considering the internet is a series of tubes with different and hard-to-predict maximum packet sizes, there are multiple approaches to figuring out how much is safe to send; these algorithms are called "Path MTU Discovery", and they usually rely on ICMP.
Early internet/IP worked around this in a different way: send whatever, and routers will fragment/split packets and reassemble them… This was a bad idea, … simultaneously, the ICMP that PMTUD relies on turns your router into a public server, so some guides recommend blocking ICMP.
The only way to figure this stuff out is to find a use case that's broken and stare at packet traces; it's generally a major PITA to figure out.
I tried lowering the MTU on the VLAN interface, but it made no difference. Here is a test from my PC on VLAN10: the full 1472 bytes plus 28 bytes of overhead = the default 1500-byte MTU.
Should this be done on the WAN or the VLAN interface?
EDIT: Just realised that from the VLAN I can ping other devices on the network, even across VLANs, or out to the web, with full MTU.
However, when I try to ping my gateway, my limit is 1468 bytes. So 1458 + 28 overhead = 1486 bytes. Should I set the MTU to 1458 or 1486?
On Linux at least (read: 99.9% of home routers), ICMP traffic is covered as 'related' in iptables and forwarded back to the original host, which helps MTU discovery for hosts.
–
If you can figure out the IP that's causing your host to fail to load the website, let us know. Or try pinging it with -l 1472 from pfSense directly and see if it works.
–
Any chance you could try adding this to your pf, assuming em0 is your WAN:
# max-mss 1452 fits a 1492-byte path MTU (1452 + 20-byte IP header + 20-byte TCP header)
scrub in on em0 proto tcp max-mss 1452
scrub out on em0 proto tcp max-mss 1452
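The thread describes the whole workflow by hand: ping with the do-not-fragment bit at decreasing sizes, add the 28 bytes of IP+ICMP overhead to get the path MTU, then subtract 40 bytes of IP+TCP headers to get the max-mss value for the pf scrub rules. The script below is an added example written for this page, not code posted in the thread or shipped with pfSense. It automates the binary search over payload sizes and the arithmetic; the host name, the `probe` callback and the `pf_mss_clamp` helper are my own constructions. The ping flags it uses (Linux `-M do -s`, FreeBSD/pfSense `-D -s`, Windows `-f -l`) are the standard DF-bit options for each platform.

```python
"""Path MTU probe and MSS calculator (added example, not from the thread).

Finds the largest do-not-fragment ICMP echo that a host answers, converts
the payload size to a path MTU, and derives the TCP MSS a pf `max-mss`
clamp should use for that path.
"""
import platform
import subprocess
import sys
from typing import Callable

IPV4_HDR = 20   # bytes, IPv4 header without options
ICMP_HDR = 8    # bytes, ICMP echo request header
TCP_HDR = 20    # bytes, TCP header without options


def payload_to_mtu(payload: int) -> int:
    """ICMP echo payload -> size of the whole IPv4 packet on the wire (1472 -> 1500)."""
    return payload + IPV4_HDR + ICMP_HDR


def mtu_to_mss(mtu: int) -> int:
    """Largest TCP segment payload that fits one unfragmented packet (1500 -> 1460)."""
    return mtu - IPV4_HDR - TCP_HDR


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary search for the largest MTU in [lo, hi] for which probe(mtu) succeeds.

    probe(mtu) must send a DF packet of exactly `mtu` bytes and return True
    on an echo reply. Returns 0 when even `lo` fails, which on a real path
    means the host drops ICMP altogether rather than a tiny MTU.
    """
    if not probe(lo):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits: the answer is at least mid
        else:
            hi = mid - 1      # mid was too big (or no reply)
    return lo


def ping_df_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Build a probe that pings `host` once with the DF bit set, sized to a given MTU."""
    system = platform.system()

    def probe(mtu: int) -> bool:
        payload = mtu - IPV4_HDR - ICMP_HDR
        if system == "Windows":
            cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload), host]
        elif system == "Linux":
            cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
        else:  # FreeBSD (pfSense shell) and macOS
            cmd = ["ping", "-c", "1", "-t", str(timeout_s), "-D", "-s", str(payload), host]
        # Non-zero exit covers both "message too long" and a silent drop.
        return subprocess.run(cmd, capture_output=True, text=True).returncode == 0

    return probe


def pf_mss_clamp(iface: str, path_mtu: int) -> str:
    """Render the pf scrub rules that clamp TCP MSS to fit `path_mtu` on `iface`."""
    mss = mtu_to_mss(path_mtu)
    return (f"scrub in on {iface} proto tcp max-mss {mss}\n"
            f"scrub out on {iface} proto tcp max-mss {mss}\n")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"   # assumed test host
    mtu = find_path_mtu(ping_df_probe(target))
    if mtu == 0:
        print(f"{target} did not answer even a 576-byte DF ping; cannot discover path MTU")
    else:
        print(f"path MTU to {target}: {mtu} bytes (ICMP payload {mtu - IPV4_HDR - ICMP_HDR})")
        print(pf_mss_clamp("em0", mtu), end="")
```

Run it as `python3 pmtu.py <host>`; on pfSense itself the FreeBSD branch applies. A path that only passes 1468-byte ICMP payloads comes out as an MTU of 1496 and an MSS of 1456, while a 1492-byte PPPoE-style path gives the 1452 suggested above, so the script makes the "which number do I put where" question from the thread mechanical.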