pfSense, unable to access some websites

Hi,
I’m having some strange issues with my pfSense install.
I get issues trying to access some websites.

Chiefly Amazon.co.uk and the BBC.
I almost always get an “Error: connection timed out” message.

Other times it will work just fine. I’m sure the problem affects other sites but just seems to be less of an issue. Things like Youtube / Facebook / Outlook etc all work just fine.

I’ve tried setting the MTU on the router but this didn’t seem to have any effect.
I have however attached the trace file to see if it helps diagnose the issue.

This is affecting any device that goes through my home network so isn’t isolated to just one PC.

Any ideas that I can try?
I’d like to avoid resetting my router install as I had to do some setting up to get the VPN and port forwarding working.

VPN is not used by any of these affected devices.

Trace File.txt (10.0 KB)

Pinging www.amazon.co.uk [192.0.0.2] with 32 bytes of data:

192.0.0.2 is not a valid IP for Amazon so it appears you have a DNS issue. Does it also resolve to this IP if you use Diagnostics > DNS Lookup in the pfSense UI?
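The check above (a resolved address that cannot belong to a public site) can be automated over the Windows ping/nslookup output pasted in this thread. The script below is an added example and not code from the thread or from pfSense: it extracts every hostname/address pair from that output and flags addresses that fall inside the IANA special-purpose (RFC 6890) ranges. 192.0.0.2 sits in 192.0.0.0/24 (IETF Protocol Assignments), so it can never be a real Amazon address. The sample text embedded in the script is constructed from the lines quoted in the thread; the function and constant names are the example's own.

```python
"""Flag name resolutions that land in reserved / special-purpose address space.

Added example (not from the forum thread or pfSense). Parses Windows
"ping" and "nslookup" output and reports any resolved IPv4 address that
falls in an RFC 6890 special-purpose range, which a public website such
as amazon.co.uk can never legitimately resolve to.
"""
import ipaddress
import re

# IANA / RFC 6890 IPv4 special-purpose ranges (plus multicast and class E).
# A public hostname resolving into any of these is a broken or tampered answer.
BOGON_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# "Pinging www.amazon.co.uk [192.0.0.2] with 32 bytes of data:"
PING_RE = re.compile(r"Pinging\s+(\S+)\s+\[([0-9.]+)\]")
# nslookup "Name:" line, then "Addresses:  1.2.3.4" and indented continuation lines
NAME_RE = re.compile(r"^\s*Name:\s+(\S+)")
IP_RE = re.compile(r"^\s*(?:Address(?:es)?:\s*)?([0-9]+(?:\.[0-9]+){3})\s*$")


def is_bogon(ip):
    """True if the IPv4 address lies in a special-purpose / reserved range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_RANGES)


def parse_resolutions(text):
    """Return (hostname, ip) pairs found in ping / nslookup output."""
    results = []
    current_name = None  # hostname from the most recent nslookup "Name:" line
    for line in text.splitlines():
        m = PING_RE.search(line)
        if m:
            results.append((m.group(1), m.group(2)))
            continue
        m = NAME_RE.match(line)
        if m:
            current_name = m.group(1)
            continue
        m = IP_RE.match(line)
        if m and current_name:
            results.append((current_name, m.group(1)))
        elif not line.strip():
            current_name = None  # blank line ends the nslookup answer block
    return results


def audit(text):
    """Return (hostname, ip, is_bogon) for every resolution in the output."""
    return [(name, ip, is_bogon(ip)) for name, ip in parse_resolutions(text)]


# Constructed sample: the bad ping line from the trace file plus the good
# nslookup answer posted later in the thread.
SAMPLE = """\
Pinging www.amazon.co.uk [192.0.0.2] with 32 bytes of data:

> amazon.co.uk
Server:  pfSense.home.arpa
Address:  192.168.1.1

Non-authoritative answer:
Name:    amazon.co.uk
Addresses:  178.236.7.220
          54.239.33.58
          54.239.34.171
"""

if __name__ == "__main__":
    for name, ip, bad in audit(SAMPLE):
        print(f"{name:20} {ip:16} {'BOGON' if bad else 'ok'}")
```

Paste the nslookup/ping output captured while the failure is happening into SAMPLE (or read it from the trace file) and any line marked BOGON is the resolver answer to chase; the resolver's own LAN address (192.168.1.1) is deliberately skipped because it appears before any "Name:" line.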

That makes sense.

This is what I got from DNS Lookup

On your Windows PC open a command prompt and run ipconfig /all. Is the DNS Server IP your pfSense LAN IP or something else?

Yes the DNS Servers entry is showing the IP address of my Router

Do you have any ad blocking or filtering packages such as pfBlocker installed on your router? If so, disable them and test again.

I used to have pfblocker but removed it some time ago.
Otherwise nothing.

Are you running any kind of website caching with your pfsense set up?

If so, does the storage device used for the cache have any power settings that might drop it into an idle or powered-off state?

No, nothing like that.

Can you open a command prompt and run the following commands? I want to verify that the incorrect name resolution is coming from your pfSense DNS and the issue still exists before digging in deeper.

nslookup
server 192.168.1.1
amazon.co.uk

Is this what you were after?

Microsoft Windows [Version 10.0.19044.1586]
(c) Microsoft Corporation. All rights reserved.

C:\Users\dsout>nslookup
Default Server:  pfSense.home.arpa
Address:  192.168.1.1

> server 192.168.1.1
Default Server:  pfSense.home.arpa
Address:  192.168.1.1

> amazon.co.uk
Server:  pfSense.home.arpa
Address:  192.168.1.1

Non-authoritative answer:
Name:    amazon.co.uk
Addresses:  178.236.7.220
          54.239.33.58
          54.239.34.171

That’s all correct. And if you just do ping amazon.co.uk?

C:\Users\dsout>ping amazon.co.uk

Pinging amazon.co.uk [54.239.34.171] with 32 bytes of data:
Reply from 54.239.34.171: bytes=32 time=23ms TTL=234
Reply from 54.239.34.171: bytes=32 time=19ms TTL=234
Reply from 54.239.34.171: bytes=32 time=19ms TTL=234
Reply from 54.239.34.171: bytes=32 time=19ms TTL=234

Ping statistics for 54.239.34.171:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 23ms, Average = 20ms

Not that the page is loading at the moment

Hmmm… everything is resolving correctly. You’re not having the same issue I saw in your log file. And if you browse to Amazon right now do you still get a timed out error?

I did, then I refreshed a min or so later and it loaded.
Very intermittent.

Well, it’s going to be an intermittent DNS resolution issue then. You’ll just have to troubleshoot it when it stops working again.

I’ll post a ping back when it stops working again?

That being said, trying to load the BBC results in this mess.

The only other simple suggestion I have would be to remove the 103.86.9x.100 DNS servers and then restart your DNS resolver service.

Then my next suggestion gets a bit technical. If it were me I’d do a packet capture on your Windows machine using Wireshark (capture filter port 53) and see if your queries are timing out.

And do the same in pfSense under Diagnostics > Packet Capture to see if you’re having issues talking to your upstream DNS servers. Interface WAN, Any IP, and Port 53.

Sorry, wish I had something simpler to suggest. Maybe someone else can chime in with an easier way to diagnose your DNS issues.
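The packet-capture suggestion above boils down to one question: when a query leaves the Windows machine (or leaves pfSense towards its upstream resolvers), does an answer come back, and how long does it take? The script below is an added example, not code from the thread or from pfSense, that answers that directly by building a raw DNS A query, sending it over UDP with a timeout, and decoding the reply, so it can be looped against the pfSense LAN address and against the upstream servers while the fault is occurring. The server addresses, transaction ID and function names are the example's own assumptions; the embedded response bytes are constructed for illustration, not captured.

```python
"""Probe a DNS server for timeouts with a hand-built A query over UDP.

Added example (not from the forum thread or pfSense). build_query() and
parse_response() implement just enough of the RFC 1035 wire format to
send an A query and read back the IPv4 answers; probe() wraps them with
a socket timeout so an unanswered query is reported as such.
"""
import socket
import struct
import time


def encode_name(name):
    """Encode "amazon.co.uk" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid):
    """Standard recursive A/IN query: 12-byte header + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, offset):
    """Decode a possibly compression-pointer-based name; return (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Return transaction id, rcode and the IPv4 addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                 # skip the echoed question(s)
        _, offset = _read_name(data, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "addresses": addrs}


def probe(server, name, timeout=2.0, txid=0x1234):
    """Send one query to `server`:53; report whether it timed out and how long it took."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return {"server": server, "name": name, "timeout": True,
                "elapsed": time.monotonic() - start}
    finally:
        sock.close()
    result = parse_response(data)
    result["txid_matches"] = result["txid"] == txid  # a mismatch is not our answer
    result.update(server=server, name=name, timeout=False,
                  elapsed=time.monotonic() - start)
    return result


def build_sample_response(txid=0x1234):
    """Constructed reply: one A record for amazon.co.uk using a name compression pointer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name("amazon.co.uk") + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("54.239.34.171")
    return header + question + answer


if __name__ == "__main__":
    # Assumed addresses: pfSense LAN resolver and a public upstream resolver.
    for server in ("192.168.1.1", "1.1.1.1"):
        print(probe(server, "amazon.co.uk"))
```

Run it in a loop (for example once every few seconds) against 192.168.1.1 from the Windows PC and, from a pfSense shell, against each configured upstream server; a run where the LAN probe times out while the upstream probes answer points at the resolver on pfSense itself, while upstream timeouts point at the WAN path or the upstream servers. The elapsed time also shows slow-but-successful answers that a browser may already have given up on.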

I appreciate the help.
My only concern is that the 103 DNS Servers are linked to the VPN so “shouldn’t” affect the WAN or so my limited knowledge would tell me.
It’s just if I turn those off then I won’t be able to use my VPN. Which is fine for the short term but not long.
Typically I just tried the packet capture on bbc.co.uk and then it started loading correctly.

I swear it’s like it knows I’m going to test it…

I think your VPN DNS servers are the culprit… read comments on this post: