OPNsense Forum

English Forums => 25.1 Production Series => Topic started by: Siarap on March 07, 2025, 11:46:42 PM

Title: Cannot access facebook.com using opnsense.
Post by: Siarap on March 07, 2025, 11:46:42 PM
I cannot access facebook.com even with a default 25.1.2 OPNsense firewall. When I switch to a MikroTik router the page starts working immediately. Something is blocking Facebook. It is not even working with SYN cookies disabled. This is the error from the debug console in Firefox (Ctrl+Shift+I):
ErrorUtils caught an error:

GraphQL server responded with error 1675030: Błąd podczas wykonywania zapytania
 [Caught in: caught error in module a [from CometSSRMultipassBoundary.react] (base)]

Subsequent non-fatal errors won't be logged; see https://fburl.com/debugjs.

It does not matter what settings I use in my Firefox ESR and no matter what adblock or security addon I am using in Firefox. It does not even work on Windows 11 with the Edge browser or on any other Linux distro in my local network. Tried browsers: Chromium, Firefox, Firefox ESR, Falkon, Edge, Brave, Opera. Facebook with OPNsense is not working. I get only a white page with: "Sorry, an error occured."

It worked until I cleared all cookies and data from the browsers. Old cookies allowed me to access facebook.com.
Title: Re: Cannot access facebook.com using opnsense.
Post by: newsense on March 08, 2025, 02:13:48 AM
On the FW, what is the output of these commands?

host graph.facebook.com && host graph.facebook.com 127.0.0.1 && host star.c10r.facebook.com
Title: Re: Cannot access facebook.com using opnsense.
Post by: meyergru on March 08, 2025, 08:25:06 AM
Facebook is one of the sites that are notorious for not working when your MTU size is set incorrectly. Try if you can do:

ping -D -s 1472 -4 graph.facebook.com
If you get no answer, try this (https://forum.opnsense.org/index.php?topic=45658.0) or set your LAN MTU to the correct size (it should be reduced from 1500 bytes by the VLAN and/or PPPoE overhead).
Title: Re: Cannot access facebook.com using opnsense.
Post by: Siarap on March 08, 2025, 10:56:08 AM
Quote from: newsense on March 08, 2025, 02:13:48 AM
On the FW, what is the output of these commands?

host graph.facebook.com && host graph.facebook.com 127.0.0.1 && host star.c10r.facebook.com

Output:
graph.facebook.com has address 0.0.0.0
star.c10r.facebook.com mail is handled by 10 smtpin.vvv.facebook.com.
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

graph.facebook.com has address 0.0.0.0
star.c10r.facebook.com mail is handled by 10 smtpin.vvv.facebook.com.
star.c10r.facebook.com has address 57.144.110.141
star.c10r.facebook.com has IPv6 address 2a03:2880:f32e:90:face:b00c:0:2
star.c10r.facebook.com mail is handled by 10 smtpin.vvv.facebook.com.

Quote from: meyergru on March 08, 2025, 08:25:06 AM
Facebook is one of the sites that are notorious for not working when your MTU size is set incorrectly. Try if you can do:

ping -D -s 1472 -4 graph.facebook.com
If you get no answer, try this (https://forum.opnsense.org/index.php?topic=45658.0) or set your LAN MTU to the correct size (it should be reduced from 1500 bytes by the VLAN and/or PPPoE overhead).

I have path MTU discovery enabled + blackhole detection enabled. Depending on what I ping I get different results:
root@OPNsense:~ # ping -D -s 1472 -4 graph.facebook.com
PING graph.facebook.com (0.0.0.0): 1472 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- graph.facebook.com ping statistics ---
15 packets transmitted, 0 packets received, 100.0% packet loss
root@OPNsense:~ # ping -D -s 1472 -4 facebook.com
PING facebook.com (57.144.110.1): 1472 data bytes
1480 bytes from 57.144.110.1: icmp_seq=0 ttl=55 time=17.837 ms
1480 bytes from 57.144.110.1: icmp_seq=1 ttl=55 time=17.832 ms
1480 bytes from 57.144.110.1: icmp_seq=2 ttl=55 time=14.157 ms
1480 bytes from 57.144.110.1: icmp_seq=3 ttl=55 time=14.290 ms
1480 bytes from 57.144.110.1: icmp_seq=4 ttl=55 time=14.300 ms
1480 bytes from 57.144.110.1: icmp_seq=5 ttl=55 time=14.307 ms
1480 bytes from 57.144.110.1: icmp_seq=6 ttl=55 time=14.912 ms
1480 bytes from 57.144.110.1: icmp_seq=7 ttl=55 time=14.063 ms
^C
--- facebook.com ping statistics ---
8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 14.063/15.212/17.837/1.532 ms

EDIT: After disabling Unbound blocklists:
root@OPNsense:~ # ping -D -s 1472 -4 graph.facebook.com
PING star.c10r.facebook.com (57.144.110.141): 1472 data bytes
1480 bytes from 57.144.110.141: icmp_seq=0 ttl=55 time=18.487 ms
1480 bytes from 57.144.110.141: icmp_seq=1 ttl=55 time=16.992 ms
1480 bytes from 57.144.110.141: icmp_seq=2 ttl=55 time=13.227 ms
1480 bytes from 57.144.110.141: icmp_seq=3 ttl=55 time=12.129 ms
1480 bytes from 57.144.110.141: icmp_seq=4 ttl=55 time=14.306 ms
1480 bytes from 57.144.110.141: icmp_seq=5 ttl=55 time=14.568 ms

root@OPNsense:~ # host graph.facebook.com && host graph.facebook.com 127.0.0.1 && host star.c10r.facebook.com
graph.facebook.com is an alias for star.c10r.facebook.com.
star.c10r.facebook.com has address 57.144.110.141
star.c10r.facebook.com has IPv6 address 2a03:2880:f32e:90:face:b00c:0:2
star.c10r.facebook.com mail is handled by 10 smtpin.vvv.facebook.com.
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

graph.facebook.com is an alias for star.c10r.facebook.com.
star.c10r.facebook.com has address 57.144.110.141
star.c10r.facebook.com has IPv6 address 2a03:2880:f32e:90:face:b00c:0:2
star.c10r.facebook.com mail is handled by 10 smtpin.vvv.facebook.com.
star.c10r.facebook.com has address 57.144.110.141
star.c10r.facebook.com has IPv6 address 2a03:2880:f32e:90:face:b00c:0:2
star.c10r.facebook.com mail is handled by 10 smtpin.vvv.facebook.com.
But it changes NOTHING. The site is still not working with the same error. Like I said before, on MikroTik it works immediately. It also works when I connect via OPNsense to Facebook with a link sent by Facebook to my Gmail with information about posts. I can log in with those links. When I don't remove cookies the site is accessible and works. But I am clearing cookies (and all history and site data) at every shutdown of the browser.
Title: Re: Cannot access facebook.com using opnsense.
Post by: newsense on March 08, 2025, 12:01:17 PM
Quote from: Siarap on March 08, 2025, 10:56:08 AM
But it changes NOTHING. The site is still not working with the same error.

On the contrary my dear Watson, this changes EVERYTHING.

While you thought you came here with a networking problem, what you're up against is Reading Comprehension + Logic.


To translate your results: whenever a domain you query with the host or ping commands has the IP address 0.0.0.0

graph.facebook.com has address 0.0.0.0
that means you have a DNS issue due to the fact that one of the Unbound blocklists has that domain.

The logical next step is to go to the Unbound Blocklist section and whitelist that particular domain.


Once you confirm Unbound now resolves the domain properly - it can take some time if you have large lists and a slow CPU - you move to the next logical step and retry the particular site in the browser.

Success? You're done. Still failing to connect with that particular error? Move on to the next logical step, in this case suggested by @meyergru - path discovery.
Title: Re: Cannot access facebook.com using opnsense.
Post by: Siarap on March 08, 2025, 12:20:09 PM
I mean disabling Unbound changes NOTHING. Read the WHOLE post. After disabling the blocklist I have no DNS issues, and facebook.com still isn't working. You read partially. I also have path MTU discovery with blackhole detection enabled and have NO MTU errors.
Title: Re: Cannot access facebook.com using opnsense.
Post by: newsense on March 08, 2025, 12:28:08 PM
Do you have a working IPv6 environment?
Title: Re: Cannot access facebook.com using opnsense.
Post by: Siarap on March 08, 2025, 12:40:17 PM
I have no IPv6 at all.
Title: Re: Cannot access facebook.com using opnsense.
Post by: meyergru on March 08, 2025, 01:35:16 PM
Quote from: Siarap on March 08, 2025, 12:20:09 PM
I also have path MTU discovery with blackhole detection enabled and have NO MTU errors.

Wow. I'd like that, too, like having magic control over the whole path through the internet... And I always thought that sites having problems with wrong MTU size on the client were exactly those where PMTUD does not work. Thanks for letting me know that I was wrong...

I was on the verge of getting a MikroTik router anyway and will now buy one, because that is obviously better than OPNsense. Just because I happen to know MikroTik is not easy to configure: can you tell us where that magic setting is to be found?


Joking aside, you obviously had problems resolving the DNS names - and BTW: there is another magical thing called DNS caching. So disabling the DNS block will not work immediately unless you flush your DNS cache.
Title: Re: Cannot access facebook.com using opnsense.
Post by: newsense on March 08, 2025, 01:40:54 PM
Also check if the syncookies fix is still needed.

https://forum.opnsense.org/index.php?topic=34237.msg165648#msg165648
Title: Re: Cannot access facebook.com using opnsense.
Post by: Siarap on March 08, 2025, 01:51:49 PM
Quote from: meyergru on March 08, 2025, 01:35:16 PM
Quote from: Siarap on March 08, 2025, 12:20:09 PM
I also have path MTU discovery with blackhole detection enabled and have NO MTU errors.

Wow. I'd like that, too, like having magic control over the whole path through the internet... And I always thought that sites having problems with wrong MTU size on the client were exactly those where PMTUD does not work. Thanks for letting me know that I was wrong...

I was on the verge of getting a MikroTik router anyway and will now buy one, because that is obviously better than OPNsense. Just because I happen to know MikroTik is not easy to configure: can you tell us where that magic setting is to be found?


Joking aside, you obviously had problems resolving the DNS names - and BTW: there is another magical thing called DNS caching. So disabling the DNS block will not work immediately unless you flush your DNS cache.


I have no problems with DNS when I disable Unbound blocklists; like I said, it is not helping at all with Facebook. Domains are resolved properly, you just did not read properly. Path MTU may not work properly when ICMP is not allowed on the WAN address (I allowed it already). On MikroTik there is no path MTU discovery but you can clamp MSS like this: https://davidstein.cz/2024/10/17/fixing-website-access-issues-with-mikrotik-mss-clamping/ You can test PMTUD on this site: http://pmtud.enslaves.us/ PMTU on OPNsense is enabled by default.
Title: Re: Cannot access facebook.com using opnsense.
Post by: Siarap on March 08, 2025, 01:59:14 PM
Quote from: newsense on March 08, 2025, 01:40:54 PM
Also check if the syncookies fix is still needed.

https://forum.opnsense.org/index.php?topic=34237.msg165648#msg165648

That does not work at all. I already tried this solution.
Title: Re: Cannot access facebook.com using opnsense.
Post by: newsense on March 08, 2025, 02:02:38 PM
When everything fails, the last resort is a packet capture. On the client machine.
Title: Re: Cannot access facebook.com using opnsense.
Post by: Siarap on March 08, 2025, 02:10:35 PM
Quote from: newsense on March 08, 2025, 02:02:38 PM
When everything fails, the last resort is a packet capture. On the client machine.

I don't even know how to capture packets. My networking knowledge is limited. I just know that it is related to OPNsense because on the MikroTik router it just works. I'm trying to solve this because I like OPNsense. I also tried restoring the default config via System: Configuration: Defaults. With no success.
Title: Re: Cannot access facebook.com using opnsense.
Post by: meyergru on March 08, 2025, 03:07:25 PM
Quote from: Siarap on March 08, 2025, 01:51:49 PM
I have no problems with DNS when I disable Unbound blocklists; like I said, it is not helping at all with Facebook. Domains are resolved properly, you just did not read properly. Path MTU may not work properly when ICMP is not allowed on the WAN address (I allowed it already). On MikroTik there is no path MTU discovery but you can clamp MSS like this: https://davidstein.cz/2024/10/17/fixing-website-access-issues-with-mikrotik-mss-clamping/ You can test PMTUD on this site: http://pmtud.enslaves.us/ PMTU on OPNsense is enabled by default.

1. And as I wrote, your DNS answer from your previous test with DNS blocking on (namely 0.0.0.0) will have been cached locally, so that host and nslookup may work after disabling it, but your browser does not necessarily have to.

2. Just for the record and if you did not catch my drift: by using that PMTUD test site, you are testing exactly one specific path through the internet, namely the one between you and that site. And as I also wrote, that says nothing about your path to other sites, particularly to Facebook, which is known to have problems in that area, as I told you in my first answer. To quote that site:

Quote: which is hopefully indicative of your experience with PMTUD in general.

You can see what MSS your setup can handle by looking at the maximum MSS size reported by the test site. If it is below 1460, you will either have to make your LAN MTU size smaller or tune your WAN MTU.
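A small triage helper for the two checks this thread turns on: newsense's point that a host answer of 0.0.0.0 is a blocklist sinkhole, and meyergru's point about ping -D payload sizes and the 1460 MSS threshold. This is an added example, not code from the thread or from OPNsense; the function names and the sample host/ping outputs fed to them are constructed to mirror what was posted above.

```shell
#!/bin/sh
# Added example, not code from the thread: a POSIX sh triage helper for the two checks
# used above (host -> sinkholed 0.0.0.0 answers; ping -D -> MTU problems) plus the
# arithmetic behind "ping -D -s 1472" and "MSS below 1460". All sample outputs fed to
# these functions are constructed to mirror what was posted in the thread.

# ping -D -s N sends N + 20 (IPv4 header) + 8 (ICMP header) bytes with DF set, so the
# payload that exactly fills an MTU is MTU - 28 (1500 -> 1472).
ping_payload_for_mtu() { echo $(( $1 - 28 )); }

# TCP MSS that fits an MTU without fragmentation: MTU - 20 (IPv4) - 20 (TCP) (1500 -> 1460).
mss_for_mtu() { echo $(( $1 - 40 )); }

# Effective MTU after the encapsulation overhead the reply above mentions:
# PPPoE costs 8 bytes, an 802.1Q VLAN tag 4 bytes. Usage: effective_mtu BASE PPPOE(0|1) VLAN(0|1)
effective_mtu() {
    mtu=$1
    [ "$2" = 1 ] && mtu=$(( mtu - 8 ))
    [ "$3" = 1 ] && mtu=$(( mtu - 4 ))
    echo "$mtu"
}

# Classify the output of `host NAME`. An A record of 0.0.0.0 is the Unbound blocklist
# sinkhole, not a real address: whitelist the name and flush caches before testing further.
dns_verdict() {
    if printf '%s\n' "$1" | grep -q 'has address 0\.0\.0\.0$'; then
        echo sinkholed
    elif printf '%s\n' "$1" | grep -q 'has address'; then
        echo resolved
    else
        echo unresolved
    fi
}

# Classify the output of `ping -D -s N`. "sendto: Permission denied" means the local
# stack refused to send at all (seen above when the target was the sinkholed 0.0.0.0);
# "frag needed and DF set" or "Message too long" means the DF packet exceeds some MTU,
# i.e. the real PMTU problem; 0.0% loss means the path carries full-size packets.
ping_verdict() {
    case "$1" in
        *"sendto: Permission denied"*)                   echo send-refused ;;
        *"frag needed and DF set"*|*"Message too long"*) echo mtu-too-small ;;
        *" 0.0% packet loss"*)                           echo ok ;;
        *)                                               echo no-reply ;;
    esac
}
```

Run the verdict functions on saved command output, e.g. dns_verdict "$(host graph.facebook.com)", and compare mss_for_mtu of your effective WAN MTU against the MSS the test site reports.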
Title: Re: Cannot access facebook.com using opnsense.
Post by: Siarap on March 08, 2025, 03:48:30 PM
Quote from: meyergru on March 08, 2025, 03:07:25 PM
Quote from: Siarap on March 08, 2025, 01:51:49 PM
I have no problems with DNS when I disable Unbound blocklists; like I said, it is not helping at all with Facebook. Domains are resolved properly, you just did not read properly. Path MTU may not work properly when ICMP is not allowed on the WAN address (I allowed it already). On MikroTik there is no path MTU discovery but you can clamp MSS like this: https://davidstein.cz/2024/10/17/fixing-website-access-issues-with-mikrotik-mss-clamping/ You can test PMTUD on this site: http://pmtud.enslaves.us/ PMTU on OPNsense is enabled by default.

1. And as I wrote, your DNS answer from your previous test with DNS blocking on (namely 0.0.0.0) will have been cached locally, so that host and nslookup may work after disabling it, but your browser does not necessarily have to.

2. Just for the record and if you did not catch my drift: by using that PMTUD test site, you are testing exactly one specific path through the internet, namely the one between you and that site. And as I also wrote, that says nothing about your path to other sites, particularly to Facebook, which is known to have problems in that area, as I told you in my first answer. To quote that site:

Quote: which is hopefully indicative of your experience with PMTUD in general.

You can see what MSS your setup can handle by looking at the maximum MSS size reported by the test site. If it is below 1460, you will either have to make your LAN MTU size smaller or tune your WAN MTU.


It was not DNS. When I disabled the Unbound blocklists I rebooted my PC and OPNsense, so for sure there is no DNS cache anywhere. After that I checked whether the pages are resolved properly, and they were. And still Facebook doesn't work. I even tried default OPNsense settings.

Now I think this is Realtek hardware/driver related. Facebook doesn't work with OPNsense installed on a Firebat T8 Plus mini PC with dual Realtek NIC. Now I installed OPNsense on an HP EliteDesk 800 G2 SFF with an Intel i350-T2 NIC, and everything works fine. Both machines: SAME settings, DIFFERENT hardware.

NEVER AGAIN Realtek.
Title: Re: Cannot access facebook.com using opnsense.
Post by: meyergru on March 08, 2025, 04:07:18 PM
There is a plugin called os-realtek-re with a vendor driver that helps in some cases. What is your actual maximum MSS as diagnosed by http://pmtud.enslaves.us/, then?
Title: Re: Cannot access facebook.com using opnsense.
Post by: Siarap on March 08, 2025, 04:13:02 PM
Quote from: meyergru on March 08, 2025, 04:07:18 PM
There is a plugin called os-realtek-re with a vendor driver that helps in some cases. What is your actual maximum MSS as diagnosed by http://pmtud.enslaves.us/, then?

The tests were made with the Realtek vendor driver. My current max MSS is 1460 at download and 9000 at upload with stock OPNsense settings.