Messages - sc0ttjm

#16
Hi @chemlud, Thanks for your suggestion, I just browsed to whatsmyip.com directly on the server and it does actually show that the IP location is France. 
I know OVHcloud is French, but we ordered a UK IP and are on a server in their UK Data Centre.
When I try a premium UK Dedicated Proxy and go to whatsmyip.com, it shows the UK as the location but I still get the access denied message so I'm not sure if it is Geo IP now?


#17
We're in an OVHcloud Data Centre and using a purchased IP in their range, so we are not behind a Proxy.

I just tried using a Netherlands free proxy and I still get Access Denied.

VPN might work but I can't really use a VPN on all the RDP Servers in the Data Centre that are behind the OPNsense firewall that can't access these sites, that's why I thought a Proxy would work, just for web traffic.
#18
I've just tested using the Tor Browser on my laptop and I get the same result, so the websites must recognise that you are using a proxy server.

Not knowing how they detect a proxy is being used, I don't know why they think that my servers behind the OPNsense firewall are using a proxy too and therefore denying me access.

If I could work out why they think a proxy is being used, we can hopefully change something on the firewall so they no longer think we're using a proxy and can then access all of these sites again?

I've also tried about 30 different free and paid external proxy services now and they all give the same result so I can't imagine that Akamai is blacklisting every single one of these.

This is turning into a real mystery now.

#19
I saw this too which prompted me to try using a proxy to get around it.
I took a dedicated proxy trial so I got my own IP addresses and I tried 10 different IPs from different regions and I got the same result every time.

Whilst using the proxy I could verify that the IP address being presented was different by going to whatsmyip.com but even with the different IP addresses, I kept getting the same result.

I can't see that all of these addresses would be listed with Akamai, but their reputation checker link doesn't work when you use any of these addresses. I tried contacting them and they told me they can't do anything as I'm not their customer. The owner of the websites I'm trying to reach is their customer.
#20
I'm using OPNsense 21.4.1-amd64, FreeBSD 12.1-RELEASE-p16-HBSD, OpenSSL 1.1.1k 25 Mar 2021

The Web Proxy service is Disabled, but on some websites I try to access, I get this error message:

Access Denied
You don't have permission to access "http://website.com/" on this server.
Reference #18.6c35068.1625333775.25f6e6e9


I can only replicate this behaviour when using a proxy on another computer, which is why I think it has something to do with the proxy.

Also googling the error suggests that the fix is to disable any proxy service.

To further back this up, I started a premium Proxy trial and set up the proxy on 2 different servers and both could not access these sites either, showing the same error.

I tried enabling the proxy and disabling again on OPNsense, but it makes no difference.

There are quite a few sites we've identified now that are used on a day to day basis for the business but I've been using this one to test as it displays identical behaviour:  https://tui.co.uk

Can anybody help with this please?


#21
We're suddenly getting error messages on multiple sites like this:

Access Denied
You don't have permission to access "http://[website]" on this server.
Reference #18.95fc645f.1625146667.36443df4

I did some googling and found it could be an Akamai blocking list, but the lookup tool will not work on my server:

https://www.akamai.com/us/en/clientrep-lookup/

If we have been blocked by them, their website says they cannot unblock us; it is down to the sites using their list to ask them to unblock our address.

We are not aware of doing anything wrong but cannot access multiple sites from our RDP servers now as a result.
If we are being blocked, we need to be able to use an external proxy or something so we can still access these sites. Is this possible and if so how and who would you recommend?

We're desperate here as we can't access sites used for everyday business.

Any help greatly appreciated.
Thanks!
#22
Hi @Fright, Thanks for the suggestion.
Just to update you, it happened again today, I tried restarting PF from the "lobby" page as previously suggested to see if that also cured it, but that didn't work.
I did the usual, "IP Do-Not-Fragment" off, apply, on, apply and it started working again.
Other sites are affected but the infotrack page is used daily in production so is the one noticed most often and causes the most disruption.
#23
Thanks @Fright, I'm new to OPNsense, so thanks for pointing that out.
It does indeed say "@0 scrub on hn0 all no-df fragment reassemble"

All I know is that when the users complain of issues reaching certain HTTPS sites, I turn off "IP Do-Not-Fragment" then turn it back on and the problem has gone for a while.



#24
Quote from: Fright on June 27, 2021, 10:22:17 AM
glad it works
maybe @franco will correct me, but I don't see any indication in the filter.inc script why this might be happening. is it possible that you specified mss in the interface settings?

Hi @Fright, strange thing is it happened again this morning with a secure website that doesn't like fragmented packets, I turned off the "IP Do-Not-Fragment" setting, applied it, turned it back on, applied it and the website loads again.
It seems I have to keep doing this for it to work.
Any ideas?
#25
Thanks @Fright, I haven't ever specified any MSS settings.
#26
Just to provide a bit more updated info, I ran iperf3 on the host itself that has a LAN and a WAN interface in the Data Centre.

When I run iperf3 between the site and the host's WAN interface (i.e. bypassing the OPNsense firewall) I get 78Mbps; if I use the host's LAN IP and go through OPNsense, I go back down to around 8Mbps.
#27
Hi all,

I'm struggling a bit with a VPN between my site and a Data Center.

The VPN is rock solid but using iperf3 I can see that when a machine at the DC is acting as the iperf3 server, and a machine at the site is the client, we get a speed reading of around 8Mbps.

When we reverse this and use the Data Center machine as a client, we get a speed reading of around 82Mbps.

I've tried changing MTU sizes but it doesn't seem to help.

Please could you help me get to the bottom of this?

Thanks
#28
This seems to have been an issue with the setting "IP Do-Not-Fragment" under Firewall > Settings > Normalization.

This setting was turned on to address an issue we were having with some websites that use SSL and some remote management tools we use like splashtop, that did not like fragmentation.

We also had to change the MTU to match the Data Centre's MTU size and I think that's what broke Exchange connections.

I turned off "IP Do-Not-Fragment", applied the settings, turned it back on, applied the settings again and then everything started working straight away again.

It seems if you make any changes to MTU, you have to undo the "IP Do-Not-Fragment" setting then re-apply it afterwards.
#29
I'm using Exchange 2010 (until we can migrate to MS365) and the firewall is OPNsense Business 21.4.1.
The recipient supplies the SSL Cert and we are using Mutual Auth TLS.
#30
Hi,

We have a specific email domain we send to on a regular basis that will only accept TLS SMTP connections and as such has its own SMTP SEND and RECEIVE Connectors.

Our Exchange Server has been communicating with this domain perfectly for many years.

We have recently moved the Exchange Server (Virtual Machine) from the office into a Data Center and it is now behind an OPNsense firewall.

This is the only change we have made; the server was simply shut down, moved and powered up again, it even has the same IP settings.

Since the move, we are getting intermittent rejections as the server has failed to negotiate a TLS encrypted session.

I could really do with some help on where to start trying to diagnose this as I can't see anything wrong and nothing else has changed. 

The recipient's IT team have told me this:

"This NDR usually occurs when the connecting mail servers fail to offer a certificate for the TLS handshake and attempt to communicate in plain text. We require and force the use of TLS encryption, and any connecting mail server that is not capable of using TLS encryption will be rejected in this manner.

The external influence of proxies can also produce a similar issue. Cisco Firewalls with "Mail Inspect" enabled are a good example of this."


Can anybody offer any assistance with this?

Thanks in advance
Scott
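As a starting point for diagnosing the intermittent STARTTLS failures described in #30, here is an added Python example (not from this thread, OPNsense or Exchange): run from the network behind the firewall, it connects to a mail server, records whether STARTTLS is offered and, if so, which TLS version and certificate subject are negotiated, so repeated runs can show whether the path intermittently strips or breaks the TLS offer. The hostname `mx.example.net` is a placeholder and the sample EHLO reply is constructed.

```python
import smtplib
import ssl
import sys

# Constructed sample of a raw multi-line EHLO reply as seen on the wire.
SAMPLE_EHLO_REPLY = (
    b"250-mx.example.net Hello\n"
    b"250-SIZE 52428800\n"
    b"250-STARTTLS\n"
    b"250 8BITMIME"
)


def parse_ehlo_extensions(reply: bytes) -> set:
    """Return lower-cased ESMTP keywords from an EHLO reply.
    Accepts both the raw wire form ("250-STARTTLS") and smtplib's form,
    where getreply() has already stripped the "250-" / "250 " prefix."""
    exts = set()
    for line in reply.decode("ascii", "replace").splitlines()[1:]:  # skip greeting
        if line[:3].isdigit():
            line = line[4:]
        words = line.strip().split()
        if words:
            exts.add(words[0].lower())
    return exts


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """EHLO, attempt STARTTLS, and report what the far end actually offered.
    A server that 'requires TLS' but never shows STARTTLS, or a handshake
    that fails only from one network path, points at the path, not the MTA."""
    result = {"host": host, "starttls_offered": False,
              "tls_version": None, "cert_subject": None, "error": None}
    ctx = ssl.create_default_context()  # verifies the recipient's certificate
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            _code, reply = smtp.ehlo()
            result["starttls_offered"] = "starttls" in parse_ehlo_extensions(reply)
            if result["starttls_offered"]:
                smtp.starttls(context=ctx)
                result["tls_version"] = smtp.sock.version()
                result["cert_subject"] = smtp.sock.getpeercert().get("subject")
                smtp.ehlo()  # RFC 3207: re-issue EHLO after the TLS upgrade
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.example.net"  # placeholder
    print(check_starttls(target))
```

Running it on a schedule from both the Exchange host and a machine outside the firewall gives two result series to compare; a difference only on the firewalled path narrows the fault to that path.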