Two web sites won't load -- traceroute doesn't reach them

[dfsotm]

We are able to reach any website we've tried except bankofamerica.com and brother-usa.com.  We've been using OPNsense for nearly a year, and we haven't had any problems reaching bankofamerica.com until recently.

Code: [Select]

me@my-desktop:~$ dig bankofamerica.com

; <<>> DiG 9.18.24 <<>> bankofamerica.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29948
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;bankofamerica.com. IN A

;; ANSWER SECTION:
bankofamerica.com. 341 IN A 171.161.148.150
bankofamerica.com. 341 IN A 171.159.228.150

;; Query time: 40 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue Mar 19 23:24:52 EDT 2024
;; MSG SIZE  rcvd: 78

me@my-desktop:~$ traceroute 171.161.148.150
traceroute to 171.161.148.150 (171.161.148.150), 30 hops max, 60 byte packets
 1  _gateway ([private network IP redacted])  0.392 ms  0.265 ms  0.180 ms
 2  [My ISP redacted]  5.137 ms  4.998 ms  4.101 ms
 3  [My ISP redacted]  4.899 ms  4.821 ms [My ISP redacted]  4.989 ms
 4  * * *
 5  ash-b2-link.ip.twelve99.net (80.239.135.178)  9.254 ms  9.956 ms *
 6  f5inc-ic-382043.ip.twelve99-cust.net (62.115.178.73)  9.303 ms  7.609 ms  7.589 ms
 7  * * *
 8  107.162.79.1 (107.162.79.1)  10.544 ms  10.458 ms  9.974 ms
 9  107.162.79.1 (107.162.79.1)  8.501 ms  9.249 ms  8.456 ms
10  * * *
(Omitting hops 11-30 as they are all "***".  "traceroute 171.159.228.150" also stops at 107.162.79.1.)

As for brother-usa.com, traceroute reports a few hops, all of which have whois records with domains belonging to our ISP.

I have Unbound DNS enabled with DNS over TLS pointing to 1.1.1.2, 1.0.0.2, and their two IPv6 counterparts.

We have two ISPs:  Verizon Fios and Comcast.  All of the above is from Verizon Fios with which we use OPNsense.  We are able to access both websites when using Comcast with which we are using the Comcast-supplied router.

Is DNS working?  Why won't these websites load?

Thank you.

[bartjsmit]

What happens when you browse to http://171.161.148.150 while on Verizon?

[dfsotm]

http://171.161.148.150 results in ERR_CONNECTION_RESET in Chrome and PR_CONNECT_RESET_ERROR in Firefox
https://171.161.148.150 results in ERR_TIMED_OUT in Chrome and PR_IO_TIMEOUT_ERROR in Firefox

[bartjsmit]

That means the connectivity failed. Unfortunately, 171.161.148.150 does not ping which may mean that the bank is blocking ICMP (useful paranoia).

Can you open a shell on OPNsense and run: curl -v http://171.161.148.150

I get a redirect to the HTTPS site:
< HTTP/1.0 301 Moved Permanently
< Location: https://www.bankofamerica.com/

Bart...

[dfsotm]

The response I get from our OPNsense shell includes the same two lines.  What does this mean?

[bartjsmit]

That means your HTTP connection to BoA is fine since it is the bank website telling you to redirect.

Try making an encrypted connection (again from the OPNsense shell)

openssl s_client -connect www.bankofamerica.com:443

You should see some Entrust labeled X.509 stuff and the server cert in a pretty big chunk of output. If not, then something is blocking HTTPS.

[dfsotm]

Code: [Select]

me@OPNsense:~ # openssl s_client -connect www.bankofamerica.com:443
CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2014 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1M
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, jurisdictionC = US, jurisdictionST = Delaware, O = Bank of America Corporation, businessCategory = Private Organization, serialNumber = 2927442, CN = www.bankofamerica.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Illinois, L = Chicago, jurisdictionC = US, jurisdictionST = Delaware, O = Bank of America Corporation, businessCategory = Private Organization, serialNumber = 2927442, CN = www.bankofamerica.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2014 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1M
 1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2014 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1M
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
 2 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHujCCBqKgAwIBAgIQBSl56mpuyHCMAn0e8Q+ZszANBgkqhkiG9w0BAQsFADCB
ujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsT
H1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAy
MDE0IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwG
A1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxTTAeFw0y
MzA3MzExNzI1MTZaFw0yNDA4MjkxNzI1MTVaMIHZMQswCQYDVQQGEwJVUzERMA8G
A1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xEzARBgsrBgEEAYI3PAIB
AxMCVVMxGTAXBgsrBgEEAYI3PAIBAhMIRGVsYXdhcmUxJDAiBgNVBAoTG0Jhbmsg
b2YgQW1lcmljYSBDb3Jwb3JhdGlvbjEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdhbml6
YXRpb24xEDAOBgNVBAUTBzI5Mjc0NDIxHjAcBgNVBAMTFXd3dy5iYW5rb2ZhbWVy
aWNhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMjO97yOkdtS
wEnVh6qyLk4ErKG3o4iNGMhdiXQ/qHyL0rq4w4RqNlL8OkeKAdUu7qGd+2LO6pdl
nviv7ZTwVm62Q7v6OwX/HeeeaK+QJXwYgxvjXn5IilD1rcGPK0beLumIO04cwY/x
tT40j9DKEwE5NLgWT2i59O2/b+g6/ibof7gikMbxMPVNbnPaoz2MxqNBWNukXF3u
HCjFY/UIxFgmSah9EZgGcbKcZbgTKpPhGrkDhn7hnpr1wBWxIHMSDoUKRkNPK5K+
7/GySbH25PUmmkhuQZ+Eo9lF0U8o4uzS/HYGRRjou8CZP3VJYQ+URraANlxp1IKq
d7OzAORgq0cCAwEAAaOCA5kwggOVMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFHp/
brzqsHMu+O2ZTUdsGnpQqZ2HMB8GA1UdIwQYMBaAFMP30LUqMK2vDZEhcDlU3byJ
cMc6MGgGCCsGAQUFBwEBBFwwWjAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50
cnVzdC5uZXQwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9haWEuZW50cnVzdC5uZXQvbDFt
LWNoYWluMjU2LmNlcjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1
c3QubmV0L2xldmVsMW0uY3JsMIGnBgNVHREEgZ8wgZyCFXd3dy5iYW5rb2ZhbWVy
aWNhLmNvbYIYbW9iaWxlLmJhbmtvZmFtZXJpY2EuY29tgi5zbWFsbGJ1c2luZXNz
b25saW5lY29tbXVuaXR5LmJhbmtvZmFtZXJpY2EuY29tgg1jaGF0dWkubWwuY29t
ghJjaGF0dWkubWVycmlsbC5jb22CFmNoYXR1aS5tZXJyaWxsZWRnZS5jb20wDgYD
VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBLBgNV
HSAERDBCMDcGCmCGSAGG+mwKAQIwKTAnBggrBgEFBQcCARYbaHR0cHM6Ly93d3cu
ZW50cnVzdC5uZXQvcnBhMAcGBWeBDAEBMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFq
AWgAdQDuzdBk1dsazsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYms+5gCAAAE
AwBGMEQCID6GYZKiBSaSAJ5RJcSVvVbzXA+pvjADx5gxBy/zC4l7AiAuhCvh6WfQ
2iuBnm93J6yo1GjMoQUe2sEebvWez1RuMwB2AD8XS0/XIkdYlB1lHIS+DRLtkDd/
H4Vq68G/KIXs+GRuAAABiaz7mDcAAAQDAEcwRQIgMnJIGUarsvCvtJAWLbHmFbEq
3DbDfQvoOLpIw4JF/f0CIQCIzoy5p8YyLmadodQMdU3ubJkS/RuOX7kdXS2b6SJZ
aQB3ANq2v2s/tbYin5vCu1xr6HCRcWy7UYSFNL2kPTBI1/urAAABiaz7mDcAAAQD
AEgwRgIhALFY5WmgBttZkjifXzzu246gb2f2nl5RC0SxV3dtkCeaAiEAyEYo4m0h
CNQsAUSsv9I0w+ZB0y3GAVgmJ6of9t/jRVMwDQYJKoZIhvcNAQELBQADggEBABPg
8Pwi6k7r0L0BJVORHonxsdifkg9gTbTrV5Y/65mYNEqzyAnGW4O0DreAI6KHG3I8
6JJlcahLCYhi23Qst1MIeRw3Xiog383Xo07onQiy4GEm9tLd3O8rN0s2mdGChpPW
za8oW9j8qKKGJPJpy9gjTc0fzCJ3hLAavSxpKHet7SvnB3+t9uerXBk94uNBzJjL
yCSvKz3qmvB9UPS0cb6ZBfWYYXrlYkF6ivZeE/tywh2JiU/+83I6s5WZWfwuNfPi
WqvGADDP7UHLCYjAUEhQa3Ea0EV+5/AlfNp2Y60gUjhgJk8fJ/Auwnra2W36p7R1
OdaB4N5JhU/tYTy5/7E=
-----END CERTIFICATE-----
subject=C = US, ST = Illinois, L = Chicago, jurisdictionC = US, jurisdictionST = Delaware, O = Bank of America Corporation, businessCategory = Private Organization, serialNumber = 2927442, CN = www.bankofamerica.com

issuer=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2014 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1M

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4916 bytes and written 449 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: [redacted hex string]
    Session-ID-ctx:
    Master-Key: [redacted hex string]
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1710945338
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
read:errno=54
me@OPNsense:~ #

Does "errno=54" mean BoA is resetting the connection?

[bartjsmit]

Do you have any proxy configured? You are clearly getting something from the firewall. Can you reproduce the same openssl s_client output from the LAN?

[dfsotm]

I don't have a proxy configured.  I do get a different result in the LAN.

Code: [Select]

me@my-desktop:~$ openssl s_client -connect www.bankofamerica.com:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 325 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
me@my-desktop:~$
I found another web site that won't load in the browser on the LAN:  trainerroad.com, but its output on the LAN looks better than the output for BoA.

Code: [Select]

me@my-desktop:~$ openssl s_client -connect trainerroad.com:443
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
verify return:1
depth=0 CN = trainerroad.com
verify return:1
---
Certificate chain
 0 s:CN = trainerroad.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 17 20:13:54 2024 GMT; NotAfter: Jun 15 20:13:53 2024 GMT
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFdjCCBF6gAwIBAgIRAPGq2a151+tDDndGXuCMC3QwDQYJKoZIhvcNAQELBQAw
RjELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBM
TEMxEzARBgNVBAMTCkdUUyBDQSAxUDUwHhcNMjQwMzE3MjAxMzU0WhcNMjQwNjE1
MjAxMzUzWjAaMRgwFgYDVQQDEw90cmFpbmVycm9hZC5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCu1EODQuv6+fxtZGgK8kuyPrmG2+MDJdTGnQ9q
tyOHy83y2O9kJm4ib6C/Sx0PKmK0/d2PbhLPf0eGMuQ0d9FGPVVloScEIdZ7Ygt1
1PKnHW+Bhx3vB5nL51d/A1tLcIV9cOCTiDViBgYGh2+YbTaGSh8C+PEjcm/eSdZE
KCETHvMSRf2ULm76kOPzzrLiplvbONF2+7jpes7ggJIvPFGZ2WPCs0RVxRuuiny2
+fRn7gtiPP+9rzz6Pd/iK65s63BLPXuEkWJ55DHJ6LGt8FvF4qKnK5MaYfNSdQ9D
KPm799FsqFtjBRzZn+6GQAOMSKD8n7Bdk9WJwaJ4R/BoYQXFAgMBAAGjggKJMIIC
hTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/
BAIwADAdBgNVHQ4EFgQUqBy+GY5RsW+UnL4keWsETyX2ftowHwYDVR0jBBgwFoAU
1fyeDd8eyt0Il5duK8VfxSv17LgweAYIKwYBBQUHAQEEbDBqMDUGCCsGAQUFBzAB
hilodHRwOi8vb2NzcC5wa2kuZ29vZy9zL2d0czFwNS9tcmFlaENYb3dJczAxBggr
BgEFBQcwAoYlaHR0cDovL3BraS5nb29nL3JlcG8vY2VydHMvZ3RzMXA1LmRlcjAt
BgNVHREEJjAkgg90cmFpbmVycm9hZC5jb22CESoudHJhaW5lcnJvYWQuY29tMCEG
A1UdIAQaMBgwCAYGZ4EMAQIBMAwGCisGAQQB1nkCBQMwPAYDVR0fBDUwMzAxoC+g
LYYraHR0cDovL2NybHMucGtpLmdvb2cvZ3RzMXA1LzMzMk5VOU5vZ1d3LmNybDCC
AQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AHb/iD8KtvuVUcJhzPWHujS0pM27Kdxo
Qgqf5mdMWjp0AAABjk5DkXAAAAQDAEcwRQIhAK7/EMqUJcmD0go3eUgSs1C5s5N9
75W45pA3WJVTfY+ZAiAoqmlriJtGASkYLXHSQDeaNWBuEMLFyueKuJ2AkUczwQB2
ANq2v2s/tbYin5vCu1xr6HCRcWy7UYSFNL2kPTBI1/urAAABjk5DkXMAAAQDAEcw
RQIhAOeyTd1My1HC4Peal+V8wMdGJlcEqDdN4TLlXXuE7gnJAiAB8HeEtqiyKPx3
V8e7l9Y5I43Fmrc00iEjzzR6VnNuWzANBgkqhkiG9w0BAQsFAAOCAQEAiYCxU2Wn
Nw0J5tzZI5mvx4T/PgdplZuL6rttP6cZAPe0ILKAC50u2LkPliyhN2rrNCHft9Zz
6HOcam4S2nQR5czrsBEMyzNLQY69XM93EJ8IyGxGR0DrEU0/d4SINoO7jHy5TxBV
PSiw7UMsFNAXq7q5Da2G6UVM/WPyJJyrGVvpP8GDPyHNAM6TCGHO3tjbpjhJseey
aeLdbJ521af5xnIkPkXT2DWyJu1RMPVkolBJeY8yHmV1i/faEqwtRgH1gn762iak
V0yBLEW6+YOQvpJ4FIyAVRILfNDY05QZE1d2/OhUZYeiMprA+cL6dZKDO6Chllf7
VZ6AKDy978xY1w==
-----END CERTIFICATE-----
subject=CN = trainerroad.com
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4712 bytes and written 399 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 52AFF9D439D4F7258C55C2327D80A3451C909C182DA1B8A4603A82A310D90FDB
    Session-ID-ctx:
    Resumption PSK: A6B7EA12765DE46DC847325B294C3AD238B67680F7C7704901F2DE5CB95B4ABC1420B7A07C0A8B7521B0EF2E1B7AAE83
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - 28 ab 4f e4 37 c4 a5 c1-60 c6 b8 87 3e f8 0f 35   (.O.7...`...>..5
    0010 - 7d 78 01 f4 88 c4 e4 21-46 86 2f 57 ca b6 94 be   }x.....!F./W....
    0020 - 9b 8b a7 de 37 f8 e9 3f-1f 86 c0 17 e7 30 ec c3   ....7..?.....0..
    0030 - 92 36 7f cc a6 8d 86 5e-59 2a ec 37 4b 61 4d 1a   .6.....^Y*.7KaM.
    0040 - 95 1c 0b 8b 91 f3 5a 6a-a8 f5 41 3d 71 e6 13 23   ......Zj..A=q..#
    0050 - 49 22 1d f8 c3 a1 9b d3-33 4d 1f 02 76 6c a6 69   I"......3M..vl.i
    0060 - 91 0d 5d ac ba 3c 00 d5-75 5b bd e5 1f 1f 12 70   ..]..<..u[.....p
    0070 - 9e 24 db 9e 7e 1f c7 20-37 49 55 01 69 46 7d 5c   .$..~.. 7IU.iF}\
    0080 - 35 84 2f 38 20 1d ab ed-a4 0b 52 7d 72 66 40 a7   5./8 .....R}rf@.
    0090 - 30 2c 1a 0f 6a 3c f7 cc-d0 42 0a 44 6a ac 13 1d   0,..j<...B.Dj...
    00a0 - 99 fd 6c 7c 97 7b 3a 8a-4c 78 7d 50 99 72 d0 3b   ..l|.{:.Lx}P.r.;
    00b0 - 0a 5c b6 fb 28 b4 d6 ba-69 93 52 9f 4d 0f d5 76   .\..(...i.R.M..v

    Start Time: 1710971660
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: [redacted hex string]
    Session-ID-ctx:
    Resumption PSK: [redacted hex string]
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - 28 ab 4f e4 37 c4 a5 c1-60 c6 b8 87 3e f8 0f 35   (.O.7...`...>..5
    0010 - 61 c2 32 fc d3 26 95 73-f4 bc d4 b6 e3 9d fe 6f   a.2..&.s.......o
    0020 - 5d cd 2d 9a 63 5a f4 fd-29 b5 dc a6 17 d8 20 70   ].-.cZ..)..... p
    0030 - bf 73 62 ee 9b 8c 60 54-4a c5 32 71 4e cf ec c6   .sb...`TJ.2qN...
    0040 - 50 5f 6f c7 c4 05 f3 9e-76 4e b8 bb 6c 38 bb 65   P_o.....vN..l8.e
    0050 - 7d cb f3 b7 20 b7 d7 e5-3f 02 2f 14 01 43 69 8f   }... ...?./..Ci.
    0060 - d8 c5 2a c9 a3 16 04 8a-a2 96 83 7b 09 98 43 7e   ..*........{..C~
    0070 - 2a f6 a8 bc 44 49 79 f9-ed cc df bd 5b bf c2 52   *...DIy.....[..R
    0080 - 83 06 19 9d d5 1e 1c e2-48 d3 b3 b7 3b 5c 9d a0   ........H...;\..
    0090 - 44 8a ad 0c fa a8 b0 78-75 d8 99 0b 8e d0 f4 09   D......xu.......
    00a0 - 15 0e 69 f8 70 72 88 72-ae 28 92 40 e6 c5 c0 d3   ..i.pr.r.(.@....
    00b0 - 97 5a 28 f0 4a 86 3e 7b-7b 4f 86 7c 87 79 d3 b6   .Z(.J.>{{O.|.y..

    Start Time: 1710971660
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
me@my-desktop:~$ Thank you for your help.  Should I reinstall OPNsense, reset the configuration for my two switches, and start over?

[bartjsmit]

Can you use OPNsense with Comcast? Maybe put its router in modem mode?

Not that I would dare to suggest that Verizon is anything but a pinnacle of technical excellence, obviously