Problem Accessing some webpages

Started by peterwkc, June 28, 2022, 03:16:54 AM

June 28, 2022, 03:16:54 AM Last Edit: June 28, 2022, 03:29:25 AM by peterwkc
Dear All,
I have a problem accessing some webpages, listed below:

1. Whatsapp
2. ThinkorSwim
3. Interactive Broker
4. moomoo
5. Visual Studio Community
6. Telegram Desktop

Anyone know how to diagnose the firewall rules or DNS?


If you are using DNS blocklists on Unbound, you need to remove blocklists one by one and might have to restart Unbound each time until they work.

Firewall rule wise, if you only have 1 LAN network, then the Default allow LAN to any rule which is automatically generated is the only thing you need to have.

You have to add Default allow all rule to each network rules you add manually (just clone Default allow LAN to any rule and change Interface to network you need to add and Source from LAN net to networkname net you need to add it to).

Unless the firewall has a block rule which applies to the IPs the apps connect to and it is above the default allow all rule, or the network is missing the Default allow to any rule, the firewall won't block WhatsApp or any other program from connecting to the internet.

Also IPS (Snort, Suricata and Zenarmor) might be blocking if you have set policies to block social media (so check Zenarmor policies and make sure in the app section that each category you have selected won't contain apps you want to use).

Free apps which heavily enforce ads might not work if you are using ad blocking.

DNS blocks are mostly used to block access to legitimate and completely safe websites and apps as well, so you need to know which type of blocklists to use.

For example windows spyblocker DNSLB lists block everything microsoft related, which will prevent you from updating windows, using microsoft store, xbox app or any microsoft services.

For security point of view, it's better to add aliases and setup firewall blocks using those aliases.
Spamhaus (https://docs.opnsense.org/manual/how-tos/edrop.html) is one that you can use, and you can also find many IP lists (they need to be published as a website in txt form and contain only IP addresses, like for example https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt).
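The post above says a URL-table alias feed must be plain text containing only IP addresses. The check below is an added example (not from the forum post or from OPNsense) that validates such a feed before you point an alias at it: each non-comment line must parse as an IPv4/IPv6 address or CIDR. Tolerating `#` comment lines, as the abuse.ch feeds use, is an assumption, and the sample feed is constructed from documentation ranges, not real indicators.

```python
"""Validate a plain-text IP list before using it as an OPNsense URL-table alias.

Added example, not from the forum post or the OPNsense project. The post says
such a list must be published as plain text and contain only IP addresses;
tolerating '#' comment lines (as the abuse.ch feeds have) is an assumption.
The sample feed below is constructed from documentation ranges, not real data.
"""
import ipaddress

# Constructed sample feed: reserved documentation ranges, not real IoCs.
SAMPLE_FEED = """\
# constructed blocklist for testing
# Last updated: 2022-06-28
192.0.2.10
198.51.100.0/24
2001:db8::1
not-an-ip
203.0.113.5:443
"""


def parse_ip_list(text):
    """Split a feed into (accepted, rejected) entries.

    accepted: ipaddress network objects (single hosts become /32 or /128)
    rejected: (line_number, raw_line) pairs that would break the alias
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line, ignored
        try:
            # strict=False accepts "10.0.0.1/24" and normalises it to 10.0.0.0/24
            accepted.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append((lineno, raw))
    return accepted, rejected


def summarize(text):
    """Report what the alias would load and which lines it would choke on."""
    accepted, rejected = parse_ip_list(text)
    return {
        "accepted": [str(n) for n in accepted],
        "rejected": [raw for _, raw in rejected],
        "v4": sum(1 for n in accepted if n.version == 4),
        "v6": sum(1 for n in accepted if n.version == 6),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FEED).items():
        print(f"{key}: {value}")
```

Run it against a feed you downloaded (read the file and pass its text to `summarize`); any line in `rejected` is something the alias loader cannot use, such as a host:port pair or a hostname.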

June 28, 2022, 08:46:00 AM #3 Last Edit: June 28, 2022, 08:58:34 AM by peterwkc
I did not use DNS Blocklist. I use Suricata IPS mode but it should not block Zoom and Teams. I did have firewall aliases.

Please help.

Quote from: peterwkc on June 28, 2022, 08:46:00 AM
I did not use DNS Blocklist. I use Suricata IPS mode but it should not block Zoom and Teams. I did have firewall aliases.

Please help.

IPS ignores firewall rules completely, so even if you allow the networks which are assigned to Zoom and Teams, if you selected a rule in Suricata which blocks those, then the connection is blocked.

Suricata might be blocking them due to some networks having been in botnets or used by scammers, or having had some suspicious activity or traffic. Especially if you use the free version, there are a lot of false positives and things (like speedtest.net) which get blocked by it.

Check if you can see any alerts on IPS.

June 28, 2022, 09:21:02 AM #5 Last Edit: June 28, 2022, 09:30:20 AM by Vilhonator
Don't mean to sound like a complete prick, but OPNsense is an enterprise level firewall with an enterprise level IPS.

Without buying a specific license for IPS, you have to choose rules very carefully and instead of blocking on each one, choose alert and check whether the alerts you get are worth ignoring or worth blocking.

In short, the free version of Suricata doesn't show just rules which are 100% accurate and surely a threat, it shows everything which companies use to block clients from accessing a site (from Windows updates and Facebook all the way to known threats and viruses).

That is why they sell different packages with different combinations of rules, to make configuration and monitoring much easier without having to spend the first couple of days checking that nothing that shouldn't be blocked gets blocked.

For about 10€ per month, you can get Zenarmor which is good enough. It is much easier to use and the paid version supports custom listings etc. Worth checking out if you want ease of use. Snort and Suricata both require more knowledge (not to mention how resource hungry they are).

Just remember, a paid or free IPS doesn't protect your computers from all threats, and without knowing what you are doing, an IPS can make your systems even less secure.

Security and privacy are 90% dependent on the user, not on what type of VPNs, firewalls, AV and software or hardware they use; those just bring added security and tools which inform you about threats.

June 28, 2022, 09:36:45 AM #6 Last Edit: June 28, 2022, 09:38:54 AM by peterwkc
I stopped the Suricata and Zenarmor services and it still blocks WhatsApp, Teams, Zoom, Telegram and other investing platforms. My firewall optimization algorithm is Aggressive.

Quote from: peterwkc on June 28, 2022, 09:36:45 AM
I stopped the Suricata service and it still blocks WhatsApp, Teams, Zoom, Telegram and other investing platforms. My firewall optimization algorithm is Aggressive.

Did you reboot?

Sometimes you need to either reboot OPNsense or disconnect and reconnect your PC for the changes to take effect. I have that issue with firewall and DNS settings from time to time.

Also make sure that the firewall rules don't contain any block rules which block Teams and Zoom above the allow rules.

By default, the firewall evaluates rules in order from top to bottom if there are conflicting rules (a.k.a. one rule which blocks all traffic to IP x and one below it which allows a specific port to the same IP).
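To make the ordering point concrete, here is an added example (not from the thread or from OPNsense) that simulates top-to-bottom first-match rule evaluation: a broad block placed above a narrower allow shadows it, and moving the allow above the block fixes it. The rule set and packets are constructed for the illustration; the `Rule`/`Packet` types and the default-deny fallback are assumptions of this model, not OPNsense internals.

```python
"""Simulate top-to-bottom first-match firewall rule evaluation.

Added example, not from the forum thread or OPNsense itself. It models the
behaviour the reply describes: rules are read from top to bottom and the first
matching rule decides, so a block rule placed above a narrower allow rule
shadows it. Rules, packets and the default-deny fallback are constructed
assumptions for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str             # "pass" or "block"
    proto: str              # "tcp", "udp" or "any"
    dst: str                # destination network in CIDR form
    dport: Optional[int]    # destination port, None = any port
    label: str = ""


@dataclass
class Packet:
    proto: str
    dst_ip: str
    dport: int


def matches(rule, pkt):
    """True when the packet falls inside the rule's protocol, destination and port."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def first_match(rules, pkt):
    """Return (index, rule) of the first rule matching pkt, or (None, None)."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return idx, rule
    return None, None


def verdict(rules, pkt):
    """Action applied to pkt; 'block' when nothing matches (assumed default deny)."""
    _, rule = first_match(rules, pkt)
    return rule.action if rule else "block"


# Constructed rule set: a broad block sits above a narrower allow, so the
# allow rule can never be reached for traffic to 192.0.2.10:443.
BROKEN_ORDER = [
    Rule("block", "any", "192.0.2.0/24", None, "block whole range"),
    Rule("pass", "tcp", "192.0.2.10/32", 443, "allow HTTPS to one host"),
    Rule("pass", "any", "0.0.0.0/0", None, "Default allow LAN to any"),
]

# Same rules with the specific allow moved above the block.
FIXED_ORDER = [BROKEN_ORDER[1], BROKEN_ORDER[0], BROKEN_ORDER[2]]

# Constructed packets: HTTPS to the one host, and unrelated DNS traffic.
HTTPS_TO_HOST = Packet("tcp", "192.0.2.10", 443)
DNS_ELSEWHERE = Packet("udp", "198.51.100.53", 53)


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        idx, rule = first_match(rules, HTTPS_TO_HOST)
        print(f"{name}: rule #{idx} '{rule.label}' -> {rule.action}")
```

When checking a real rule set, the same idea applies: for the destination that fails, walk the interface's rules top to bottom and note the first one that matches; if it is a block, every allow below it is dead for that traffic. The live log view mentioned in the next reply shows which rule actually fired.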

I would check firewall rules first (you should see errors in the live log if any filtering does occur).

If it is not the firewall, I would check what is different with those sites compared to those that work.

What comes to mind is:

  • IPv4 vs. IPv6

  • Wrong MTU size (e.g. if you connect over a PPP link of sorts)
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Let me check on it and come back here.

Do you use Unbound DNS and have you enabled "Strict QNAME minimisation" in the advanced options? If so, try to disable this option and test...

No, I didn't check it. Why is this so?