No Internet, SSL Error [Solved]

[Regular0208]

I am having a strange issue with connecting to the internet. I can ping external IPs like 1.1.1.1 and even reach my port forwarded services from the internet, but when I load a page I get an err_cert_authority_invalid error, HTTP sites also don't load. I can connect to a cloud VPN server and browse perfectly so there is a connection to the WAN. I'm not a networking expert, but it seems to me like a NAT issue. I have OPNsense running virtualized in Proxmox, with the WAN port passed through and the LAN port as virtio.

[bartjsmit]

Could you have a (transparent) proxy between you and the internet? Try browsing to a non-existent website like https://akljakljoihogioonbjoakijllcjom.com/ If there is a proxy, it will give you an error message. If there isn't, you'll get a browser error about failed DNS.

Bart...

[Regular0208]

At a real https address I get the error:

• Your connection is not private
  Attackers might be trying to steal your information from youtube.com (for example, passwords, messages, or credit cards). Learn more
  NET::ERR_CERT_AUTHORITY_INVALID
  youtube.com normally uses encryption to protect your information. When Brave tried to connect to youtube.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be youtube.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Brave stopped the connection before any data was exchanged.
  
  You cannot visit youtube.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

On an http site I get:

• 404 Not Found
  openresty

On a nonexistant site I get:

• This site can’t be reached eujkshfeiukfhkjesfnsuefhuesif.com’s DNS address could not be found. Diagnosing the problem.
  DNS_PROBE_POSSIBLE

I use a local pi-hole which I know works because when I connect to a VPN, I still use local DNS and the internet loads normally.

[bartjsmit]

Could it be that happy eyeballs is switching between IPv4 and IPv6 addresses? Try with a browser that's not so adamant about HSTS, like Firefox.

Always worth a packet trace to see what's happening exactly

[Regular0208]

Wireshark seems to suggest that the site is responding. I took a closer look at the SSL certificate and the issuer and all data fields just say localhost. I tried a few different browsers but couldn't get past the cert error. I was thinking about the setup and I think it may be related to the LAN bridge I set up (https://docs.opnsense.org/manual/how-tos/lan_bridge.html). I think it was working before then, but I did double-check the guide to make sure I did everything exactly as stated.

[Regular0208]

I just want to post for anyone who may have the same problem. My issue was enabling NAT Reflection in the advanced firewall settings. It was the first 2, for 1:1 and for port forwards, that give me this ssl error.