Meta child websites content not loading/blocked

Started by Jose, April 03, 2025, 01:45:54 PM

April 03, 2025, 01:45:54 PM Last Edit: April 04, 2025, 04:56:56 PM by Jose
Hello all, I'm not a fan/user of any social media at all, hence I didn't notice this problem before; unfortunately, with the nowadays marketing trends I have to sin and get involved with "WhatsApp/Instagram" just to get in touch with the "Solar Energy" business, and I found some problems when loading content from such sites.

Been using OPNSense since version 16.x and never had any problem on my small homelab/office network, other than recently finding that "Meta" child websites/apps only partially work when passing through OPNSense: the webpage (Instagram) loads but the content is blocked, i.e. images/videos etc. but not the text. For WhatsApp chats it is the same, the media content does not load and I have to turn off Wi-Fi and use cell data in order to view the images/videos. However, if I connect the Linksys access point directly to the ISP cable modem, the Meta websites/apps work on all clients as intended, but that's definitely not an option.

I did search the web/forums in this regard but just found some repetitive advice about "Enable syncookies", which I've tried as "never/always/adaptive" without success. I really hope someone with knowledge of this case can bring some viable advice, other than the easy route of leaving host(s) vulnerable to DDoS.

System:
i5-2390T + 8GB RAM, 160GB HDD
HP Pro 6300SFF(WAN) + HP NC360T(LAN/OPT)

Versions:
OPNsense 25.1.4_1-amd64
FreeBSD 14.2-RELEASE-p2
OpenSSL 3.0.16

Network:
ISP --> OPNSense --> Linksys-AP --> Clients


Regards!

Edit:
Here is an example of the Meta site loading but without media content, it gets stuck in a connecting loop to ...fbcdn.net.

Here is a similar case in this regard in r/opnsense without a proper solution, and again the OP's Update/Solution is not an option for me. ;)

April 04, 2025, 09:13:18 AM #1 Last Edit: April 05, 2025, 12:38:48 AM by Jose
Looks like I've got an arrow to the knee now, and just got my Instagram suspended for absolutely no relevant reason just 2 days after the account creation. Wow! How funny and very, very worrying/scary at the same time o_O.

Here is their claim:

Regards!

I'm guessing that they are identifying your connection as one hiding identity perhaps. So to see why it seems so when using OPN, the question is, what services are you using on OPN that might make it appear as hiding identity.
I can think of perhaps a VPN connection from OPN. Maybe Zenarmor or AdguardHome, something that blocks ads? Blocking ads is not hiding identity but maybe something they're not happy about and give a generic error.
We can really do with knowing what you run on OPN.

I don't think they would BAN due to hiding Ads. As I myself block Ads on these platforms (family uses them..) using Pihole and ZA combined.

The reason why the BAN happened could be who knows why; Meta banned many people and groups for no reason in the past.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

@cookiemonster
@Seimus

Hello, many thanks for the input. Yeah, definitely the ad-block related extensions make sense if their systems are way too sensitive against those.
I admit that I run the Adblock Plus, PrivacyBadger and ClearURLs Firefox extensions, and all this stuff may early-trigger false positives on their backend.

ATM I'm not running VPN, Intrusion detection/prevention or ad-blockers from my OPNsense appliance, nor was I using my Proton VPN account, so who knows exactly what the issue was, as I remember that I've tested other browsers with no addons enabled and was experiencing the same thing.

What I will do is enable the Wi-Fi on the ISP modem for guest access to those particular sites when I need them from a standalone device, but I definitely will not try to give it access to my homelab for now until some more research.

Regards!

Hello, small update on this case.

Unfortunately things are getting even worse in my recent situation. The good news is that I appealed and recovered my Instagram account, though I'm still unable to access the Meta "Content Delivery Network" related websites and apps; just as previously denoted, the page loads but no media is displayed and it sits in a forever loading loop, however that is not the case.

So I wanted to be more creative on this issue before writing on forums, and then I did the below test procedures without success:

1: Re-installed a fresh copy of OPNsense 25.1 with mostly sane defaults on my current hardware.
2: Re-installed a fresh copy of OPNsense 25.1 on my previous/retired hardware, a Supermicro X7SBL-LN2.
3: Played again with Unbound, Dnsmasq, DNS, OpenDNS, Google DNS, UPnP, etc. etc. etc. forum suggestions.
4: Removed my Linksys AP and used direct CAT.6e cables to discard a possible AP firmware bug messing around.
5: Set the OPNsense host as DMZ in my Arris cable modem to discard possible issues with the built-in firewall/DNS/UPnP stuff.
6: Set the Arris cable modem to Bridged mode and connected OPNsense to discard that double-NAT suggestion around the net.

And some more tests, but pretty much redundant/inverse stuff so not listed; to summarise, none of the above worked in my current situation.

However, I've discovered more issues as follows:

1: All META websites and apps connecting to *CDN* fail with partially loaded content or just loop.
2: Android (Google) mobile clients are unable to update/download apps, and when they sporadically/partially download, they fail with a yellow warning.
3: YouTube slow and/or constant loading issues.
4: 4kvideodownloader does not download 90% of the YouTube videos, but no issues when connected directly to the ISP.
5: Netflix slow and/or constant loading issues.

I have to note that sometimes I'm able to connect to Meta sites/apps and can download YouTube videos with 4kvideodownloader after a quick firewall restart or when I mess around with OPNsense settings, but after a few mins the issue reappears.

At this point I'm out of options, and unfortunately every suggestion around the forums/net that I've tried didn't work for me, even on 2 different pieces of hardware. Also, I don't want to think that this may possibly be related to my ISP company "Liberty Cablevision", but at this point who knows.

My last test TODO is to install that "other firewall distro" and redo all these tests with it, and even if it works I will personally connect my homelab directly to my ISP cable modem until I find a viable solution.

This post is for reference purposes between, and I really hope I will find a solution soon as I don't want to use anything else but OPNsense.

Regards!

I was thinking your ISP or your IP, but if other hardware fixes it, then that's out.
Brings it to configuration really. I can only think of some service blocking (blocklists on unbound as an example, but you checked that) or MTU or IPv6 settings. There are a good few resources here from meyergru that delve deep into those.

Quote from: cookiemonster on April 15, 2025, 11:37:18 PM
I was thinking your ISP or your IP, but if other hardware fixes it, then that's out.
Brings it to configuration really. I can only think of some service blocking (blocklists on unbound as an example, but you checked that) or MTU or IPv6 settings. There are a good few resources here from meyergru that delve deep into those.

Hi cookiemonster, good point regarding MTU and IPv6. I will play around with those and also completely disable IPv6 on the ISP side, redo some testing again and see what happens before hanging up the gloves.

Regards

April 17, 2025, 11:22:35 AM #8 Last Edit: April 17, 2025, 11:24:31 AM by Jose
Hello, here's an update.
I wanted to get more answers on this, but it looks like there are very few to no viable solutions to this phenomenon yet.

Here's the latest testing process I performed:

1: Played with the MTU and IPv6 without luck.
2: Played with some interface settings and the hardware offloading stuff, no luck.
3: Completely disabled IPv6 in ISP modem and OPNsense to test, no luck.
4: Installed an old OPNsense version "21.7" for re-testing, no luck.
5: Tested with two different clients and a laptop, no luck.

Then I decided to test "that other firewall distro", and I was amazed that it behaved exactly the same as OPNsense after playing with it. Man, at that moment I got a wide ear-to-ear smile as I rapidly determined that OPNsense is not the issue here.

Since both firewalls behaved the same, I decided to reset my old but good Linksys EA8100v2 and connected it as a basic AP/Router, and I was surprised that it also behaved the same as in the previous tests: most websites load ok, but web pages/apps depending on any CDN/Google stuff were broken as well. Yep, wow...

Also noticed that every time when restarting the Arris ISP cable modem, the DNS/DNS64 servers change.

So I've concluded that something bizarre is happening between my ISP and OPNsense even if the ISP modem is in bridge mode; definitely this phenomenon is caused by them, and it is very worrying that most of the websites/apps that are broken are the ones with the worst privacy concerns.

Currently I've retired the HP Pro 6300SFF/Linksys AP and connected my clients directly to the crappy ISP until I get some more time for debugging this. Such a pity, I was about to order a Protectli Vault V1211, but for now I will keep testing this issue on old hardware to determine if I should look around for ISP alternatives other than Liberty Cablevision LLC.

PS. Maybe I could try scanning/sniffing the network traffic and patiently reading the logs, if I can get some time to do so.

Regards

Are you really sure that the problem is about OpnSense? The way you describe it, you employ a great amount of blockers/privacy tools and other plugins in your browser which might interfere with dynamic websites. I would try to use another browser without those tools and try if one (or more) of these are the culprit.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Quote from: meyergru on April 17, 2025, 11:57:16 AM
Are you really sure that the problem is about OpnSense? The way you describe it, you employ a great amount of blockers/privacy tools and other plugins in your browser which might interfere with dynamic websites. I would try to use another browser without those tools and try if one (or more) of these are the culprit.

Hi @meyergru, thanks for the input.

I've concluded that OPNsense is not the issue here, as previously denoted. Also, yes, I've tested with alternate clients and a laptop with Debian and fresh/stock Firefox and have no luck with those sites/apps other than connecting directly to the ISP, same with Android and iPhone clients.

I'm leaning towards a possible IPv6 misconfiguration between the ISP modem and the firewall, since I get some IPv6 content when directly connected to the ISP but none when connected through the firewall, like shown in the image below. Hopefully I will get some time to do more testing on this during the weekend.

Regards

Dynamic IPv6 content when connected to the ISP directly (no bridge/DMZ modes though):

April 17, 2025, 01:38:33 PM #11 Last Edit: April 17, 2025, 01:41:40 PM by meyergru
In that case you probably do not have an ISP "modem", but a router. I dislike those router-behind-router configurations, because they have several disadvantages (see point 4 here); however, I know that outside of countries like Germany, you sometimes cannot use a "modem-only" termination with some ISPs.

For IPv6 to work with such a configuration, you would have to configure IPv6 subdelegation. Essentially, most ISPs hand out a single IA-NA IPv6 and a /56 IA-PD IPv6 prefix from which you can take out parts to delegate to your (V)LANs.

This is explained for a specific example here.

That being said, I cannot see what/how your ISP actually delegates subnets, because there are no netmasks for either IPv4 or IPv6 in your picture.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Quote from: meyergru on April 17, 2025, 01:38:33 PM
In that case you probably do not have an ISP "modem", but a router. I dislike those router-behind-router configurations, because they have several disadvantages (see point 4 here); however, I know that outside of countries like Germany, you sometimes cannot use a "modem-only" termination with some ISPs.

For IPv6 to work with such a configuration, you would have to configure IPv6 subdelegation. Essentially, most ISPs hand out a single IA-NA IPv6 and a /56 IA-PD IPv6 prefix from which you can take out parts to delegate to your (V)LANs.

This is explained for a specific example here.

That being said, I cannot see what/how your ISP actually delegates subnets, because there are no netmasks for either IPv4 or IPv6 in your picture.

Hi @meyergru, thanks again for the great info, much appreciated; gonna have a good read indeed.

You are right, I have an ISP Cable Modem and Router Combo that has its own DHCP/NAT/UPnP/Firewall etc. integrated; I have the habit of calling them ISP modems, yeah. Between, it has the option for bridge mode, but I can't get the IPv6/DNS6 to work regardless of whether it is bridged.

Also, this ISP gives just a /64 prefix for IPv6 that can't be changed. Between, dunno if it could be modified through telnet like in some ISP modem/routers, but I think I won't mess around with that before asking them for options.

I will post an image of the Arris cable modem/router IPv6/DNS config pane for reference indeed, hopefully this can be solved soon so I can order a Protectli box to play with.

Regards

ISP Cable/Modem IPv6 config:

Many routers tend to hand out only a /64 range, because they usually "think" that there is only one LAN connected to them - I mean that is in itself not a sure sign that your ISP does not hand out a larger prefix like /56 or /48 as per IA-PD. You would probably see that if you use the ISP router in bridge/modem mode and try bringing up the connection with OpnSense as the only router.

I cannot provide any specific instructions, because IDK that provider.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

April 18, 2025, 09:51:09 AM #14 Last Edit: April 18, 2025, 09:54:32 AM by Jose
Quote from: meyergru on April 17, 2025, 04:21:19 PM
Many routers tend to hand out only a /64 range, because they usually "think" that there is only one LAN connected to them - I mean that is in itself not a sure sign that your ISP does not hand out a larger prefix like /56 or /48 as per IA-PD. You would probably see that if you use the ISP router in bridge/modem mode and try bringing up the connection with OpnSense as the only router.

I cannot provide any specific instructions, because IDK that provider.

Hi @meyergru, yes, you are right; apparently this ISP is indeed locking domestic/home users to just one IPv6 LAN prefix, and the thing is that Bridge or DMZ mode does not work as intended either, hence why the ISP in bridge or DMZ didn't work on the IPv6 side as expected when testing, and the user can't modify the prefix nor disable IPv6 in the ISP router.

To make things worse found that this ISP company is nothing more than a [Carrier-Grade-NAT] "cgnat.libertypr.net" with a dynamic/dynamic connection setup.

This boils down to the fact that, no matter what firewall/router is connected in between, it will not work as intended for the IPv6 stuff, and since more and more heavily loaded content-delivery-network websites/apps are using IPv6, it is not recommended to disable it completely like two decades ago.

I've confirmed this by completely disabling IPv6 only on my workstation/client, and all of these websites/apps loaded partially/broken even when connected directly to the CGN ISP.

I will try to contact my ISP and ask if they can change this IPv6 prefix limitation, and if that is not possible, then wait patiently for further resolutions regarding CGN users with OPNsense.

For now I will enable the `ufw` firewall on my workstation and restrict my current `pf` settings on my FreeBSD server, even if it is a headache working with this stuff by hand, but at least it is better than nothing.

Again thanks a lot for the suggestions @meyergru @cookiemonster @Seimus

Regards
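Added example (not code from any poster in this thread): a small Python check that turns the two findings above into something you can run against your own WAN handoff: meyergru's point that a usable IA-PD delegation (a /56 or /48) must be split into one /64 per (V)LAN, and Jose's conclusion that this ISP hands out only a /64 and sits behind carrier-grade NAT. All addresses are constructed documentation ranges, not the poster's real ISP data; the function names are my own.

```python
"""Check a WAN handoff for the two conditions found in this thread:
an IPv4 address from the carrier-grade NAT block (RFC 6598) and an IPv6
delegation too small to give each (V)LAN behind the firewall its own /64.
Sample addresses are constructed documentation ranges, not real ISP data."""
import ipaddress
from itertools import islice

# RFC 6598 shared address space; ISPs use it for customers behind CGNAT.
CGNAT_BLOCK = ipaddress.ip_network("100.64.0.0/10")


def is_cgnat(wan_ipv4: str) -> bool:
    """True when the WAN IPv4 address is CGNAT-translated by the ISP."""
    return ipaddress.ip_address(wan_ipv4) in CGNAT_BLOCK


def lan_subnets(delegated_prefix: str, lan_count: int) -> list:
    """Carve one /64 per LAN out of an IA-PD prefix (e.g. a /56 gives 256).
    Returns [] when that is impossible: SLAAC needs a full /64 per link,
    so a bare /64 delegation can only serve the single LAN it lands on."""
    net = ipaddress.ip_network(delegated_prefix, strict=False)
    if net.version != 6 or net.prefixlen > 64:
        return []
    if lan_count > 2 ** (64 - net.prefixlen):
        return []
    return [str(s) for s in islice(net.subnets(new_prefix=64), lan_count)]


def assess(wan_ipv4: str, delegated_prefix: str, lan_count: int) -> dict:
    """Summarise what a router placed behind this handoff can expect."""
    subnets = lan_subnets(delegated_prefix, lan_count)
    return {
        "cgnat": is_cgnat(wan_ipv4),
        "lan_subnets": subnets,
        "ipv6_lans_possible": len(subnets) == lan_count,
    }


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: CGNAT IPv4 and a lone /64.
    print(assess("100.72.1.5", "2001:db8:abcd:100::/64", lan_count=2))
    # A /56 delegation, by contrast, covers LAN and OPT with room to spare.
    print(assess("203.0.113.9", "2001:db8:abcd:100::/56", lan_count=2))
```

Feed it the WAN IPv4 shown on the ISP router's status page and the delegated prefix OPNsense reports on its WAN interface; a result with `cgnat` true and `ipv6_lans_possible` false is the situation the thread ends with.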