
I manage a small office LAN that connects to the Internet via a pfSense 2.4.4 firewall. Most of the systems on the LAN are Macs, but there are two Windows PCs, running Windows 7 and Windows 10.

Recently, the Windows PCs have not been able to connect to any Google services. For example, connecting to gmail.com in Chrome eventually shows a page that says "This site can't be reached. accounts.google.com took too long to respond." Connecting to www.google.com shows the top of the page but not the footer. Other browsers (Firefox, IE and Edge) also do not work. Booting in safe mode doesn't help. Connecting to gmail.com in a Chrome incognito window also doesn't help. Connecting to other Google sites also fails (Drive, Docs, etc.).

Connecting to non-Google sites is fine (e.g., amazon.com, microsoft.com, etc.) and the Macs all work fine for Google and everything else. Also, tethering the Windows PC to an iPhone (i.e., bypassing the firewall) works.

The pfSense uses Google DNS (8.8.8.8), and I've tried flushing the PC's DNS cache and also tried configuring the Windows PC to use alternate DNS services directly: Google (8.8.8.8), OpenDNS (208.67.222.222) and Cloudflare (1.1.1.1).

The hosts files look normal (either empty or just 127.0.0.1).

Both systems have been scanned for viruses with Microsoft's tools as well as AVG.

As far as I know, nothing has changed on the pfSense since the last firmware upgrade, which was a couple of months ago.

Rudedog
  • You still have a DNS problem. Two things come to mind: are you familiar with nslookup, and have you tried adjusting the MTU? – Larryc Apr 23 '19 at 23:39
  • Yes, I know nslookup and it returns sane results on the Windows PCs. – Rudedog Apr 23 '19 at 23:53
  • Would you suggest adjusting the MTU on the firewall or on the PC? – Rudedog Apr 23 '19 at 23:54
  • nslookup should be able to tell you what's going on, and there have been several times now when I found that lowering the MTU made all websites appear. Adjust the MTU on the gateway. – Larryc Apr 25 '19 at 10:23

1 Answer


After more digging I discovered that the Windows boxes had the wrong netmask (255.0.0.0 instead of 255.255.252.0). That made routing to Google's servers fail. Other servers succeeded because they were still outside of the PCs' subnet. The strange thing is that the DHCP server is definitely configured with the correct netmask. But that's a separate mystery that I'll take up in the pfSense forums.

In any case, the temporary fix for me was to hard-code the systems’ IP address and netmask.

Rudedog
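The on-link versus gateway decision that the answer describes, as an added example that is not part of the original post. The post does not give the LAN's addresses, so the host `172.16.1.50`, the gateway `172.16.0.1` and the destination addresses are constructed assumptions; `172.217.14.206` is a sample address inside Google's 172.217.0.0/16 range, which a /8 mask on a 172.16.x.x host treats as local.

```python
import ipaddress

def next_hop(host_ip, netmask, gateway, dest):
    """Forwarding decision a host makes for dest: 'on-link' means it ARPs
    for dest on the LAN itself, otherwise the packet goes to the gateway."""
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    if ipaddress.ip_address(dest) in iface.network:
        return "on-link"
    return gateway

def misrouted(host_ip, bad_mask, good_mask, gateway, dests):
    """Destinations whose forwarding decision differs between the two masks."""
    return [d for d in dests
            if next_hop(host_ip, bad_mask, gateway, d)
            != next_hop(host_ip, good_mask, gateway, d)]

def wrongly_local(host_ip, bad_mask, good_mask):
    """Blocks the bad mask claims as local that the correct mask does not."""
    bad = ipaddress.ip_interface(f"{host_ip}/{bad_mask}").network
    good = ipaddress.ip_interface(f"{host_ip}/{good_mask}").network
    return sorted(bad.address_exclude(good))

# Constructed sample values (assumptions, not taken from the post).
HOST, GATEWAY = "172.16.1.50", "172.16.0.1"
BAD_MASK, GOOD_MASK = "255.0.0.0", "255.255.252.0"
DESTS = [
    "172.217.14.206",  # sample address in Google's 172.217.0.0/16
    "172.16.2.10",     # another host on the real /22 LAN
    "52.94.236.248",   # sample non-Google public address
    "13.107.42.14",    # sample non-Google public address
]

if __name__ == "__main__":
    for d in DESTS:
        print(f"{d:16} bad={next_hop(HOST, BAD_MASK, GATEWAY, d):12} "
              f"good={next_hop(HOST, GOOD_MASK, GATEWAY, d)}")
    print("misrouted:", misrouted(HOST, BAD_MASK, GOOD_MASK, GATEWAY, DESTS))
    blocks = wrongly_local(HOST, BAD_MASK, GOOD_MASK)
    print("wrongly local:", sum(b.num_addresses for b in blocks), "addresses")
```

Running the same comparison against the mask a client reports and the mask the DHCP scope is meant to hand out shows which remote ranges a misconfigured client will try to reach without the gateway.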