Devices Unable to Access certain sites on WiFi Guest or WiFi IoT

[bestcea]

Thank you very much, Mike for the amazing guide. You have made low cost, secure and flexible networking for those with minimal networking skills - like me.

Knowing you have spent a lot of time on the Guide and fielding questions from users, I tried for hours and hours to see if I could figure out the solution to the problem, but I give up. I do not believe this is an "issue" but ignorance on my part. Background, I have an EdgeX router, loaded with your latest configuration and a UniFi AP.

The problem is certain sites do not load using a computer or IoT devices cannot communicate with a website. Google.com and yahoo.com load fine. When trying to reach microsoft.com I receive a cannot communicate with server error; amazon.com I receive an invalid security certificate.

Thank you or others in advance for any help.

bestcea

[GeoffWy]

Sounds like your devices are not accessing DNS. I assume you have port 53 enabled in your GUEST-LOCAL ruleset. Might be best to post a sanitised configuration so we can see how your DNS and firewall are configured.

[mjp66]

Typically, if some sites work, and some sites don't work, that is because of a PPPOE connection. Look at section 5 and check out the links about changing the MSS and/or MTU settings. Might try them even if you don't have a PPPOE connection. One of those links may have a debugging method, don't remember at the moment. First make a config backup. Good Luck.

[bestcea]

Thank you Mike. I don't have a PPPOE, but I tried the combinations. No luck. I will post what GeoffWy suggested.

[bestcea]

Sounds like your devices are not accessing DNS. I assume you have port 53 enabled in your GUEST-LOCAL ruleset. Might be best to post a sanitised configuration so we can see how your DNS and firewall are configured.

GeoffWy,
Thank you for posting. My configuration is straight off Mike's latest config file"

firewall {
all-ping enable
broadcast-ping disable
group {
address-group OPENDNS_SERVERS_GROUP {
address 208.67.222.222
address 208.67.220.220
description "OpenDNS Servers"
}
address-group RFC-1918_GROUP {
address 192.168.0.0/16
address 172.16.0.0/12
address 10.0.0.0/8
description "RFC-1918 Group"
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name HOME_OUT {
default-action accept
description "Home Out"
rule 10 {
action accept
description "Allow Wifi Iot Established Replies"
log disable
protocol all
source {
group {
address-group NETv4_switch0.7
}
}
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action accept
description "Allow Wired Iot Established Replies"
log disable
protocol all
source {
group {
address-group NETv4_eth1
}
}
state {
established enable
invalid disable
new disable
related enable
}
}
rule 30 {
action accept
description "Allow Wifi Guest Established Replies"
log disable
protocol all
source {
group {
address-group NETv4_switch0.6
}
}
state {
established enable
invalid disable
new disable
related enable
}
}
rule 40 {
action accept
description "Allow Wifi Spare Established Replies"
log disable
protocol all
source {
group {
address-group NETv4_switch0.8
}
}
state {
established enable
invalid disable
new disable
related enable
}
}
rule 50 {
action drop
description "Drop RFC-1918 Traffic"
log disable
protocol all
source {
group {
address-group RFC-1918_GROUP
}
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WIFI_GUEST_LOCAL {
default-action drop
description "WiFi Guest Local"
rule 1 {
action accept
description "Allow DHCP"
destination {
port 67
}
log disable
protocol udp
source {
port 68
}
}
rule 2 {
action accept
description "Allow DNS"
destination {
group {
}
port 53
}
log disable
protocol tcp_udp
}
}
name WIFI_IOT_LOCAL {
default-action drop
description "WiFi Iot Local"
rule 1 {
action accept
description "Allow DHCP"
destination {
port 67
}
log disable
protocol udp
source {
port 68
}
}
rule 2 {
action accept
description "Allow Only OpenDNS"
destination {
group {
address-group OPENDNS_SERVERS_GROUP
}
port 53
}
log disable
protocol tcp_udp
}
}
name WIFI_SPARE_LOCAL {
default-action drop
description "WiFi Spare Local"
rule 1 {
action accept
description "Allow DHCP"
destination {
port 67
}
log disable
protocol udp
source {
port 68
}
}
rule 2 {
action accept
description "Allow Only OpenDNS"
destination {
group {
address-group OPENDNS_SERVERS_GROUP
}
port 53
}
log disable
protocol tcp_udp
}
}
name WIRED_SEPARATE_IN {
default-action accept
description "Wired Separate In"
rule 1 {
action drop
description "Block RFC-1918 Traffic"
destination {
group {
address-group RFC-1918_GROUP
}
}
log disable
protocol all
}
}
name WIRED_SEPARATE_LOCAL {
default-action drop
description "Wired Separate Local"
rule 1 {
action accept
description "Allow DHCP"
destination {
port 67
}
log disable
protocol udp
source {
port 68
}
}
rule 2 {
action accept
description "Allow DNS"
destination {
group {
}
port 53
}
log disable
protocol tcp_udp
}
}
name WIRED_SEPARATE_OUT {
default-action accept
description "Wired Separate Out"
rule 1 {
action drop
description "Drop Non-Separate Traffic"
log disable
protocol all
source {
group {
address-group RFC-1918_GROUP
}
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description Internet
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
description "Wired Iot Net"
duplex auto
speed auto
}
ethernet eth2 {
address 192.168.5.1/24
description "Wired Separate Net"
duplex auto
firewall {
in {
name WIRED_SEPARATE_IN
}
local {
name WIRED_SEPARATE_LOCAL
}
out {
name WIRED_SEPARATE_OUT
}
}
speed auto
}
ethernet eth3 {
description "Home Net"
duplex auto
speed auto
}
ethernet eth4 {
description "Home Net"
duplex auto
poe {
output off
}
speed auto
}
loopback lo {
}
switch switch0 {
description "Home Net"
mtu 1500
switch-port {
interface eth1 {
vlan {
pvid 7
}
}
interface eth3 {
vlan {
pvid 1
}
}
interface eth4 {
vlan {
pvid 1
vid 6
vid 7
}
}
vlan-aware enable
}
vif 1 {
address 192.168.3.1/24
description "Home Net"
firewall {
out {
name HOME_OUT
}
}
mtu 1500
}
vif 6 {
address 192.168.6.1/24
description "Wifi Guest Net"
firewall {
local {
name WIFI_GUEST_LOCAL
}
}
mtu 1500
}
vif 7 {
address 192.168.7.1/24
description "Wifi Iot Net"
firewall {
local {
name WIFI_IOT_LOCAL
}
}
mtu 1500
}
vif 8 {
address 192.168.8.1/24
description "Wifi Spare Net"
firewall {
local {
name WIFI_SPARE_LOCAL
}
}
mtu 1500
}
}
}
protocols {
igmp-proxy {
interface switch0.1 {
alt-subnet 0.0.0.0/0
role upstream
threshold 1
}
interface switch0.7 {
alt-subnet 0.0.0.0/0
role downstream
threshold 1
}
}
}
service {
dhcp-server {
disabled false
hostfile-update enable
shared-network-name HomeNetDHCP {
authoritative enable
subnet 192.168.3.0/24 {
default-router 192.168.3.1
dns-server 192.168.3.1
domain-name HomeNet
lease 86400
start 192.168.3.38 {
stop 192.168.3.243
}
}
}
shared-network-name SecureNetDHCP {
authoritative enable
subnet 192.168.5.0/24 {
default-router 192.168.5.1
dns-server 8.8.8.8
dns-server 8.8.4.4
domain-name SeparateNet
lease 86400
start 192.168.5.38 {
stop 192.168.5.243
}
}
}
shared-network-name WifiGuestDHCP {
authoritative enable
subnet 192.168.6.0/24 {
default-router 192.168.6.1
dns-server 208.67.222.222
⁃ dns-server 208.67.220.220
domain-name WifiGuestNet
lease 86400
start 192.168.6.38 {
stop 192.168.6.243
}
}
}
shared-network-name WifiIotDHCP {
authoritative enable
subnet 192.168.7.0/24 {
default-router 192.168.7.1
dns-server 208.67.222.222
dns-server 208.67.220.220
domain-name WifiIotNet
lease 86400
start 192.168.7.38 {
stop 192.168.7.243
}
}
}
shared-network-name WifiSpareDHCP {
authoritative enable
subnet 192.168.8.0/24 {
default-router 192.168.8.1
dns-server 208.67.222.222
dns-server 208.67.220.220
domain-name WifiSpareNet
lease 86400
start 192.168.8.38 {
stop 192.168.8.243
}
}
}
static-arp disable
use-dnsmasq enable
}
dns {
forwarding {
cache-size 400
listen-on switch0
system
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
mdns {
repeater {
interface switch0.1
interface switch0.7
}
}
nat {
rule 1 {
description "Exclude OpenDNS WiFi Guest"
destination {
group {
address-group OPENDNS_SERVERS_GROUP
}
port 53
}
exclude
inbound-interface switch0.6
inside-address {
port 53
}
log disable
protocol tcp_udp
type destination
}
rule 2 {
description "Force OpenDNS WiFi Guest"
destination {
port 53
}
inbound-interface switch0.6
inside-address {
address 208.67.222.222
}
log disable
protocol tcp_udp
type destination
}
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
disable
}
}
system {
domain-name home.local
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat enable
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/New_York
traffic-analysis {
dpi enable
export enable
}
}

/* Warning: Do not remove the following line. /
/ === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === /
/ Release version: v1.10.10.5210345.190714.1127 */

[GeoffWy]

Not got time to look in detail at the moment but in you DNS rule you seem to have source group enabled but with no group set. Not sure if this would cause the rule to fail or not.
name WIFI_GUEST_LOCAL {
.
.
rule 2 {
action accept
description "Allow DNS"
destination {

group {

}
port 53
}
log disable
protocol tcp_udp

[bestcea]

Thanks GeoffWy. I added OpenDNS servers group to that rule and it did not work.

Basically Wired IoT, WiFi IoT, WiFi Guest or WiFi Spare do not allow many sites, amongst them Microsoft.com, amazon.com. My Wired IoT and Wifi IoT are coalesced per the guide. In the case of amazon I get a Firefox error "www.amazon.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site." For Microsoft.com I get a Cisco OpenDNS screen saying site block due to content filtering. I just discovered GitHub.com does not work either, because it cannot establish a secure connection.

[mjp66]

I compared my reference config file against the GitHub published config file, no difference. Your config file has an inserted "?" on the following line "dns-server 208.67.220.220". That is inside the section "shared-network-name WifiGuestDHCP". You might want to re-config that section.

[GeoffWy]

I configured my system some time ago based on a much earlier version of Mike's guide (thanks Mike), but and I have modified it a lot, so I don't do some things quite the same way as Mike. There some things that puzzle me about the firewall rules in your config.
First a number of your rules have an empty destination group as I pointed out in previous post. Not sure if it would cause a problem, but it ought not really to be there.
Second, I can't see that the firewall rules to allow only open dns can work. Take WIFI_IOT_LOCAL as an example. These are rules applied at vif7 to traffic traveling to local - ie the switch itself. rule 2 is set to allow OPENDNS_SERVERS_GROUP as a destination. But those are external internet addresses and can never be a destination for traffic destined to local - the rule will never take effect. The rule that should be present here is one to block traffic to port 53, so that your IOT cannot access the switches DNS service. The NAT rules applied on exit to the WAN take care of allowing the OPENDNS_SERVERS_GROUP through unchanged, and any other addresses to be mapped to an open dns server.

• Added note - after further thought there is no need for a dns block rule here the default is block

Not sure if any of this will solve your problem though!

Another further thought - is the device you are using to test holding on to a previous dhcp configuration? Can you check which dns servers it is actually trying to use?