
Author Topic: Partial Website Load  (Read 431 times)


Offline kaysersosa

Partial Website Load
« on: December 13, 2017, 09:52:49 am »
This question may be answered already and I was unable to find it, if so please send me the link to the solution.  Thanks.


I have been able to access <http://swsheets.com> without issues until this last update of pfSense v2.4.2-RELEASE (amd64).  The site only partially loads in all browsers.  I get the text and not the background layout and some of the graphics after the homepage.  I confirmed the issue on Chrome, IE, and Firefox on my PC.  Same on another PC inside my network.  I loaded the site on my phone on the network, the same.  When I load it on my phone off my network, it loads normally.  This leads me to believe the issue is with pfSense.  Not sure what information you might need regarding my network layout or settings on pfSense.

Network Layout
Internet Router/Modem -> pfSense -> all systems in my network

The Internet Router/Modem is set to DMZ to the pfSense router.

Thanks for any help.

Offline johnpoz

Re: Partial Website Load
« Reply #1 on: December 13, 2017, 10:01:57 am »
Are you using proxy in pfsense, are you using IPS?

What are you doing for dns - forwarder or resolver?  Are you using pfblocker?  Normally when a page does load its layout or images can be related to dns not being able to resolve where the css or image laid out.

I would suggest you use a browser tool to show you what specific part of the page, like the css or whatever is the background, etc.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE (home)

Offline kaysersosa

Re: Partial Website Load
« Reply #2 on: December 14, 2017, 11:43:06 am »
I have confirmed with the site owner that it uses CSS and Javascript. Most CSS and Javascript is hosted on swsheets.com itself, but some CSS is loaded from googleapis.com and some JS from maxcdn.com.

Offline kaysersosa

Re: Partial Website Load
« Reply #3 on: December 14, 2017, 11:51:55 am »
Attached is an image using Google Chrome's info.  Errors are listed below.


Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 14. The default protections will be applied.
welcome:1 This page includes a password or credit card input in a non-secure context. A warning has been added to the URL bar. For more information, see https://goo.gl/zmWq3m.
VM242:34278 Refused to connect to 'https://cr-input.mxpnl.net/data?_channel_id=&_partner_id=39571&_sub_id=0000&_app_version=1.0.23&_app=cs-dca' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.


I hooked up a laptop to bypass my router and connect directly to my internet modem and the page comes up without issues.

Proxy I have squid and squidGuard.  I have turned it off and still the same, these were both on before the last pfSense update.

I do not believe I'm using IPS.
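
The two Chrome console messages quoted in the post above can be reproduced offline. The following is an added example, not code from the thread: it mirrors, in simplified form (ports and paths in source expressions are ignored), how a browser falls back from `connect-src` to `default-src`, and how a header that arrives twice is seen as one comma-joined value. The function names and the page URL `http://swsheets.com/` are assumptions.

```javascript
// Added example, not from the thread. Function names are hypothetical.

// Parse a CSP header value into { directive: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A directive repeated inside one policy is ignored; the first one wins.
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = sources;
    }
  }
  return directives;
}

// Does one source expression allow `url` for a page served from `pageUrl`?
function sourceMatches(source, url, pageUrl) {
  if (source === '*') return /^(https?|wss?):$/.test(url.protocol);
  if (source === "'self'") return url.origin === pageUrl.origin;
  if (source.endsWith(':')) return url.protocol === source; // e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

// fetch()/XHR targets are governed by connect-src, else by default-src.
function checkConnect(policy, target, page) {
  const csp = parseCsp(policy);
  const directive = 'connect-src' in csp ? 'connect-src' : 'default-src';
  if (!(directive in csp)) return { allowed: true, directive: null };
  const url = new URL(target), pageUrl = new URL(page);
  const allowed = csp[directive].some((s) => sourceMatches(s, url, pageUrl));
  return { allowed, directive };
}

// A header sent twice is combined with ", " before it is parsed, which is
// why "1; mode=block, 1; mode=block" fails to parse as a single value.
function duplicatedValues(headerValue) {
  const values = headerValue.split(',').map((v) => v.trim()).filter(Boolean);
  return values.length > 1 ? values : [];
}

// Policy and target are taken from the console output; the page URL is assumed.
const PAGE = 'http://swsheets.com/';
const TARGET = 'https://cr-input.mxpnl.net/data';
console.log(checkConnect("default-src 'self'", TARGET, PAGE));
console.log(duplicatedValues('1; mode=block, 1; mode=block'));
```

Comparing the response headers captured with and without the proxy in the path shows whether the policy and the repeated header come from the site or from something in between.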

Offline kaysersosa

Re: Partial Website Load
« Reply #4 on: December 14, 2017, 11:55:43 am »
I have disabled DNS Forwarder in the DNS Server Settings under General Setup. 

pfblocker - no I do not have it installed

Offline johnpoz

Re: Partial Website Load
« Reply #5 on: December 14, 2017, 12:02:37 pm »
Well looks like that js was blocked.. So yeah that could cause you some issues with displaying the page.. That looks to be browser itself blocking it because it violates some security policy.

Offline kaysersosa

Re: Partial Website Load
« Reply #6 on: December 14, 2017, 12:37:32 pm »
I would agree with you if it didn't occur on every browser, but does not happen on the same browser outside of my network.

Offline johnpoz

Re: Partial Website Load
« Reply #7 on: December 14, 2017, 02:33:34 pm »
Well I am on that page through pfsense 2.4.2 and using chrome and don't even see what you're having error with even loaded..

I would validate you can resolve that domain

;; QUESTION SECTION:
;cr-input.mxpnl.net.            IN      A

;; ANSWER SECTION:
cr-input.mxpnl.net.     3569    IN      A       52.21.163.24
cr-input.mxpnl.net.     3569    IN      A       34.200.204.208
cr-input.mxpnl.net.     3569    IN      A       34.193.92.154
cr-input.mxpnl.net.     3569    IN      A       34.200.94.45

;; Query time: 1 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Thu Dec 14 14:24:38 Central Standard Time 2017
;; MSG SIZE  rcvd: 111

"Proxy I have squid and squidGuard."

You sure you have those disabled?? Try just not using the proxy straight through pfsense not using transparent proxy or implicit proxy, etc.

Offline kaysersosa

Re: Partial Website Load
« Reply #8 on: December 14, 2017, 03:15:29 pm »
With the proxy confirmed off and the Chrome extensions disabled, the site works.  Cache was cleared and confirmed a couple of times.
With the proxy confirmed off and the Chrome extensions enabled, the site works.  Cache was cleared and confirmed a couple of times.

With the proxy confirmed on and the Chrome extensions enabled, the site does not work.  Cache was cleared and confirmed a couple of times.  So the issue appears to be related to the proxy.

On the Proxy Filter (Package / Proxy filter SquidGuard: Common Access Control List (ACL) / Common ACL) I have the following:
own personal Whitelist - whitelist
---only thing on it is the swsheets.com which is on the domain list
[blk_BL_adv] - deny
[blk_BL_spyware] - deny
[blk_BL_tracker] - deny

The list is downloaded from <http://www.shallalist.de/Downloads/shallalist.tar.gz>.

Even with them set to allow the denied ones, the site still will not work correctly.  Thoughts?

Offline kaysersosa

Re: Partial Website Load
« Reply #9 on: December 20, 2017, 11:17:14 am »
After following this setup for the proxy it appears the issue is related to the Transparent HTTP Proxy being enabled.  Disabled the site works, enabled it doesn't work correctly.  My workaround is simply adding the site to the Bypass Proxy for These Destination IPs and it is working.

PFSense Series #2 - How to setup SQUID & SquidGuard
https://www.youtube.com/watch?v=OrB2i2btceI


Any thoughts on why or what settings might be affecting this not working through the proxy?
« Last Edit: December 20, 2017, 03:37:34 pm by kaysersosa »

Offline infiniti25

Re: Partial Website Load
« Reply #10 on: December 22, 2017, 03:29:45 pm »
With the proxy confirmed off and the Chrome extensions disabled, the site works.  Cache was cleared and confirmed a couple of times.
With the proxy confirmed off and the Chrome extensions enabled, the site works.  Cache was cleared and confirmed a couple of times.

With the proxy confirmed on and the Chrome extensions enabled, the site does not work.  Cache was cleared and confirmed a couple of times.  So the issue appears to be related to the proxy.

On the Proxy Filter (Package / Proxy filter SquidGuard: Common Access Control List (ACL) / Common ACL) I have the following:
own personal Whitelist - whitelist
---only thing on it is the swsheets.com which is on the domain list
[blk_BL_adv] - deny
[blk_BL_spyware] - deny
[blk_BL_tracker] - deny

The list is downloaded from <http://www.shallalist.de/Downloads/shallalist.tar.gz>.

Even with them set to allow the denied ones, the site still will not work correctly.  Thoughts?

Surely based on the following post you can correlate what's missing from the whitelist?

I have confirmed with the site owner that it uses CSS and Javascript. Most CSS and Javascript is hosted on swsheets.com itself, but some CSS is loaded from googleapis.com and some JS from maxcdn.com.

I'd add the following to the whitelist maybe?

googleapis.com
maxcdn.com

Just a suggestion, I'm new here so don't know if this will fix your issue, but it sounds logical.

Regards,

MATT (infiniti25)