Cannot reach mozilla.org through proxy

I just tried 63.245.208.195 to reach mozilla.org.

I got the browser warning (regarding the certificate?) which I dismissed.
Then I got a timeout like when I tried to reach mozilla.org directly.
mozilla.org is also automatically inserted as the browser URL.

So this means that the DNS is working, right?

What else could it be?

Upstream proxy.

Check the firewall log for the ip.

I do not see 63.245.208.195 in my firewall log.

Accessing web pages (successful or not) does not seem to put an entry into the log.
I only have entries with “Proto” being 2 or UDP…

I think I can’t help you with that. I would switch RED to WWAN just to make sure it’s not related to my ISP. I can’t explain why ipfire should filter websites when it’s not supposed to and it doesn’t come up in the logs.

All right, thanks anyway! I will try to get some local support who can hopefully resolve this.
Will tell you if we have found the cause for this…

Hello Linus,

I have three questions on this.

First of all, have you set your ipfire as the primary ntp server of your network? (and if yes, did you set the ntp server at your dhcp options tab?)
On your clients where you try to access mozilla.org

Just to eliminate possible errors, have you checked the local time and date settings on your clients?

On your clients, where have you set your proxy settings? Have you set it in the OS proxy settings or in the browser settings? - If not, you can try it again and set the proxy server also at the browser settings tab.

Possibly it is logged not as ip but as fqdn?

I got another idea:

Just for testing purposes - do you get the same error message if you change the port of the proxy - and enable/disable the transparent proxy?

Thanks for your suggestions.

Setting up the proxy also in the browser (instead of just in the OS) did not change anything.

Switching between “Transparent on Green” on and off in the IPFire proxy configuration also did not change anything.

The local time of my clients seems to be the correct time of my time zone.

What do you mean by changing the port? Just enter a port other than 800 for “proxy port” in the IPFire configuration? Which should I use?

I am afraid I don’t know how to do this… As I said, the network and firewall here were set up by an external contractor. I have been trying to get hold of them since last week…

This is what my firewall log looks like:

Hi everybody,

it seems we solved the mystery!

When running nslookup on an ipfire shell, we realised that the used server was 127.0.0.1.
So we changed this in /etc/resolv.conf to:
nameserver 1.1.1.1

We then restarted IPFire via the browser interface and from there on it worked.

Could anybody explain to me what has happened here?
What is the difference between the DNS server set in /etc/resolv.conf and those (primary and secondary) set in the Network -> Assign DNS-Server?

127.0.0.1 is the local recursor when - for example - your dnssec fails.

So do you understand why it works for me when I put nameserver 1.1.1.1 into /etc/resolv.conf?
Is this even a “good solution”?

127.0.0.1 is the localhost. This means the local unbound is used as DNS server.
The servers assigned in the webgui are used by unbound.

IPFire resets /etc/resolv.conf at every boot to its default, so it should again not work after a restart.

No, I don’t know. That shouldn’t happen. As arne said, the change will be gone after a reboot, and as long as you don’t write a script that changes it at every boot time you will have to redo the change every time again. Also, I don’t think it’s a good idea. In my understanding the change will make the system not use unbound as dns server anymore and you shouldn’t have the ability to use the url filter etc.

OK, back to square one then… :crazy_face:

One more question if I may:

Does the fact that changing the DNS in /etc/resolv.conf seemingly solves my problem hint at where to search for the real cause?

Maybe the cause for my problem is that there is no DNS server set up for dnsmasq? (https://wiki.archlinux.org/index.php/dnsmasq)

I tried to check, but my ipfire VM does not have the /etc/dnsmasq.conf file.
How can this be configured?? Thanks!

IPFire has no dnsmasq anymore, so there is no config. We switched to unbound years ago.

Hm, is it possible my IPFire is that old?

[root@ipfire /]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address        Foreign Address    State    PID/Program name  
tcp        0      0 0.0.0.0:53           0.0.0.0:*          LISTEN   11414/dnsmasq      
tcp        0      0 0.0.0.0:222          0.0.0.0:*          LISTEN   2652/sshd          
tcp        0      0 10.16.1.254:800      0.0.0.0:*          LISTEN   3776/(squid-1)     
udp        0      0 0.0.0.0:57927        0.0.0.0:*                   3776/(squid-1)     
udp        0      0 0.0.0.0:53           0.0.0.0:*                   11414/dnsmasq      
udp        0      0 0.0.0.0:68           0.0.0.0:*                   11891/dhcpcd       
udp        0      0 192.168.2.102:123    0.0.0.0:*                   2596/ntpd          
udp        0      0 10.16.1.254:123      0.0.0.0:*                   2596/ntpd          
udp        0      0 127.0.0.1:123        0.0.0.0:*                   2596/ntpd          
udp        0      0 0.0.0.0:123          0.0.0.0:*                   2596/ntpd  

uname -r
3.14.65-ipfire

uname -v
#1 SMP Tue Jun 14 06:21:39 GMT 2016

What should I do?

Hi Linus,

Make a backup of your settings. Do a clean install of IPFire 2.25 Core 141. Restore your backup.

1 Like
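
The resolver path discussed in this thread (what /etc/resolv.conf points at, and which daemon answers on port 53) can be checked with a short script. This is an added example, not part of any post and not IPFire code; the function names and result labels are hypothetical, and the sample inputs are constructed, with the netstat lines copied from the output posted above.

```shell
#!/bin/sh
# Added diagnostic sketch (not IPFire code); function names are hypothetical.

# Nameserver addresses from a resolv.conf-style file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Program bound to port 53 in saved `netstat -tulpn` output.
dns_listener() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /:53$/ { n = split($NF, p, "/"); print p[n]; exit }' "$1"
}

# Classify the firewall's own resolver path.
diagnose() {  # $1 = resolv.conf copy, $2 = saved netstat output
    ns=$(resolv_nameservers "$1" | head -n 1)
    daemon=$(dns_listener "$2")
    case "$ns" in
        "")        echo "no-nameserver" ;;
        127.*|::1)
            case "$daemon" in
                unbound) echo "local-unbound" ;;          # current IPFire resolver
                dnsmasq) echo "local-dnsmasq-legacy" ;;   # replaced by unbound years ago
                "")      echo "local-no-listener" ;;      # nothing answers on port 53
                *)       echo "local-other:$daemon" ;;
            esac ;;
        *)         echo "bypass:$ns" ;;                   # local resolver is not used
    esac
}

# Constructed sample inputs; the netstat lines are the ones posted in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'nameserver 127.0.0.1\n' > "$tmp/resolv.default"
printf 'nameserver 1.1.1.1\n'   > "$tmp/resolv.workaround"
cat > "$tmp/netstat.txt" <<'EOF'
tcp        0      0 0.0.0.0:53           0.0.0.0:*          LISTEN   11414/dnsmasq
tcp        0      0 10.16.1.254:800      0.0.0.0:*          LISTEN   3776/(squid-1)
udp        0      0 0.0.0.0:53           0.0.0.0:*                   11414/dnsmasq
EOF

diagnose "$tmp/resolv.default"    "$tmp/netstat.txt"
diagnose "$tmp/resolv.workaround" "$tmp/netstat.txt"
```

On a live system, pass /etc/resolv.conf and a file holding the output of `netstat -tulpn` instead of the sample files.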