
Random disconnection from the Internet: possibly from UTM?

Greetings everyone,

I've been working hard on a company network problem and need some advice.

Our clients are experiencing random drops off the Internet. It's like DNS stops resolving websites. When a client experiences this I can ping inside the network, and also the LAN interface of the UTM, but not out to the Internet. Something is randomly blocking them from getting online.

This sometimes affects all users... but mainly randomly one or two at a time.

Any advice would be greatly appreciated.



  • I put these two rules in UTM and webpages started loading. We didn't need to do this before; I'm not sure what changed. Or maybe I was supposed to have these all along. Allow DNS traffic to and from UTM and DC. The big test will be in the morning when the troops arrive.

  • Well, OpenDNS is Secure DNS. I don't know if Google DNS uses that same tech or not, and not all sites use SecDNS yet, but it helps against a lot of the DNS maliciousness that is happening. That TCP/853 traffic you see on your list is the Secure DNS port. The ICMP of course is ping. Blocking traffic isn't all bad; it's the purpose of UTM. :) You can at least see what is being blocked, and while some of it of course you use, others you won't use.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • It's a bind-9 bug I believe, or it's an issue with a recursive server having incorrect records in cache. I located this article online when looking around: Why is BIND re-priming the roots from hints more often than it should? - BIND 9 (isc.org)

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Not sure I'm comfortable with those new firewall rules, Sean.

    One of the first rules that the installation process creates is one like 'Internal (Network) -> DNS -> Any : Allow', so 12 is likely redundant.

    13 likely has no effect and could leave you open to DNS poisoning by someone spoofing one of those IPs.  The UTM's connection tracker takes care of allowing inbound responses to outbound requests that it allowed.

    In addition to Rulz, you might also be interested in DNS best practice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
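As an added illustration of Bob's point about the connection tracker, here is a small model, written for this page and not Sophos UTM's own code, that contrasts a stateful filter (one rule, 'Internal -> DNS -> Any : Allow', plus connection tracking) with a stateless reading of rules 12 and 13 ('allow anything inbound from the listed DNS server addresses'). The addresses, the 30-second flow timeout and the rule numbers are assumptions; the packets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "udp" or "tcp"
    direction: str   # "out" = Internal -> Internet, "in" = Internet -> Internal
    t: float         # arrival time in seconds (constructed for the example)


class ConnTracker:
    """Minimal stateful filter: remembers outbound DNS flows and admits only
    the inbound packets that are replies to one of them (toy model of what
    a firewall's connection tracker does for you; timeout is an assumption)."""

    def __init__(self, timeout=30.0):
        self.timeout = timeout
        self.flows = {}  # flow key -> expiry time

    @staticmethod
    def key(p):
        # Store flows in the outbound orientation so a reply hashes to the
        # same key as the request it answers.
        if p.direction == "out":
            return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def verdict(self, p):
        k = self.key(p)
        if p.direction == "out" and p.dst_port == 53:
            # The one rule the installer creates: Internal -> DNS -> Any : Allow
            self.flows[k] = p.t + self.timeout
            return "allow"
        if p.direction == "in":
            expiry = self.flows.get(k)
            if expiry is not None and p.t < expiry:
                return "allow"   # reply to a query the tracker saw
        return "drop"            # unsolicited, or the flow already expired


def stateless_verdict(p, dns_servers):
    """Rules 12 and 13 as the thread describes them, evaluated with no state:
    outbound to port 53 is allowed, and anything inbound from a listed DNS
    server address on port 53 is allowed, whether or not it was asked for."""
    if p.direction == "out" and p.dst_port == 53:
        return "allow"
    if p.direction == "in" and p.src_ip in dns_servers and p.src_port == 53:
        return "allow"
    return "drop"


DNS_SERVER = "192.0.2.53"   # constructed (RFC 5737 documentation range)
CLIENT = "10.0.0.5"         # constructed internal client

# Constructed traffic: a real query, its reply, a packet that merely claims
# the server's address as its source, and a reply that arrives far too late.
SAMPLE_TRAFFIC = [
    Packet(CLIENT, 51000, DNS_SERVER, 53, "udp", "out", 0.00),
    Packet(DNS_SERVER, 53, CLIENT, 51000, "udp", "in", 0.05),
    Packet(DNS_SERVER, 53, CLIENT, 40000, "udp", "in", 0.10),
    Packet(DNS_SERVER, 53, CLIENT, 51000, "udp", "in", 120.0),
]


def compare_policies(traffic=SAMPLE_TRAFFIC, dns_servers=(DNS_SERVER,)):
    """Return the verdict each policy gives for every packet, in order."""
    tracker = ConnTracker()
    return {
        "stateful": [tracker.verdict(p) for p in traffic],
        "stateless_rules_12_13": [stateless_verdict(p, dns_servers) for p in traffic],
    }


if __name__ == "__main__":
    for policy, verdicts in compare_policies().items():
        print(policy, verdicts)
```

The stateful policy admits only the second packet, the genuine reply; the third (no matching outbound query) and fourth (flow expired) are dropped without any inbound rule at all. The stateless reading of rule 13 admits all of them, which is the exposure Bob describes: a packet only has to carry the DNS server's address as its source to get through.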