[SOLVED] Looking for help getting my VPN to work with Firefox privacy settings
I recently moved to a new place with a new ISP, and my Mullvad VPN isn't playing nicely with Firefox like it used to. Can any of you networking gurus please help me troubleshoot?
When the VPN is enabled, most requests from the browser fail immediately. If I pull up the dev tools Network tab, I can see that these requests fail with an NS_ERROR_FAILURE message before any data is transferred.
I have Firefox configured to use "strict" Enhanced Tracking Protection. When I reduce it to "standard" my requests go through.
I'm also trying to use DNS over HTTPS with a custom provider (Mullvad, via https://dns.mullvad.net/dns-query). I'm configuring this in Firefox, using the "Increased Protection" DoH setting. When I do that, Firefox reports the DoH status as "Status: Not active (NS_ERROR_FAILURE)". This happens even when Enhanced Tracking Protection is set to "standard" — in other words, that reduced setting fixed the NS_ERROR_FAILURE for HTTP requests, but not for DoH.
So how do I fix this so Strict Enhanced Tracking Protection, DNS over HTTPS, and Mullvad all work together? I never had this problem with my old ISP, so I suspect something's being blocked at the WAN level that I need to circumvent.
- OS: macOS Sonoma 14.5
- VPN protocol: WireGuard
- ISP: AT&T Fiber
I'm just using the official Mullvad client app with mostly default settings. The fiber gateway modem/router came with some default packet filtering firewall rules but I disabled everything in the admin panel. Weirdly, rebooting my machine fixed this temporarily, but the next time I disconnected/reconnected the VPN it broke again. Other browsers (with default settings and no DoH) are working fine when the VPN is connected.
Edit: Solved! Solution here.
Maybe because it's a different ISP they issue you an IPv6 address whereas your previous one didnt?
Found this (note: reddit link)
Ah, that's interesting. I'll poke around with IPv6 settings and see what I can learn. Thanks!
Huh, I think that was the problem. The Mullvad client has a setting called "Enable IPv6" which has a help icon revealing this:
I toggled that on and things appear to be working normally now. That's so funny, before reaching out here I tried just about every other setting in Mullvad, Firefox, macOS settings, and my router admin. Turns out the issue was the one thing I assumed it wasn't! I'll post here again if I have any other trouble but for now this appears to be solved.
Thanks, @0x29A!
Oh heck yeah! Glad that worked :D
Edit: I wonder why they don't recommend enabling it. Not sure if there would be any security/privacy implications of changing that setting (vs. maybe the inverse- which would be disabling IPv6 on the device instead)? Interesting
From a privacy perspective, IPv6 exposes your device IP rather than your home’s IP (i.e. if your device is behind a NAT), though I would bet the more likely reason they don’t advise IPv6 is because it lacks ubiquitous support. This Firefox bug might be one of the very use cases why they don’t default to IPv6.
I don't have a solution, but chiming in to say I had the same issue with Mullvad and Firefox, except without DNS over HTTPS. It was sometime in the past week while I was away from home, on a different ISP. I rebooted my machine and kept the client running so that it wouldn't happen again. As you pointed out, other browsers worked fine during this time.
Firefox 128.0.3 was released with a possibly related fix:
The timeline matches up with the problem we were seeing, it might have been a bug in Firefox version 128.
You might want to turn IPv6 back off and try the new Firefox update.
Thanks for the idea! I was away from my home network yesterday so I couldn't test it until just now. Unfortunately, with IPv6 disabled in Mullvad, the Firefox update still shows the same behavior.
I'm still having infrequent issues that feel more like there's a stale cache somewhere, that's hard to pin down exactly. But just disconnecting/reconnecting the VPN fixes it, so I'm still considering the IPv6 setting in Mullvad to be the definitive solution.