(XG) VLAN traffic showing up on unexpected interfaces

That is actually normal. It will be more likely a app issue. Check the app, if there is a problem. Invalid traffic is not a problem, instead just a symptom. 

Not App specific. 
E.G.: Mail App on iOS fetching Mail from four mail boxes via IMAP/port 993 - three work and keep their traffic on the VLAN interface, while the fourth shows the behavior described above. 

What about SSL/TLS Inspection. Check the destination server via logviewer and go to detailled view. 

I’ve had SSL inspection completely turned off on the rules and the respective tab (under “rules”) for testing. Same results….

p.s.: 
I‘ll set up a new try tomorrow with completely disabled SSL-engine.

Hi,

if I was setting this site up I would have a seperate firewall rule for each VLAN that makes debugging issues like this one simpler. I would not use linked NAT unless you have multiple ISP/RSP connections.

Ian

VLAN firewall rules are separate so far. 
But why a single NAT rule per ISP? To have a single table instead of N smaller ones created by the linked rules? 

Hi,

linked NAT rules are designed for multiple IPS connections, a single MASQ should cover your general internet access requirements and also make debugging easier.

Also for firewall rules source LAN, Network VLANx.x network, destination Wan netwoirk, any, service all, log. I would also use the proxy without any decrypt functions, also makes debugging easier.

Ian

Hi,

linked NAT rules are designed for multiple IPS connections, a single MASQ should cover your general internet access requirements and also make debugging easier.

Also for firewall rules source LAN, Network VLANx.x network, destination Wan netwoirk, any, service all, log. I would also use the proxy without any decrypt functions, also makes debugging easier.

Ian

Morning, 
Ian, first off: thanks for your patience :) 

My firewall rule set reads a bit different as I have set up the guest VLANs in a separate zone. 
So it’s source GuestWIFI / Network VLANxx / dest WAN / any host / any service / log.

As the appliance is not subscribed to Web Protection, the web proxy isn’t an option. 

No proxy, that will be your problem trying to stop SSL/TLS trying to decrypt applications because the SSL/TLS exceptions are web based not port based.

Ian

Hm. As far as I’ve understood, if the web proxy isn’t enabled in the firewall rules, the SSL/TLS inspection is always carried out by the DPI engine.

Exceptions for the DPI are defined via “web”->”URL groups” and then enabled via “rules”->”SSL/TLS inspection rules”.
The “URL Group” field is independent of the Web Protection/web proxy license. 

Update:

even completely disabling the SSL decrypt engine (“rules”->”ssl inspection”->””settings”) doesn’t fix this issue. 

There’s either some other element in the XG that still intercepts secure traffic, or my appliance has a serious issue and needs a factory reset. 

Hi,

please try a firewall rule at the top

source LAN network "local network", destination WAN, network any, service all, log, WEB policy, none, Application policy none and IPS lantowan general.

Ian

Hi,

tried around a bit (also with your suggested rule). 
Added an “allow-all” policy in Web security section to make sure this wasn’t the reason. 
Tried applying Web proxy, IPS, HTTP(s) scanning to my rule and then removed the tick boxes, to make sure there wasn’t any bugged entry. 
Added a “don’t touch” rule to TLS inspection. 
Ran a policy test after each change. 

Result:
All rules and options do show up in the policy test as expected (proxy vs. no proxy an so on)

Still there’s a bunch of sites that are not working. E.g. iCloud Browser Login, IMAPS connection to web.de and gmx.net, certain browser-based online banking sites.

A policy test returns the following (or similar, if options for proxy etc. were applied)

Hi,

have you tried accessing the internet directly without the XG eg your PC and check if the applications work correctly? I just tried web.de but not having an account and not speaking German I am not able to test their IMAPS setup. Are you trying to access the web.de mail from a web.de internet connection or via someone else network? gmx.net looks very much like web.de

Your issue is begining to look like a PC issue.

Ian

Hi and happy New Year :) 

I’m running WAN via FTTH GPON SFP in the XG. But I’ve checked the same applications via mobile phone/personal hotspot.
Also, the behavior shows across different devices. I’d assume that rules out erroneous client software config. 

web.de and gmx are quite similar in behavior. 
web access via browser works just fine. POP and IMAP fail. Both services are hosted by the same provider (oneandone / ionos). Just noticed while typing: I haven’t tried yet to add these domains to the exclusion lists…

Apple could be related to some domain not being properly excluded, too. You’ve been elaborating on that in a few different threads, right?

And you're not getting certificates rejected or anything? Even at the minimal setting for TLS, it will reject malformed, outdated, etc, certificates.

The common thread in your list (IMAPS, banking sites) is TLS decryption and the app/server rejecting you -- which would not show up in any logs -- because they're not seeing the pinned certificate.Which leads me to wonder if you're not being handed off to a second site -- that you don't disable TLS for -- to do authentication?

I'd be tempted to put my web browser into Developer Mode and look at the URLs the web page is accessing to see if there's something different in there. Might be blocking the URL (in which case it would be red and not get what it wants) but probably a TLS issue.

Hi

This is exactly what I’m assuming, but I haven’t checked the client side yet, 
My shots so far all aim at getting the XG to simply ignore TLS traffic as far as possible. 
I went as far as disabling the complete TLS inspection engine and adding a whole bunch of sites to the web exceptions.. Still same results. 

My current guess is that something in the options froze when my trial licenses (web protection etc.) expired, and I can’t toggle it anymore. 
Next try will be a factory reset, just to make sure that there’s no old / bugged config stuck somewhere. 
Unfortunately, this will happen in about four weeks earliest as I won’t be having physical access to the appliance before that. 

Will keep this thread open and posted as soon as news arise.