
(XG) VLAN traffic showing up on unexpected interfaces

Hi all, 

User Kyle Sexson had this issue a while ago, too, but there’s no solution in his post - so… 

I have a set of VLANs running on a bridge interface. 
This works mostly well, but certain outgoing traffic will show up both on the bridge interface and the associated hardware port the traffic source is physically connected to.
This leads to a dropped server response because the router can’t associate it to the correct connection attempt.

E.g. log entries (two log viewer rows, fields read left to right):

2022-12-27 14:50:31 | Invalid Traffic | Denied | N/A | 0 | Port3 | 172.24.10.16 | 212.227.17.170 | 56111 | 993 | TCP | 0 | 1001 | Could not associate packet to any connection.

2022-12-27 14:50:22 | Firewall Rule | Allowed | 4 | 3 | br0.10 | Port4_ppp | 172.24.10.16 | 212.227.17.170 | 56111 | 993 | TCP | 1 | 1


My guess is that I’m having issues with a combination of VLAN on a bridge interface and activated “routing on bridge”. 
But the fact that only a certain (reproducible) part of traffic is affected makes me skeptical. The problem is for example triggered when trying to collect mail from GMX.net via IMAP/SSL (see log entry above) or by specific online banking apps. But other mail providers (also called via IMAP/SSL port 993) do work…

Detailed setup is as follows: 
XG106 running 18.5MR5 / Port 3 is connected to CBS350-10
XG106 Port 1-3 are bridged (br0, IP 192.168.2.222) with activated routing option. No DHCP. 
On the bridge, VLANs br0.10 / br0.20 / br0.30 / br0.40 are set up. IP ranges are 172.24.10 / 20 / 30 / 40 respectively, with DHCPs.
CBS350-10 receives the four VLANs tagged from XG Port 3 and distributes them via untagged access ports (ge0 to ge3, one VLAN each).
Behind these ports are APX120 in bridge-to-LAN mode. 
(The reason is that the APX are in relatively uncontrolled environments and I want to make sure that even if someone detaches an APX and tries to hook up his own stuff, he always will end up in the desired VLAN.)

Any input / thoughts very much appreciated! :) 
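A small triage script, added here as an example and not part of the original thread, that correlates log rows like the two above: it flags a flow that was first allowed on a bridge VLAN interface (br0.10) and later produced an "Invalid Traffic" drop on one of the bridge's physical member ports (Port3). The field names are assumptions (the log viewer shows values without headers), the records are constructed from the post's values plus one healthy control flow, and the bridge membership comes from the setup description (Port 1-3 bridged as br0).

```python
from collections import defaultdict

# Constructed sample records modelled on the two log viewer rows in the post,
# plus a control flow to a different provider. Field names are assumptions.
SAMPLE_LOG = [
    {"time": "2022-12-27 14:50:22", "component": "Firewall Rule", "action": "Allowed",
     "in_if": "br0.10", "out_if": "Port4_ppp", "src": "172.24.10.16",
     "dst": "212.227.17.170", "sport": 56111, "dport": 993, "proto": "TCP", "msg": ""},
    {"time": "2022-12-27 14:50:31", "component": "Invalid Traffic", "action": "Denied",
     "in_if": "Port3", "out_if": "", "src": "172.24.10.16",
     "dst": "212.227.17.170", "sport": 56111, "dport": 993, "proto": "TCP",
     "msg": "Could not associate packet to any connection."},
    {"time": "2022-12-27 14:51:02", "component": "Firewall Rule", "action": "Allowed",
     "in_if": "br0.10", "out_if": "Port4_ppp", "src": "172.24.10.17",
     "dst": "203.0.113.5", "sport": 50000, "dport": 993, "proto": "TCP", "msg": ""},
]

# From the post: XG106 Port 1-3 are bridged as br0 (member port names assumed).
BRIDGE_MEMBERS = {"br0": {"Port1", "Port2", "Port3"}}


def flow_key(r):
    """5-tuple that identifies one connection across log rows."""
    return (r["proto"], r["src"], r["sport"], r["dst"], r["dport"])


def bridge_of(ifname):
    """'br0.10' -> 'br0'; a physical port such as 'Port3' returns None."""
    base = ifname.split(".")[0]
    return base if base in BRIDGE_MEMBERS else None


def find_bridge_leaks(records):
    """Return flows allowed on a bridge VLAN that later hit 'Invalid Traffic'
    on a physical member port of that same bridge."""
    allowed_on = defaultdict(set)  # flow 5-tuple -> ingress interfaces seen
    findings = []
    for r in sorted(records, key=lambda rec: rec["time"]):
        key = flow_key(r)
        if r["action"] == "Allowed":
            allowed_on[key].add(r["in_if"])
        elif r["component"] == "Invalid Traffic":
            for prior_if in allowed_on.get(key, ()):
                br = bridge_of(prior_if)
                if br and r["in_if"] in BRIDGE_MEMBERS[br]:
                    findings.append({"time": r["time"], "flow": key,
                                     "seen_on": prior_if, "leaked_on": r["in_if"]})
    return findings


if __name__ == "__main__":
    for f in find_bridge_leaks(SAMPLE_LOG):
        print(f"{f['time']} flow {f['flow']} allowed on {f['seen_on']}, "
              f"then dropped on member port {f['leaked_on']}")
```

The control flow (172.24.10.17) produces no finding, so only the GMX connection is reported; running this over an exported log shows which flows actually exhibit the bridge-vs-member-port mismatch before touching the configuration.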



  • And you're not getting certificates rejected or anything? Even at the minimal setting for TLS, it will reject malformed, outdated, etc, certificates.

    The common thread in your list (IMAPS, banking sites) is TLS decryption and the app/server rejecting you -- which would not show up in any logs -- because they're not seeing the pinned certificate. Which leads me to wonder if you're not being handed off to a second site -- that you don't disable TLS for -- to do authentication?

    I'd be tempted to put my web browser into Developer Mode and look at the URLs the web page is accessing to see if there's something different in there. Might be blocking the URL (in which case it would be red and not get what it wants) but probably a TLS issue.

  • Hi :)

    This is exactly what I’m assuming, but I haven’t checked the client side yet. 
    My shots so far all aim at getting the XG to simply ignore TLS traffic as far as possible. 
    I went as far as disabling the complete TLS inspection engine and adding a whole bunch of sites to the web exceptions. Still same results. 

    My current guess is that something in the options froze when my trial licenses (web protection etc.) expired, and I can’t toggle it anymore. 
    Next try will be a factory reset, just to make sure that there’s no old / bugged config stuck somewhere. 
    Unfortunately, this will happen in about four weeks earliest as I won’t be having physical access to the appliance before that. 

    Will keep this thread open and posted as soon as news arise. 

  • Hello Ian, 

    As promised here’s my follow-up.
    Had to wait for a suitable time slot to factory reset and rework the whole appliance without disturbing the users. 

    My issues all boil down to TLS inspection problems caused by the firewall’s DPI engine. 

    The problems do mainly occur with Apple services (notoriously) and services provided by United Internet (ionos, web.de, gmx etc.), but will certainly show with every service that has similar certificate handling. Potentially certificate pinning combined with very short authentication timeframes. 

    After activating web proxy scanning in the respective rules, Port 80/443 based apps and services are working.  
    But everything that can’t be sent through the proxy is still not functional. (e.g. IMAP/SMTP communication). 
    I’ve tried a few ways to get the traffic out of the DPI engine’s way: Adding TLS scan exceptions has no effect. Deactivating the TLS-engine itself does neither. Nor does activating / removing mail scanning options in my rules.

    Bottom line:
    I’m stuck.

    My guess is that the option I’m in need of is somewhere inside the email or web protection module, but I’m not subscribed as I don’t really have use for it. 
    All I need is a transparent QoS traffic shaping tool with a good wifi ap management. No need to tamper with secure communications. 

  • Hi,

    You can create a firewall rule with the mail ports as the service and enable the proxy; that will remove them from being scanned by SSL/TLS.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi, 

    I’ve tried that.

    Rule was:
    zones: LAN->WAN / net: any / services: IMAP(s), POP(s), SMTP(s) / checked proxy, proxy scanning and proxy decryption / (tried mail scanning options both checked and unchecked) 

    Policy check against the known issue domains (e.g. https://imap.web.de:993) states that only port 80 and 443 traffic is being redirected to the proxy while all other ports are still processed by the TLS DPI. 
    Same check also states that traffic is matching the exception filters and isn’t decrypted, but it appears that the sole inspection by the DPI is obstructing. 
    Client side, I’ve been testing with macOS Mail and iPadOS Mail. Both don’t throw a “could not connect” error, but simply keep trying to sync mail objects indefinitely. Accessing the same mailboxes through a web browser and port 443 is working though, even with Apple’s known sensibilities around iCloud.

  • Don’t enable decrypt and scan.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks, I’ll give it a try as soon as I’m back in physical reach of the installation. 

    Oddly, I had to activate decryption and scanning on my HTTPS rule to get Apple browser logins etc. to work. 
    I wouldn’t have expected this to have any impact without a web protection subscription. But there it is. So I replicated that experience to my mail transfer rules.