lan to wan not functioning in EAP3 for devices (roku, tivo, unifi ap's)

I have a 105 using latest v17 and 106 using EAP 3 v18. Using my v18, many devices get ip's but cannot connect to internet. Plug in 105 and everything is fine. Similar rule setup between both firewall - v18 106 setup manually (no migration). Netflix also does not work. I setup policy bypass and fqdn per https://community.sophos.com/kb/en-us/125061.

1) tivo/roku - cannot connect to internet when 106 plugged in. I have created manual rules (attached below) which do not appear to be running. Do not see any failures in logs. Lan to Wan below. Details of roku but same exp with Roku, unifi devices, etc. IOS/computers work. Being that I setup explicit rules for roku/tivo I would expect them to bypass any other checks I may have enabled.

Rule Details for Roku - Set allow all for webfilter and other security

Thoughts?

Parents

0 rfcat_vk over 5 years ago

Hi,

your rules are set to use the DPI engine. You have web scanning enabled which will probably be the cause of your issue. Have enabled do not scan video and audio steaming?

Ian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Gary21 over 5 years ago in reply to rfcat_vk

Where do I have DPI for Roku/Tivo enabled? I have web policy Allow All, and nothing else checked. Should I be checking Use web proxy instead of DPI engine?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 rfcat_vk over 5 years ago in reply to Gary21

Hi,

web policy allow all enables DPI and there is a bug in the current version that enabling none is not effective.

Ian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Gary21 over 5 years ago in reply to rfcat_vk

Hey Ian - I see the same behaviors with web policy allow all or none. So it sounds like none is the correct value but due to a bug does not work. So it sounds like I will just need to wait for EAP4 and hope this bug is resolved? Or am I missing a workaround? I have added in a ssl/tls inspection rule to not decrypt those devices in the hope this may help, but I doubt this to be the case.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Gary21 over 5 years ago in reply to rfcat_vk

Hey Ian - I see the same behaviors with web policy allow all or none. So it sounds like none is the correct value but due to a bug does not work. So it sounds like I will just need to wait for EAP4 and hope this bug is resolved? Or am I missing a workaround? I have added in a ssl/tls inspection rule to not decrypt those devices in the hope this may help, but I doubt this to be the case.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 rfcat_vk over 5 years ago in reply to Gary21

Hi Gary,

no just build a firewall rule with only IPS settings, do not add web or application other than defaults. Even then your IPS could cause some issues.

You don't need web scanning whether it be proxy or DPI for steaming functions.

Ian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Gary21 over 5 years ago in reply to rfcat_vk

Hey Ian - Thanks for the ideas, unfortunately I got the same results. I am working with Apurv to see what we can come up with.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Michael Dunn over 5 years ago in reply to Gary21

In order to make v18 behave like v17.5 you need to do the following things:
For any rule that does anything with port 80/443 traffic, select the "Use proxy instead of DPI engine".
Rules that have "Scan HTTP and decrypted HTTPS" and "Use proxy instead of DPI engine" should not have Web Policy None. Change to Allow All. Known issue.

Doing that will cause the v18 box to use the same web proxy as 17.5. If things still don't work, you've got other issues.

Assuming that does resolve the problems, then the next step is switching the rule for your Roku TV back to the DPI mode and then investigating with logs what it is trying to connect to and why it cannot connect.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel