[8.165][BUG][FIXED] Transparent Proxy does not work with Wireless Networks

I've recently up2dated to version 8.165, and found the issue that I reported here: 

https://community.sophos.com/products/unified-threat-management/astaroorg/f/110/t/70174

is still a problem.  Not sure why it got moved to the closed threads forum...

Any ideas?
  • I've recently up2dated to version 8.165, and found the issue that I reported here: 

    http://www.astaro.org/astaro-beta-versions/asg-v8-200-beta/asg-v8-200-beta-closed-threads/36026-8-160-bug-fixed-http-transparent-proxy-not-working-wireless-networks.html

    is still a problem.  Not sure why it got moved to the closed threads forum...


    It got moved because we believe that this issue has been resolved.

    Is the wireless network in the httpproxy's allowed network list?

    Otherwise, could you provide output of:
    ebtables -t broute -L --Lc
    iptables-save -t mangle -c

    Thanks.
  • Everything is set correctly;  when I have a chance, I will run the commands above and post the info here.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • As requested... see attached files.  Some are screenshots of the config, and the textfiles are the data requested.  192.168.11.0/24 is the Wireless Network in question.

    ETA:  Looks like the TPROXY Hook does not include the wireless network as it should.

    wirelessconfig.zip
  • As requested... see attached files.  Some are screenshots of the config, and the textfiles are the data requested.  192.168.11.0/24 is the Wireless Network in question.

    ETA:  Looks like the TPROXY Hook does not include the wireless network as it should.


    Thanks.  I do not see anything obviously wrong with this.
    The wireless network for the TPROXY hook is probably hidden in the ipset
    "0VQkPX232TjZnNPmbRa4VA".

    You could run "ipset list" to show the content of all sets.
    It would be good to know whether your wireless network is inside the set
    (OVQk...) or the skiplist (A87... in the config log you posted).

    What is weird though is that the ebtables list rule counters are all zero.
    Was this after a fresh boot? If so, could you try to connect to a web page
    via wireless and paste those rules again?

    Oh, and please also post output of  "ip rule show" and "ip route show table 252".

    Sorry for all of this work I am pushing on you but httpproxy/bridge works fine for me...
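The membership check requested in the post above can be run offline against saved `ipset list` output. This is an added example, not part of the original thread or the product's tooling: the member entries are constructed, `SKIPLIST_PLACEHOLDER` stands in for the skiplist set whose full name the thread does not give, and the parser relies only on the `Name:` and `Members:` lines of the listing.

```python
import ipaddress

# Constructed sample of `ipset list` output. The first set name is the one
# quoted in the thread; SKIPLIST_PLACEHOLDER and all members are made up.
SAMPLE = """\
Name: 0VQkPX232TjZnNPmbRa4VA
Type: hash:net
Members:
192.168.10.0/24
192.168.11.0/24

Name: SKIPLIST_PLACEHOLDER
Type: hash:net
Members:
192.168.10.25
"""

def parse_ipset_list(text):
    """Return {set_name: [ip_network, ...]} parsed from `ipset list` text."""
    sets, current, in_members = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = []
            in_members = False
        elif line == "Members:":
            in_members = True
        elif in_members and line and current is not None:
            token = line.split()[0]  # drop per-entry options after the address
            try:
                sets[current].append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                pass  # member kinds not modelled here (ranges, ip,port, MACs)
    return sets

def sets_covering(text, target):
    """Names of sets holding a member that fully contains target (IP or CIDR)."""
    net = ipaddress.ip_network(target, strict=False)
    return sorted(
        name for name, members in parse_ipset_list(text).items()
        if any(m.version == net.version and net.subnet_of(m) for m in members)
    )

if __name__ == "__main__":
    # Wireless network from the thread, one constructed client, one skiplisted host
    for target in ("192.168.11.0/24", "192.168.11.57", "192.168.10.25"):
        print(target, "->", sets_covering(SAMPLE, target) or "in no set")
```

A network that appears in neither set, or a client that shows up in the skiplist set, would explain traffic bypassing the TPROXY hook.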
  • I'll do these things when I get a chance... but no, this was not after a fresh boot -- the system had been up for some time.

    Question:  Do you have Client Isolation enabled for the wireless network you are testing with -- and do you have it set as a Separate Zone?  Seems that this may have something to do with it.

  • Please see the attached for more information as requested...

    putty.zip
  • More information... I found that the Client Isolation setting has no effect on the problem... but... when I changed the wireless network in question from Separate Zone configuration to Bridge to AP LAN (and clone the Separate Zone MASQ and Packet filter rules and apply them to the AP LAN, of course), it works fine.  This seems to definitely have something to do with Separate Zone configuration.

  • More information... I found that the Client Isolation setting has no effect on the problem... but... when I changed the wireless network in question from Separate Zone configuration to Bridge to AP LAN (and clone the Separate Zone MASQ and Packet filter rules and apply them to the AP LAN, of course), it works fine.  This seems to definitely have something to do with Separate Zone configuration.


    We tried to reproduce this, but so far we haven't seen any problems.
    Could you restore your "broken" setup and send us output of:
    - ebtables-save
    - iptables-save
    - ipset list
    (plus a hint what IP address you're using on your wireless client).
    I guess we will need to re-build the identical setup you're using...
  • We tried to reproduce this, but so far we haven't seen any problems.
    Could you restore your "broken" setup and send us output of:
    - ebtables-save
    - iptables-save
    - ipset list
    (plus a hint what IP address you're using on your wireless client).
    I guess we will need to re-build the identical setup you're using...


    I can think of a simpler way to handle this -- let me set it back the way it was, and I'll zip up a backup file, and upload it to your tech support site, etc.  Just PM me the details on how you'd like to get it.
