Thread Info
  • State Not Answered
  • Replies 20 replies
  • Subscribers 0 subscribers
  • Views 5662 views
  • Users 0 members are here
Options
Suggested

[8.165][BUG][FIXED] Transparent Proxy does not work with Wireless Networks

BrucekConvergent
I've recently up2dated to version 8.165, and found the issue that I reported here: 

https://community.sophos.com/products/unified-threat-management/astaroorg/f/110/t/70174

is still a problem.  Not sure why it got moved to the closed threads forum...

Any ideas?
  • 0 in reply to BrucekConvergent
    More information... I found that the Client Isolation setting has no effect on the problem... but... when I changed the wireless network in question from Separate Zone configuration to Bridge to AP LAN (and clone the Separate Zone MASQ and Packet filter rules and apply them to the AP LAN, of course), it works fine.  This seems to definitely have something to do with Separate Zone configuration.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    More information... I found that the Client Isolation setting has no effect on the problem... but... when I changed the wireless network in question from Separate Zone configuration to Bridge to AP LAN (and clone the Separate Zone MASQ and Packet filter rules and apply them to the AP LAN, of course), it works fine.  This seems to definitely have something to do with Separate Zone configuration.


    We tried to reproduce this, but so far we haven't seen any problems.
    Could you re-store your "broken" setup and send us output of:
    - ebtables-save
    - iptables-save
    - ipset list
    (plus a hint what ip address you're using on your wireless client).
    I guess we will need to re-build the identical setup you're using...
  • 0 in reply to 67ef1d
    We tried to reproduce this, but so far we haven't seen any problems.
    Could you re-store your "broken" setup and send us output of:
    - ebtables-save
    - iptables-save
    - ipset list
    (plus a hint what ip address you're using on your wireless client).
    I guess we will need to re-build the identical setup you're using...


    I can think of a simpler way to handle this -- let me set it back the way it was, and I'll zip up a backup file, and upload it to your tech support site, etc.  Just PM me the details on how you'd like to get it.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    Here's the data you requested.

    The laptop I'm using with this has a reserved IP on the wireless network of 192.168.11.10 

    Note the 172.32.10.0/24 network on eth3 is the physical network that the single AP is attached to; the 192.168.11.0/24 network is the "Separate Zone" network that does not work correctly with the transparent proxy.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

    putty.zip
  • 0 in reply to BrucekConvergent
    Bumpity Bump...

    Let me know if you need more info...

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to 67ef1d
    We tried to reproduce this, but so far we haven't seen any problems.
    Could you re-store your "broken" setup and send us output of:
    - ebtables-save
    - iptables-save
    - ipset list
    (plus a hint what ip address you're using on your wireless client).
    I guess we will need to re-build the identical setup you're using...


    Update:  Sent backup file to 67ef1d per his request via email....

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0
    Does disabling "client isolation" result in correct behavior?
    Helmut
  • 0 in reply to hschaa
    Does disabling "client isolation" result in correct behavior?
    Helmut


    Ahh, ignore that. You answered that already before [:)]
  • 0 in reply to hschaa
    Just an update for the thread, the Astaro person I sent the config to was able to confirm the issue, they think it's the spoof protection acting up... I'll be able to test that theory this evening (by disabling spoof detection).

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    Update; changing Spoof Protection from Normal to Off allows the traffic to pass... there's some sort of bug here, this configuration does work under previous versions.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.