Netgate Discussion Forum
    Where is pfSense support for HTTP/3 and QUIC protocol support?

    General pfSense Questions
    91 Posts 12 Posters 26.6k Views 14 Watching
    • michmoor @johnpoz

      @johnpoz That's where I was going with my line of questioning. Essentially, why does it matter if connections are made outbound for TCP/443 vs UDP/443?
      I suppose the thinking is I want Google traffic over UDP/443 but not Microsoft.

      Overall I see the point being made. pfBlockerNG has a DoH feed that can be used to block DoH, so basically there needs to be a UDP/443 feed, and that is what is being requested.
      At the end of the day, a list will need to be provided, either through some other third party or curated by the OP.
      The attempt to make this into a limitation of pfSense is where the conversation falls apart, to be quite honest.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      • lohphat @johnpoz

        @johnpoz said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

        Why would I allow a client to destination X IP via tcp 443 but not udp 443?

        For "standard" TCP traffic a connection for each web page component is a separate TCP request (e.g. CSS vs JS or image are their own TCP requests) and those TCP headers reveal more information (albeit minimal but more than QUIC).

        QUIC allows for multiple streams to be encapsulated in a single request -- the f/w can't tell any longer how many objects are being requested.

        So with TCP/443 if there are ads being served, the FQDN of the ad server for that object is revealed in the header and can thus be blocked. With QUIC, no more -- so more ads (or any other object desired to be filtered/blocked) can no longer be intercepted separately.

        It's a game changer -- either wholesale block UDP/443, or come up with a compromise to enumerate popular destinations to permit some traffic optimization and improve performance, or just leave it up to the admin to enumerate block lists on their own. Doable, but it seems like a waste of collective effort. Thus coming up with a base list of popular QUIC/443 destinations for the admin to allow and then add sites as needed. Is that unreasonable? Sure, I'm all for it being a package too. However, it would be nice in the base pfSense functionality to track and graph QUIC alongside TCP and UDP traffic stats, since the "goal" is to move more TCP traffic to QUIC.

        All I'm trying to suggest is there might be a sweet-spot for dealing with the new reality of QUIC since it's already more than 25% of traffic at this point.

        Ignoring this growing traffic trend without some sort of minimal out of the box controls seems odd. It's only going to grow as a percentage of traffic and the black and white proposed solutions of block it all or not seems overly simplistic.

        A base list of popular permit sites/domains so that each admin doesn't have to hunt down the proper FQDN/IPs seems like a reasonable start.

        Again, I'm not pontificating, just trying to see what options we need to plan for as this grows in traffic popularity and handling it -- or not -- will affect performance. At some point some popular sites may decide that it's QUIC and no TCP fallback as there is today.

        OK, fine, block just them. Communicating that decision to your internal customers is going to be an interesting conversation.

        SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

        • johnpoz @lohphat

          @lohphat said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

          the FQDN of the ad server for that object is revealed in the header and can thus be blocked

          Still, the DNS has to be queried for the FQDN.

          It is the same thing with TCP: if I serve up content at www.domain.tld and the ad is served via www.domain.tld/ad,

          then the header doesn't change. You also have ESNI, or the new name for it, ECH, where even in TCP the header wouldn't be seen for the FQDN.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          • lohphat @johnpoz

            @johnpoz Not really.

            Now with QUIC, the browser makes a request to google.com for a page, within that request multiple streams of data are returned in that single request. The server, not the client is potentially determining where the stream data is coming from -- as I understand it currently, I may very well be incorrect.

            So instead of e.g. 3 TCP requests by the browser to 3 different FQDNs, a single request is made to one FQDN and the multiple data streams are returned in the response. The source of the ad may not be revealed to the client. Again, it's as I currently understand it via the examples demonstrated in the video I originally posted. I may be interpreting the QUIC response incorrectly, but it seemed pretty clear. One request, multiple stream responses from the single request.

            Note: This was written pre-coffee.

            • johnpoz @lohphat

              @lohphat Again, to look up www.domain.tld vs www.otherdomain.tld where the ad is served would require a DNS lookup. You can still filter on the DNS, be it TCP for the website or UDP.

              You are correct: if the ad is served off www.domain.tld/ad there would be no DNS needed, since www.domain.tld is already known.

              I do not need to create a new session, i.e. handshake, to pull www.domain.tld/ad, but if going to another FQDN, www.otherdomain.tld/ad, a new session would need to be created.

              Even with QUIC it would be a different session.

              With ESNI or ECH, there is no header seen, so you don't know if it's www.domain.tld or www.domain.tld/ad.

              All of this is beyond what pfSense is meant to do. pfSense is a stateful firewall; it has no method outside of an IPS/IDS package to see the headers. When ESNI/ECH becomes mainstream, then they won't be able to see the headers either, whether they are there or not.

              All of this is great discussion, but it's not really a pfSense thing. All the stuff you're talking about looking at, or not being able to look at, with QUIC, etc. is not a pfSense thing; it's an IPS/IDS thing. Until such time as IPS/IDS is integrated into pfSense, this is a thing to talk to the IPS/IDS makers about. If they do X, then if pfSense is running them, they could do X.

              Even if integrated into pfSense, you could really only fault pfSense for being behind the times if the IPS/IDS did Y, but pfSense did not allow it to do Y, and only allowed it to do A or B, etc.

              What you're talking about is beyond the scope of a traditional stateful firewall, where it can filter on IP, port (source or destination), protocol UDP or TCP, etc. What is in the "headers" of some data transfer, be it TCP or UDP (encrypted or not encrypted), is beyond what pfSense is meant to do as a stateful firewall. The IPS/IDS being used may or may not be able to do what you ask.

              • lohphat @johnpoz

                @johnpoz I'm not so sure.

                In a single QUIC request multiple streams can be returned, the CSS file, the JS for the page, the HTML, and ad content. The browser doesn't see the FQDN for all the page components (if they come from different sources), only the FQDN of the initial page it's after.

                This would be a choice of the content management of the server to use its bandwidth to serve ads via a QUIC stream vs making the browser load the ad via another request. In Google's case, their ads are coming from inside their house anyway so the client browser only sees the FQDN for the web page access, not the potential components.

                That's why Google, MSFT, and FB pushed for QUIC -- to serve web pages faster by delivering multiple components in a single request and since they want their ads too, can push them via an embedded QUIC stream and not a separate TCP request exposing the FQDN of the ad server.

                • JKnott @lohphat

                  @lohphat

                  Currently, UDP 443 is used for HTTP/3. I understand that QUIC can also be used with other protocols. What will happen with something like SSH? Will it use UDP 22? Or UDP 443, with the appropriate SSH port 22 inside? If the former, then filtering on protocol will be largely the same as now.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  • lohphat @JKnott

                    @jknott Even though "technically" QUIC can replace any TCP transaction, its raison d'être was to optimize HTTP+TLS+HTTP/2 multistream requests to load a web page. It can do it all in one transaction instead of the 3-way TCP+TLS handshake taking a lot more time.

                    I think it will seek its own level and only be used for multistream applications like parallel file transfers, where one TCP connection, even with windowing, isn't good enough.

                    I don't think it will be used to replace single stream TCP connections as there's little benefit. But that's just a wild-assed-guess.

                    There's a huge gap between "in theory" and "in practice".

                    QUIC does a good job in optimizing an ugly situation of TCP+TLS+HTTP/2 into a streamlined solution for now. We shall see how it spreads by natural selection.

                    • JKnott @lohphat

                      @lohphat

                      Quite so. I was only using SSH as an example, not because it had a need, though other protocols, such as email, also use TLS.

                      • lohphat @michmoor

                        @michmoor said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                        I suppose the thinking is I want Google traffic over UDP/443 but not Microsoft.

                        This is what I've been trying to play with, i.e. set up an alias of permitted QUIC destinations, then block the rest.

                        The problem is that QUIC is usually used with large content providers with CDNs, and pfSense doesn't support wildcard domain aliases -- they must be individual FQDNs only. I'm looking for a solution to say, permit "*.1e100.net" (Google's CDN), then toss all other QUIC (UDP/443).

                        From the pfSense docs relating to aliases:

                        Warning
                        This process only supports forward name resolution of FQDNs using A and AAAA records such as host.domain.com. Aliases do not support pattern matches, wildcard matches (e.g. *.domain.com), or any other style of record comparison.

                        If the DNS query for a hostname returns multiple IP addresses, all of the IP addresses returned in the result are added to the alias.

                        Note
                        This feature is not useful for allowing or disallowing users to large public web sites such as those served by content delivery network (CDN) providers. Such sites tend to have constantly rotating or random responses to DNS queries so the contents of the alias on the firewall do not necessarily match up with the response a user will receive when they resolve the same site name. It can work for smaller sites that have only a few servers and do not include incomplete sets of addresses in their DNS responses.

                        So

                        • johnpoz @lohphat
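As an added illustration of the alias warning quoted in the post above (example code written for this edit, not from pfSense, its documentation, or any poster in this thread): the firewall's FQDN alias holds the A/AAAA answers the firewall itself received, so when a CDN answers each query with a different subset of its pool, a client's own resolution need not land inside the alias. The CDN pool, the "small site", and the resolver behaviour below are constructed.

```python
"""Why an FQDN alias works for a small site but not for a rotating CDN.

The firewall periodically re-resolves the alias hostname and adds every
address in each answer (the behaviour described in the quoted docs). A client
resolves the same name independently and may receive addresses the firewall
never saw. Everything here is constructed for the example."""
import random
from typing import Callable, List, Set

# Constructed CDN pool in the TEST-NET-2 documentation range
CDN_POOL = [f"198.51.100.{i}" for i in range(1, 13)]
# Constructed small site whose answer is always the same, complete set
SMALL_SITE = ["203.0.113.5", "203.0.113.6"]


def make_cdn_resolver(seed: int = 1, answers_per_query: int = 2) -> Callable[[str], List[str]]:
    """Returns a resolver that answers each query with a random subset of the pool,
    the way a CDN that spreads load across many edges behaves."""
    rng = random.Random(seed)
    return lambda name: rng.sample(CDN_POOL, answers_per_query)


def small_site_resolver(name: str) -> List[str]:
    """Every query gets the same full answer, as a site with two servers would give."""
    return list(SMALL_SITE)


def build_alias(resolve: Callable[[str], List[str]], name: str, refreshes: int) -> Set[str]:
    """What the firewall's alias ends up holding: the union of every answer it
    received across `refreshes` periodic re-resolutions of the name."""
    alias: Set[str] = set()
    for _ in range(refreshes):
        alias.update(resolve(name))
    return alias


def client_hit_rate(resolve: Callable[[str], List[str]], alias: Set[str],
                    name: str, clients: int) -> float:
    """Fraction of clients whose own resolution (first address returned) is in the alias,
    i.e. the fraction whose traffic a pass rule on that alias would actually match."""
    hits = sum(1 for _ in range(clients) if resolve(name)[0] in alias)
    return hits / clients


if __name__ == "__main__":
    cdn = make_cdn_resolver(seed=7)
    for refreshes in (1, 10, 300):
        alias = build_alias(cdn, "cdn.example", refreshes)
        rate = client_hit_rate(cdn, alias, "cdn.example", 200)
        print(f"CDN alias after {refreshes:3d} refreshes: {len(alias):2d}/{len(CDN_POOL)} "
              f"addresses known, client hit rate {rate:.2f}")
    small = build_alias(small_site_resolver, "small.example", 1)
    print("small site hit rate:", client_hit_rate(small_site_resolver, small, "small.example", 50))
```

With one refresh the alias knows two of twelve edge addresses, so most clients resolve to an address the pass rule does not cover; only after many refreshes does the union converge on the whole pool, and even then a newly added edge address is missed until the next refresh. The small site, whose answer is complete and stable, matches on the first refresh, which is the case the docs say the feature suits.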

                          @lohphat said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                          pfSense doesn't support wildcard domain aliases

                          Nothing supports a wildcard domain alias, because it's pretty much an infinite possible amount of IPs.

                          If you want to filter on a user trying to go to wildcard.domain.tld, you would need to do a proxy.

                          But a firewall that blocks on a wildcard alias isn't a thing. What you could have is some firewall that did a query on whatever FQDN a user is trying to resolve and let that resolve or not. You can do that now with pfSense and Unbound. If you don't want a user to go to wildcard.domain.tld, then don't let him resolve domain.tld.

                          Firewall rules are based on IPs; it is impossible to resolve every IP in an infinite alias. So you would need to control whether that can even be attempted to be resolved, which is DNS, not the actual firewall that allows or blocks on an IP, etc.

                          • lohphat @johnpoz

                            @johnpoz said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                            But a firewall that blocks on a wildcard alias isn't a thing. What you could have is some firewall that did a query on whatever FQDN a user is trying to resolve and let that resolve or not. You can do that now with pfSense and Unbound. If you don't want a user to go to wildcard.domain.tld, then don't let him resolve domain.tld.

                            I understand that.

                            A proxy may be the answer, but I can also envision a rule which can be specified to do a reverse lookup, and if the returned FQDN is within the permitted wildcard, then permit it. And instead of doing this for every request, have a tunable cache of IP to reverse lookup names to speed up subsequent requests.

                            Essentially it's a reverse concept to pfBlocker but for a specific permit rule.

                            • johnpoz @lohphat

                              @lohphat said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                              I can also envision a rule which can be specified to do a reverse lookup, and if the returned FQDN is within the permitted wildcard

                              Great, and not all IPs even have a PTR. So this system might work or might not work. PTRs don't always list the "domain", etc.; it could just be a generic name for the IP and what part of the world it's in, etc.

                              So now you want your "firewall" to do a PTR query on every single hit of traffic that wants to go through the firewall. That is going to be a shit ton of DNS queries, where most of them, as far as PTRs go, won't even resolve to anything.

                              ;; QUESTION SECTION:                                                                
                              ;www.amazon.com.                        IN      A                                   
                                                                                                                  
                              ;; ANSWER SECTION:                                                                  
                              www.amazon.com.         30      IN      CNAME   tp.47cf2c8c9-frontier.amazon.com.   
                              tp.47cf2c8c9-frontier.amazon.com. 30 IN CNAME   d3ag4hukkh62yn.cloudfront.net.      
                              d3ag4hukkh62yn.cloudfront.net. 30 IN    A       99.84.166.43                        
                              
                              ;; QUESTION SECTION:
                              ;43.166.84.99.in-addr.arpa.     IN      PTR
                              
                              ;; ANSWER SECTION:
                              43.166.84.99.in-addr.arpa. 82726 IN     PTR     server-99-84-166-43.ord52.r.cloudfront.net.
                              

                                • lohphat @johnpoz

                                @johnpoz said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                                So now you want your "firewall" to do a PTR query on every single hit of traffic that wants to go through the firewall. That is going to be a shit ton of DNS queries, where most of them, as far as PTRs go, won't even resolve to anything.

                                Not at all, the overhead would be incurred not for all traffic but for a specific rule requesting the reverse lookup (e.g. UDP/443 requests only), and caching the results to reduce the need for a reverse lookup for each request.

                                I know PTRs are not required and may not match but it's what we have available and the larger CDNs I'm trying to target (Google, MSFT, et al) usually (not always) have more consistent DNS records.

                                  • johnpoz @lohphat

                                  @lohphat Can't wait for you to come out with this magic firewall of yours, since clearly pfSense is just not doing it right.

                                  Free as well, like pfSense, I assume.

                                    • lohphat @johnpoz

                                    @johnpoz

                                    Aug 4 09:11:16 LAN QUIC HTTP/3 (1659322461)[2603:xxxx::1d04]:49375
                                    [2607:f8b0:4006:823::200a]:443
                                    lga34s39-in-x0a.1e100.net
                                    

                                    So in the case of YouTube, the destination address DID resolve into a sane FQDN

                                      • johnpoz @lohphat

                                      @lohphat said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                                      into a sane FQDN

                                      But that is not the domain the user was trying to go to. So where is this magic list pfSense is going to have that says, oh, if the user looks up domainX something, and the PTR comes back otherdomainY or something or xyzdomainX, then sure, let it through?

                                      How does this magic firewall even know that IP 1.2.3.4 should have a PTR done on it, and only if it's in its list of OK domains should it be allowed?

                                      So any destination IP using UDP 443, it should do a PTR on, and only allow from your list of domains that are permitted. Who is compiling this list of PTR domains that are OK? How is it going to be updated?

                                      What if going to UDP 8443? What about UDP 10443, or 4430, etc.? Just block all those? Or should it do PTR queries on the IPs?

                                        • lohphat @johnpoz

                                        @johnpoz said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                                        @lohphat Can't wait for you to come out with this magic firewall of yours, since clearly pfSense is just not doing it right.

                                        Free as well, like pfSense, I assume.

                                        I don't think the snark is necessary.

                                        Having a method to trigger an additional address verification for a specified rule -- and not all traffic (I don't know where you got that impression I was suggesting that) -- doesn't seem impossible or need to "create a new firewall".

                                          • lohphat @johnpoz

                                          @johnpoz said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                                          @lohphat said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                                          into a sane FQDN

                                          But that is not the domain the user was trying to go to. So where is this magic list pfSense is going to have that says, oh, if the user looks up domainX something, and the PTR comes back otherdomainY or something or xyzdomainX, then sure, let it through?

                                          You're not getting the point -- AT ALL.

                                          1. I want to PERMIT google UDP/443 requests for YouTube.
                                          2. I know that Google uses *.1e100.net for most if not all their YT content.
                                          3. I want a rule to check if the UDP/443 destination address is within *.1e100.net
                                          4. For THIS RULE, take the time to reverse lookup the destination FQDN and cache it for any subsequent requests, and match the domains in the permit rule.
                                          5. For ALL OTHER UDP/443, drop.

                                          @johnpoz said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                                          But that is not the domain the user was trying to go to. So where is this magic list pfSense is going to have that says, oh, if the user looks up domainX something, and the PTR comes back otherdomainY or something or xyzdomainX, then sure, let it through?

                                          I have no idea where you got this from. I never suggested this was the use case.

                                            • johnpoz @lohphat
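The five-step rule lohphat lays out above, written out as a runnable simulation (an added example for this edit, not pfSense code and not anything posted in the thread): one permit rule that applies to UDP/443 only, reverse-resolves the destination address, caches the PTR answer with a TTL, and permits only when the name falls under an allowed wildcard suffix. The resolver is a constructed lookup table; two of its entries reuse the PTR answers quoted earlier in the thread (the CloudFront name for 99.84.166.43 and the 1e100.net name for the YouTube edge), and the `192.0.2.10` entry with no PTR is constructed to show the fail-closed path.

```python
"""Simulation of a 'PTR-verified permit' rule for QUIC (UDP/443).

Scope is deliberately a single rule, so only traffic matching it pays for a
reverse lookup; answers (including 'no PTR') are cached so repeated flows to
the same address do not repeat the query. Two caveats raised in the thread
are visible in the output: a destination with no PTR cannot be verified, and
a PTR that names a CDN rather than the permitted domain is not matched."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple
import ipaddress
import time

# Constructed stand-in for a PTR resolver. Real PTRs may be missing, may be a
# generic per-IP name, or may name a CDN rather than the site the user typed.
PTR_TABLE: Dict[str, Optional[str]] = {
    "2607:f8b0:4006:823::200a": "lga34s39-in-x0a.1e100.net",          # quoted in the thread
    "99.84.166.43": "server-99-84-166-43.ord52.r.cloudfront.net",       # quoted in the thread
    "192.0.2.10": None,  # constructed: no PTR published (TEST-NET-1 range)
}

PERMIT_SUFFIXES = ("*.1e100.net",)  # the allow-list from the post above


@dataclass
class CacheEntry:
    name: Optional[str]  # None is cached too, so a missing PTR is not re-queried per packet
    expires: float


class PtrPermitRule:
    """One rule: permit UDP/443 only if the destination's PTR is under an allowed suffix."""

    def __init__(self, resolver: Callable[[str], Optional[str]], suffixes: Iterable[str],
                 ttl: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self.resolver = resolver
        # "*.1e100.net" -> "1e100.net"; matching happens on a DNS label boundary below
        self.suffixes = tuple(s.lower().lstrip("*.").rstrip(".") for s in suffixes)
        self.ttl = ttl
        self.clock = clock
        self.cache: Dict[str, CacheEntry] = {}
        self.lookups = 0  # number of real PTR queries this rule has caused

    def reverse(self, ip: str) -> Optional[str]:
        """Cached PTR lookup; an expired entry is queried again."""
        now = self.clock()
        entry = self.cache.get(ip)
        if entry is not None and entry.expires > now:
            return entry.name
        self.lookups += 1
        name = self.resolver(ip)
        self.cache[ip] = CacheEntry(name, now + self.ttl)
        return name

    def decide(self, proto: str, dport: int, dst_ip: str) -> str:
        """Returns 'permit', 'drop', or 'not-matched' when the rule does not apply."""
        if proto.lower() != "udp" or dport != 443:
            return "not-matched"  # only this rule pays the PTR cost
        ip = str(ipaddress.ip_address(dst_ip))  # canonical text form as the cache key
        name = self.reverse(ip)
        if name is None:
            return "drop"  # no PTR: the destination cannot be verified, so fail closed
        host = name.lower().rstrip(".")
        for suffix in self.suffixes:
            if host == suffix or host.endswith("." + suffix):
                return "permit"
        return "drop"  # PTR exists but is outside the allowed suffixes (e.g. a CloudFront name)


def table_resolver(ip: str) -> Optional[str]:
    """Offline resolver backed by the constructed table."""
    return PTR_TABLE.get(ip)


def run_demo() -> Tuple[list, int]:
    """Pushes constructed flows through the rule; returns the verdicts and the query count."""
    rule = PtrPermitRule(table_resolver, PERMIT_SUFFIXES)
    flows = [
        ("udp", 443, "2607:f8b0:4006:823::200a"),   # YouTube edge from the thread's log line
        ("udp", 443, "2607:F8B0:4006:0823::200A"),  # same address spelled differently: cache hit
        ("udp", 443, "99.84.166.43"),               # PTR is a CloudFront name, not allowed
        ("udp", 443, "192.0.2.10"),                 # no PTR at all
        ("tcp", 443, "99.84.166.43"),               # rule does not apply to TCP
        ("udp", 8443, "192.0.2.10"),                # nor to other UDP ports
    ]
    decisions = [rule.decide(*flow) for flow in flows]
    return decisions, rule.lookups


if __name__ == "__main__":
    verdicts, lookups = run_demo()
    for verdict in verdicts:
        print(verdict)
    print("PTR queries issued:", lookups)
```

Six flows produce three PTR queries: the second flow is the same IPv6 address in a different textual form and hits the cache because the key is the canonical form, and the TCP and UDP/8443 flows never reach the lookup. The suffix match is done on a label boundary, so a PTR such as `host.evil1e100.net` does not match `*.1e100.net`; a plain string `endswith` check would let it through.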

                                            @lohphat said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                                            I know that Google uses *.1e100.net for most if not all their YT content.

                                            How do you know this? Where does pfSense learn this from? You going to manually put that in? What if Google now starts having PTRs that resolve with new1e200.net, etc.?

                                            Where is this info going to come from? Who is going to put it into the firewall? How is it going to be updated and maintained as it changes, etc.?

                                            And you want this only for QUIC but not TCP, because why exactly? The same stuff that can happen over QUIC can happen over TCP 443.

                                            So pfSense should also do all this over TCP 443 as well.

                                            Let's say you query when the user hits UDP 443 going to 1.2.3.4. How fast does that PTR resolve? What if it takes longer than normal, the client hasn't got an answer and has already sent 3 retransmissions? Oh well, guess I can't get there. Sorry user, try again later in his browser window.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.