Pfsense blocking Drucva InSync
-
Yeah I would also check you do a sniff on the wan.. You will see the server hello or not.. And sniff on the lan side will show you if pfsense sends it on to the client.
Pfsense would not filter the server hello.. Just doesn't work that way.
Did you happen to update anything on your box.. Say openssl or something?
-
yeah am using squid proxy server in transparent mode.
When running without firewall it goes through and backup successful.we used network monitor tool on the client machine and they description of the problem was :Backups fail in the networks having proxy servers or firewalls.
Check the attachment for description of the problem.
Is there a way I can get the Druva support on board to describe explain it more ? He said, in case I need to bring him on board I can let him know to bring a clear understanding.0_1550496733640_druva support.txt
-
Test it with pfsense, but without the proxy!!! Is your proxy doing ssl? If so quite often THEY do not trust the cert, etc. Or if doing mitm the cert handed back is not trusted by the client.
Just BYPASS this dest from using the proxy..
There is a HUGE freaking difference between what firewall does with traffic (NOTHING!) Its either allowed or denied.. And what a proxy does with traffic..
-
@philipo said in Pfsense blocking Drucva InSync:
yeah am using squid proxy server in transparent mode.
When running without firewall it goes through and backup successful.Ah, well there you go! The application is probably seeing either an error page or a cert error.
That traffic will be sent to Squid because for some unknown reason:
'The backup runs on TCP SSL port 80 .'You need to exclude that traffic from the port forward Squid uses in transparent mode.
Steve
-
Where did you see was doing ssl over 80... Yeah that would break the shit out of ssl and a proxy normally ;)
-
On the dupe post
https://forum.netgate.com/topic/140489/backup-fails-with-ssl-or-certificate-error-during-certificate-validation-behind-pfsense-firewall
-
Yeah see it now - yup what is pretty much BORKED right out of the gate!!
-
@johnpoz they told me it uses port 80 over SSL.
-
Well that is FAIL to start with!! Especially with a proxy - if they are doing that no wonder they have problems with proxies ;)
Quite often proxy will not touch ssl traffic.. Unless specifically setup to do MITM, SSL interceptioni, SSL Bump and Splice, etc. etc.. So if they were doing it over the normal 443 port of ssl the proxies wouldn't mess with the traffic.
-
@stephenw10 Kindly guide me how to exclude that traffic from the port forward squid uses in transparent mode
-
Ok you need to bypass the proxy either by source or destination IP in the Squid Proxy > General tab > Transparent Proxy Settings section.
So if you just have one device accessing this service you can add it's internal IP in the source section there.
If you have numerous clients using this and they also need to use the proxy then you will need to bypass by destination IP so you will need a list of the server IPs being used which may be difficult. Create an alias and add them to that then add that alias to the bypass destination IPs field.
Alternatively you may be able to match and not NAT that traffic some other way. Perhaps they use a fixed source port given they're using SSL on port 80. Or maybe you can change that port and avoid it entirely.
Steve
-
Their docs say they don't use port 80 though....
https://docs.druva.com/001_inSync_Cloud/Cloud/020_Backup_and_Restore/010_Set_up_inSync/010_Configuration/Network_ports
Are you using SSL filtering in Squid?
A list of server IPs is going to be impractical here.
Steve
-
Am not using SSL filtering its unchecked/ disabled.
-
So back to the beginning - LETS SEE A SNIFF on your WAN!! Vs just your log... Then we will KNOW what is going on.. Vs just guessing..
You have destination IP? Then sniff on your want with that when you try and connect for backup.. Well will see the exchange for the ssl connection.
-
here is the Link for the capture behind firewall and on WAN .Check it out
-
Where were those pcaps taken? What were they filtered by? What was happening at the time?
-
they were taken while trying to run backup. One was done behind the firewall and another was done on WAN without the firewall
-
Ok yes I see the backup and indeed it appears to be using port 80.
The default port for that application is 443 though. If it has been deliberately changed then simply changing it back to 443 would solve this.Otherwise you will need to disable the proxy or bypass it for all traffic trying to use this.
Or potentially upload the proxy setup to each client, there does appear to be settings for that in inSync.
Steve
-
@stephenw10 said in Pfsense blocking Drucva InSync:
Otherwise you will need to disable the proxy or bypass it for all traffic trying to use this.
whats the best method to bypass it and how ? Is it possible to be done while still behind pfsene firewall ?
-
What are you backing up? Do you need this to work for a lot of clients? Do they need to use the proxy also?
The easiest thing to do here is just disable Squid for clients that need to use inSync. Or just disable it completely.
A better thing to do would be find out why it's using port 80 and go back to using port 443 if that can be done. Or even a completely different port.
Steve
