pfSense blocking Druva InSync
-
@philipo said in pfSense blocking Druva InSync:
yeah, I am using the squid proxy server in transparent mode.
When running without the firewall it goes through and the backup is successful.

Ah, well there you go! The application is probably seeing either an error page or a cert error.
That traffic will be sent to Squid because, for some unknown reason:
'The backup runs on TCP SSL port 80.'
You need to exclude that traffic from the port forward Squid uses in transparent mode.
Steve
-
Where did you see it was doing SSL over 80... Yeah, that would break the shit out of SSL and a proxy normally ;)
-
On the dupe post
https://forum.netgate.com/topic/140489/backup-fails-with-ssl-or-certificate-error-during-certificate-validation-behind-pfsense-firewall
-
Yeah, see it now - yup, that is pretty much BORKED right out of the gate!!
-
@johnpoz they told me it uses port 80 over SSL.
-
Well that is FAIL to start with!! Especially with a proxy - if they are doing that, no wonder they have problems with proxies ;)
Quite often a proxy will not touch SSL traffic, unless specifically set up to do MITM, SSL interception, SSL Bump and Splice, etc. etc. So if they were doing it over the normal 443 port for SSL, the proxies wouldn't mess with the traffic.
-
@stephenw10 Kindly guide me on how to exclude that traffic from the port forward Squid uses in transparent mode.
-
Ok, you need to bypass the proxy either by source or destination IP in the Squid Proxy > General tab > Transparent Proxy Settings section.
So if you just have one device accessing this service, you can add its internal IP in the source section there.
If you have numerous clients using this and they also need to use the proxy, then you will need to bypass by destination IP, so you will need a list of the server IPs being used, which may be difficult. Create an alias and add them to that, then add that alias to the bypass destination IPs field.
Alternatively you may be able to match and not NAT that traffic some other way. Perhaps they use a fixed source port, given they're using SSL on port 80. Or maybe you can change that port and avoid it entirely.
Steve
-
Their docs say they don't use port 80 though....
https://docs.druva.com/001_inSync_Cloud/Cloud/020_Backup_and_Restore/010_Set_up_inSync/010_Configuration/Network_ports
Are you using SSL filtering in Squid?
A list of server IPs is going to be impractical here.
Steve
-
I am not using SSL filtering; it's unchecked/disabled.
-
So back to the beginning - LET'S SEE A SNIFF on your WAN!! Vs just your log... Then we will KNOW what is going on, vs just guessing.
You have the destination IP? Then sniff on your WAN with that when you try and connect for backup. We will see the exchange for the SSL connection.
-
Here is the link for the capture behind the firewall and on WAN. Check it out.
-
Where were those pcaps taken? What were they filtered by? What was happening at the time?
-
They were taken while trying to run the backup. One was done behind the firewall and another was done on WAN without the firewall.
-
Ok, yes I see the backup and indeed it appears to be using port 80.
The default port for that application is 443 though. If it has been deliberately changed, then simply changing it back to 443 would solve this. Otherwise you will need to disable the proxy or bypass it for all traffic trying to use this.
Or potentially upload the proxy setup to each client; there do appear to be settings for that in inSync.
Steve
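To check what Steve confirmed from the captures (a TLS ClientHello arriving on TCP port 80, which is exactly the traffic a transparent Squid will intercept and break) and to gather the destination IPs and hostnames needed for the bypass alias, here is an added example. It is not code from the thread, from pfSense, Squid or Druva; it parses TCP payloads that you would extract from your own pcap, and the flows, addresses and hostnames below are constructed placeholders.

```python
import struct

# HTTP request methods a transparent proxy expects to see at the start of a port-80 payload.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with an SNI extension.
    Used here only to construct sample input; real clients send many more suites/extensions."""
    host = sni.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_body = struct.pack("!H", len(server_name)) + server_name      # server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body  # ext type 0 = server_name
    body = (b"\x03\x03"                               # client_version TLS 1.2
            + b"\x11" * 32                             # random (fixed for reproducibility)
            + b"\x00"                                  # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
            + b"\x01\x00"                              # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if absent/malformed."""
    try:
        # Skip record header (5), handshake header (4), version (2) and random (32).
        pos = 43
        pos += 1 + payload[pos]                                        # session_id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]        # cipher_suites
        pos += 1 + payload[pos]                                        # compression_methods
        ext_total = struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                p = pos + 2                                            # skip server_name_list length
                if payload[p] == 0:                                    # host_name entry
                    nlen = struct.unpack("!H", payload[p + 1:p + 3])[0]
                    return payload[p + 3:p + 3 + nlen].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        pass
    return None


def classify_port80_payload(payload: bytes):
    """Classify the first client bytes of a port-80 connection as ('http', request line),
    ('tls', sni-or-None) or ('unknown', None)."""
    if payload.startswith(HTTP_METHODS):
        return ("http", payload.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    # TLS record: content type 0x16 (handshake), major version 3, handshake type 1 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return ("tls", extract_sni(payload))
    return ("unknown", None)


def find_transparent_proxy_breakers(flows):
    """Given (src_ip, dst_ip, dst_port, first_client_payload) tuples, return the destination IPs
    that speak TLS on port 80, mapped to the SNI seen. These are the hosts to put in the
    Squid transparent-proxy bypass alias."""
    breakers = {}
    for _src, dst, dport, payload in flows:
        if dport != 80:
            continue
        kind, detail = classify_port80_payload(payload)
        if kind == "tls":
            breakers[dst] = detail
    return breakers


# Constructed sample flows (RFC 5737 documentation addresses and placeholder hostnames).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 80, build_client_hello("backup.example.com")),
    ("10.0.0.5", "198.51.100.7", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.6", "203.0.113.20", 443, build_client_hello("portal.example.com")),
]

if __name__ == "__main__":
    for dst, sni in find_transparent_proxy_breakers(SAMPLE_FLOWS).items():
        print(f"TLS on port 80 to {dst} (SNI {sni}) - add to proxy bypass alias")
```

Run it against the first client payload of each port-80 stream from the capture and the output is the destination list Steve describes for the bypass alias; the SNI tells you which hostnames those IPs belong to, which is easier to keep current than bare addresses. The 443 flow is ignored on purpose, since transparent Squid only takes the port-80 forward when SSL filtering is off.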
-
@stephenw10 said in pfSense blocking Druva InSync:
Otherwise you will need to disable the proxy or bypass it for all traffic trying to use this.

What's the best method to bypass it and how? Is it possible to be done while still behind the pfSense firewall?
-
What are you backing up? Do you need this to work for a lot of clients? Do they need to use the proxy also?
The easiest thing to do here is just disable Squid for clients that need to use inSync. Or just disable it completely.
A better thing to do would be to find out why it's using port 80 and go back to using port 443, if that can be done. Or even a completely different port.
Steve
-
We back up client data and some critical audit files for a number of clients.
Let me see the possibility of asking Druva support about working on port 443 instead of port 80. The users need the proxy too.
-
You might try configuring the client to use the proxy directly:
https://docs.druva.com/005_inSync_Client/inSync_Client_5.8/002Install_inSync_Client/003_Configure_inSync/050_Configure_proxy_settings_on_the_inSync_client
Even there though it shows port 443....
Steve
-
Is there a way we can make sure that there is no sniffing of SSL packets or cipher packets coming from the inSync cloud?
And also whitelist the entire Druva domain on TCP port 80?