Google G-Suite App Issues
-
@stephenw10 Thank you for sending that to me. I added the NAT rule this morning. I have attached a picture of the rules. Is this setup in the correct order for the rule to be applied?
I am still having the same residual issues. I have been running Wireshark on the network and now notice that the network is being spammed with mDNS queries.
From what I read, this protocol is a collective DNS server between computers on the network. We are a mostly Apple campus. Am I correct to suspect this as the culprit causing DNS interference, and should I block port number 5353?
Thanks again,
Patrick
-
mDNS should not affect global DNS like that. It's probably not an issue.
The firewall is OK but it needs a port forward to actually redirect the traffic. Can we see that too?
Steve
-
@stephenw10 Ok thank you. I have attached the picture of the port forwarding down below.
Before I left I made a breakthrough on the issue. I was going through the squid configuration and deselected the "Enable SSL Filtering". Everything after that point worked and seemed to resolve the issue. However, doing so completely disabled the filtering of websites.
The setting below was also set to Splice All. The next option is Splice Whitelist, Bump otherwise. So it's clearly something wrong with the splicing that was occurring. What options do I have at this point?
Thanks,
Patrick
-
Ok, that looks correct.
I don't see any states or packets on the firewall rule against that so there might not have been any DNS traffic there. If you enable logging on the firewall rule you can review it later.
The issue only really occurs with https traffic simply because all the large CDNs are almost exclusively https on the modern internet. If you disable https filtering none of that traffic is inspected so it never resolves differently.
Steve
-
@stephenw10 Perfect, thank you! So my settings within Squid have not changed, so what variables could have caused the splice setting to have this effect on Google? Is there any workaround to fix Google apps while preserving HTTPS filtering?
Edit: Also, I avoided the Secondary option within Squid, which would require CAs to be applied to computers. We support BYOD, and that I think would become an operational headache.
Thanks,
Patrick
-
The only fix I'm aware of for those 409 errors is to make sure everything is resolving to the same IP and that is usually accomplished by using the same DNS server. It's likely to become more of an issue as more things start to use DNSoverHTTPS etc.
Steve
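Added example, not part of any post in this thread: one way to confirm whether the 409 errors mentioned above are present and which clients and destinations they hit, assuming Squid writes its default native `access.log` format. The sample log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Squid native access.log fields:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<code>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = """\
1589300000.101      0 192.168.10.21 TAG_NONE/409 4120 CONNECT clients4.google.com:443 - HIER_NONE/- text/html
1589300000.350    212 192.168.10.21 TCP_TUNNEL/200 5310 CONNECT www.example.org:443 - ORIGINAL_DST/203.0.113.10 -
1589300001.007      0 192.168.10.21 TAG_NONE/409 4120 CONNECT clients4.google.com:443 - HIER_NONE/- text/html
1589300002.415      0 192.168.10.34 TAG_NONE/409 4098 CONNECT docs.google.com:443 - HIER_NONE/- text/html
this line is truncated garbage
1589300003.900     95 192.168.10.34 TCP_MISS/200 1820 GET http://example.com/ - ORIGINAL_DST/203.0.113.20 text/html
"""

def host_of(method, url):
    """Return the destination host from a CONNECT target or an absolute URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]          # strip the trailing :port
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:]+)", url, re.I)
    return m.group(1) if m else url

def conflicts_by_client(log_text):
    """Count HTTP 409 responses per (client, destination host); skip malformed lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group("code") != "409":
            continue
        counts[(m.group("client"), host_of(m.group("method"), m.group("url")))] += 1
    return counts

def report(log_text):
    """Return rows of (count, client, host), most frequent first."""
    rows = [(n, c, h) for (c, h), n in conflicts_by_client(log_text).items()]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

if __name__ == "__main__":
    for n, client, host in report(SAMPLE_LOG):
        print(f"{n:3d}  {client:15s}  {host}")
```

The hostnames it reports are the ones to resolve from both an affected client and the firewall, to see whether the two get different addresses.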
-
Hi all,
Finally, this issue is the same one I have. It is summarized as follows:
Google Suite, WhatsApp and other applications using WebSocket will be cut off by Squid SSL filtering, which I believe is a bug in Squid. That has led me to find a solution other than pfSense to filter HTTPS websites until pfSense solves the issue.
-
That looks like a completely different problem unless you were also seeing 409 errors. I don't see that anywhere.
-
@stephenw10 So if my DNS config is correct, as I have verified, this is now a Squid issue. Is there a way to add an exception to the Man In the Middle configuration? Could this have been caused by an automatic update to the Squid package?
Is there another package that can do content filtering that won't be affected by DNS over HTTPS?
Thanks,
Patrick
-
@msaeed said in Google G-Suite App Issues:
link text
Dear msaeed,
My issue has been based exclusively on the Google application suite, on iOS and Android devices only. All other internet functionality on the devices works fine; the problem is just with the apps. I checked my DNS routing and all was correct. I finally disabled Squid SSL Filtering and the problem has been resolved. The issue is that in doing so my content filter is now down.
-
The only other option for web filtering is doing it via DNS using DNS Blacklist in pfBlocker-ng. That is quite effective and a lot lighter than Squid. Devices using DNSoH or DNSoT will bypass the filtering but will not fail to connect.
https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html
Steve
-
@stephenw10 Perfect, thank you very much. I will pursue that option! I am only trying to block Social Media and other inappropriate sites.
Thanks again for all of your help, it is greatly appreciated!
Patrick