Netgate Discussion Forum

Where is pfSense support for HTTP/3 and QUIC protocol support?

General pfSense Questions
91 Posts 12 Posters 17.7k Views
    JonathanLee @Patch
    last edited by JonathanLee Oct 4, 2022, 5:11 AM Oct 4, 2022, 5:09 AM

    @patch maybe some form of adapting attestation that is being used with the TPM chips? TPM key attestation?

    Make sure to upvote

      stephenw10 Netgate Administrator @Patch
      last edited by Oct 4, 2022, 1:57 PM

      @patch said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

      Perhaps using pfBlocker to create an Alias Native for the ASN, then include that in the black or white list for the QUIC rule

      Exactly that ^.

          lohphat @stephenw10
          last edited by lohphat Oct 4, 2022, 6:37 PM Oct 4, 2022, 5:51 PM

          @stephenw10 I didn't know pfBlocker could be used to create aliases which could then be used by a normal f/w rule. Interesting. I found a link to walk me through this. Thanks!

          https://dannyda.com/2021/04/22/how-to-block-asn-autonomous-system-number-with-pfsense-firewall-how-to-block-an-organization-using-pfsense/

          UPDATE: The linked tutorial demo uses an older pfB UI; I had to change the Action to "Alias Native" so the aliases (I did a v4 and a v6 list) are created and aren't deduped with the other pfB lists.

          Also note the pfBlocker help text doesn't mention these new list action modes (Alias Deny/Permit/Match/Native) either and needs updating; it only mentions "Alias Only".

          https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html

            stephenw10 Netgate Administrator
            last edited by Oct 4, 2022, 5:55 PM

            ASN aliases are usually better for blocking than allowing because they rely on the organisation in question maintaining them and can often be incomplete.
            You only need to block 80% of IPs to make something unusable but you need to allow a lot more than that to make it usable. But it can work.

            Steve

              lohphat @stephenw10
              last edited by lohphat Oct 4, 2022, 8:10 PM Oct 4, 2022, 6:41 PM

              @stephenw10 So I've created pfB IPv4 and IPv6 aliases for Google to pass, then log all other requests to see who else is using it.

              I don't use FB so I don't mind blocking their use of QUIC ;-)

              UPDATE: After permitting AS15169 [ GOOGLE, US ] (for YouTube traffic) the only other ASN logged during YT testing was AS13335 [ CLOUDFLARENET, US ].

              Not too surprising since they're a CDN.

              UPDATE: Google is also using IP blocks not associated with an ASN for YouTube QUIC traffic. This MAY be their ad servers.

              NetRange: 34.64.0.0 - 34.127.255.255
              CIDR: 34.64.0.0/10
              NetName: GOOGL-2
              NetHandle: NET-34-64-0-0-1
              Parent: NET34 (NET-34-0-0-0-0)
              NetType: Direct Allocation
              OriginAS:
              Organization: Google LLC (GOOGL-2)
              RegDate: 2018-09-28
              Updated: 2018-09-28

              I knew this was going to be like this... hunting down scopes of addressing per whitelisted domain. So I'm not too discouraged, and it's become a bit of a learning experience.

                lohphat @Patch
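              The triage described in the post above (pass the Google ASN alias plus the un-ASN'd GOOGL-2 block, log everything else on UDP/443, then see who is left) can be reproduced offline. The following is an added example, not code from the thread or from pfBlockerNG: the AS15169 prefixes are hypothetical placeholders standing in for a real ASN enumeration, the log lines are constructed in a simplified "proto src dst dport" form (not pfSense's filterlog layout), and the whois block is the one quoted in the post.

```python
"""Classify UDP/443 (QUIC) destinations against ASN/CIDR allow-list aliases.

Added example. The ASN prefixes and log lines are constructed; only the
34.64.0.0/10 whois block comes from the thread.
"""
import ipaddress
from collections import Counter

# Hypothetical prefixes standing in for a pfBlockerNG ASN enumeration of AS15169.
ASN_ALIAS = {
    "AS15169": ["142.250.0.0/15", "172.217.0.0/16", "2607:f8b0::/32"],
}

# ARIN-style whois output as pasted in the thread (GOOGL-2, no OriginAS).
WHOIS_SAMPLE = """\
NetRange: 34.64.0.0 - 34.127.255.255
CIDR: 34.64.0.0/10
NetName: GOOGL-2
OriginAS:
Organization: Google LLC (GOOGL-2)
"""

# Constructed firewall log lines in a simplified form: proto src dst dport.
# 17.248.245.134 is the Apple address mentioned later in the thread; the rest are made up.
SAMPLE_LOG = """\
udp 192.168.1.20 142.250.72.206 443
udp 192.168.1.20 34.104.35.123 443
udp 192.168.1.31 104.16.123.96 443
udp 192.168.1.31 17.248.245.134 443
tcp 192.168.1.20 142.250.72.206 443
udp 192.168.1.20 2607:f8b0:4005:80a::200e 443
"""


def parse_whois_cidr(text):
    """Extract the CIDR: entries from a whois block; this is the custom-list side of the alias."""
    nets = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "CIDR":
            for cidr in value.split(","):
                nets.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return nets


def build_allow_list(asn_alias, custom_nets):
    """Union the ASN enumeration with the custom CIDR list.

    The thread notes pfBlockerNG-devel kept these in two aliases; a firewall rule
    can reference both, which is what this union models.
    """
    nets = [ipaddress.ip_network(c) for prefixes in asn_alias.values() for c in prefixes]
    return nets + list(custom_nets)


def match(ip, nets):
    """Return the first allow-list network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def classify(log_text, nets):
    """Split UDP/443 flows into (allowed by network, unknown by destination)."""
    allowed, unknown = Counter(), Counter()
    for line in log_text.splitlines():
        proto, _src, dst, dport = line.split()
        if proto != "udp" or dport != "443":
            continue  # QUIC rides on UDP/443; TCP/443 is ordinary HTTPS
        hit = match(dst, nets)
        if hit:
            allowed[hit] += 1
        else:
            unknown[dst] += 1   # candidates for the next whois/ASN lookup
    return allowed, unknown


if __name__ == "__main__":
    allow = build_allow_list(ASN_ALIAS, parse_whois_cidr(WHOIS_SAMPLE))
    ok, todo = classify(SAMPLE_LOG, allow)
    print("allowed:", dict(ok))
    print("unknown (look these up next):", dict(todo))
```

              The "unknown" counter is the part worth keeping: each address left over after the Google prefixes and the GOOGL-2 block are removed is the next whois or ASN lookup to do, which is exactly how the CLOUDFLARENET hit above was found.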
                last edited by lohphat Oct 15, 2022, 4:38 AM Oct 4, 2022, 9:00 PM

                @patch Done! And it's working as expected. Thanks for the tip as it's NOT obvious that pfBlockerNG can be used this way (ASN lookup and enumeration) to create aliases for regular f/w rules.

                UPDATE: There seems to be a bug/feature in pfBlockerNG-devel where the Alias list doesn't include custom CIDR network lists together with the ASNs. I have had to duplicate all the rules so that the ASNs are enumerated in one alias and the CIDR blocks in another, instead of both being generated in the same alias list.

                Alias Native not combining ASN enumeration with custom list in same rule

                  Sergei_Shablovsky
                  last edited by Sergei_Shablovsky Dec 28, 2022, 5:49 AM Dec 22, 2022, 11:55 PM

                  I wrote about this around a year+ ago (Using BBR2, QUIC, RACK Congestion Control (CC) protocols in pfSense), so it's time for someone to wake up ;)

                  Take my congrats ;)

                  Moreover, I still think that initiatives like ZTNA becoming more popular (40% growth in 1 year for now), plus the widespread use of the QUIC protocol, will bring us a lot of surprises and a lot of manual work in firewalling and IDS-ing traffic.

                  --
                  CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                  Help Ukraine to resist, save civilian people's lives!
                  (Take an active part in public protests, push on your country's politicians, congressmen, mass media, opinion leaders.)

                    JonathanLee
                    last edited by JonathanLee Jul 8, 2024, 4:41 AM Jul 8, 2024, 4:35 AM

                    QUIC is starting to run on Facebook; it has been for some time, however it was developmental before, and now it seems like a requirement at times...

                    Again, 17.248.245.134 is Apple... why does it turn on with Facebook running??

                    (screenshot: QUIC.PNG)

                    Squid seems to already be working on a solution; I don't know if this helps. Squid might become more useful very soon with splice mode only.

                    https://github.com/squid-cache/squid/pull/919

                    Make sure to upvote

                      JonathanLee
                      last edited by JonathanLee Jul 11, 2024, 4:55 AM Jul 11, 2024, 3:10 AM

                      @stephenw10 I can the pcap on pfsense.

                      HTTP/3 is no longer experimental and is fully active on the iMac; it can no longer be disabled manually.

                      2017 --> was still in development
                      (screenshot: Screenshot 2024-07-10 at 20.05.52.png)

                      2021 --> This was the background and code for how it works with applications
                      https://developer.apple.com/videos/play/wwdc2021/10094/?time=16

                      2024 --> Apple has fully activated this on Sonoma 14.5 and Safari 17.5; it has no option to disable it like the link above has.

                      It also has HTTP/3 DNS, much like DoH, however pure UDP; let's call it DoH/3.

                      DoH/3 seen here:
                      (screenshot: f065612b-98b0-4959-9e37-68c032208922-image.png)

                      Make sure to upvote

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.