Nintendo Switch connection issue Error code

johnpoz

@JonathanLee well your nintendoswitch keeps sending ack, after the lee_family sent a fin,ack - so yeah if NS keeps talking to LF with sending acks, LF is going to keep telling it to F off with a RST..

Not sure where pfsense comes into play in this conversation. Is this traffic routed over pfsense? 3128 is proxy port, so this NS wants to keep this conversation going after LF has told its done with the fin,ack..

JonathanLee

@johnpoz yes Squid proxy 3128 this is during the Nintendo Switch Network test it does an upload test right after the Nintendo Switch shows I have NAT type B next it does a download test that passes goes to UL test and this is in the PCAP. It has a ton right before it fails. LF my SG-2100. I wonder if I can increase the connection timers or something

https://bugs.squid-cache.org/show_bug.cgi?id=5084

mcury

@JonathanLee said in Nintendo Switch connection issue Error code:

@johnpoz yes Squid proxy 3128 this is during the Nintendo Switch Network test it does an upload test right after the Nintendo Switch shows I have NAT type B next it does a download test that passes goes to UL test and this is in the PCAP. It has a ton right before it fails. LF my SG-2100. I wonder if I can increase the connection timers or something

https://bugs.squid-cache.org/show_bug.cgi?id=5084

I wonder if in Nintendo Switch, you could use a .pac file instead of setting the proxy by IP address and port, or, if there is a configuration field such as "Do not proxy connections for this destinations"..

If this field existis in the Nintendo Switch proxy configuration, try to include nintendo.net there.

Or, perhaps, if it is possible, try this .pac file in the Nintendo Switch configuration:

This is the .pac file I used to have in a few customers back in the day that I was using squid..

function FindProxyForURL(url, host) {
//BYPASS POR REGEX
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.home.arpa") ||
//BYPASS BY DESTINATIONS NETWORK
        isInNet(dnsResolve(host), "10.0.0.0",  "255.0.0.0") ||
        isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0",  "255.255.0.0") ||
        isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0") ||
//LOCAL SITES
        dnsDomainIs(host, "mywebsite.home.arpa") ||
//Windows and Nintendo Switch
        dnsDomainIs(host, "windowsupdate.com") ||
        dnsDomainIs(host, "live.com") ||
        dnsDomainIs(host, "microsoft.com") ||
        dnsDomainIs(host, "nintendo.net") ||
//Other
        dnsDomainIs(host, "whatsapp.com"))
      return "DIRECT";
if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
return "PROXY pfsense.home.arpa:3128";
}

Edit: If you follow this route, bypass Nintendo's Switch IP address from the transparent proxy.

JonathanLee

@mcury I like your pac WPAD file, however Nintendo does allow for Proxy use, meaning it should not have to bypass it. I have found a bug reported in bugzilla that matches the half closed issue. Your auto configuration file for me opens to many addresses. I do like the .arpa return direct I will use that for my internal devices thanks.

mcury

@JonathanLee What you gain with using a PAC file is the possibility to bypass destinations by domains, regex..

You don't need to know the destination address as you would need to know when using transparent proxy.

Browsers also have a builtin option to make use of that, that you can use with or without a .pac file.

So, as I see it, Nintendo switch proxy implementation is poor, I mean, only an IP and address, port and a switch ON/OFF ?

michmoor

@mcury

The usage of Squid (to no ones surprise) is now deprecated.

https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software

mcury

@michmoor said in Nintendo Switch connection issue Error code:

The usage of Squid (to no ones surprise) is now deprecated.

https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software

I can't say I'm surprised indeed.. Thanks for the info.

JonathanLee

What is an alternative ???

Dang looks like I will have to stay with 23.09 until 2100 hardware twightlighted. I spent years getting this to actually work =(, it's just sad to me. :(

JonathanLee

This post is deleted!

JonathanLee

What is the next official Netgate product that will continue to support a proxy with SSL intercept that can be purchased? Now that this is being twightlighted?

What version should I upgrade too for proxy cacheing abilities? I have a SG-2100 currently. Should users move to Palo Alto?

michmoor

@JonathanLee There is nothing after Squid. Squid is really the only Forward proxy application that i know of. Your alternatives are going to be DNS blocklist or DNS server that can handle content filtering(OpenDNS or NextDNS).
Within my home, ive loaded up AdGuard within a container and pointed my "Family_VLAN" toward it. AdGuard has features to block content of various degrees and you can also upload blocklists. So its handy and arguably better than Squid.

Squid is just a very unsupported project without a lot of updated features and lots of CVEs. Its long past its prime and it had a good run. Im sad to see it go but there just isnt a better or any OSS alternative.

michmoor

@JonathanLee said in Nintendo Switch connection issue Error code:

Should users move to Palo Alto?

Palos/Fortinet/Ciscos all have heavy subscription fees to use their products. Assuming you can get a PA-440 with a home lab license for a "cheap" price it's going to be very costly.
I suspect that if there are folks out there that need to MITM traffic flows they are probably within an enterprise or Financial space or even military and could well afford the pricey security vendors. I can't say what you should do but if you really need that feature set and you are willing to pay then the options you have are vast.
It all comes down to what your security/network requirements are.

JonathanLee

if (! isResolvable(host)) {
return "PROXY proxy.example.com:3128";
}

In the mean time I wonder if this would help with the WPAD.

Ref:
https://wiki.squid-cache.org/KnowledgeBase/ProxyPacSlow

Squid's website states there next upgrade to resolve bugs every 2 years.

"Major stable releases follow a two-year schedule. Beta branches are spawned six months before the corresponding major stable release."

So Feb 2025 is when the security issues will be resolved?

Good run it's still running great. I am not at all concerned with the security issues from it. I am going to keep running it personally. It's million times better from day one of setting up my 2100. It's like a dream to see it run now on my system. I have one issue with a time out connection.

I actually feel like I have control of my privacy. I have asked many times per CCPA for sites to stop tracking me. Again they don't, this gave me the ability to force privacy with block lists. I am to invested in the configurations and stuff with it to give up on it. Yes it has some bugs like anything.

I keep thinking about Microsofts enteral blue bug. It's been abused over and over and patched and reopened for NSA tools and released.

pfSense and Squid provided me everything I needed in a firewall. So much so I would buy a new Netgate if it had the ability to run it still. It's perfect. Sure I block some advertising abuse from tracking us, that's them not following CCPA and GDPR laws.

I am on a tangent sorry because I personally Iove Squid Squidguard and lightsquid.

There run is not over yet... Squid keeps on protecting my GDPR and CCPA rights. It really took the Zoo/panopticon feeling out of advertising company abuses.

Again for the average users it's a living nightmare to configure, something that requires a cyber security degree and years of configuration changes after with a team of open source community members coding and searching for any issue.

It really was an amazing product.

michmoor

@JonathanLee
IMO, you are taking a huge gamble running an insecure application.
https://www.theregister.com/2023/10/13/squid_proxy_bugs_remain_unfixed

No one on the development side of the Squid project is taking ownership of these vulnerabilities. There is no roadmap to fix.

"He also acknowledged that the Squid proxy's maintainers – like most open source developers – are largely volunteers and may not have the support necessary to quickly fix all these problems.

"The Squid Team have been helpful and supportive during the process of reporting these issues," Rogers conceded. **"However, they are effectively understaffed, and simply do not have the resources to fix the discovered issues. Hammering them with demands to fix the issues won't get far."

As Netgate suggested, i would highly advise you to not use it anymore. If you really need more control over devices that are other methods availble today with less overhead.

JonathanLee

@michmoor I am a computer science student, after I take a C++ class and php class I can start helping fix the issues. I just don't know how to debug something like this yet. I also will learn that soon, I think GitHub has virtual instances where it's a VM. I have to learn about better GitHub use also in class soon.

michmoor

@JonathanLee
What I don’t understand is why isn’t this a project that Netgate supports? They advertise a free project in all marketing. They fully utilize an open source tool to make money . IMO, Netgate should have a role in fixing this or offering an alternative

https://www.netgate.com/pfsense-plus-applications/content-filtering

JonathanLee

@michmoor

https://docs.opnsense.org/manual/proxy.html

Opensense is another alternative I can see once Squid is removed. However I really don't want to go to a new vendor. I bet Netgate will find a great SSL intercept web cache replacement in the end.

JonathanLee

@michmoor I admit Squid was a reason I went with Netgate also the great community.

michmoor

@mcury @JonathanLee

Not saying a switch of vendors is appropriate BUT...the ability to offer per network blocklist is available.
Looks like they paywall that feature. https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html

Nevertheless, its possible but pfBlocker only has a single maintainer and we havent had a package update in quite a while. If you check the redmines, there are quite a few feature requests open and unassigned.
I did call it with Squid and im calling it with pfBlockerNG. The lack of any ticket updates on a package is usually a bad sign that the maintainer has left. I told everyone that this /409 issue with Squid breaks the package and a pretty detailed write up on the redmine along with a potential solution but no one from Netgate picked it up.
The pattern is repeated again, this time with pfblocker. I hope im wrong but with a single maintainer and unassigned redmines, the writing is on the wall for the package.

Features requests pile up...

Bug tickets pile up...

JonathanLee

@michmoor I personally never used pfblocking because of DoH DoT and HTTPS3 QUIC. It was changing every 3 months with ways around DNS based filtering. I use to work with government clearances so I have a target on my back for anything at home. It was so bad one year I couldn't get through a single Netflix film without getting hit with denial of service attacks. I found a solution.

I use the SG-2100 internal wifi card for the Nintendo switch on a separate unfiltered WiFi. And all my my university stuff and home NAS sits on the RJ45 based external AP with a different subnet.

With AppID and the full text rules I could see the Nintendo switch doing Curl all the time on my network, now it can do it all day on a separate subnet and never see my firewalles LAN.