Channel: Sophos User Bulletin Board

Transparent web proxy problem with Google (possibly IPv6 related)

Hello,

I've been using my ASG (8.300, home license) for a few weeks with the transparent web proxy enabled. The web filtering functions are what led me to the ASG in the first place. So far I've liked what I've seen.

I have run into a funny problem with the web proxy and IPv6.

Until today the ASG had no IPv6 connectivity; I had it configured on a static IPv4 address from my ISP (behind the ISP-supplied PPPoE router). Today I reconfigured the ASG so it establishes the PPPoE connection to my ISP directly. This is neater, avoids the ISP-supplied PPPoE router, and has the benefit that the ASG now has native IPv6 connectivity (I have a modern ISP who supports such things).

I'm still running an IPv4 network behind the ASG.

I started to notice some websites would work and some, notably Google, wouldn't. After the usual sort of LAN and DNS checks I tried disabling the transparent web proxy - and then Google worked.

This led me to look in the log for the web proxy, and I saw the line:
2012:02:26-11:34:24 naira httpproxy[10024]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="172.16.1.6" dstip="2a00:1450:400c:c01::67" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4878" request="0x8cca5e8" url="http://www.google.com/search?q=eframe&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a" exceptions="av,auth,content,url,ssl,certcheck,cert date,mime,cache,fileextension" error="Connection timed out"
This immediately looks suspicious - the srcip is the local, IPv4 address of my PC - "172.16.1.6". The dstip however is an IPv6 address - "2a00:1450:400c:c01::67", which is one of the resolutions of Google.

It looks to me like the ASG proxy is intercepting the request, looking Google up itself, choosing an IPv6 version, and then things break. Sites that have no IPv6 returned in their DNS records work fine.

I'm not sure if this is the proxy at fault or my configuration, hence I'm posting here. I would have thought that if the request comes from an IPv4 machine, then the proxy should access the IPv4 version of the target website. That doesn't seem to be happening.

Has anyone else seen this? Anyone got a fix and/or workaround? Even if I roll out IPv6 to my LAN (which I eventually will), not all devices support it and nor should they need to - legacy IPv4 devices should continue to work fine even if the websites I'm visiting have IPv6 versions.

Thanks,
Giles.
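
Added example (not part of the original post, and not Sophos tooling): a small log triage script that scans httpproxy lines in the format quoted above and lists the hosts where an IPv4 client was proxied to an IPv6 destination and the request failed with status 502. The function names and the second and third sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# key="value" pairs, as they appear in the httpproxy log line quoted in the post
KV = re.compile(r'(\w+)="([^"]*)"')

# First line: the post's log entry with some fields dropped for brevity.
# Second and third lines: constructed samples using documentation addresses.
SAMPLE_LOG = """\
2012:02:26-11:34:24 naira httpproxy[10024]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="172.16.1.6" dstip="2a00:1450:400c:c01::67" statuscode="502" url="http://www.google.com/search?q=eframe" error="Connection timed out"
2012:02:26-11:35:02 naira httpproxy[10024]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.1.6" dstip="192.0.2.10" statuscode="200" url="http://v4only.example/" error=""
2012:02:26-11:36:40 naira httpproxy[10024]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="172.16.1.7" dstip="2001:db8::1" statuscode="502" url="http://dual.example/index.html" error="Connection timed out"
"""

def family(addr):
    """Return 4 or 6 for a valid IP literal, None for anything else."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None

def failed_v4_to_v6(log_text):
    """Yield parsed entries: IPv4 client, IPv6 destination, status 502."""
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        # A v4 client reaching a v6 destination through a proxy is not a fault
        # in itself; only the failed (502) requests match the reported symptom.
        if (family(f.get("srcip", "")) == 4
                and family(f.get("dstip", "")) == 6
                and f.get("statuscode") == "502"):
            yield f

def affected_hosts(log_text):
    """Count matching failures per requested host name."""
    hosts = Counter()
    for f in failed_v4_to_v6(log_text):
        hosts[urlsplit(f.get("url", "")).hostname or "?"] += 1
    return hosts

if __name__ == "__main__":
    for host, n in affected_hosts(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host}")
```

If the hosts it lists are all ones that publish IPv6 (AAAA) DNS records, that supports the diagnosis that the proxy's outbound IPv6 path is failing rather than the client LAN or DNS.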
