
Discord Firewall Exception(Sophos XG)

Hi All

Currently I am experiencing issues building a Discord firewall exception. When users are joining a voice/video channel within Discord, channel status is: No Route, connecting RTC.

When I create a firewall exception, things are just not working. If I create a firewall rule for that specific computer, allow: any/any, things work correctly. If I want to narrow it down, using a specific domain: (*.discord.gg), things do not work.

Can anyone point me in the right direction? I can't find a Discord server IP list.



  • "Use web proxy instead of DPI engine" is turned off, so I am using the DPI engine.

  • Hi,

    do you have any boxes ticked in the web section? If so, that will enable the web proxy.

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Adding discord.com gives me the same output unfortunately

  • What does the ssl/tls log show? When you had the generic rule, what were the urls that were passed, sounds like there might be others than those you have added exceptions for?

    ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Action with every URL is: Do not decrypt. So it wouldn't be an issue?

  • Hi,

    some sites do not like SSL/TLS regardless of the settings, which is why occasionally it is best to use the web proxy with exceptions. Also, SSL/TLS does not handle UDP, so you need to allow for that. The web proxy will allow for it without scanning.

    ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Ok, but which exception do I need to define in the FW rules? I can't find a list of IP addresses or anything like that.

  • There is an SSL/TLS exception list, though I think your existing exception list covers most items. I would set up your generic rule again and use one PC as the source to see what sites and ports are used, because you might find that there are special ports involved, though I searched through the Discord web site and did not find any useful information.

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
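As an added example (not from this thread, and not Sophos code), a small Python script that does the per-client log review Ian suggests: it parses key=value syslog lines in the style SFOS emits for firewall entries (field names assumed, sample lines constructed with documentation addresses) and tallies the protocol, destination address and port reached by one test client under the temporary any/any rule.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value style SFOS uses for syslog
# firewall entries. They are made up for illustration: field names are
# assumed, and the addresses are documentation ranges, not Discord's.
SAMPLE_LOG = """\
device="SFW" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=12 src_ip=192.168.10.50 src_port=51234 dst_ip=203.0.113.7 dst_port=443 protocol="TCP"
device="SFW" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=12 src_ip=192.168.10.50 src_port=60001 dst_ip=198.51.100.23 dst_port=50002 protocol="UDP"
device="SFW" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=12 src_ip=192.168.10.50 src_port=60001 dst_ip=198.51.100.23 dst_port=50002 protocol="UDP"
device="SFW" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=12 src_ip=192.168.10.50 src_port=60002 dst_ip=198.51.100.77 dst_port=50010 protocol="UDP"
device="SFW" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=3 src_ip=192.168.10.60 src_port=40000 dst_ip=203.0.113.9 dst_port=443 protocol="TCP"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def destinations_for_client(log_text, client_ip, rule_id=None):
    """Count (protocol, dst_ip, dst_port) tuples the test client reached.

    Only 'Allowed' firewall entries from client_ip (and, if given, the
    temporary any/any rule id) count, so the result is the set of
    destinations a narrower rule would have to cover.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("log_type") != "Firewall" or rec.get("log_subtype") != "Allowed":
            continue
        if rec.get("src_ip") != client_ip:
            continue
        if rule_id is not None and rec.get("fw_rule_id") != str(rule_id):
            continue
        hits[(rec["protocol"], rec["dst_ip"], int(rec["dst_port"]))] += 1
    return hits

def udp_destinations(hits):
    """UDP destinations: these never pass through the SSL/TLS inspection
    path, so they need a firewall rule rather than a web exception."""
    return sorted({(ip, port) for (proto, ip, port) in hits if proto == "UDP"})

if __name__ == "__main__":
    hits = destinations_for_client(SAMPLE_LOG, "192.168.10.50", rule_id=12)
    for (proto, ip, port), n in sorted(hits.items()):
        print(f"{proto:4} {ip:16} {port:6} x{n}")
    print("UDP targets:", udp_destinations(hits))
```

Because the voice-server addresses differ from session to session, the useful output is the protocol and port pattern (UDP high ports beside the TCP 443 flows), not the address list itself.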

  • I already did that. I will show you.
    Test client is specified, ACL rule is being hit in logs.

    In this example, I have extracted the Discord IP addresses from the logs. However, yesterday I had 3 other IP addresses; they keep changing. I noticed when I test with multiple clients, they all get different Discord server IP addresses.
    I can't seem to find a complete Discord server list. If I know which IP addresses to allow the voice traffic to, I can easily make an exception.

  • Hi,

    I am a little confused by your use of ACL; please explain. I could not read your firewall rule, but I suspect you need to change the destination to the WAN zone.

    ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Destination Zone is WAN indeed, sorry, blurred too much. However, if I rejoin the Discord voice channel, the Discord server IP keeps changing.

    The only thing I did was rejoin the Discord voice channel. Different IP. If I had a group of Discord IPs, I could make an exception; however, the Discord server IP keeps changing.

  • Interesting, I had nothing to set up to use Discord, worked right off the bat. You must be blocking something that I'm not. I don't have any outbound rules set up, I left those alone with the exception of cutting off a couple of ports for my cameras and some Country Blocking.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)
