LAN to WAN not functioning in EAP3 for devices (Roku, TiVo, UniFi APs)

I have a 105 using the latest v17 and a 106 using EAP 3 v18. Using my v18, many devices get IPs but cannot connect to the internet. Plug in the 105 and everything is fine. Similar rule setup between both firewalls - the v18 106 was set up manually (no migration). Netflix also does not work. I set up policy bypass and FQDN per https://community.sophos.com/kb/en-us/125061.

1) TiVo/Roku - cannot connect to the internet when the 106 is plugged in. I have created manual rules (attached below) which do not appear to be running. I do not see any failures in the logs. LAN to WAN below. Details are for the Roku, but the same experience with TiVo, UniFi devices, etc. iOS/computers work. Given that I set up explicit rules for Roku/TiVo, I would expect them to bypass any other checks I may have enabled.

Rule details for Roku - set Allow All for web filter and other security

Thoughts?

  • Hey Ian - I see the same behaviors with web policy Allow All or None. So it sounds like None is the correct value but, due to a bug, does not work. So it sounds like I will just need to wait for EAP4 and hope this bug is resolved? Or am I missing a workaround? I have added an SSL/TLS inspection rule to not decrypt those devices in the hope this may help, but I doubt this to be the case.

  • Hi Gary,

    No, just build a firewall rule with only IPS settings; do not add web or application settings other than the defaults. Even then your IPS could cause some issues.

    You don't need web scanning, whether it be proxy or DPI, for streaming functions.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hey Ian - Thanks for the ideas; unfortunately I got the same results. I am working with Apurv to see what we can come up with.

  • In order to make v18 behave like v17.5 you need to do the following things:
    For any rule that does anything with port 80/443 traffic, select "Use proxy instead of DPI engine".
    Rules that have "Scan HTTP and decrypted HTTPS" and "Use proxy instead of DPI engine" should not have Web Policy set to None. Change it to Allow All. Known issue.

    Doing that will cause the v18 box to use the same web proxy as 17.5. If things still don't work, you've got other issues.

    Assuming that does resolve the problems, then the next step is switching the rule for your Roku TV back to the DPI mode and then investigating with logs what it is trying to connect to and why it cannot connect.