
Discord Firewall Exception (Sophos XG)

Hi All

Currently I am experiencing issues building a Discord firewall exception. When users are joining a voice/video channel within Discord, channel status is: No Route, connecting RTC.

When I create a firewall exception, things are just not working. If I create a firewall rule for that specific computer, allow: any/any, things work correctly. If I want to narrow it down, using a specific domain (*.discord.gg), things do not work.

Can anyone point me in the right direction? I can't find a Discord server IP list.



  • "Use web proxy instead of DPI engine" is turned off. So I am using the DPI engine.

  • Hi,

    do you have any boxes ticked in the web section? If so, that will enable the web proxy.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Action with every URL is: Do not decrypt. So it wouldn't be an issue?

  • Hi,

    some sites do not like SSL/TLS inspection regardless of the settings, which is why occasionally it is best to use the web proxy with exceptions. Also SSL/TLS inspection does not handle UDP, so you need to allow for that. The web proxy will allow for it without scanning.

    ian


  • OK, but which exception do I need to define in the FW rules? I can't find a list of IP addresses or anything like that.

  • There is an SSL/TLS exception list, though I think your existing exception list covers most items. I would set up your generic rule again and use one PC as the source to see what sites and ports are used, because you might find that there are special ports involved, though I searched through the Discord web site and did not find any useful information.

    Ian


  • I already did that. I will show you.
    Test client is specified, ACL rule is being hit in logs.

    In this example, I have extracted the IP addresses for Discord from the logs. However, yesterday I had 3 other IP addresses; they keep changing. I noticed when I test with multiple clients, they all get different Discord server IP addresses.
    I can't seem to find a complete Discord server list. If I know which IP addresses to allow the voice traffic to, I can easily make an exception.

  • Hi,

    I am a little confused by your use of ACL, please explain. I could not read your firewall rule, but I suspect you need to change the destination to the WAN zone.

    ian


  • Destination zone is WAN indeed, sorry, blurred too much. However, if I rejoin the Discord voice channel, the Discord server IP keeps changing.

    The only thing I did was rejoin the Discord voice channel. Different IP. If I had a group of Discord IPs, I could make an exception; however, the Discord server IP keeps changing.

  • Interesting, I had nothing to set up to use Discord; it worked right off the bat. You must be blocking something that I'm not. I don't have any outbound rules set up, I left those alone with the exception of cutting off a couple of ports for my cameras and some country blocking.

    OPNsense 64-bit | Intel Xeon 4-core v3 1225 3.20 GHz
    16 GB Memory | 500 GB SSD | AT&T Fiber 1 Gbps
    (Former Sophos UTM Veteran, Former XG Rookie)

  • I do not think you are hitting TLS problems with DPI mode. Most voice traffic is not over TLS.

    Now that you have found firewall blocks, that proves it is not DPI. You can hover over the first column to get the full log (or switch to detailed view). Find the firewall rule that it is hitting. Find the port it is using.
    Create a new firewall rule above the one it is hitting, just for that port. If you want to, you can use FQDN hosts as a destination network.

    A simple Google search for "discord firewall voice port" finds sites like this:
    streamersplaybook.com/.../
    That says Discord uses a random UDP port between 50,000 and 65,535. You may need to create a Service that matches that, then a firewall rule to allow it.
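    The two steps in this answer, reading the denied flows out of the log to find the port, then placing an allow rule for that UDP range above the block, as an added illustration that is not from the thread or from Sophos. The log lines are constructed in a Sophos-XG-style key="value" layout (an assumption about the format) and the rule table is a toy first-match model, not the XG rule engine.

```python
import re
from collections import Counter

# Constructed sample lines in a Sophos-XG-style key="value" syslog layout
# (format is an assumption; these are not log entries from the thread).
SAMPLE_LOG = """\
log_type="Firewall" log_subtype="Denied" fw_rule_id=0 protocol="UDP" src_ip="10.0.0.25" dst_ip="203.0.113.10" src_port=52314 dst_port=50004
log_type="Firewall" log_subtype="Allowed" fw_rule_id=7 protocol="TCP" src_ip="10.0.0.25" dst_ip="203.0.113.20" src_port=49211 dst_port=443
log_type="Firewall" log_subtype="Denied" fw_rule_id=0 protocol="UDP" src_ip="10.0.0.25" dst_ip="203.0.113.11" src_port=52315 dst_port=60133
log_type="Firewall" log_subtype="Denied" fw_rule_id=0 protocol="UDP" src_ip="10.0.0.25" dst_ip="203.0.113.12" src_port=52316 dst_port=50070
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
VOICE_RANGE = range(50000, 65536)  # UDP range quoted in the thread

def parse_line(line):
    """Turn one key=value log line into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def denied_udp_ports(log_text, client_ip):
    """Count denied UDP destination ports seen from one test client."""
    ports = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec.get("log_subtype") == "Denied" and rec.get("protocol") == "UDP"
                and rec.get("src_ip") == client_ip):
            ports[int(rec["dst_port"])] += 1
    return ports

def all_in_voice_range(ports):
    """True when every denied port falls inside the Discord voice range."""
    return bool(ports) and all(p in VOICE_RANGE for p in ports)

# Toy first-match rule table, evaluated top to bottom like an XG rule set.
# Each rule: (name, protocol or None for any, port range or None, action).
def first_match(rules, proto, dst_port):
    for name, rule_proto, port_range, action in rules:
        if rule_proto and rule_proto != proto:
            continue
        if port_range and dst_port not in port_range:
            continue
        return name, action
    return "implicit", "deny"

RULES = [
    ("Discord-voice UDP 50000-65535", "UDP", VOICE_RANGE, "allow"),  # above the block
    ("Block-everything-else", None, None, "deny"),
]

if __name__ == "__main__":
    ports = denied_udp_ports(SAMPLE_LOG, "10.0.0.25")
    print(dict(ports), all_in_voice_range(ports), first_match(RULES, "UDP", 60133))
```

    Because the destination IPs differ per client and per rejoin, the allow rule keys on the Service (UDP 50000-65535) rather than on a destination host.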

  • Thanks! Once I added a Discord Service group with all the UDP ports, without a specific IP destination (so just: ANY), it started to work. The thing that misled me was the IP blocking, which occurred before the UDP block.

    In your URL I noticed we just can't specify a specific Discord IP server, so it clarifies a lot.
    Thanks all for helping me out!
