OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: ruggerio on March 20, 2018, 10:33:07 pm
-
Hi,
i changed today to opnsense. Everything works fine, except connections from Android-Devices. There i always get "no internet". But i can connect to internet, it works. On Windows, it works without any error.
Why do i get this message, that there is no internet connection? Anybody else having this issue? Btw. connection passes by transparent proxy. If i change to not use the proxy, it works fine.
Roger
-
i am a little bit @the end...
The problem is:
- all Android-Devices warn "no Internet Connection" when connecting to an AP which ist connected to LAN
- all other devices (Windows-Tabs) connect via WLAN with no warning
- Devices connected by cable connect without any problem
So, the problem seems to be Android-related (Android Oreo?)
- If the Android connects via Proxy...error
- If the Android connects directly...works
*grummel*
So, after googling, i found that all Android-Devices connect to a specific URL, depending on its version. So for oreo, its something like http://play.googleapis.com/generate_204
I tried to insert rules, that play.googleapis.com is not redirected to proxy, but it did not help.
Is somebody else having this issue? Am i alone with that?
Thx,
Roger
-
Next step: its not forwarding in general, the problem is on forwarding SSL-Sites to Squid on port 3129. 3128 for normal HTTP works.
-
for the interested ones:
you need a bunch of entries in the no ssl bump list as exceptions:
google.[your country, seems important]
.google.com
.googleapis.com
.gstatic.com
.1e100.net
Your CA needs to be installed as "VPN and Apps".
This did it for me.
Roger
-
Well, what else should/ can we say, other than a big THANK YOU?!?! :)
-
I made a PR to add this to the docs too.
-
Good stuff! Thank you, Roger. :)
-
I did al this but it's still not working for me.
-
Same with me. I performed all the steps in the howto. This part worked, because bumped sites gave no error notice when I browsed to them, but the others complained about the certificate. I imported the certificate to my browser, and everything was working on my laptop.
I bumped the google sites mentioned above, and imported the certificate to android twice. Once as WiFi and onces as VPN and apps. But I cannot reach the google play store. This is a .ewer version, BTW.
Never mind, it eventually started working on its own. Maybe some old cached info.
Another update: and then stopped workings again. Why so flaky?
-
@Pimb/Jdb:
What are your squid-logs saying? What Android-Version are you using? I am now on pie and it's still working.
Check the squidlogs for bumps while connecting to the wlan. this will give you some ip's back, which can be resolved. Eventually, Goo changed again some hosts...
-
The problem was with pihole blocking the domain: android.clients.google.com at the same time (coincidentally) that I set up the transparent proxy. I wonder if this domain should be added to the bump list. I found the list of play store urls from here:
https://community.arubanetworks.com/t5/Security/2017-Google-Play-Store-URL-whitelist/td-p/284663 (https://community.arubanetworks.com/t5/Security/2017-Google-Play-Store-URL-whitelist/td-p/284663)
-
have you added it to your ssl bump list or just excluded it in pihole?
-
I do not have transparent proxy enabled right now. I would indeed add that to the list if I did.
For the moment, I have whitelisted it in pihole, and mentioned the problem to the maintainer of the list.