Issues with android app

Started by Minskaya2, March 10, 2024, 08:02:24 PM

Packets captured on LAN2 for IP 192.168.102.103
Interface Timestamp SRC DST output
IGC2_Cisco6co_ETH3_CAT7blue igc2 2024-10-09 18:45:13.458246 Tablet MAC LAN2 MAC IPv4, length 688: 192.168.102.103.48346 > Public IP : tcp 622
IGC2_Cisco6co_ETH3_CAT7blue igc2 2024-10-09 18:45:13.570098 LAN2 MAC Tablet MAC IPv4, length Public IP > 192.168.102.103.48346: tcp 0
IGC2_Cisco6co_ETH3_CAT7blue igc2 2024-10-09 18:45:13.580465 LAN2 MAC Tablet IP IPv4, length 480: Public IP > 192.168.102.103.48346: tcp 414
IGC2_Cisco6co_ETH3_CAT7blue igc2 2024-10-09 18:45:13.584274 Tablet MAC 192.168.102.103 LAN2 MAC IPv4, length 66: 192.168.102.103.48346 > Public IP.443: tcp 0
IGC2_Cisco6co_ETH3_CAT7blue igc2 2024-10-09 18:45:17.972276 Tablet MAC 192.168.102.103 LAN2 MAC IPv4, length 74: 192.168.102.103.33891 > Public IP.443: tcp 0
IGC2_Cisco6co_ETH3_CAT7blue igc2 2024-10-09 18:45:18.875502 Tablet MAC Unknown MAC or IPv6 ? IPv4, length 133: 192.168.102.103.5353 > Public IP.5353: UDP, length 91
IGC2_Cisco6co_ETH3_CAT7blue igc2 2024-10-09 18:45:19.089311 Tablet MAC LAN2 MAC IPv4, length 66: 192.168.102.103.38107 > Public IP.443: tcp 0
IGC2_Cisco6co_ETH3_CAT7blue igc2 2024-10-09 18:45:21.742308 Tablet MAC LAN2 MAC IPv4, length 66: 192.168.102.103.60959 > Public IP.443: tcp 0
IGC2_Cisco6co_ETH3_CAT7blue igc2 2024-10-09 18:45:21.863101 LAN2 MAC Tablet MAC IPv4, length 66: Public IP.443 > 192.168.102.103.60959: tcp 0
IGC2_Cisco6co_ETH3_CAT7blue igc2 2024-10-09 18:45:21.866320 Tablet MAC LAN2 MAC IPv4, length 66: 192.168.102.103.60959 > Public IP.443: tcp 0
IGC2_Cisco6co_ETH3_CAT7blue igc2 2024-10-09 18:45:24.643595 Tablet MAC LAN2 MAC IPv4, length 74: 192.168.102.103.46383 > Public IP.443: tcp 0
IGC2_Cisco6co_ETH3_CAT7blue igc2 2024-10-09 18:45:24.665528 LAN2 MAC Tablet MAC IPv4, length 74: Public IP.443 > 192.168.102.103.46383: tcp 0
IGC2_Cisco6co_ETH3_CAT7blue igc2 2024-10-09 18:45:24.669333 Tablet MAC LAN2 MAC IPv4, length 66: 192.168.102.103.46383 > Public IP.443: tcp 0


Is it normal that the public IPs have 5 sections, the last one being .443? It looks like the port, but it should be :443 rather than .443, right?
Hunsn RS39 (N5105, 4x i225) 24.7.5_0 testing
LAN1 = swtch1 Laptop1 MX23, NAS, Laptop2 Win10
LAN2 = WiFi router AP, Laptop2, tablet, phone, printer, IoT, etc.
LAN3 = Swtch2 Laptop3 Suse; Laptop4 Qube-OS/Win10, printer
Pretending to be tech Savvy with a HomeLab :-p
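The ".443" in the pasted capture is tcpdump's host.port notation, so the fifth dot-separated field is the port. As an added example (not code from the thread or from OPNsense), here is a small Python parser for lines in that shape that splits each endpoint into address and port, groups packets per flow and lists the flows the tablet opened that never received a single packet back, which is what a drop on the firewall path looks like in a capture. The sample lines and the 203.0.113.10 server address are constructed placeholders for the redacted "Public IP".

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the pasted capture (not the thread's real data);
# 203.0.113.10 is a documentation-range placeholder for the redacted "Public IP".
SAMPLE_CAPTURE = """\
18:45:13.458246 IPv4, length 688: 192.168.102.103.48346 > 203.0.113.10.443: tcp 622
18:45:13.580465 IPv4, length 480: 203.0.113.10.443 > 192.168.102.103.48346: tcp 414
18:45:17.972276 IPv4, length 74: 192.168.102.103.33891 > 203.0.113.10.443: tcp 0
18:45:18.875502 IPv4, length 133: 192.168.102.103.5353 > 203.0.113.10.5353: UDP, length 91
18:45:21.742308 IPv4, length 66: 192.168.102.103.60959 > 203.0.113.10.443: tcp 0
18:45:21.863101 IPv4, length 66: 203.0.113.10.443 > 192.168.102.103.60959: tcp 0
"""

# tcpdump writes host.port: an IPv4 endpoint has five dot-separated fields, the last being the port.
LINE_RE = re.compile(r"^(?P<ts>\S+) .*?length \d+: (?P<src>\S+) > (?P<dst>\S+): "
                     r"(?P<proto>tcp|UDP)\b.*?(?P<payload>\d+)\s*$")

def split_endpoint(text):
    """'192.168.102.103.48346' -> ('192.168.102.103', 48346)."""
    host, port = text.rsplit(".", 1)
    return host, int(port)

def parse_line(line):
    """One capture line -> dict, or None for lines that are not packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"proto": m["proto"].lower(), "payload": int(m["payload"]),
            "src": split_endpoint(m["src"]), "dst": split_endpoint(m["dst"])}

def summarize_flows(capture_text, client_ip):
    """Per-flow packet and byte counts per direction; in_pkts == 0 means the server never replied."""
    flows = defaultdict(lambda: {"out_pkts": 0, "in_pkts": 0, "sent": 0, "received": 0})
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        (sip, sport), (dip, dport) = pkt["src"], pkt["dst"]
        if sip == client_ip:    # client -> server, keyed by the client's port
            f = flows[(pkt["proto"], sport, dip, dport)]
            f["out_pkts"] += 1
            f["sent"] += pkt["payload"]
        elif dip == client_ip:  # server -> client, same key
            f = flows[(pkt["proto"], dport, sip, sport)]
            f["in_pkts"] += 1
            f["received"] += pkt["payload"]
    return dict(flows)

def unanswered_flows(flows):
    return sorted(k for k, v in flows.items() if v["in_pkts"] == 0)
```

A reply packet with zero payload (a bare SYN-ACK, for instance) still counts as an answer, so flows are judged by packets seen, not bytes.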

Quote from: MarieSophieSG on October 11, 2024, 12:10:04 AM
Quote from: cookiemonster on October 10, 2024, 10:04:00 PM
Ah! Unlikely unless you are doing something wacky with certificates and breaking TLS.
Some of those use certificate pinning.
If it is so, then it's completely out of my wish/control, I just use the tablet the same way I did while connected to my previous router, which was much of a strainer, letting most going through, hence me on OPNsense now

Quote from: cookiemonster on October 10, 2024, 10:04:00 PM
To me the next step in diagnostic is to do a packet capture and analysis.

I would be happy to oblige, using the search I found "packet capture" and set it up to interface LAN2, IP 192.168.102.103 (Tablet)
And will post it below
Quote from: cookiemonster on October 10, 2024, 10:04:00 PM
You are using Unbound, right ?
And do they (the apps) give some error or some indication of the problem?
Unbound, yes
with or without blocklist (AdWare, ...) doesn't change anything
The app asks for passphrase, then spins for about a minute and then drops saying: "Sorry, there was an issue processing your request, please try again later", kinda standard msg

Right, thanks for this.

5 sections seem right from the header: Interface   Timestamp  SRC   DST   output.
Do me a favour. Can you provide the capture in the download format. In other words, set it and when finished, provide the file instead of this pasted output. That way I can put it in wireshark and see more easily and quickly.
Interfaces: Diagnostics: Packet Capture (what you did).
Select the interface where the traffic is coming IN from the firewall's perspective, which is the network your client is on.
Select promiscuous. All other as any/ and defaults except the count. Set it to say 10000 just to ensure it won't run away.
Then start the capture, trigger what you want to test with the client attached to that network/interface, wait for it to do its thing, could then move to open a tab on browser for instance and navigate to a known place, say google.com, so we have a positive one to compare against on the same capture.
Then stop the capture, download the file (will be a compressed one possibly). Attach or send to me if you're more comfortable and I'll give it a check. If you want.



Will do, as soon as I get my GUI access back .. :/

Ha !
I've re-started the VPN, and now I have access to App2 !
Still not with App1 (gov.cnct), but it's going in the right direction (at least as user, not so much as admin)

So my VPN going through, that means, I suppose, the IPs the apps were trying to reach were blocked/denied by OPNsense, but I've tried without IDS/IPS on, and without Blocklist, so IDK what could have blocked these?

I imagine there are no blocks or they would still be failing. More likely to be some sort of routing problem.
Remember a VPN is another network, albeit one that is inside/alongside another depending on your point of view.
Why restarting it unclogged things? Dunno. Some connection became stale, gremlins, will prob never know.
What you do want to know as an admin is what your network routing setup is with those, i.e. their interactions.
I've mentioned it before, draw yourself a diagram and keep it updated. Easier for everyone when trying to convey a message.

My understanding is that the VPN is only 1 IP, so OPNsense only sees that one, and not those that are reached out from the VPN server, therefore invisible to OPNsense, which can't block them

A diagram? I guess that means much more detailed than just:
LAN1 192.168.101.101/24 => switch1 DHCP 192.168.101.116-122

But rather this, plus all the FW rules, the DNS, the redirection, the gremlins and goblins, the packet filter, blocklists, IDS/IPS,

I guess that would be a good exercise indeed, and not only for this forum, but also for my own little self to understand and have a clear picture of my gates.


Great. That diagram works.
So where is the VPN, an app installed on a device, which one?
I thought you meant the VPN was set as a VPN client on OPN to a provider like say Surfshark or even a rented vps. Can you elaborate?

p.s. you seem to have two IPs on the same network for the same device (NAS). That can cause problems, unrelated to these apps though.

Quote from: cookiemonster on October 12, 2024, 12:16:38 AM
Great. That diagram works.
So where is the VPN, an app installed on a device, which one?
I thought you meant the VPN was set as a VPN client on OPN to a provider like say Surfshark or even a rented vps. Can you elaborate?

p.s. you seem to have two IPs on the same network for the same device (NAS). That can cause problems, unrelated to these apps though.

VPN on all of them, except a bunch of IOT for which I will direct the Alias _IOT to Wireguard, but that's for later
My VPN account allows me ten devices, the 7th will be the OPNsense box to cover all of them

The two IPs go to the two network interfaces of the NASes, then managed internally, so to the router, it's two NASes, even if it's the same physical one

I did a full re-install, but neither app is connecting, so it is not an error on my side in whatever configuration I did before :-p

In case you missed it:
Quote from: Patrick M. Hausen on October 11, 2024, 12:58:03 AM
Quote from: MarieSophieSG on October 10, 2024, 11:43:12 PM
The NASes have two network interfaces,
NAS1 has 2x 2.5 GbE and NAS2 has 2x 1 GbE, with a failover (if one is down, or one is overloaded, traffic goes to the other)

Each independent from the other, so I can, if I want, connect 1 laptop to 192.168.101.111 as root, and 1 laptop to 192.168.101.112 as user

This is fundamentally impossible in networking. A system cannot have two interfaces in a single network. Period.
One possible cause of your problems.
As for the apps failing with their VPN app whilst in your network, back to packet capture for clues.

October 12, 2024, 06:56:15 PM #24 Last Edit: October 12, 2024, 09:05:08 PM by MarieSophieSG
As you mentioned Zenarmor, I went to see GitHub and their website, they claim they can filter by application ... isn't that what I would need, or is it way above my grade?

For now, since re-install, I have both apps connecting through VPN, but still not (neither) without VPN

Remainder of the msg moved to its rightful thread https://forum.opnsense.org/index.php?topic=43205.45

Quote from: MarieSophieSG on October 12, 2024, 06:56:15 PM
But *I am* connected to both interface ...

Then everything works as you intend it to do and we can close all the threads. Right?

The fact that you can plug two interfaces of one box into the same switch and have both get an IP address via DHCP does in no way confirm that this is in any way a supported topology in IP networking. It's not.

Read this article, please:
https://www.truenas.com/community/resources/multiple-network-interfaces-on-a-single-subnet.45/

If you think you know better than me, I am obviously in no position to help you.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

October 12, 2024, 08:29:27 PM #26 Last Edit: October 12, 2024, 09:05:41 PM by MarieSophieSG
Quote from: Patrick M. Hausen on October 12, 2024, 07:30:26 PM
Then everything works as you intend it to do and we can close all the threads. Right?
For this thread, about Android apps, yes-ish, after I get the box back up to running as expected, I will have a look at Zenarmor to investigate further what these two have so different from the others that they can't connect through OPNsense without a VPN

Remainder of the msg moved to its rightful thread https://forum.opnsense.org/index.php?topic=43205.45

I've installed Zenarmor
It doesn't say much about apps and such, at least not in the "free" version ...
So I guess I will wait for the next blockage to re-run some deeper tests