Question about NAT / Changing the User Agent

Hi All,

I am hoping to increase my security a bit by altering the user agent of packets flowing from my LAN to my WAN. I wasn’t able to find anything like this in the docs, yet it seems perhaps at one time there was this functionality, so perhaps it moved?

Thanks in advance for the assist!

You can probably do this in the mangle chain or similar (search for a hexstring and replace it with something else) but since most traffic nowadays is SSL/TLS (aka HTTPS) it will be a hard time for your VyOS to achieve this without implementing outgoing SSL-termination (not to mention CPU intensive since VyOS doesn't support offloading into ASIC/FPGA like PaloAlto Networks and similar firewalls do).

The proper solution to your needs is to modify the user-agent directly in the browser you are using.

Some browsers need an extension while others can change directly in its settings, here are some examples on how to do this:

Makes sense, I was hoping to have more control over my IoT type devices, yet I suppose it doesn’t matter too much. Appreciate the feedback!

I think for now traditional port and IP-address/range allow/block (along with GeoIP) is the way to go to deal with your IoT-devices (along with network segmentation like put each IoT-device on their own VLAN and such so once they get compromised they don't have carte blanche to the rest of your network).

The webproxy feature of VyOS uses Squid so that should be capable of doing SSL-termination but its configuration is not exposed in the VyOS config-mode as it seems (since you must be able to install which custom CA to be used to create the termination certificates on the fly etc, the same custom CA as your devices who will get their HTTPS traffic terminated must install as a trusted CA): Webproxy — VyOS 1.4.x (sagitta) documentation

I think best would be if you can file this as a feature request towards https://vyos.dev

Note however that doing SSL-termination is a CPU intensive task. Except for acting as a webproxy for each request the device must also:

  • Decrypt the incoming connection (from client).
  • Perform initial SSL-handshake towards destination (in order to fetch the true public cert that the destination presents).
  • Create a new temporary cert (unless already cached) based on the information fetched from above (start/end time for validity etc) and sign using this custom CA cert.
  • Use the above to return to the client to complete the SSL-handshake.
  • Fetch rest of the data from destination and decrypt it (in order to do url-filtering, url-category, logging etc the regular webproxy stuff).
  • If accepted encrypt this data using the temporary cert used for this connection and send to the client.

So all this decrypt and re-encrypt along with one SSL-handshake towards client and another towards server eats up CPU cycles fast. PaloAlto and most others have solved this with FPGA/ASICs doing the heavy lifting.

But having this said I still think it's a good option to implement in VyOS (unless it's not already there and I missed it through the docs). Especially when you don't have like thousands of devices concurrently bashing your internet connection at once then doing the SSL-termination should be fine with modern hardware.

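As an added illustration of the segmentation advice in the reply above (this is not configuration posted in the thread or taken from the VyOS docs), here is what "own VLAN plus port/IP allow/block with default drop" looks like in VyOS 1.4 (sagitta) syntax. The interface name eth1, VLAN id 20, the 192.168.20.0/24 subnet and the rule numbers are assumptions; GeoIP matching is left out.

```conf
# Added example, not from this thread or the VyOS documentation.
# VyOS 1.4 (sagitta) syntax; eth1, VLAN 20 and 192.168.20.0/24 are assumed values.

# 1. IoT devices get their own VLAN (eth1.20) instead of sitting on the main LAN
set interfaces ethernet eth1 vif 20 description 'IoT'
set interfaces ethernet eth1 vif 20 address '192.168.20.1/24'

# 2. Private ranges the IoT VLAN must never be allowed to reach
set firewall group network-group RFC1918 network '10.0.0.0/8'
set firewall group network-group RFC1918 network '172.16.0.0/12'
set firewall group network-group RFC1918 network '192.168.0.0/16'

# 3. Rule set: default drop (and log), then allow only what the devices need
set firewall ipv4 name IOT-OUT default-action 'drop'
set firewall ipv4 name IOT-OUT default-log
set firewall ipv4 name IOT-OUT rule 10 action 'accept'
set firewall ipv4 name IOT-OUT rule 10 state 'established'
set firewall ipv4 name IOT-OUT rule 10 state 'related'
# Block and log any attempt to reach the rest of the home network
set firewall ipv4 name IOT-OUT rule 20 action 'drop'
set firewall ipv4 name IOT-OUT rule 20 destination group network-group 'RFC1918'
set firewall ipv4 name IOT-OUT rule 20 log
# HTTPS and NTP to the internet are typically all an IoT device needs
set firewall ipv4 name IOT-OUT rule 30 action 'accept'
set firewall ipv4 name IOT-OUT rule 30 protocol 'tcp'
set firewall ipv4 name IOT-OUT rule 30 destination port '443'
set firewall ipv4 name IOT-OUT rule 40 action 'accept'
set firewall ipv4 name IOT-OUT rule 40 protocol 'udp'
set firewall ipv4 name IOT-OUT rule 40 destination port '123'

# 4. Apply the rule set to traffic forwarded from the IoT subnet
set firewall ipv4 forward filter rule 20 action 'jump'
set firewall ipv4 forward filter rule 20 jump-target 'IOT-OUT'
set firewall ipv4 forward filter rule 20 source address '192.168.20.0/24'
```

Paste only the `set` lines in configure mode, then `commit` and check with `show firewall ipv4 name IOT-OUT`. DNS from the devices to the router itself goes through the `input` chain, not `forward`, so it needs its own rule there. The logged default drops are the useful part: a device that suddenly starts knocking on 192.168.1.0/24 or on ports it never used before shows up in the log before it gets anywhere.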

I’ll definitely submit that to the queue. I like the idea of using ssl termination for my IoT subnet at least. My VyOS instance sits on a 96 thread virtual KVM host with a TB of RAM and dedicated 10gbe NICs passed through for its use exclusively. As long as it scales properly I don’t believe it’ll be an issue with regard to power. I also have processor AES, I suppose that’s good for this situation as well. My device count is currently 64.

Thanks for the detailed response, reassurance that I made a good choice in replacing PFSense.

All the best!

Keith
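Since the VyOS webproxy is Squid underneath (see the reply above) and Keith wants to try termination on the IoT subnet, here is what the six steps listed in that reply look like as a hand-written squid.conf. This is an added example, not the VyOS webproxy feature and not something VyOS config-mode exposes; it uses Squid 4/5 directive names, and the CA file paths, subnet and port numbers are assumptions.

```conf
# Added example squid.conf (Squid 4/5 directives), not from this thread or VyOS.
# Paths, 192.168.20.0/24 and the port numbers are assumed values.

# Transparent listeners: plain HTTP on 3129, HTTPS on 3130.
# tls-cert/tls-key is the local CA that signs the on-the-fly certificates;
# its public half must be installed as trusted on every device on the IoT VLAN.
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump \
    tls-cert=/etc/squid/ca/iot-proxy-ca.pem \
    tls-key=/etc/squid/ca/iot-proxy-ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=16MB

# Helper that creates and caches the temporary per-site certificates
# (step 3 in the list above: "create a new temporary cert unless already cached")
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 5

acl iot_net src 192.168.20.0/24
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Step 1: peek at the client hello (SNI) without terminating anything.
# Step 2: for the IoT subnet, stare at the real server certificate so the
#         generated one can copy its details; everything else is spliced through
#         untouched, so no CPU is spent on clients that are not being inspected.
# Step 3: bump (terminate, inspect, re-encrypt) the IoT connections.
ssl_bump peek step1
ssl_bump stare step2 iot_net
ssl_bump bump iot_net
ssl_bump splice all

# The original question in this thread, header rewriting, only works for traffic
# the proxy can actually see: plain HTTP and bumped HTTPS.
request_header_access User-Agent deny all
request_header_replace User-Agent Mozilla/5.0 (compatible; iot-proxy)

http_access allow iot_net
http_access deny all
access_log /var/log/squid/access.log squid
```

Before the first start the certificate cache has to be created once with `security_file_certgen -c -s /var/lib/squid/ssl_db -M 16MB`, and the router still needs a policy/NAT rule that redirects the VLAN's port 80 and 443 traffic to 3129/3130. Expect some devices to stop working: anything that pins its server certificate will refuse the generated one and show up in cache.log as a failed handshake, which is itself useful information about what the device is talking to.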

While waiting for this feature to show up (unless I missed if this already exists) a workaround can be to use opnsense instead of pfsense :wink:

https://docs.opnsense.org/manual/how-tos/proxytransparent.html

I never had much luck pushing 5 gig of internet through either of the forks, hence my move to VyOS, which does seem to handle it pretty well. Granted my current config is very simple, just basic NATs, so we’ll see as I add more functionality. I’m a little concerned as enabling flow exports brought it to its knees on bandwidth, yet I haven’t started that troubleshoot yet, I just disabled it for now.

Wondering if I should just move it to a dedicated bare metal host. I have an appliance sized 1U dual Xeon that works well as a firewall, yet it also adds a consistent 200 watts to my power bill. However it would be nice to keep internet when I reboot my virtual infrastructure, which is often in the lab. Pisses off the housemates.

I don’t want to over engineer and would prefer one border device if possible.

Or get an opnsense DEC750 box which should be sufficient for most needs and call it a day with typical power consumption of 15W? And it's fanless :slight_smile:

https://shop.opnsense.com/dec700-series-opnsense-desktop-security-appliance/

There are of course other options out there today as well.

https://www.youtube.com/@ServeTheHomeVideo/videos has evaluated some of them.

I’m concerned that if the overpowered box can’t push 5 gig that I’d be just as mucked if I brought down the power. Almost seems like I’d need ASICs to manage anything over a gig with my past experiences with CPU dependant firewalls. Maybe I’ll try it on bare metal and find that it’s the additional virtual layer…? I don’t believe even the $2K Netgate appliances can push 5 gig, however, so I don’t have a ton of hope. Considering the dedicated NICs, however, one less layer is one less potential headache.

I was looking at the Netgate software router as an option as well, yet since I’m a systems guy and not so much network, I’m not sure how it would help. I understand it can route faster, by skipping the kernel, yet that doesn’t seem to help with firewalling to me. I’m not doing any intensive routing, however, people seem to be employing it somehow to make the software firewall devices push more traffic. This seems odd to me as you’re still pushing your traffic through the firewall as well, I suppose I’m just not grasping the idea.

Also the MikroTik CFW is somewhat on my radar for ease of config, yet I am a bit concerned about the nature of that product as a whole.

Dunno, thoughts? This was a bit easier before my ISP bumped me from 1 to 5 gig, yet not complaining, of course as my price stayed the same, about a hundred a month.

I do love a good challenge, it’s what has kept me in the industry, honestly. A tenacious nature has kept me going for the past 25 years. :wink:

Keith

I think both the opnsense hardware with opnsense or VyOS will work just fine.

You have the metrics they have tested their software with when it comes to each hardware model.

Other options are as you mentioned Mikrotik and they too provide performance numbers on their site for each model.

