Results 1 to 8 of 8
  1. #1
    Newbie
    Join Date
    Feb 2020
    Posts
    9

    Default Adblocker not working

    Having Adblocker for a few years now, and it started to work irregular, for e.g. blocking issues with specific sites. Not sure what to do? Does anyone has the same experience? Recently my friend was talking about this NordVPN app, and as he mentioned it's an alternative to avoid annoying ads. However, not planning to go for something new, just want to fix Adblocker's issue. So any help would be greatly appreciated.

  2. #2
    Newbie
    Join Date
    Jul 2019
    Posts
    2

    Default

    Same, I don't see any hits at all. Neither in V14 or V15, I have been using NGFW Home Pro, never having any results?

  3. #3
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,135

    Default

    I have seen a few people report this sort of experience but I've seen no clear explanations for it. I don't yet have v15 installed but I've had no issues across two installations of v14 (and earlier). I like the cookie filtering most.

    My only thought is that using SSL inspector may make a difference, though I've never tested that idea. There are more robust client-side ad blocking solutions. One that seems attractive is uBlock Origin.

  4. #4
    Untangler
    Join Date
    Mar 2020
    Posts
    38

    Default

    I just went through this, here's what I learned. You definitely need SSL inspector running, which means you also need to install the Untangle root certificate on the computers that you want to filter. A few years ago most connections were not encrypted, they were just strait http on port 80, any man in the middle such as Ad Blocker could look inside. Now almost all connections are encrypted, https on port 443. The whole purpose of encrypted connections is to keep 3rd parties from seeing what's inside, so Ad Blocker cannot look inside encrypted connections directly. SSL Inspector will decrypt the connection so that Ad Blocker can look inside. But SSL Inspector only works if your computers have the Untangle root certificate installed, so that the computers trust the Untangle. I'm over simplifying a bit, but the point is (1) enable SSL Inspector, and (2) Install the Untangle root certificate on your machines, and Ad Blocker will work.

    Side note; some apps, such as youtube on android, use what's called certificate pinning, where you cannot install a new root certificate. In short this means that enabling SSL Inspector on the Untangle will break youtube for any android phones that are connected through the Untangle. I don't know if apple phones have the same issue or not. So if you want youtube on android phones to work over your wifi while SSL Inspector is enabled, you need to add rules to SSL Inspector to ignore the phones. It's easy, just another step. It can be argued that certificate pinning has some security benefits, but I personally think they're (Google) doing it specifically to prevent things such as ad blocking from working, to protect their revenue stream from ads.
    jcoehoorn likes this.

  5. #5
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,135

    Default

    Quote Originally Posted by MattFL2 View Post
    Side note; some apps, such as youtube on android, use what's called certificate pinning, where you cannot install a new root certificate. In short this means that enabling SSL Inspector on the Untangle will break youtube for any android phones that are connected through the Untangle. I don't know if apple phones have the same issue or not. So if you want youtube on android phones to work over your wifi while SSL Inspector is enabled, you need to add rules to SSL Inspector to ignore the phones. It's easy, just another step. It can be argued that certificate pinning has some security benefits, but I personally think they're (Google) doing it specifically to prevent things such as ad blocking from working, to protect their revenue stream from ads.
    Alternatively, you can use racks. That allows you to customize an instance of SSL Inspector to a device's needs without effectively disabling SSL inspection for that device altogether.

    And as a compete alternative to Ad Blocker, there is Web Filter's ad category (or categories) and SNI capability. I like the granularity of Ad Blocker (I can easily allow ads without affecting other filtering) but for those interested in Untangle's perimeter advantage yet not the whole Ad Blocker approach, Web Filter is an effective alternative.

  6. #6
    Untangler
    Join Date
    Mar 2020
    Posts
    38

    Default

    Can you please expand a bit on racks? I would love to keep SSL inspector enabled for the phones, and the caveat of ignoring youtube connections is fine, but so far I've been unable to create an effective rule in SSL Inspector. Using mac address to identify my phone, if I ignore everything then youtube works fine. If I try ignoring only connections that are identified in some way to be youtube, youtube is still broken. I've tried every combination I can think of using SNI Host Name and Certificate Subject to ignore youtube specific connections, but no luck. I copied an example below. Please elaborate on racks, I would love to get SSL Inspector working for the phones but without breaking youtube.

    temp2.jpg

  7. #7
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,135

    Default

    Sure. First of all, "racks" is something of an Untangle legacy term for Policy Manager policies. One of the very cool things about Untangle is the ability to create a policy with its own set of apps, and apps cascade in that a specific policy's apps replace the apps installed in the Default Policy. Any policy that does not contain an app included in the Default Policy uses the Default Policy's instance of that app.

    So I have the same sort of situation you do. My wife uses Facebook apps on her iPhone, and SSL Inspector breaks whatever apps those are. But I don't want to uncheck SSL Inspector's default Facebook rule network wide and I don't want to bypass her phone at any level. My solution is to use Policy Manager to create a specific policy that handles her phone.

    The first step is to identify her phone. In my case, her phone has a static IP address and her name as a username (manually assigned).

    The next step is to create a policy that has a single app installed, SSL Inspector. I uncheck that instance of SSL Inspector's default Facebook rule.

    The last step is to create a Policy Manager rule that in my case looks at usernames and directs any device under the target username to my created policy.

    The result is that her iPhone is treated just like any other device on the network with the single exception of the change to SSL Inspector's default Facebook rule. Her apps work and I'm content to allow the exception without losing any other Untangle oversight.

    Let me know if I've just confused things.
    Last edited by Sam Graf; 04-07-2020 at 08:57 AM.

  8. #8
    Untangler
    Join Date
    Mar 2020
    Posts
    38

    Default

    I understand what you're saying. For the one specific case I described above, trying to ignore youtube connections for devices with a specific mac address, I'm not sure how using a policy to apply that rule vs. putting it in the general stack of rules would make a difference? Mostly I'm trying to debug why my rule (screen shot in my previous post) doesn't seem to work, and would applying something different through a policy resolve the issue.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

SEO by vBSEO 3.6.0 PL2