
pixelserv-tls on external device


tweakertje

Occasional Visitor
Hi all
Is there a possibility to change the MAC address of pixelserv-tls so that it's not the MAC address of the router? This gives problems on banking apps.
If this is not possible: I have run pixelserv-tls on a Raspi for a few years to eliminate the issue, but after an update of Diversion it changed the IP address and I can't find how I did this anymore.


How can I change the pixelserv-tls IP without using it....


AX88U with last Merlin firmware and a lot of addons....
 
Are you sure this is a problem with the MAC address and not a problem with the IP address?
 
Are you sure this is a problem with the MAC address and not a problem with the IP address?
Yes, I'm quite sure. If I run it on a Pi it works (same version); when I enable it on the router, the Rabobank app fails to run, and the only difference is that the MAC address is different.
But now I can't change the IP address without running it on the router......
 
Yes, I'm quite sure. If I run it on a Pi it works (same version); when I enable it on the router, the Rabobank app fails to run, and the only difference is that the MAC address is different.
That's a fairly tenuous assumption. Do you have any error messages that indicate the MAC address is the problem?

But now I can't change the IP address without running it on the router......
What IP address are you referring to, the Pi? If so is the Pi configured as a DHCP client? Do you have a DHCP reservation for it set on the router?
 
I don't get any error messages, just that the app does not log in (white screen), and when I disable pixelserv it works.
Router 192.168.1.1
Router -> pixelserv 192.168.1.2 or 192.168.1.22
Raspi pixelserv 192.168.1.2 or 192.168.1.22
Tried both, but it's quite simple: pixelserv on a Pi works and pixelserv on the router gives problems.
I investigated the problem a few years ago but they said that it cannot be a router problem, but after a while I managed to get pixelserv working on a Pi and the problem never showed up anymore.
I can't find any other difference than the MAC address (if I could test pixelserv on the router with a virtual MAC that would be nice).

If I get the pixelserv IP to 192.168.1.22 without starting it on the router, it works again.......
The frustrating part is that nobody has this problem (or the Rabobank app) so they don't believe me, but it's really true...

Maybe the app does an arp-scan and finds 2 IPs on the gateway; maybe they find this a risk or so.
 
I can't find any other difference than the MAC address (if I could test pixelserv on the router with a virtual MAC that would be nice).
I'd imagine there are other differences if you look hard enough. The certificates would be the most obvious. Why would your app be using pixelserv-tls at all? It's effectively doing a man in the middle attack which presumably the banking app doesn't like?

Sorry, I don't understand IP address question.
 
I'd imagine there are other differences if you look hard enough. The certificates would be the most obvious. Why would your app be using pixelserv-tls at all? It's effectively doing a man in the middle attack which presumably the banking app doesn't like?

Sorry, I don't understand IP address question.
From what I understand, the pixelserv-tls instructions have the user piggybacking on the router's LAN interface, using aliasing to assign a separate network address within the same network range, e.g. 192.168.1.0/24 with a pixelserv-tls IP of 192.168.1.2. Both would use the MAC address of the interface. I am not seeing how they are determining a man in the middle attack here though, unless we are talking about the banking app being able to detect the "false" certificates pixelserv-tls is using. There is not much that can be done in this regard since they may be using sophisticated detection methods that are beyond simply looking at a requesting device's MAC address. The only thing advisable would be to ensure the banking app's domains are whitelisted (or allowlisted) so they bypass the pixelserv-tls block.
 
I am not seeing how they are determining a man in the middle attack here though, unless we are talking about the banking app being able to detect the "false" certificates pixelserv-tls is using.
That's exactly what I was thinking.

The only thing advisable would be to ensure the banking app's domains are whitelisted (or allowlisted) so they bypass the pixelserv-tls block.
My thinking also.

Are you thinking DNS rebind protection here?
No. I just couldn't follow what he was saying about the IP addresses being changed.
 
My thinking also.
I would also check those domains with tools like dig for granular inspection of other domains such as CNAMEs or other domains involved in the path of the request. Sometimes blocking those has been known to cause issues as well, especially in setups that lack a sophisticated checking mechanism for such.
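
The dig check suggested above, as an added example that is not part of the original post: it walks the CNAME chain in a `dig +noall +answer` result and reports every name in the chain that is also on the blocklist, since those are the names that would need allowlisting. The domain names, the sample dig answer and the hosts-style blocklist format are constructed assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `dig +noall +answer app.bank.example` output.
SAMPLE_DIG='app.bank.example.           300 IN CNAME app.cdn-vendor.example.
app.cdn-vendor.example.     60  IN CNAME edge7.metrics-host.example.
edge7.metrics-host.example. 60  IN A     203.0.113.10'

# Constructed hosts-style blocklist (assumed format: "<blocking IP> <domain>").
SAMPLE_BLOCKLIST='192.168.1.2 ads.tracker.example
192.168.1.2 edge7.metrics-host.example'

# chain_names ANSWER
# Print every name that appears in the answer section: each record's owner
# name plus each CNAME target, lowercased, trailing dot removed, de-duplicated.
chain_names() {
    printf '%s\n' "$1" | awk '
        NF >= 5 { n = tolower($1); sub(/\.$/, "", n); print n }
        $4 == "CNAME" { t = tolower($5); sub(/\.$/, "", t); print t }
    ' | sort -u
}

# blocked_in_chain ANSWER BLOCKLIST
# Print the chain names that are listed in the blocklist. An app can fail
# even when its main hostname is allowed, because a CNAME target further
# down the chain is still being redirected to the blocking IP.
blocked_in_chain() {
    chain_names "$1" | while IFS= read -r name; do
        if printf '%s\n' "$2" |
            awk -v n="$name" 'tolower($2) == n { found = 1 } END { exit !found }'
        then
            printf '%s\n' "$name"
        fi
    done
}

# Live use (needs network and a real blocklist file):
#   blocked_in_chain "$(dig +noall +answer NAME)" "$(cat BLOCKLIST_FILE)"
```

With the constructed data the main hostname is not blocked, but the last CNAME target is, which is the case that is easy to miss when allowlisting by hand.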
 
In what way can the certs make a difference? Those are from another IP. But what I mean with the IP address is: how can I change the blocking IP without activating pixelserv on the router,
so my blocking IP is 192.168.1.22 and pixelserv is not running?
If I disable pixelserv the blocking IP is 0.0.0.0; that should then be 192.168.1.22, for example.
If that's possible again, the problem has been solved for me.

By the way, for a colleague of mine the same problem persists, but he doesn't use pixelserv anymore because of this problem, so I'm not the only one.
 
In what way can the certs make a difference? Those are from another IP. But what I mean with the IP address is: how can I change the blocking IP without activating pixelserv on the router,
so my blocking IP is 192.168.1.22 and pixelserv is not running?
If I disable pixelserv the blocking IP is 0.0.0.0; that should then be 192.168.1.22, for example.
If that's possible again, the problem has been solved for me.

By the way, for a colleague of mine the same problem persists, but he doesn't use pixelserv anymore because of this problem, so I'm not the only one.
[Solution] allowlist the domains that are creating the problem for you to use your banking app. Apparently the whole issue is being created when pixelservtls tries to mimic certificates from one of those blocked domains. If you don't attempt to block the specific domain, then the issue will go away.
 
You would think. But apparently the banking application is now MAC address aware as well. Somehow giving pixelserv-tls a different MAC address will thwart the oppression of the mobile app refusing the Pixelserv-tls cert.
 
Hi all
Is there a possibility to change the MAC address of pixelserv-tls so that it's not the MAC address of the router? This gives problems on banking apps.
If this is not possible: I have run pixelserv-tls on a Raspi for a few years to eliminate the issue, but after an update of Diversion it changed the IP address and I can't find how I did this anymore.


How can I change the pixelserv-tls IP without using it....


AX88U with last Merlin firmware and a lot of addons....
You should check out Diversion's LAN blocking IP and change it to the correct IP your Raspi is on. You should also take care to make sure your Raspi has a static address on your network, using the WebUI manual assignment of addresses. However, this will not solve your problem if you are blocking domains used by the banking app. Your banking app will still give you problems until you whitelist all domains associated with its use.
 
You would think. But apparently the banking application is now MAC address aware as well. Somehow giving pixelserv-tls a different MAC address will thwart the oppression of the mobile app refusing the Pixelserv-tls cert.
If it's possible to change the blocking IP from 0.0.0.0 to my own IP, it solves it for me, but how can I do that?
 
It might help if you explain your pixelserv-tls setup. Are you using it through the Diversion addon? If so, IIRC there is a menu option inside the Diversion addon to specify a LAN blocking IP address. Simply modifying it there should solve your problem. However, if you are doing it with your own "custom" configuration instead of through the Diversion addon, then you need to say a little more about the scripts you are using to do so.

For more information on modifying diversion, take a look at this page


There is a really great FAQ with pictures and written instructions that will guide you in any Diversion endeavors.
 
Update:
Just did a test.
Stop pixelserv and not stopping the IP (192.168.1.2 responds to ping by router), no webserver (timeout):
the app keeps working.
Enable pixelserv on 192.168.1.2 and again it stopped working.
So there were 2 IP addresses on the router MAC and it did work.
It's getting more complicated...

really strange
 
It might help if you explain your pixelserv-tls setup. Are you using it through the Diversion addon? If so, IIRC there is a menu option inside the Diversion addon to specify a LAN blocking IP address. Simply modifying it there should solve your problem. However, if you are doing it with your own "custom" configuration instead of through the Diversion addon, then you need to say a little more about the scripts you are using to do so.

For more information on modifying diversion, take a look at this page


There is a really great FAQ with pictures and written instructions that will guide you in any Diversion endeavors.

Where can I find the menu for the manual blocking IP? I can't find it anymore.
 
Where can I find the menu for the manual blocking IP? I can't find it anymore.
That is why I sent you the link to Diversion's website. The information you need is all on there. Maybe if @thelonelycoder is available he might be able to pop by to help. As for me, I am away from my setup and have been for work. I have been communicating from my cellphone and laptop whenever I get time to use it.

I have tried to narrow it down for you. Check out this link please:


After reading that, you might want to read through the "use" tab and its sub-tabs.

Here is the link for that:


Somewhere in this guide under the USE tab, it specifies how to use different aspects such as the LAN blocking IP. If it is not there, then it is under Manual and its sub-tabs.

 