Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#8036 closed defect (fixed)

ipad tcp stack issue exposes NAT issue

Reported by: anonymous
Owned by: developers
Priority: normal
Milestone: Backfire 10.03.1
Component: packages
Version: Trunk
Keywords: tcp NAT
Cc:

Description

Netflix on iPad stopped working after upgrading to 10.03-rc3. Although I upgraded a week ago and just now noticed that Netflix does not work (so may be unrelated).

I reset the iPad network stack per Google, but Netflix still does not work.

Running tcpdump on openwrt, I noticed that TCP reset packets are not getting NAT'ed in some scenarios.

root@OpenWrt1:~# tcpdump -n -i pppoe-wan net 192.168.0.0/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pppoe-wan, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

19:55:10.241156 IP 192.168.20.112.50573 > 204.236.233.175.443: Flags [R], seq 763130513, win 0, length 0
19:55:10.243160 IP 192.168.20.112.50573 > 204.236.233.175.443: Flags [R], seq 763130513, win 0, length 0
20:01:23.388957 IP 192.168.20.112.50607 > 204.236.233.125.443: Flags [R], seq 1127523406, win 0, length 0
20:01:23.389443 IP 192.168.20.112.50607 > 204.236.233.125.443: Flags [R], seq 1127523406, win 0, length 0
20:01:25.483185 IP 192.168.20.112.50614 > 204.236.233.125.443: Flags [R], seq 4143011772, win 0, length 0
20:01:25.483751 IP 192.168.20.112.50614 > 204.236.233.125.443: Flags [R], seq 4143011772, win 0, length 0
20:01:27.264387 IP 192.168.20.112.50615 > 204.236.233.125.443: Flags [R], seq 136328407, win 0, length 0
20:01:27.266877 IP 192.168.20.112.50615 > 204.236.233.125.443: Flags [R], seq 136328407, win 0, length 0

Seems like the iPad network stack is generating a packet that does not match the iptables/netfilter connection tracking, but seems openwrt should still NAT this packet.

I was also able to generate these packets using iPad safari browser and surfing a couple media streaming web sites. I could not generate these packets with my laptop using the same openwrt wifi.

Some info on my system (wrtsl54gs):

root@OpenWrt1:~# ifconfig wlan0
wlan0 Link encap:Ethernet HWaddr 00:10:18:90:20:DB
inet addr:192.168.20.1 Bcast:192.168.20.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:34529 errors:0 dropped:0 overruns:0 frame:0
TX packets:44279 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4332713 (4.1 MiB) TX bytes:51917648 (49.5 MiB)

root@OpenWrt1:~# ifconfig pppoe-wan
pppoe-wan Link encap:Point-to-Point Protocol
inet addr:75.47.112.98 P-t-P:151.164.182.8 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:3433932 errors:0 dropped:0 overruns:0 frame:0
TX packets:2277184 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:3463802838 (3.2 GiB) TX bytes:285868104 (272.6 MiB)

root@OpenWrt1:~# cat /etc/openwrt_release
DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="10.03"
DISTRIB_CODENAME="backfire"
DISTRIB_DESCRIPTION="OpenWrt Backfire 10.03.1-rc3"
DISTRIB_TARGET="brcm47xx"
DISTRIB_REVISION="r22796"
DISTRIB_OFFICIAL="1"

Change History (4)

comment:1 Changed 7 years ago by anonymous

It's due to Netflix. DNSMASQ is using rebind protection. It's unlikely Netflix will resolve it anytime soon. As a workaround, you can exclude that specific Netflix host in /etc/config/dhcp

config dnsmasq
	...
	option rebind_protection 1
	option rebind_localhost 0
	list rebind_domain ihost.netflix.com
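
Added example (not part of the ticket, and not OpenWrt or dnsmasq code): a simplified Python model of the decision the three options above control, showing why a reply of 127.0.0.1 for ihost.netflix.com is dropped by default and how the per-domain exemption is narrower than enabling rebind_localhost. The blocked address ranges and the suffix-matching rule are assumptions about dnsmasq's behaviour; the sample replies are constructed.

```python
import ipaddress

# Simplified model (an assumption, not dnsmasq source) of the ranges that
# rebind protection treats as "private" in an upstream answer.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
LOOPBACK_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]


def domain_exempt(name, rebind_domains):
    """True if name equals, or is a subdomain of, an exempted domain."""
    name = name.rstrip(".").lower()
    for dom in rebind_domains:
        dom = dom.strip("./").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def rebind_verdict(name, answers, rebind_protection=True,
                   rebind_localhost=False, rebind_domains=()):
    """Return ("pass", None) or ("drop", offending_address) for one reply."""
    if not rebind_protection or domain_exempt(name, rebind_domains):
        return ("pass", None)
    blocked = list(PRIVATE_NETS)
    if not rebind_localhost:      # loopback answers are allowed only on opt-in
        blocked += LOOPBACK_NETS
    for text in answers:
        addr = ipaddress.ip_address(text)
        if any(addr.version == net.version and addr in net for net in blocked):
            return ("drop", text)
    return ("pass", None)


# Constructed sample replies; only the ihost.netflix.com -> 127.0.0.1 mapping
# comes from the ticket, the other names and addresses are made up.
SAMPLES = [
    ("ihost.netflix.com", ["127.0.0.1"]),
    ("www.example.com", ["203.0.113.10"]),
    ("intranet.example.net", ["192.168.20.5"]),
]

if __name__ == "__main__":
    for cfg in ({}, {"rebind_domains": ["ihost.netflix.com"]},
                {"rebind_localhost": True}):
        print(cfg or "defaults")
        for name, answers in SAMPLES:
            print("   ", name, answers, rebind_verdict(name, answers, **cfg))
```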

comment:2 Changed 7 years ago by dirtyfreebooter <openwrt@…>

I swear at first, ihost.netflix.com didn't resolve to 127.0.0.1, but now it certainly does, so jow's fix in r23270 should do the trick nicely

comment:3 Changed 7 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed

see r23270

comment:4 Changed 7 years ago by anonymous

I applied changeset r23270. Issue resolved. Thanks.
