PF weird issues with android devices

[petru garstea]

Hi,

setup: OS FreeBSD 11.2 or head, firewall PF.

The internal network is behind PF-NAT and all the hosts access the internet with no issues, except for Android OS devices I notice tcp retransmission and dup and connection failures.

I tried to adjust PF scrubbing to not fragment packets with DF bit and interface`s MTU but these tuning didn't help.

Please note that these issues I see only on Android devices connected via wifi or ethernet.

Please advise

Regards

 

[SirDice]

I have multiple Android devices on my network at home. Never had a problem. I would suggest removing any and all "tweaks" and try it with a fairly simply and basic ruleset.

 

[petru garstea]

I removed all the tweaks but the result is the same

the network topology is ISP <--> switch L3 <--> RPI2(VLAN10)
LAN(VLAN20) is connected to switch L3


here is pf config file

tcp_services = "{}"
icmp_types = "echoreq"
private="{
          0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, \
          192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 192.168.0.0/16, 198.18.0.0/15, \
          198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32
}"

## OPTIONS
set block-policy drop
set fingerprints "/etc/pf.os"
set skip on {lo0, lan, wlan0}
set ruleset-optimization basic

## NORMALIZATION
scrub in all
#scrub in all no-df max-mss 1440 random-id fragment reassemble

## TRANSLATIONS
nat on wan from lan:network to any -> (wan)

## FILTERS
antispoof log quick for {mgmt, wan, lan}
block drop in quick on wan from $private to any
block drop out quick on wan from any to $private
block all
#block log all

pass out quick on wan

and rc.conf

ifconfig_ue0_name="mgmt"
vlans_mgmt="wan lan"
create_args_wan="vlan 10"
create_args_lan="vlan 20"
ifconfig_wan="DHCP"
ifconfig_lan="inet x.x.x.x/24"

pf_enable="YES"
pf_rules="/etc/pf.conf"
gateway_enable="YES"

 

[Chris_H]

OK I don't have an immediate answer. But if I were you. I'd comment block all, and uncomment block log all.
Because I'd better see what's being dropped, and why.

Just a thought.

--Chris

 

[petru garstea]

for some reasons ISP DHCP sets MTU to 576 on WAN interface, the following scrub setting currently solves the issue

scrub in all no-df random-id max-mss 520

to be continued..

 

[ralphbsz]

for some reasons ISP DHCP sets MTU to 576 on WAN interface

That's extremely weird. A MTU of ~500 on an Ethernet interface is ... insane in this day and age. You should research whether is some obvious and easy-to-fix problem.

 

[Chris_H]

I'd have to agree w/ ralphbsz . It sounds like your upstream connection is training up at half-duplex, or something. Something is definitely not right.

--Chris
EDIT
Just occurred to me. Induction. Do you have any other lines (cables) with voltage laying next to you NIC cable?
Just thought I'd mention it.

 

[petru garstea]

hi,

the problem has been solved by adding to dhcclient.conf

supersede interface-mtu 1500;

and now the maximum segment size is

Pinging 172.217.13.142 with 1272 bytes of data:
Reply from 172.217.13.142: bytes=64 (sent 1272) time=11ms TTL=54
Reply from 172.217.13.142: bytes=64 (sent 1272) time=12ms TTL=54
Reply from 172.217.13.142: bytes=64 (sent 1272) time=12ms TTL=54
Reply from 172.217.13.142: bytes=64 (sent 1272) time=11ms TTL=54

apparently interface-mtu was added in 11.2 - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206721
regards