Ring and Eufy client behind pfSense
-
@johnpoz Sorry, he's just going to re-invite you again
-
@brtech killed all the apps, cleared my phones dns cache, setup sniffing - and then opened the app and nothing there ;) hehehe
-
@brtech Ok now the trick is trying to figure out if all ring related, or my phone doing other stuff. I closed all the apps.. Flushed the dns by toggle airplane mode.. and then back into airplane mode so it should of had to do all the dns stuff.
That is what I saw for dns queries and answers.
But there were some other protocols in use DTLS for example.. Which would make sense for streaming video..
Here is all the conversations I saw, the last biggest one has to be the few seconds of video..
I will keep this sniff, and we could compare it to one where we fail.. I could send it to you if you want it for your own comparison.. Just email me at the email address I gave you on where you want me to send it. its like 5MB..
-
@stephenw10 said in Ring and Eufy client behind pfSense:
Could it be an IPv6 issue?
While sure it could be, I don't have IPv6 enabled on my wifi networks.. While I agree its the future, its just too much trouble if you ask me - for zero benefit.. I been playing with it for like 12 years. And have a /48 from HE, and I do run it on a few machines. I feel I have a pretty good handle on it.. Setup a /32 with Arin, and setup all the routing for it for a work project..
But when it comes to day to day use, i just don't have any use for it... And I don't care how much our local ipv6 cheerleader wants to think its gods gift to man.. Like how Prometheus gave man fire when he stole it from the gods..
I personally just leave it off if not test/playing with something specific - I left it on awhile back on my pc.. And took me a bit to figure out why freaking tvmaze.com wasn't loading - A first thought, ok they are just down.. But then later when still down, like wtf.. DNS was fine, etc. bam soon as turned off ipv6 on my box - loaded instantly..
So yeah - sure could be ipv6 related, should be easy enough to just turn it off for a test, if they have it enabled.
-
@brtech saw your email - sent along my sniff.
-
This is a failed ring attempt from an android client (not sure how different it is between that and Apple).
I'm going to go through the pfBlockerNG alerts to see if there's anything blocked there at this time, then I need to capture if on the android client when it works.
-
@brtech
Here's the working one from Android.
-
@johnpoz Looks like we never get a good STUN response on the failing ones.
-
@johnpoz Ok, when I capture the WAN I can see the bind success messages, so something on my rules is dropping these, is there any quick way of finding out what rule this is?
-
@brtech and what are these rules? Do you have floating rules? Out of the box this works - so what rules have you put in place?
Are you doing vpn? Can you send me the sniff? The conversations list isn't a lot of help.
-
@johnpoz I'll email you the traces.
Problem is I've lots of rules for various things, pfBlockerNG, rules to allow traffic to and from internal systems, vendor access, so unraveling it is a bit of a mare!
My home firewall has the option to provide an ip, interface and port and it displays what will happen tot he packet, that's something that I think is missing from pfSense, as editing every drop rule and turning on logging is a bit of a pain, but if that's what I need to do I'll do it.
-
@brtech you mean like a test of the rules?
Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
If something is not allowed, then it would be logged by the default deny. if your putting in specific block rules, then no by default they wouldn't be logged unless you log that rule.
You shouldn't have any "return" rules - state allows return traffic. Could you send me picture of your rules.. Are you using pfblocker rules to allow it to auto block stuff?
Out of the box any any is default, so pfsense shouldn't be blocking your access to anything on the internet. If I could see your rules - maybe something obvious would jump out at me - are you policy routing traffic out a vpn? etc. Are you blocking large geopip ranges, or IPs in a list from pfblocker?
-
@johnpoz I've sent the rules, no policy routing, we are using pfblockerNG but I've just checked the alias lists on the WAN for 52.210 and nothing there as far as I can see.
-
@brtech first thing that jumps out at me is why are you block bogon on an internal interface?
That sort of rule should really never be on an internal interface.
Why are you natting internal traffic? You have rules that say nat to prod, etc.
Can you send your outbound nat rules and port forwards?
-
@johnpoz Just turned off the bogon on the WLAN, no idea why that was on!
-
@brtech so sniff you sent me has a 10.215 address - but in your outbound nat your not natting this address range.. How is to talk to public IPs?
You have your outbound nat in manual mode - and blocking bunch of stuff from natting..
-
@johnpoz The comments on the WLAN rules are wrong, it's just a pass rule, not a NAT, it's just to allow access to certain internal services for WLAN users,
-
@brtech Where is this 10.215.173.1 that is in the sniff with all the stun? That isn't going to be able to talk to the internet through pfsense - because pfsense has no outbound nat rule for this 10 network..
-
@johnpoz That's the packet capture software on android, it uses an internal vpn to collect the traffic, it just looks odd (the android device isn't routed so that's the way to achieve packet capture)
-
@brtech why are you sniffing on the device? Sniff on pfsense..
We are interested in packets that go through pfsense, there is no reason to sniff on the device.
the android device isn't routed so that's the way to achieve packet capture
How would it talk to the internet??? To stream ring video?