Specific app doesn't connect to its server when on my network, but does while off
-
@stephenw10 said in Specific app doesn't connect to its server when on my network, but does while off:
By default pfSense will use Unbound in resolving mode. It resolves directly and doesn't use the DNS servers passed by the ISP or those configured in General Setup except as a fall back. It also passes its own IP to DHCP clients to use for DNS.
Are you using pfSense for DHCP?
Do you have wifi clients on a separate VLAN? Do you have restrictive rules on that interface?
We have seen similar errors where apps or clients are hard coded to use some external DNS server and rules do not pass UDP port 53 except to the firewall itself for example.
Steve
Yes. I'm using DHCP for all LAN clients regardless of being Ethernet or WiFi. I use Ubiquiti APs throughout the house with the SSIDs mapped to my two tagged VLANs.
I don't have any restrictions on the WiFi network she was on other than to block access to the pfSense login. But, I will ask her to try the other SSID which has no firewall rules at all just to be sure. Guess I should have thought of that.
So it's possible this app is trying to resolve its own IP address and either the port or protocol isn't being passed through something in my network?
-
@stephenw10 said in Specific app doesn't connect to its server when on my network, but does while off:
Hmm, just to be clear this is the app syncing to the Oura cloud service?
Not syncing to the ring?
The ring is connecting to the iPhone via Bluetooth just fine. The Oura app on her iPhone isn't syncing to the Oura cloud, which I think is backed by Heads Up Health.
-
@scottlindner said in Specific app doesn't connect to its server when on my network, but does while off:
So it's possible this app is trying to resolve its own IP address and either the port or protocol isn't being passed through something in my network?
Yes, something like that. We have seen some odd quirks with apps that always try to use IPv6 if it appears available and never fall back. Or domains that require using DNS over TCP because the data they are sending is too large for a regular UDP query.
But, yeah, hardcoded DNS servers are disappointingly common. More so in IoT devices directly though.
Steve
-
@stephenw10 said in Specific app doesn't connect to its server when on my network, but does while off:
hardcoded DNS servers are disappointingly common
That is one way to put it ;) I would prob use harsher language ehheheh
Is it my device, and my network? Then use the F'ing dns I hand to you via dhcp, or tell you to use in your config..
If you want to check if dns or internet is available - then lookup a public fqdn via the dns I handed you, and try and ping it that would be fine.. But hard coding some DNS is not ok..
-
@stephenw10 said in Specific app doesn't connect to its server when on my network, but does while off:
@scottlindner said in Specific app doesn't connect to its server when on my network, but does while off:
Yes, something like that. We have seen some odd quirks with apps that always try to use IPv6 if it appears available and never fall back. Or domains that require using DNS over TCP because the data they are sending is too large for a regular UDP query.
Is there a solution to these cases that I can try? I don't use IPv6 in my home network because I don't care about it and frankly I never spent the time to adapt my "eyes" for looking at IPv6 addresses like I just know IPv4 addresses.
But, yeah, hardcoded DNS servers are disappointingly common. More so in IoT devices directly though.
That sorta makes sense. No.. no.. it doesn't make any sense at all. Lol
-
@scottlindner sync where to the cloud?
So this ring is a fitbit you wear on your finger right?
Doesn't it just sync its info to the phone via bluetooth. So the problem is your phone while on your wifi won't send this info on?
I would sniff (packet capture) on pfsense for the IP of your GF phone.. Look to where it's trying to go that doesn't get an answer, or what dns it's doing that doesn't get an answer, etc.
Or maybe it has to use IPv6, tell you almost 100% sure that your phone has IPv6 when it's on a cell connection.
-
The phone app also syncs data to the cloud and that's what's failing. Not the bluetooth to the ring part.
If it is using hard coded DNS and you are not allowing that for whatever reason you can still redirect it to pfSense:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
I think you will need to capture the failing traffic to know for sure what's happening.
Steve
-
@stephenw10 said in Specific app doesn't connect to its server when on my network, but does while off:
I think you will need to capture the failing traffic to know for sure what's happening.
Odd that the phone would use hard coded dns just for this one app, I wouldn't put it past some of these app makers..
But the only real way to figure out what is failing is to sniff so you can tell what it is, and then either allow that, or put in a work around for it, etc.
-
@stephenw10 said in Specific app doesn't connect to its server when on my network, but does while off:
I think you will need to capture the failing traffic to know for sure what's happening.
That is exactly what I think, but I don't have a clue how to set that up. I suppose I could create a separate VLAN and WiFi SSID just for her phone until I sort those out just so I have a good isolation to look at in the logs.
-
@scottlindner you don't need to do that, you can just set your packet capture to the IP of the phone. You could setup a reservation in your dhcp so the phone always gets the same IP.
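What johnpoz's capture on the phone's reserved IP looks like in practice, and how to read it for the three failure modes Steve named earlier (a hard-coded resolver that the rules block, queries that never get a reply, and an app that insists on IPv6): the script below is an added example, not code from anyone in this thread or from pfSense. It assumes a LAN interface named igb1, firewall LAN address 192.168.10.1 and a phone reservation of 192.168.10.50, and it parses a constructed tcpdump text capture embedded in the script so it runs offline; on the firewall you would feed it the output of the tcpdump line shown in the comment instead.

```shell
#!/bin/sh
# Added example for this thread, not code from the posters or from pfSense.
# Assumptions (constructed, not from the thread): LAN interface igb1,
# firewall LAN address 192.168.10.1, phone DHCP reservation 192.168.10.50.
#
# Live capture on pfSense (Diagnostics > Packet Capture does the same from the GUI):
#   tcpdump -nn -i igb1 host 192.168.10.50 and port 53
# The parsing below runs on a constructed capture in that output format.

FW_DNS="192.168.10.1"

# Constructed sample: one answered A query to the firewall, one A query to an
# external resolver that is retried and never answered, one AAAA query that
# gets an empty reply (0 answers, 1 authority record).
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.10.50.51234 > 192.168.10.1.53: 12345+ A? api.example.com. (33)
12:00:01.001000 IP 192.168.10.1.53 > 192.168.10.50.51234: 12345 1/0/0 A 203.0.113.10 (49)
12:00:02.000000 IP 192.168.10.50.51235 > 8.8.8.8.53: 12346+ A? cloud.example.com. (35)
12:00:07.000000 IP 192.168.10.50.51235 > 8.8.8.8.53: 12346+ A? cloud.example.com. (35)
12:00:12.000000 IP 192.168.10.50.51236 > 192.168.10.1.53: 12347+ AAAA? cloud.example.com. (37)
12:00:12.001000 IP 192.168.10.1.53 > 192.168.10.50.51236: 12347 0/1/0 (90)'

# Resolvers the client queried that are not the firewall: evidence of a
# hard-coded DNS server, which is what the DNS redirect recipe is for.
non_firewall_dns() {
    printf '%s\n' "$1" | awk -v fw="$FW_DNS" '
        $5 ~ /\.53:$/ {                 # query line: destination ends in ".53:"
            dst = $5; sub(/\.53:$/, "", dst)
            if (dst != fw) seen[dst] = 1
        }
        END { for (d in seen) print d }' | sort
}

# Queries (by transaction id) that never received a reply, with the name
# asked and the server it was sent to. Retries share an id, so they collapse.
unanswered_queries() {
    printf '%s\n' "$1" | awk '
        $5 ~ /\.53:$/ {                 # query line
            id = $6; sub(/[^0-9]+$/, "", id)   # strip the "+" (RD) flag
            name[id] = $8
            srv[id] = $5; sub(/\.53:$/, "", srv[id])
        }
        $3 ~ /\.53$/ {                  # reply line: source ends in ".53"
            id = $6; sub(/[^0-9]+$/, "", id)   # strip "*" / "|" flags if any
            answered[id] = 1
        }
        END { for (id in name) if (!(id in answered)) print id, name[id], srv[id] }' | sort
}

# Names the client asked AAAA records for: an app that insists on IPv6
# shows up here even on an IPv4-only LAN.
aaaa_lookups() {
    printf '%s\n' "$1" | awk '$5 ~ /\.53:$/ && $7 == "AAAA?" { print $8 }' | sort -u
}

main() {
    echo "Resolvers other than the firewall:"; non_firewall_dns "$SAMPLE_CAPTURE"
    echo "Unanswered queries (id name server):"; unanswered_queries "$SAMPLE_CAPTURE"
    echo "AAAA lookups:"; aaaa_lookups "$SAMPLE_CAPTURE"
}

main "$@"
```

On the firewall, replace SAMPLE_CAPTURE with the saved tcpdump text (or pipe the capture into the functions) and extend the `host` filter beyond port 53 once the DNS side is understood; an app that resolves fine but still fails will then show up as a TCP connection to a resolved address that never completes, which is the next thing to look for in the capture.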
-
@johnpoz said in Specific app doesn't connect to its server when on my network, but does while off:
@scottlindner you don't need to do that, you can just set your packet capture to the IP of the phone. You could setup a reservation in your dhcp so the phone always gets the same IP.
Ahhh.. I see it now. I'll do that the next time she is over. Thank you! I'll follow up here regardless. If I figure it out, I'll post what was wrong and the solution, and obviously if it doesn't make sense to me I'll be asking for more guidance.
Appreciate you guys!!