Netgate Discussion Forum

Weird Browser lock up

General pfSense Questions
  • J Offline
    JonathanLee
    last edited by Jun 27, 2024, 11:08 PM

    Hello fellow Netgate community members can you please help?

    I seem to be having an issue with Safari, where it starts to lock up after about 20 minutes of browsing on the This is with the proxy enabled or the proxy disabled. This is with the IPv6 HE tunnel enabled and IPv6 disabled. I have tried a different port. I have tried a different AP. I have also calculated the MTU and set MSS clamping to -40 from the MTU setting. All result in the same situation. Does anybody know what can cause this or how to resolve it?

    I am confused as to what causes this, as it acts as though it’s overloaded. I close the browser and reopen it and the issue's resolved, and the fan slows down. The way the system spins up, it acts like it’s mining bitcoin or RNA folding.

    Make sure to upvote

    • J Offline
      JonathanLee
      last edited by JonathanLee Jun 27, 2024, 11:09 PM Jun 27, 2024, 11:09 PM

      I even went the route of using a separate AP with no firewall settings and just passing it through and utilizing that connection for testing, and it still does the same exact thing: 20 minutes go by and the browser locks up. This is on an M1 Apple. The other products in the house do not do this.

      • J Offline
        JonathanLee
        last edited by Jun 27, 2024, 11:10 PM

        I originally thought it had to do with Squid, so I disabled it and removed Squid from the situation to isolate it, and it still had a browser lock up. At this point, I suspect that it has to do with the Apple software; however, I wanted to ask if anyone else has seen this or has pfSense installed and is utilizing an M1 Apple product.

        • S Offline
          stephenw10 Netgate Administrator
          last edited by Jun 27, 2024, 11:15 PM

          Mmm, from what you're saying it sounds like a Safari problem. Do you see it in other browsers on that client?

          • J Offline
            JonathanLee @stephenw10
            last edited by Jun 28, 2024, 12:39 AM

            @stephenw10 I got to check that. I had Chrome, I got to download it again, and/or Firefox, Mozilla, etc., Opera

            • J Online
              johnpoz LAYER 8 Global Moderator @JonathanLee
              last edited by johnpoz Jun 28, 2024, 1:28 AM Jun 28, 2024, 1:27 AM

              @JonathanLee not sure why you would think it has anything to do with your router/firewall..

              When you say lock up - what, it can't resolve stuff or open anything? Drop to cmd line, can you ping? Can you resolve via dns query - then 99.99999% it's not the router..

              Or does it lock - like tabs/menus are not responsive - that is a lock up to me, not that some page won't load.

              If you close/kill the browser does it then function?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

              • J Offline
                JonathanLee @johnpoz
                last edited by Jun 28, 2024, 4:20 AM

                @johnpoz This is what occurs: Safari stops responding, you open a new tab and nothing shows up, the computer fan goes crazy, it won't stop. You close Safari, the fan slows down and stops the high speed run, you reopen it and it works again. 10-20 mins later same thing, most often this occurs with Facebook reels only

                • J Offline
                  JonathanLee
                  last edited by Jun 28, 2024, 5:39 AM

                  It only does it in Safari. I found a weird process in Firefox when I ran it that is linked to Facebook and shows a URL with the word proxy in it that was pointing to Facebook's CDN. I think that might be causing the issues, but in Firefox it’s not an issue.

                  • J Offline
                    JonathanLee @johnpoz
                    last edited by Jul 8, 2024, 4:14 AM

                    @johnpoz It's QUIC ...

                    Facebook wants access to QUIC and locks up...

                    Check out my PCAP

                    QUIC.PNG

                    I don't want to allow UDP https3 to run as it will do whatever it wants. I wonder how to deal with this ....

                    • J Offline
                      JonathanLee
                      last edited by Jul 8, 2024, 4:22 AM

                      https://github.com/squid-cache/squid/pull/919

                      Squid is already working on this... This is gonna be bad for DNS based filters soon... Don't give up on Squid yet this may be the only option to keep URL filters working once QUIC starts to go a lot more mainstream

                      • S Offline
                        stephenw10 Netgate Administrator
                        last edited by Jul 8, 2024, 12:32 PM

                        So only Safari tries to use it? And then just ignores the ICMP reply?

                        I would expect it to just fall back to https(s).

                        • J Online
                          johnpoz LAYER 8 Global Moderator @stephenw10
                          last edited by Jul 8, 2024, 12:44 PM

                          Yup as @stephenw10 mentions that is a browser problem - if trying to do http or https over quic, ie UDP - and it doesn't work it should instantly fall back to using tcp.

                          • J Offline
                            JonathanLee @stephenw10
                            last edited by JonathanLee Jul 9, 2024, 7:26 AM Jul 9, 2024, 7:19 AM

                            @stephenw10 it takes some time before it settles down. They are really pushing the https3 on the M1 iMac, you can’t even disable it with Safari. I had to get Firefox to solve it. Yeah, it’s like all of a sudden it’s enabled. I am glad I looked at the pcap. You know that http3-DoH is coming soon too. That is gonna be some fun code to write for firewalls. Someone has a video on YouTube of setting up Wireshark to decode QUIC traffic and he got the GET requests out of it, there should be a way to make it secure

                            • J Offline
                              JonathanLee @johnpoz
                              last edited by Jul 9, 2024, 7:20 AM

                              @johnpoz yes it is, best temporary solution is to use Firefox

                              • S Offline
                                stephenw10 Netgate Administrator
                                last edited by stephenw10 Jul 10, 2024, 4:19 PM Jul 9, 2024, 3:50 PM

                                Can it be disabled as shown here?: https://developers.cloudflare.com/cloudflare-one/policies/gateway/http-policies/http3/

                                Still seems like a browser bug though because it should see the ICMP denied reply and fall back. Even if it can't be disabled from trying.

                                • J Offline
                                  JonathanLee @stephenw10
                                  last edited by Jul 10, 2024, 4:19 PM

                                  @stephenw10 thanks!!

                                  • J Offline
                                    JonathanLee @stephenw10
                                    last edited by JonathanLee Jul 10, 2024, 4:21 PM Jul 10, 2024, 4:20 PM

                                    @stephenw10 should I allow ping on Squid and on the firewall to fix the auto disable? On Squid I have pinger disabled and on the firewall no ICMP allowed for the iMac

                                    • S Offline
                                      stephenw10 Netgate Administrator
                                      last edited by Jul 10, 2024, 4:37 PM

                                      Where did you run the pcap above? It shows the icmp replies going back to the iMac already.

                                      • J Offline
                                        JonathanLee @stephenw10
                                        last edited by JonathanLee Jul 11, 2024, 3:14 AM Jul 11, 2024, 3:07 AM

                                        @stephenw10 I ran the pcap on pfSense.

                                        HTTP/3 is no longer experimental and is fully active in the iMac; it can no longer be disabled manually

                                        2017--> was still in development
                                        Screenshot 2024-07-10 at 20.05.52.png

                                        2021--> This was the background
                                        https://developer.apple.com/videos/play/wwdc2021/10094/?time=16

                                        2024--> Apple has fully activated this on Sonoma 14.5 and Safari 17.5; it has no option to disable like the link above has.

                                        It also has HTTP/3 DNS, let's call it DoH/3

                                        DoH/3 will cause issues with DNS based URL blocking as it is pure UDP over HTTP3

                                        This makes Squid ever more attractive for URL blocking as they are already working on having QUIC support

                                        unreal how fast that moved versus ipv6

                                        • J Offline
                                          JonathanLee @stephenw10
                                          last edited by Jul 11, 2024, 3:18 AM

                                          @stephenw10 It just cycles that for a while in the pcap file. It does it so long it is noticeable on the browsers. It also has taken over Firefox; it routes it with streams into https/3 also and attempted it anyway. Apple at its finest, that is impressive.. Edge also is getting forced as the iMac software data marshes the NIC and forces HTTPS/3. It will downgrade but it goes so slow like this now... I got to tell you it should disable and not keep doing this with every connection. New to me.. I sure like the nice Apple Development videos I found, they explain it all

                                          1 Reply Last reply Reply Quote 0
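The thread's pcap finding is a client that keeps starting QUIC connections to a blocked UDP/443 destination instead of settling on TCP. The following is an added example, not code from any poster or from pfSense or Squid, that counts distinct QUIC v1 connection attempts per client and destination. It assumes the UDP payloads have already been extracted from a capture into `(src, dst, dport, payload)` tuples; the function names, the threshold and the sample records are hypothetical.

```python
import struct

QUIC_V1 = 0x00000001  # version field value for QUIC v1 (RFC 9000)

def parse_quic_long_header(payload: bytes):
    """Return (version, packet_type, dcid, scid) for a QUIC long-header packet, else None."""
    if len(payload) < 7 or payload[0] & 0xC0 != 0xC0:
        return None  # needs long-header bit (0x80) and fixed bit (0x40)
    version = struct.unpack_from("!I", payload, 1)[0]
    pos = 5
    dcid_len = payload[pos]
    pos += 1
    if dcid_len > 20 or pos + dcid_len >= len(payload):
        return None  # v1 connection IDs are at most 20 bytes
    dcid = payload[pos:pos + dcid_len]
    pos += dcid_len
    scid_len = payload[pos]
    pos += 1
    if scid_len > 20 or pos + scid_len > len(payload):
        return None
    scid = payload[pos:pos + scid_len]
    return version, (payload[0] >> 4) & 0x03, dcid, scid

def quic_retry_report(records, threshold=3):
    """Map (src, dst) -> number of distinct QUIC v1 connection attempts, if >= threshold.

    A retransmitted Initial keeps its DCID; a fresh attempt picks a new one,
    so distinct DCIDs approximate how often the client started over.
    """
    attempts = {}
    for src, dst, dport, payload in records:
        hdr = parse_quic_long_header(payload) if dport == 443 else None
        if hdr is None:
            continue
        version, ptype, dcid, _scid = hdr
        # Client Initial (type 0) datagrams are padded to >= 1200 bytes in v1.
        if version == QUIC_V1 and ptype == 0 and len(payload) >= 1200:
            attempts.setdefault((src, dst), set()).add(dcid)
    return {flow: len(ids) for flow, ids in attempts.items() if len(ids) >= threshold}

def sample_initial(dcid: bytes) -> bytes:
    """Constructed client Initial: header fields only, zero padding instead of crypto."""
    hdr = bytes([0xC0]) + struct.pack("!I", QUIC_V1) + bytes([len(dcid)]) + dcid + b"\x00"
    return hdr.ljust(1200, b"\x00")

# Constructed records (documentation addresses), as if read from a capture.
CLIENT, CDN, OTHER = "192.0.2.10", "203.0.113.5", "198.51.100.7"
SAMPLE = [(CLIENT, CDN, 443, sample_initial(bytes([n]) * 8)) for n in (1, 2, 2, 3, 4)]
SAMPLE.append((CLIENT, OTHER, 443, sample_initial(b"\x09" * 8)))
SAMPLE.append((CLIENT, CDN, 443, b"\x17\x03\x03\x00\x10" + b"\x00" * 16))  # not QUIC

if __name__ == "__main__":
    print(quic_retry_report(SAMPLE))
```

A flow that shows up in the report is one where the client restarted QUIC several times; comparing its count against TCP/443 connections to the same destination shows whether fallback ever happened.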
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.