Amazon Kindle 3 Blocked by pfSense
-
Attach a full packet capture of all the traffic to/from the Kindle when it happens.
-
CMB,
Here is a full packet capture (hope I did this right) that was taken while trying to sync to Amazon.
22:56:48.320523 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.108, length 46
22:56:48.320589 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.1 is-at 00:1b:21:2d:ea:a4, length 28
22:56:53.026687 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 64, id 10432, offset 0, flags [DF], proto UDP (17), length 74) 192.168.1.108.52720 > 192.168.1.1.53: [udp sum ok] 11855+ A? dogvgb9ujhybx.cloudfront.net. (46)
22:56:53.038182 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 216: (tos 0x0, ttl 64, id 1760, offset 0, flags [none], proto UDP (17), length 202) 192.168.1.1.53 > 192.168.1.108.52720: [udp sum ok] 11855 q: A? dogvgb9ujhybx.cloudfront.net. 8/0/0 dogvgb9ujhybx.cloudfront.net. A 216.137.45.123, dogvgb9ujhybx.cloudfront.net. A 216.137.45.242, dogvgb9ujhybx.cloudfront.net. A 216.137.45.118, dogvgb9ujhybx.cloudfront.net. A 216.137.45.29, dogvgb9ujhybx.cloudfront.net. A 216.137.45.35, dogvgb9ujhybx.cloudfront.net. A 216.137.45.161, dogvgb9ujhybx.cloudfront.net. A 216.137.45.101, dogvgb9ujhybx.cloudfront.net. A 216.137.45.181 (174)
22:56:58.400733 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 30977, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.1.108.48930 > 72.21.214.129.443: Flags [.], cksum 0x7b89 (correct), seq 3120133706:3120135166, ack 2182726147, win 455, length 1460
22:56:58.613152 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 242, id 30178, offset 0, flags [DF], proto TCP (6), length 40) 72.21.194.2.443 > 192.168.1.108.59167: Flags [R.], cksum 0x005d (correct), seq 3270780324, ack 1057533559, win 9300, length 0
22:57:09.960727 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 64, id 12126, offset 0, flags [DF], proto UDP (17), length 74) 192.168.1.108.33339 > 192.168.1.1.53: [udp sum ok] 6974+ A? dogvgb9ujhybx.cloudfront.net. (46)
22:57:09.961921 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 216: (tos 0x0, ttl 64, id 39617, offset 0, flags [none], proto UDP (17), length 202) 192.168.1.1.53 > 192.168.1.108.33339: [udp sum ok] 6974 q: A? dogvgb9ujhybx.cloudfront.net. 8/0/0 dogvgb9ujhybx.cloudfront.net. A 216.137.45.181, dogvgb9ujhybx.cloudfront.net. A 216.137.45.101, dogvgb9ujhybx.cloudfront.net. A 216.137.45.161, dogvgb9ujhybx.cloudfront.net. A 216.137.45.35, dogvgb9ujhybx.cloudfront.net. A 216.137.45.29, dogvgb9ujhybx.cloudfront.net. A 216.137.45.118, dogvgb9ujhybx.cloudfront.net. A 216.137.45.242, dogvgb9ujhybx.cloudfront.net. A 216.137.45.123 (174)
22:57:10.237323 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 12153, offset 0, flags [DF], proto UDP (17), length 64) 192.168.1.108.33761 > 192.168.1.1.53: [udp sum ok] 55696+ A? cde-g7g.amazon.com. (36)
22:57:10.277034 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 64, id 31649, offset 0, flags [none], proto UDP (17), length 80) 192.168.1.1.53 > 192.168.1.108.33761: [udp sum ok] 55696 q: A? cde-g7g.amazon.com. 1/0/0 cde-g7g.amazon.com. A 72.21.211.177 (52)
22:57:10.283178 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 64224, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.108.46357 > 72.21.211.177.443: Flags [S], cksum 0x8fe2 (correct), seq 126408094, win 5840, options [mss 1460,sackOK,TS val 12158 ecr 0,nop,wscale 4], length 0
22:57:10.318318 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 191: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 177) 192.168.1.108.51070 > 184.73.176.177.49317: [udp sum ok] UDP, length 149
22:57:10.365646 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 242, id 64256, offset 0, flags [DF], proto TCP (6), length 48) 72.21.211.177.443 > 192.168.1.108.46357: Flags [S.], cksum 0x934e (correct), seq 2140135257, ack 126408095, win 8190, options [mss 1460,nop,wscale 6], length 0
22:57:10.428481 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 64225, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xdda9 (correct), seq 1, ack 1, win 365, length 0
22:57:10.637855 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 171: (tos 0x0, ttl 64, id 64226, offset 0, flags [DF], proto TCP (6), length 157) 192.168.1.108.46357 > 72.21.211.177.443: Flags [P.], cksum 0xe58c (correct), seq 1:118, ack 1, win 365, length 117
22:57:10.720445 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 769: (tos 0x0, ttl 242, id 59453, offset 0, flags [DF], proto TCP (6), length 755) 72.21.211.177.443 > 192.168.1.108.46357: Flags [P.], cksum 0xe465 (correct), seq 1:716, ack 118, win 553, length 715
22:57:10.723165 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 64227, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xda0f (correct), seq 118, ack 716, win 455, length 0
22:57:10.780258 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64228, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
22:57:10.788138 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 254: (tos 0x0, ttl 64, id 64229, offset 0, flags [DF], proto TCP (6), length 240) 192.168.1.108.46357 > 72.21.211.177.443: Flags [P.], cksum 0x49a9 (correct), seq 1578:1778, ack 716, win 455, length 200
22:57:10.898686 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 242, id 61326, offset 0, flags [DF], proto TCP (6), length 40) 72.21.211.177.443 > 192.168.1.108.46357: Flags [.], cksum 0xd9ad (correct), seq 716, ack 118, win 553, length 0
22:57:11.068338 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64230, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
22:57:11.652272 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64231, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
22:57:12.811964 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64232, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
22:57:13.671998 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 64, id 12497, offset 0, flags [DF], proto UDP (17), length 74) 192.168.1.108.57643 > 192.168.1.1.53: [udp sum ok] 27981+ A? dogvgb9ujhybx.cloudfront.net. (46)
22:57:13.673183 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 216: (tos 0x0, ttl 64, id 4084, offset 0, flags [none], proto UDP (17), length 202) 192.168.1.1.53 > 192.168.1.108.57643: [udp sum ok] 27981 q: A? dogvgb9ujhybx.cloudfront.net. 8/0/0 dogvgb9ujhybx.cloudfront.net. A 216.137.45.123, dogvgb9ujhybx.cloudfront.net. A 216.137.45.181, dogvgb9ujhybx.cloudfront.net. A 216.137.45.101, dogvgb9ujhybx.cloudfront.net. A 216.137.45.161, dogvgb9ujhybx.cloudfront.net. A 216.137.45.35, dogvgb9ujhybx.cloudfront.net. A 216.137.45.29, dogvgb9ujhybx.cloudfront.net. A 216.137.45.118, dogvgb9ujhybx.cloudfront.net. A 216.137.45.242 (174)
22:57:15.129777 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64233, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
22:57:19.771727 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64234, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
22:57:29.049686 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64235, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
22:57:34.046411 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.108, length 46
22:57:34.046458 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.1 is-at 00:1b:21:2d:ea:a4, length 28
22:57:37.316661 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 191: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 177) 192.168.1.108.51070 > 184.73.176.177.49317: [udp sum ok] UDP, length 149
22:57:44.810744 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 64, id 15611, offset 0, flags [DF], proto UDP (17), length 74) 192.168.1.108.38555 > 192.168.1.1.53: [udp sum ok] 34146+ A? dogvgb9ujhybx.cloudfront.net. (46)
22:57:44.811954 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 216: (tos 0x0, ttl 64, id 30332, offset 0, flags [none], proto UDP (17), length 202) 192.168.1.1.53 > 192.168.1.108.38555: [udp sum ok] 34146 q: A? dogvgb9ujhybx.cloudfront.net. 8/0/0 dogvgb9ujhybx.cloudfront.net. A 216.137.45.242, dogvgb9ujhybx.cloudfront.net. A 216.137.45.123, dogvgb9ujhybx.cloudfront.net. A 216.137.45.181, dogvgb9ujhybx.cloudfront.net. A 216.137.45.101, dogvgb9ujhybx.cloudfront.net. A 216.137.45.161, dogvgb9ujhybx.cloudfront.net. A 216.137.45.35, dogvgb9ujhybx.cloudfront.net. A 216.137.45.29, dogvgb9ujhybx.cloudfront.net. A 216.137.45.118 (174)
22:57:47.610635 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64236, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
22:58:04.317681 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 191: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 177) 192.168.1.108.51070 > 184.73.176.177.49317: [udp sum ok] UDP, length 149
22:58:09.317189 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.108, length 46
22:58:09.317234 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.1 is-at 00:1b:21:2d:ea:a4, length 28
22:58:10.079750 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 30978, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.1.108.48930 > 72.21.214.129.443: Flags [.], cksum 0x7b89 (correct), seq 0:1460, ack 1, win 455, length 1460
-
The whole pcap file, not just the text output. If you do it via Diag>Packet Capture, you can click the "Download" button after you're finished and it'll give you the pcap. You may not be able to attach that here; you can email it to me (cmb at pfsense dot org) with a link to this thread so I know what it's referencing.
-
CMB,
I emailed the packetcapture.cap file to you as requested. While the capture was running I tried several times to get the Kindle to Sync. I also rebooted the Kindle and then tried to sync again.
Regards,
Chad
-
What version of the Kindle OS? Prior to 3.0.3, there is an issue if your DNS server is in the same subnet as the Kindle but not located on the default gateway. In this situation the Kindle sends the packets to the default gateway instead of the correct DNS server, then displays a relatively useless error message.
If this describes your network, either upgrade to 3.0.3 pre-release from http://www.amazon.com/gp/help/customer/display.html/?nodeId=200529700 (installable via USB cable), or hardcode a wifi IP, the appropriate default gateway and either your pfSense box (if you run DNS forwarder) or 8.8.8.8 (Google DNS) as a DNS server.
-
What version of the Kindle OS? Prior to 3.0.3, there is an issue if your DNS server is in the same subnet as the Kindle but not located on the default gateway. In this situation the Kindle sends the packets to the default gateway instead of the correct DNS server, then displays a relatively useless error message. If this describes your network, either upgrade to 3.0.3 pre-release from http://www.amazon.com/gp/help/customer/display.html/?nodeId=200529700 (installable via USB cable), or hardcode a wifi IP, the appropriate default gateway and either your pfSense box (if you run DNS forwarder) or 8.8.8.8 (Google DNS) as a DNS server.
Thanks for the reply. The first thing I did when trying to troubleshoot this was update the Kindles to version 3.0.3.
I just tried hardcoding the network information on the Kindle and using the Google DNS server. No luck.
Default pfSense 2.0 setup - Kindle can browse store but cannot sync or download books on WiFi.
Default pfSense 1.2.3 setup - Kindle works fine.
-
In that case I don't have much else to suggest. We've got a couple Kindle 3s on 3.0.3 here, initially on pfSense 1.2.3 and now on 2.0-BETA4 (Built On: Thu Dec 23 13:17:58 EST 2010), both work fine.
My device is wifi-only so there's no possibility of a 3G failover or anything else happening, things "just work".
-
@The:
In that case I don't have much else to suggest. We've got a couple Kindle 3s on 3.0.3 here, initially on pfSense 1.2.3 and now on 2.0-BETA4 (Built On: Thu Dec 23 13:17:58 EST 2010), both work fine.
My device is wifi-only so there's no possibility of a 3G failover or anything else happening, things "just work".
Mine are both wifi + 3G… But they don't fail over; I have to turn wifi off in order to download books with 2.0. Since yours are working I had better clean install the latest 2.0 and try again...
Thanks again and Merry Christmas, Happy New Year
-
I just got a Kindle 3 wifi for Christmas and it too works fine with 2.0.
-
I just got a Kindle 3 wifi for Christmas and it too works fine with 2.0.
Are you able to actually download books over wifi? I can browse the store and buy them, but the download just sits forever at "pending"… On pfSense 1.2.3 the download would authenticate and occur instantly.
-
I tested delivering a book sent via email, and also downloading a new book (although it was already purchased and downloaded to another Kindle on our account, but had never been downloaded to my Kindle yet)
So at least in my case, yes, downloading books works as does synchronizing (to update my place across devices)
-
Working fine here - of course I don't have the 3G Kindle, so that is one less variable…
-
I emailed the packetcapture.cap file to you as requested. While the capture was running I tried several times to get the Kindle to Sync. I also rebooted the Kindle and then tried to sync again.
From the packet capture, I can see packet loss but no indications as to where that's occurring. The Kindle is retransmitting several times and not getting any response. Repeat that capture on the WAN instead, and minimize any other Internet traffic as you can't easily filter that down to just the Kindle's traffic, and send me that pcap.
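The retransmission pattern described in the reply above can be pulled out of tcpdump text output with a short script. This is an added example, not part of the original post: the sample lines are abridged from the text capture posted earlier in the thread, and the function name and report fields are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Abridged from the text capture posted earlier in this thread: Ethernet/IP
# header fields and checksums dropped; timestamps, flows, seq/ack/length kept.
SAMPLE = """\
22:57:10.637855 192.168.1.108.46357 > 72.21.211.177.443: Flags [P.], seq 1:118, ack 1, win 365, length 117
22:57:10.720445 72.21.211.177.443 > 192.168.1.108.46357: Flags [P.], seq 1:716, ack 118, win 553, length 715
22:57:10.780258 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
22:57:10.788138 192.168.1.108.46357 > 72.21.211.177.443: Flags [P.], seq 1578:1778, ack 716, win 455, length 200
22:57:10.898686 72.21.211.177.443 > 192.168.1.108.46357: Flags [.], seq 716, ack 118, win 553, length 0
22:57:11.068338 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
22:57:11.652272 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
22:57:12.811964 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
22:57:15.129777 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
22:57:19.771727 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
"""

ADDR = r"\d+\.\d+\.\d+\.\d+\.\d+"  # tcpdump prints IPv4 endpoints as a.b.c.d.port
PKT = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?(?P<src>{ADDR}) > (?P<dst>{ADDR}): Flags \[[^\]]*\]"
    r".*?seq (?P<seq>\d+)(?::\d+)?, ack (?P<ack>\d+).*?length (?P<len>\d+)$")

def find_retransmissions(text):
    sends = defaultdict(list)  # (src, dst, first seq, payload len) -> send times
    acked = defaultdict(int)   # (acker, peer) -> highest ack number the acker sent
    for line in text.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue           # ARP, DNS/UDP, a SYN without ack, or unparseable
        src, dst = m["src"], m["dst"]
        acked[(src, dst)] = max(acked[(src, dst)], int(m["ack"]))
        if int(m["len"]) > 0:  # bare ACKs carry no data to retransmit
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            sends[(src, dst, int(m["seq"]), int(m["len"]))].append(ts)
    report = []
    for (src, dst, seq, length), times in sends.items():
        if len(times) > 1:     # same segment seen more than once on the wire
            gaps = [round((b - a).total_seconds(), 2) for a, b in zip(times, times[1:])]
            report.append({"flow": f"{src} > {dst}", "seq": seq, "length": length,
                           "sends": len(times), "gaps_s": gaps,
                           "peer_acked": acked[(dst, src)] > seq})
    return report

if __name__ == "__main__":
    for r in find_retransmissions(SAMPLE):
        print(r)
```

On this abridged sample the only repeated segment is the 1460-byte one at seq 118, sent six times with roughly doubling gaps while the highest ACK from the server stays at 118.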
-
@cmb:
From the packet capture, I can see packet loss but no indications as to where that's occurring. The Kindle is retransmitting several times and not getting any response. Repeat that capture on the WAN instead, and minimize any other Internet traffic as you can't easily filter that down to just the Kindle's traffic, and send me that pcap.
CMB - I am a little new to all of this. Would I set the IP to capture as the gateway address (i.e. 192.168.1.1) or my actual public IP address supplied by the ISP?
Thanks,
-
Public side would be your WAN interface, AKA yes, the real IP assigned by your ISP to your WAN on the pfSense box. Need to see if pfSense is sending those packets out to Amazon's server.