Netgate Discussion Forum

Google QUIC protocol issues

atxcoder (Feb 19, 2018, 3:42 AM)

    So I have seen here and there mentions of the QUIC protocol and people trying to block it. Since everyone in my family is on Google and uses an Android phone and the Chrome browser on their laptops, I was getting complaints about slow YouTube, QUIC error messages in Google Chrome, etc. I saw where QUIC uses ports 80 and 443, both over UDP, and even though I had a rule allowing it from any LAN source, it still had issues. The only workaround I have found so far is to block traffic over 80/443 UDP plus disable the QUIC protocol in Chrome via the chrome flags.

    The above Chrome flag fix worked on the laptops, but the issue still remains for things like the YouTube app on Android phones. Anyone had similar issues? Solutions? I would love to fix this at the firewall level and not have to fix a bunch of client devices.

    Gertjan (Feb 19, 2018, 7:06 AM)

      Hi,

      I had to look up what that actually is, QUIC..
      Is it comparable to SPDY, and if so, then https://blog.chromium.org/2015/02/hello-http2-goodbye-spdy.html
      http/2 is the future for every browser.

      pfSense handles TCP and UDP just fine, on every port. If something is blocking it for you, then it must be something upstream. Read the mentioned Wiki page - and point number https://www.ietf.org/proceedings/88/slides/slides-88-tsvarea-10.pdf : it appears "some users" have UDP connectivity problems.
      Possible, but be assured that doesn't come from pfSense.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      Harvy66 (Feb 19, 2018, 6:12 PM; edited Feb 19, 2018, 10:51 PM)

        QUIC is a layer 4/5 protocol that works around poor TCP implementations by streaming over UDP and handling congestion control itself. I assume BBR or something similar will replace this once TCP congestion control algorithms stabilize. A few main goals: reduce buffer bloat, don't be so sensitive to loss because wifi is lossy, be sensitive to congestion-based loss, quickly maximize bandwidth, packet pacing.

        HTTP2/SPDY are layer 7 protocols. One of the main benefits is asynchronous multiplexing over a single stream, which allows browsers to stop creating tons of connections due to head-of-queue blocking in HTTP1.1. Lots of TCP connections are bad. Not only do they eat up more resources, but they have a "thundering herd" problem due to the natural synchronization that occurs, and effectively a scaling factor on top of "slow start", making slow start less slow, resulting in larger bursts that over-congest links.

        foresthus (May 3, 2018, 4:55 PM)

          Hi,

          So what is the solution? When will pfSense be able to filter such connections (QUIC)?

          I hope soon.

          Harvy66 (May 3, 2018, 5:17 PM; edited May 6, 2018, 7:00 PM)

            Define "filter". pfSense itself does not care about above Layer 4. Some of the custom packages might.

            johnpoz (LAYER 8, Global Moderator) (May 6, 2018, 10:58 AM)

              "to block traffic over 80/443 UDP"

              Looks like you're already filtering it at the firewall to me..

              You might want to change that to a reject, so your clients will know right away that it's blocked and not have to wait for a timeout, etc.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

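The block-versus-reject distinction raised above, shown as a pf.conf fragment (an added example, not rules generated by pfSense or posted in this thread; the interface name `igb1` and the LAN subnet are assumed, and on pfSense the same effect is obtained in the GUI by choosing the rule action "Reject" instead of "Block"):

```pf
# Added example: LAN-side rules covering the UDP ports the thread identifies for QUIC.
# Interface and subnet are placeholders for a typical pfSense LAN.
lan_if     = "igb1"
lan_net    = "192.168.1.0/24"
quic_ports = "{ 80, 443 }"

# Weak setting: silently drop the packets. Clients get no feedback, so they
# sit through the QUIC handshake timeout before falling back to TCP/TLS.
# block drop in quick on $lan_if proto udp from $lan_net to any port $quic_ports

# Corrected setting: "return" makes pf answer UDP with an ICMP port-unreachable,
# so the client learns immediately that QUIC is not getting through and can
# fall back to TCP without waiting for a timeout.
block return in quick on $lan_if proto udp from $lan_net to any port $quic_ports

# The rest of the LAN's outbound traffic (including TCP 80/443) stays allowed.
pass in quick on $lan_if from $lan_net to any keep state
```

Check the effect from the firewall with `pfctl -sr` to confirm the rule is loaded as `block return`, and watch the firewall log for UDP 443 hits from the LAN to confirm clients are actually being told to fall back rather than silently dropped.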