Specific app doesn't connect to its server when on my network, but does while off
-
This one has me scratching my head. My girlfriend uses an Oura Ring with her iPhone, and when she is on my WiFi it won't sync, but when she flips off my WiFi it syncs fine. But everything else on her phone works fine while on my WiFi. I don't see anything in the pfSense logs to help me figure this out. My best theory is that it is some funky DNS issue specific to that company, but I don't know how to sort that out either. I don't have any crazy firewall rules other than some port forwarding. Any thoughts on where to look and how I might be able to isolate this?
-
Do you have any packages running? Snort, Suricata or pfBlockerNG could do that.
Have you tested that app on any other device?
Does it give you any sort of useful error output?
Steve
-
Those are good questions and my head kinda went to that sort of thing too. I have the following packages installed:
- Cron
- darkstat
- iperf
- Netgate_Firmware_Upgrade
- openvpn-client-export
- Status_Traffic_Totals
The only two that could possibly be related are darkstat and Status_Traffic_Totals. And I just don't see it being the case.
The only thing "special" about my pfSense configuration is that I have multiple VLANs for separation of traffic. The rest is all pretty basic config to get it working with the Internet and as your typical home network which is pretty boring.
I did have some public DNS servers configured, and I have been having a lot of DNS issues lately that have caused me to use cron to reboot pfSense every day, and some days I still have to restart sooner than that. I used to just restart DNS Resolver, but when that wasn't enough on a daily basis I just said eff it... let's reboot daily. But this whole thing has me wondering if the public DNS servers I was using might be partly to blame. So I removed those and am using just the DNS servers that my ISP assigns via DHCP. I was using: 8.8.4.4, 9.9.9.9, 8.8.8.8.
I'll ask her if there is a way for me to test her Oura Ring with one of my phones. I have a feeling that's a no go though.
As for errors, it just doesn't sync. It spins and spins. The instant she flips off my WiFi, boom, it syncs.
-
By default pfSense will use Unbound in resolving mode. It resolves directly and doesn't use the DNS servers passed by the ISP or those configured in General Setup except as a fallback. It also passes its own IP to DHCP clients to use for DNS.
Are you using pfSense for DHCP?
Do you have wifi clients on a separate VLAN? Do you have restrictive rules on that interface?
We have seen similar errors where apps or clients are hard coded to use some external DNS server and rules do not pass UDP port 53 except to the firewall itself for example.
Steve
-
Hmm, just to be clear this is the app syncing to the Oura cloud service?
Not syncing to the ring?
-
@stephenw10 said in Specific app doesn't connect to its server when on my network, but does while off:
By default pfSense will use Unbound in resolving mode. It resolves directly and doesn't use the DNS servers passed by the ISP or those configured in General Setup except as a fallback. It also passes its own IP to DHCP clients to use for DNS.
Are you using pfSense for DHCP?
Do you have wifi clients on a separate VLAN? Do you have restrictive rules on that interface?
We have seen similar errors where apps or clients are hard coded to use some external DNS server and rules do not pass UDP port 53 except to the firewall itself for example.
Steve
Yes. I'm using DHCP for all LAN clients regardless of being Ethernet or WiFi. I use Ubiquiti APs throughout the house with the SSIDs mapped to my two tagged VLANs.
I don't have any restrictions on the WiFi network she was on other than to block access to the pfSense login. But, I will ask her to try the other SSID which has no firewall rules at all just to be sure. Guess I should have thought of that.
So it's possible this app is trying to resolve its own IP address and either the port or protocol isn't being passed through something in my network?
-
@stephenw10 said in Specific app doesn't connect to its server when on my network, but does while off:
Hmm, just to be clear this is the app syncing to the Oura cloud service?
Not syncing to the ring?
The ring is connecting to the iPhone via Bluetooth just fine. The Oura app on her iPhone isn't syncing to the Oura cloud, which I think is backed by Heads Up Health.
-
@scottlindner said in Specific app doesn't connect to its server when on my network, but does while off:
So it's possible this app is trying to resolve its own IP address and either the port or protocol isn't being passed through something in my network?
Yes, something like that. We have seen some odd quirks with apps that always try to use IPv6 if it appears available and never fall back. Or domains that require using DNS over TCP because the data they are sending is too large for a regular UDP query.
But, yeah, hardcoded DNS servers are disappointingly common. More so in IoT devices directly though.
Steve
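A client-side check of the failure modes Steve describes in this post and in his earlier one (a hard-coded external resolver that the interface rules don't pass, and a name that needs DNS over TCP), as an added example: it is not part of any post here and is not pfSense or Oura code. Run from a laptop on the same SSID as the phone, it sends the same question over UDP and over TCP port 53 to the resolver pfSense hands out and to a public resolver, for A and AAAA records, and reports whether each path timed out (silently dropped, the usual signature of a block rule), was refused, or answered, flagging the TC bit that forces a client to retry over TCP. The resolver addresses (192.168.1.1 standing in for the pfSense LAN address, 8.8.8.8 as the kind of resolver an app might hard-code) and the name www.example.com are assumptions; substitute the firewall's real LAN address and a name taken from a capture of the app.

```python
"""Probe DNS the way a picky app might: UDP and TCP port 53, to the resolver
DHCP handed out and to a public one, for A and AAAA records.

Added example for this thread; not pfSense's, Unbound's or Oura's code.
Resolver addresses and the name used in __main__ are assumptions.
"""
import socket
import struct

QTYPES = {"A": 1, "AAAA": 28}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype, txid):
    """Minimal DNS query: header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)


def parse_header(data):
    """Decode the 12-byte header: enough to know whether this is a response,
    whether it was truncated (TC bit), the rcode and the answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def query(server, name, qtype, transport, timeout=2.0):
    """Send one query over 'udp' or 'tcp' and classify the outcome as a short
    string instead of raising: the point is to compare paths, not resolve."""
    txid = 0x4F75  # fixed for illustration; a real stub resolver randomizes it
    q = build_query(name, qtype, txid)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(q)) + q)  # TCP DNS is length-prefixed
                hdr = s.recv(2)
                if len(hdr) < 2:
                    return "tcp: connection closed before any response"
                (length,) = struct.unpack("!H", hdr)
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        return "tcp: response cut short"
                    data += chunk
    except socket.timeout:
        return f"{transport}: timeout (no reply at all: dropped by a rule?)"
    except ConnectionRefusedError:
        return f"{transport}: refused (nothing listening on 53)"
    except OSError as e:
        return f"{transport}: {e.strerror or e}"
    h = parse_header(data)
    if h["txid"] != txid or not h["is_response"]:
        return f"{transport}: unexpected packet"
    tc = ", TC set so a client must retry over TCP" if h["truncated"] else ""
    return f"{transport}: {h['rcode']}, {h['answers']} answer(s){tc}"


def probe(servers, name):
    """Matrix of resolver x transport x record type -> outcome string."""
    return {(srv, t, qt): query(srv, name, qt, t)
            for srv in servers for t in ("udp", "tcp") for qt in ("A", "AAAA")}


if __name__ == "__main__":
    # Assumed addresses: 192.168.1.1 for the pfSense LAN side, 8.8.8.8 as a
    # resolver an app might hard-code.  Replace with your own values.
    for key, status in sorted(probe(["192.168.1.1", "8.8.8.8"], "www.example.com").items()):
        print(*key, "->", status)
```

Reading the matrix: a normal reply from the firewall but a UDP timeout to the public resolver is the "hard-coded DNS not passed by the rules" pattern; UDP working to the firewall while TCP to it times out or is refused means TCP/53 is not being passed or answered; a TC flag on the UDP reply tells you the app has to fall back to TCP, so that TCP result matters. This only shows what a laptop on that SSID can do, not what the app actually asks for, so it complements rather than replaces a capture of the phone itself.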
-
@stephenw10 said in Specific app doesn't connect to its server when on my network, but does while off:
hardcoded DNS servers are disappointingly common
That is one way to put it ;) I would prob use harsher language ehheheh
Is it my device, and my network? Then use the F'ing dns I hand to you via dhcp, or tell you to use in your config..
If you want to check if DNS or internet is available, then look up a public FQDN via the DNS I handed you and try to ping it; that would be fine.. But hard coding some DNS is not ok..
-
@stephenw10 said in Specific app doesn't connect to its server when on my network, but does while off:
@scottlindner said in Specific app doesn't connect to its server when on my network, but does while off:
Yes, something like that. We have seen some odd quirks with apps that always try to use IPv6 if it appears available and never fall back. Or domains that require using DNS over TCP because the data they are sending is too large for a regular UDP query.
Is there a solution to these cases that I can try? I don't use IPv6 in my home network because I don't care about it and frankly I never spent the time to adapt my "eyes" to looking at IPv6 addresses the way I just know IPv4 addresses.
But, yeah, hardcoded DNS servers are disappointingly common. More so in IoT devices directly though.
That sorta makes sense. No.. no.. it doesn't make any sense at all. Lol
-
@scottlindner sync where, to the cloud?
So this ring is a fitbit you wear on your finger right?
Doesn't it just sync its info to the phone via bluetooth. So the problem is your phone while on your wifi won't send this info on?
I would sniff (packet capture) on pfSense for the IP of your GF's phone. Look at where it's trying to connect that doesn't get an answer, or what DNS it's doing that doesn't get an answer, etc.
Or maybe it has to use IPv6; I can tell you I'm almost 100% sure that your phone has IPv6 when it's on a cell connection.
-
The phone app also syncs data to the cloud and that's what's failing. Not the bluetooth to the ring part.
If it is using hard coded DNS and you are not allowing that for whatever reason you can still redirect it to pfSense:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
I think you will need to capture the failing traffic to know for sure what's happening.
Steve
-
@stephenw10 said in Specific app doesn't connect to its server when on my network, but does while off:
I think you will need to capture the failing traffic to know for sure what's happening.
Odd that the phone would use hard-coded DNS just for this one app, but I wouldn't put it past some of these app makers..
But the only real way to figure out what is failing is to sniff, so you can tell what it is, and then either allow that, or put in a workaround for it, etc.
-
@stephenw10 said in Specific app doesn't connect to its server when on my network, but does while off:
I think you will need to capture the failing traffic to know for sure what's happening.
That is exactly what I think, but I don't have a clue how to set that up. I suppose I could create a separate VLAN and WiFi SSID just for her phone until I sort those out just so I have a good isolation to look at in the logs.
-
@scottlindner you don't need to do that, you can just set your packet capture to the IP of the phone. You could set up a reservation in your DHCP so the phone always gets the same IP.
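What "look at what doesn't get an answer" turns into once the capture is filtered on the phone's IP, as an added example that is not from the thread, pfSense or Oura: a small parser over the text output of tcpdump (pfSense ships tcpdump; Diagnostics > Packet Capture in the GUI, or `tcpdump -nni <vlan-if> host <phone-ip>` from the shell, with -nn so ports print as numbers, which the patterns below expect). It pairs each DNS query the phone sends with its reply by client port and transaction ID, pairs each TCP SYN with its SYN-ACK, and lists what was retried and never answered, which is exactly the set of things to go looking for in the rules. The capture lines embedded in the block are constructed; the phone address 192.168.20.50, the firewall 192.168.20.1, the hostnames and the public addresses (documentation ranges) are assumptions, not values from the thread.

```python
"""Pair DNS queries and TCP SYNs in a tcpdump text capture to find what a
client sends that never gets answered.

Added example for this thread; not from the posts, pfSense or Oura.  Input is
tcpdump text produced with -nn (numeric ports), e.g. on pfSense:
    tcpdump -nni <vlan-if> host <phone-ip>
The sample capture below is constructed.  The phone 192.168.20.50, the
firewall 192.168.20.1, the hostnames and the public addresses are all
assumptions (documentation ranges), not values taken from the thread.
"""
import re
from collections import Counter

SAMPLE_CAPTURE = """\
12:00:01.000100 IP 192.168.20.50.52001 > 192.168.20.1.53: 41234+ A? app.example.net. (33)
12:00:01.000300 IP 192.168.20.1.53 > 192.168.20.50.52001: 41234 1/0/0 A 203.0.113.10 (49)
12:00:01.100000 IP 192.168.20.50.52002 > 8.8.8.8.53: 9001+ A? sync.example.net. (34)
12:00:01.100100 IP 192.168.20.50.52003 > 8.8.8.8.53: 9002+ AAAA? sync.example.net. (34)
12:00:02.000000 IP 192.168.20.50.60001 > 203.0.113.10.443: Flags [S], seq 100, win 65535, length 0
12:00:02.000400 IP 203.0.113.10.443 > 192.168.20.50.60001: Flags [S.], seq 7, ack 101, win 65535, length 0
12:00:03.000000 IP 192.168.20.50.52004 > 192.168.20.1.53: Flags [S], seq 200, win 65535, length 0
12:00:04.000000 IP 192.168.20.50.52004 > 192.168.20.1.53: Flags [S], seq 200, win 65535, length 0
12:00:06.100000 IP 192.168.20.50.52002 > 8.8.8.8.53: 9001+ A? sync.example.net. (34)
12:00:07.000000 IP 192.168.20.50.60002 > 198.51.100.7.443: Flags [S], seq 300, win 65535, length 0
12:00:08.000000 IP 192.168.20.50.60002 > 198.51.100.7.443: Flags [S], seq 300, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# tcpdump prints a query as "<id>[+] <TYPE>? <name>." and a reply as "<id>[flags] n/n/n ..."
DNS_QUERY_RE = re.compile(r"^(?P<txid>\d+)[+%$]*\s+(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)")
DNS_REPLY_RE = re.compile(r"^(?P<txid>\d+)\S*\s+")
TCP_FLAGS_RE = re.compile(r"^Flags \[(?P<flags>[^\]]*)\]")


def analyze(capture_text, client_ip):
    """Return ({(server, qtype, qname): attempts}, {(dst, port): attempts})
    for DNS queries and TCP connections from client_ip that got no reply.
    Retries share a key, so the count shows how hard the client tried."""
    dns_attempts, dns_answered, pending = Counter(), set(), {}
    syn_attempts, syn_answered = Counter(), set()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, ICMP, mDNS chatter: not part of the pairing
        src, sport, dst, dport, rest = m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["rest"]
        tcp = TCP_FLAGS_RE.match(rest)
        if tcp:
            if src == client_ip and tcp["flags"] == "S":
                syn_attempts[(dst, dport)] += 1
            elif dst == client_ip and tcp["flags"] == "S.":
                syn_answered.add((src, sport))
        elif src == client_ip and dport == 53 and (q := DNS_QUERY_RE.match(rest)):
            key = (dst, q["qtype"], q["qname"])
            dns_attempts[key] += 1
            pending[(sport, int(q["txid"]))] = key  # the reply comes back to this port/id
        elif dst == client_ip and sport == 53 and (r := DNS_REPLY_RE.match(rest)):
            key = pending.get((dport, int(r["txid"])))
            if key:
                dns_answered.add(key)
    return ({k: n for k, n in dns_attempts.items() if k not in dns_answered},
            {k: n for k, n in syn_attempts.items() if k not in syn_answered})


def explain(unanswered_dns, unanswered_tcp, firewall_ip):
    """Map the unanswered items onto the causes discussed in the thread."""
    hints = []
    for (server, qtype, qname), n in sorted(unanswered_dns.items()):
        where = ("the firewall resolver" if server == firewall_ip
                 else "an external resolver: hard-coded DNS the rules don't pass?")
        hints.append(f"{n}x {qtype} {qname} -> {server} unanswered ({where})")
    for (dst, port), n in sorted(unanswered_tcp.items()):
        why = "DNS over TCP not passed?" if port == 53 else "no SYN-ACK: blocked or unreachable"
        hints.append(f"{n}x TCP SYN -> {dst}:{port} unanswered ({why})")
    return hints


if __name__ == "__main__":
    dns, tcp = analyze(SAMPLE_CAPTURE, "192.168.20.50")
    for hint in explain(dns, tcp, "192.168.20.1"):
        print(hint)
```

On the constructed sample this reports the retried A and AAAA queries to 8.8.8.8 that never came back, the TCP/53 connection to the firewall that never completed, and one HTTPS SYN with no SYN-ACK, while the query answered by Unbound and the HTTPS connection that completed drop out. On a real capture run it over everything the phone does during a failed sync; anything that shows up is either a rule to add on that VLAN's interface, a candidate for the DNS redirect recipe linked above, or an address the app insists on that your network simply cannot reach.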
-
@johnpoz said in Specific app doesn't connect to its server when on my network, but does while off:
@scottlindner you don't need to do that, you can just set your packet capture to the IP of the phone. You could set up a reservation in your DHCP so the phone always gets the same IP.
Ahhh.. I see it now. I'll do that the next time she is over. Thank you! I'll follow up here regardless. If I figure it out, I'll post what was wrong and the solution, and obviously if it doesn't make sense to me I'll be asking for more guidance.
Appreciate you guys!!