Amazon Kindle 3 Blocked by pfSense



  • Hi,

    I just purchased a couple of Kindles for my wife and me.  It appears my pfSense 2.0-BETA4 (i386) built on Fri Nov 19 22:35:43 EST 2010 is blocking the secured connection between the Kindles and Amazon's server.  In the Firewall log the reason for blocking is @1 scrub in on em0 all fragment reassemble and @1 block drop in log all label "Default deny rule".

    The Kindles are on the LAN network with everything else I have.  I do not understand why they are being blocked.  Shouldn't the default allow LAN to any rule allow the traffic out?

    Any help is appreciated.

    Thanks,
    Chad



  • Just an update and another question.

    I tried a clean install of the latest 2.0 snapshot.  The Kindle still cannot authenticate with Amazon.

    I tried my stock Netgear WNDR3700 firmware, which is OpenWrt based, and the Kindle works fine.

    I tried Smoothwall Polar and the Kindle works fine.

    I really prefer pfSense to Smoothwall and would like to use it, but I need our Kindles to be able to use the network.  Is there something inherently different in the way FreeBSD works compared to Linux that could likely cause the problem?

    Would using pfSense 1.2.3 likely solve the problem or am I stuck with Linux based solutions?

    Thanks,
    Chad



  • Ok - I remembered that I could boot pfsense 1.2.3 off the live CD and give it a try.

    The kindle connects fine through pfsense 1.2.3.

    Not sure what was causing the problem with 2.0.

    Chad



  • @cwagz:

    Would using pfSense 1.2.3 likely solve the problem or am I stuck with Linux based solutions?

    I find it pretty hard to say without more information about the problem. For example I understand the Kindles can come with WiFi and/or 3G. Presumably you are referring to a Kindle using WiFi. Is the WiFi encrypted? What is the Access Point (if any)? Does the Kindle get an IP address from the Access Point? Does it get a ping response from pfSense? Is there anything unexpected in the firewall logs? etc.



  • @wallabybob:

    I find it pretty hard to say without more information about the problem. For example I understand the Kindles can come with WiFi and/or 3G. Presumably you are referring to a Kindle using WiFi. Is the WiFi encrypted? What is the Access Point (if any)? Does the Kindle get an IP address from the Access Point? Does it get a ping response from pfSense? Is there anything unexpected in the firewall logs? etc.

    The Kindle was in WiFi mode.
    WiFi is through a Netgear WNDR3700 with WPA2-AES
    Kindle receives IP from pfSense 2.0 through AP
    Kindle can surf the net and the store over WiFi on pfSense 2.0
    Kindle cannot authenticate with Amazon to download a book or synchronize
    Saw some port 443 traffic being blocked in the firewall logs as I mentioned above.  I put PASS rules in for these but still no dice.

    Installed latest 2.0 from CD - Same Issue
    Setup WNDR3700 as Router / Firewall and took pfSense offline - Worked fine without any changes to the WiFi settings
    Setup Smoothwall and placed WNDR3700 back as AP with same WiFi settings - Worked fine
    Setup pfSense 1.2.3 from CD - Works fine with same WiFi setup…

    I am up and running on pfSense 1.2.3 now and all is well - faster than Smoothwall it seems to me and the Kindles are still able to authenticate with Amazon - No rules were needed either.

    I am at a loss as to what could have caused the Kindle / Amazon connection issue with 2.0 but hope the information will help the developers.

    Chad



  • Any more ideas on this?  I recently went back to the latest snapshot (2.0-BETA4 (i386) built on Sat Dec 18 19:57:37 EST 2010) and the Kindle still cannot sync with Amazon's server.

    Here is a packet capture from when I try to sync and download a book…

    01:08:10.901850 IP 192.168.1.108.59198 > 192.168.1.1.53: UDP, length 46
    01:08:10.912628 IP 192.168.1.1.53 > 192.168.1.108.59198: UDP, length 174
    01:08:12.693613 IP 192.168.1.108.47943 > 72.21.214.129.443: tcp 1460
    01:08:13.322822 IP 192.168.1.108.58909 > 184.73.176.177.49317: UDP, length 149
    01:08:31.254680 IP 192.168.1.108.47943 > 72.21.214.129.443: tcp 1460
    01:08:39.527061 IP 192.168.1.108.33724 > 192.168.1.1.53: UDP, length 46
    01:08:39.528214 IP 192.168.1.1.53 > 192.168.1.108.33724: UDP, length 174
    01:08:40.323604 IP 192.168.1.108.58909 > 184.73.176.177.49317: UDP, length 149
    01:08:40.330963 IP 192.168.1.108.34993 > 192.168.1.1.53: UDP, length 32
    01:08:40.340013 IP 192.168.1.1.53 > 192.168.1.108.34993: UDP, length 48
    01:08:40.342450 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:40.424851 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 0
    01:08:40.426033 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:40.444787 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 55
    01:08:40.527573 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 1460
    01:08:40.527749 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 1460
    01:08:40.527841 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 34
    01:08:40.529469 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:40.530344 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:40.530446 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:40.688627 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 139
    01:08:40.698640 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 6
    01:08:40.705879 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 53
    01:08:40.769812 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 0
    01:08:40.779822 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 0
    01:08:40.787415 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 0
    01:08:40.787521 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 59
    01:08:40.796327 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:40.823939 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 485
    01:08:40.831188 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 357
    01:08:40.904846 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 0
    01:08:40.912428 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 0
    01:08:43.377543 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 997
    01:08:43.377702 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.377786 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 1460
    01:08:43.377881 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 497
    01:08:43.377960 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.378033 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.378110 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 1460
    01:08:43.378191 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 785
    01:08:43.379876 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.384819 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.384904 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 1460
    01:08:43.384987 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 33
    01:08:43.385062 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.385137 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.385219 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 1460
    01:08:43.385309 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 1460
    01:08:43.387619 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 1277
    01:08:43.387717 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.387797 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.533284 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.543260 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.544741 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.547378 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.550619 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.552506 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.552985 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.553236 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.554736 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.554984 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.555235 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.555326 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.555483 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.615044 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 1460
    01:08:43.615135 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 1460
    01:08:43.615227 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 29
    01:08:43.615302 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.615374 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.621445 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.623197 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.623443 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.623531 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.623816 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.627511 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 1460
    01:08:43.627597 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 401
    01:08:43.627675 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.627750 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.627829 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 1301
    01:08:43.627909 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.627986 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.628061 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.628147 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.628222 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 37
    01:08:43.629440 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.630564 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.630690 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.631689 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.631940 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.632051 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.632435 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.632939 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.633566 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.634312 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:43.637517 IP 72.21.211.176.443 > 192.168.1.108.39306: tcp 1460
    01:08:43.671936 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:59.243002 IP 192.168.1.108.39306 > 72.21.211.176.443: tcp 0
    01:08:59.250363 IP 192.168.1.108.47943 > 72.21.214.129.443: tcp 0
    01:08:59.392158 IP 192.168.1.108.68 > 192.168.1.1.67: UDP, length 548
    01:09:11.071332 IP 192.168.1.1.67 > 192.168.1.108.68: UDP, length 302
    

    The Kindle works fine without any changes with pfSense 1.2.3.  Let me know what I can do to help troubleshoot this issue as it may affect more than just the Kindle.

    Thanks…



  • Attach a full packet capture of all the traffic to/from the Kindle when it happens.



  • CMB,

    Here is a full packet capture (hope I did this right) that was taken while trying to sync to Amazon.

    
    22:56:48.320523 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.108, length 46
    22:56:48.320589 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.1 is-at 00:1b:21:2d:ea:a4, length 28
    22:56:53.026687 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 64, id 10432, offset 0, flags [DF], proto UDP (17), length 74)
        192.168.1.108.52720 > 192.168.1.1.53: [udp sum ok] 11855+ A? dogvgb9ujhybx.cloudfront.net. (46)
    22:56:53.038182 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 216: (tos 0x0, ttl 64, id 1760, offset 0, flags [none], proto UDP (17), length 202)
        192.168.1.1.53 > 192.168.1.108.52720: [udp sum ok] 11855 q: A? dogvgb9ujhybx.cloudfront.net. 8/0/0 dogvgb9ujhybx.cloudfront.net. A 216.137.45.123, dogvgb9ujhybx.cloudfront.net. A 216.137.45.242, dogvgb9ujhybx.cloudfront.net. A 216.137.45.118, dogvgb9ujhybx.cloudfront.net. A 216.137.45.29, dogvgb9ujhybx.cloudfront.net. A 216.137.45.35, dogvgb9ujhybx.cloudfront.net. A 216.137.45.161, dogvgb9ujhybx.cloudfront.net. A 216.137.45.101, dogvgb9ujhybx.cloudfront.net. A 216.137.45.181 (174)
    22:56:58.400733 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 30977, offset 0, flags [DF], proto TCP (6), length 1500)
        192.168.1.108.48930 > 72.21.214.129.443: Flags [.], cksum 0x7b89 (correct), seq 3120133706:3120135166, ack 2182726147, win 455, length 1460
    22:56:58.613152 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 242, id 30178, offset 0, flags [DF], proto TCP (6), length 40)
        72.21.194.2.443 > 192.168.1.108.59167: Flags [R.], cksum 0x005d (correct), seq 3270780324, ack 1057533559, win 9300, length 0
    22:57:09.960727 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 64, id 12126, offset 0, flags [DF], proto UDP (17), length 74)
        192.168.1.108.33339 > 192.168.1.1.53: [udp sum ok] 6974+ A? dogvgb9ujhybx.cloudfront.net. (46)
    22:57:09.961921 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 216: (tos 0x0, ttl 64, id 39617, offset 0, flags [none], proto UDP (17), length 202)
        192.168.1.1.53 > 192.168.1.108.33339: [udp sum ok] 6974 q: A? dogvgb9ujhybx.cloudfront.net. 8/0/0 dogvgb9ujhybx.cloudfront.net. A 216.137.45.181, dogvgb9ujhybx.cloudfront.net. A 216.137.45.101, dogvgb9ujhybx.cloudfront.net. A 216.137.45.161, dogvgb9ujhybx.cloudfront.net. A 216.137.45.35, dogvgb9ujhybx.cloudfront.net. A 216.137.45.29, dogvgb9ujhybx.cloudfront.net. A 216.137.45.118, dogvgb9ujhybx.cloudfront.net. A 216.137.45.242, dogvgb9ujhybx.cloudfront.net. A 216.137.45.123 (174)
    22:57:10.237323 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 12153, offset 0, flags [DF], proto UDP (17), length 64)
        192.168.1.108.33761 > 192.168.1.1.53: [udp sum ok] 55696+ A? cde-g7g.amazon.com. (36)
    22:57:10.277034 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 64, id 31649, offset 0, flags [none], proto UDP (17), length 80)
        192.168.1.1.53 > 192.168.1.108.33761: [udp sum ok] 55696 q: A? cde-g7g.amazon.com. 1/0/0 cde-g7g.amazon.com. A 72.21.211.177 (52)
    22:57:10.283178 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 64224, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.108.46357 > 72.21.211.177.443: Flags [S], cksum 0x8fe2 (correct), seq 126408094, win 5840, options [mss 1460,sackOK,TS val 12158 ecr 0,nop,wscale 4], length 0
    22:57:10.318318 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 191: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 177)
        192.168.1.108.51070 > 184.73.176.177.49317: [udp sum ok] UDP, length 149
    22:57:10.365646 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 242, id 64256, offset 0, flags [DF], proto TCP (6), length 48)
        72.21.211.177.443 > 192.168.1.108.46357: Flags [S.], cksum 0x934e (correct), seq 2140135257, ack 126408095, win 8190, options [mss 1460,nop,wscale 6], length 0
    22:57:10.428481 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 64225, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xdda9 (correct), seq 1, ack 1, win 365, length 0
    22:57:10.637855 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 171: (tos 0x0, ttl 64, id 64226, offset 0, flags [DF], proto TCP (6), length 157)
        192.168.1.108.46357 > 72.21.211.177.443: Flags [P.], cksum 0xe58c (correct), seq 1:118, ack 1, win 365, length 117
    22:57:10.720445 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 769: (tos 0x0, ttl 242, id 59453, offset 0, flags [DF], proto TCP (6), length 755)
        72.21.211.177.443 > 192.168.1.108.46357: Flags [P.], cksum 0xe465 (correct), seq 1:716, ack 118, win 553, length 715
    22:57:10.723165 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 64227, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xda0f (correct), seq 118, ack 716, win 455, length 0
    22:57:10.780258 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64228, offset 0, flags [DF], proto TCP (6), length 1500)
        192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
    22:57:10.788138 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 254: (tos 0x0, ttl 64, id 64229, offset 0, flags [DF], proto TCP (6), length 240)
        192.168.1.108.46357 > 72.21.211.177.443: Flags [P.], cksum 0x49a9 (correct), seq 1578:1778, ack 716, win 455, length 200
    22:57:10.898686 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 242, id 61326, offset 0, flags [DF], proto TCP (6), length 40)
        72.21.211.177.443 > 192.168.1.108.46357: Flags [.], cksum 0xd9ad (correct), seq 716, ack 118, win 553, length 0
    22:57:11.068338 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64230, offset 0, flags [DF], proto TCP (6), length 1500)
        192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
    22:57:11.652272 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64231, offset 0, flags [DF], proto TCP (6), length 1500)
        192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
    22:57:12.811964 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64232, offset 0, flags [DF], proto TCP (6), length 1500)
        192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
    22:57:13.671998 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 64, id 12497, offset 0, flags [DF], proto UDP (17), length 74)
        192.168.1.108.57643 > 192.168.1.1.53: [udp sum ok] 27981+ A? dogvgb9ujhybx.cloudfront.net. (46)
    22:57:13.673183 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 216: (tos 0x0, ttl 64, id 4084, offset 0, flags [none], proto UDP (17), length 202)
        192.168.1.1.53 > 192.168.1.108.57643: [udp sum ok] 27981 q: A? dogvgb9ujhybx.cloudfront.net. 8/0/0 dogvgb9ujhybx.cloudfront.net. A 216.137.45.123, dogvgb9ujhybx.cloudfront.net. A 216.137.45.181, dogvgb9ujhybx.cloudfront.net. A 216.137.45.101, dogvgb9ujhybx.cloudfront.net. A 216.137.45.161, dogvgb9ujhybx.cloudfront.net. A 216.137.45.35, dogvgb9ujhybx.cloudfront.net. A 216.137.45.29, dogvgb9ujhybx.cloudfront.net. A 216.137.45.118, dogvgb9ujhybx.cloudfront.net. A 216.137.45.242 (174)
    22:57:15.129777 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64233, offset 0, flags [DF], proto TCP (6), length 1500)
        192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
    22:57:19.771727 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64234, offset 0, flags [DF], proto TCP (6), length 1500)
        192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
    22:57:29.049686 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64235, offset 0, flags [DF], proto TCP (6), length 1500)
        192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
    22:57:34.046411 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.108, length 46
    22:57:34.046458 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.1 is-at 00:1b:21:2d:ea:a4, length 28
    22:57:37.316661 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 191: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 177)
        192.168.1.108.51070 > 184.73.176.177.49317: [udp sum ok] UDP, length 149
    22:57:44.810744 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 64, id 15611, offset 0, flags [DF], proto UDP (17), length 74)
        192.168.1.108.38555 > 192.168.1.1.53: [udp sum ok] 34146+ A? dogvgb9ujhybx.cloudfront.net. (46)
    22:57:44.811954 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype IPv4 (0x0800), length 216: (tos 0x0, ttl 64, id 30332, offset 0, flags [none], proto UDP (17), length 202)
        192.168.1.1.53 > 192.168.1.108.38555: [udp sum ok] 34146 q: A? dogvgb9ujhybx.cloudfront.net. 8/0/0 dogvgb9ujhybx.cloudfront.net. A 216.137.45.242, dogvgb9ujhybx.cloudfront.net. A 216.137.45.123, dogvgb9ujhybx.cloudfront.net. A 216.137.45.181, dogvgb9ujhybx.cloudfront.net. A 216.137.45.101, dogvgb9ujhybx.cloudfront.net. A 216.137.45.161, dogvgb9ujhybx.cloudfront.net. A 216.137.45.35, dogvgb9ujhybx.cloudfront.net. A 216.137.45.29, dogvgb9ujhybx.cloudfront.net. A 216.137.45.118 (174)
    22:57:47.610635 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 64236, offset 0, flags [DF], proto TCP (6), length 1500)
        192.168.1.108.46357 > 72.21.211.177.443: Flags [.], cksum 0xcf9b (correct), seq 118:1578, ack 716, win 455, length 1460
    22:58:04.317681 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 191: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 177)
        192.168.1.108.51070 > 184.73.176.177.49317: [udp sum ok] UDP, length 149
    22:58:09.317189 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.108, length 46
    22:58:09.317234 00:1b:21:2d:ea:a4 > 28:ef:01:47:2b:68, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.1 is-at 00:1b:21:2d:ea:a4, length 28
    22:58:10.079750 28:ef:01:47:2b:68 > 00:1b:21:2d:ea:a4, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 30978, offset 0, flags [DF], proto TCP (6), length 1500)
        192.168.1.108.48930 > 72.21.214.129.443: Flags [.], cksum 0x7b89 (correct), seq 0:1460, ack 1, win 455, length 1460
    


  • the whole pcap file, not just the text output. If you do it via Diag>Packet Capture, you can click the "Download" button after you're finished and it'll give you the pcap. You may not be able to attach that here, you can email it to me (cmb at pfsense dot org) with a link to this thread so I know what it's referencing.



  • CMB,

    I emailed the packetcapture.cap file to you as requested.  While the capture was running I tried several times to get the Kindle to Sync.  I also rebooted the Kindle and then tried to sync again.

    Regards,
    Chad



  • What version of the Kindle OS?  Prior to 3.0.3, there is an issue if your DNS server is in the same subnet as the Kindle but not located on the default gateway.  In this situation the Kindle sends the packets to the default gateway instead of the correct DNS server, then displays a relatively useless error message.

    If this describes your network, either upgrade to 3.0.3 pre-release from http://www.amazon.com/gp/help/customer/display.html/?nodeId=200529700 (installable via USB cable), or hardcode a wifi IP, the appropriate default gateway and either your pfSense box (if you run DNS forwarder) or 8.8.8.8 (Google DNS) as a DNS server.



    What version of the Kindle OS?  Prior to 3.0.3, there is an issue if your DNS server is in the same subnet as the Kindle but not located on the default gateway.  In this situation the Kindle sends the packets to the default gateway instead of the correct DNS server, then displays a relatively useless error message.

    If this describes your network, either upgrade to 3.0.3 pre-release from http://www.amazon.com/gp/help/customer/display.html/?nodeId=200529700 (installable via USB cable), or hardcode a wifi IP, the appropriate default gateway and either your pfSense box (if you run DNS forwarder) or 8.8.8.8 (Google DNS) as a DNS server.

    Thanks for the reply.  The first thing I did when trying to troubleshoot this was update the Kindles to version 3.0.3.

    I just tried hardcoding the network information on the kindle and using the google DNS server.  No luck.

    Default pfSense 2.0 setup - Kindle can browse store but cannot sync or download books on WiFi.

    Default pfSense 1.2.3 setup - Kindle works fine.



  • In that case I don't have much else to suggest.  We've got a couple Kindle 3s on 3.0.3 here, initially on pfSense 1.2.3 and now on 2.0-BETA4 (Built On: Thu Dec 23 13:17:58 EST 2010), both work fine.

    My device is wifi-only so there's no possibility of a 3G failover or anything else happening, things "just work"



  • @The:

    In that case I don't have much else to suggest.  We've got a couple Kindle 3s on 3.0.3 here, initially on pfSense 1.2.3 and now on 2.0-BETA4 (Built On: Thu Dec 23 13:17:58 EST 2010), both work fine.

    My device is wifi-only so there's no possibility of a 3G failover or anything else happening, things "just work"

    Mine are both WiFi + 3G…  But they don't fail over; I have to turn WiFi off in order to download books with 2.0.  Since yours are working I had better clean install the latest 2.0 and try again...

    Thanks again and Merry Christmas, Happy New Year



  • I just got a Kindle 3 WiFi for Christmas and it too works fine with 2.0.



  • @danswartz:

    I just got a Kindle 3 WiFi for Christmas and it too works fine with 2.0.

    Are you able to actually download books over wifi?  I can browse the store and buy them, but the download just sits forever at "pending"…  On pfSense 1.2.3 the download would authenticate and occur instantly.



  • I tested delivering a book sent via email, and also downloading a new book (although it was already purchased and downloaded to another Kindle on our account, but had never been downloaded to my Kindle yet)

    So at least in my case, yes, downloading books works as does synchronizing (to update my place across devices)



  • Working fine here - of course I don't have the 3G kindle, so that is one less variable…



  • @cwagz:

    I emailed the packetcapture.cap file to you as requested.  While the capture was running I tried several times to get the Kindle to Sync.  I also rebooted the Kindle and then tried to sync again.

    From the packet capture, I can see packet loss but no indications as to where that's occurring. The Kindle is retransmitting several times and not getting any response. Repeat that capture on the WAN instead, and minimize any other Internet traffic as you can't easily filter that down to just the Kindle's traffic, and send me that pcap.
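
A way to pull that observation out of the LAN capture posted earlier, as an added example that is not part of the thread or of pfSense: the script below parses tcpdump summary lines (a constructed sample condensed from the capture above, with the checksum and option fields dropped), groups the Kindle's data segments by sequence range, and reports which ones were sent repeatedly without the server's ACK ever covering them. The client and server endpoints and the sample lines are assumptions taken from the posted capture; the script cannot say where the packets are lost, which is exactly why cmb asks for a WAN-side capture.

```python
import re
from collections import defaultdict

# Constructed sample: tcpdump summary lines condensed from the LAN capture
# posted in the thread (timestamp + TCP summary, cksum/options dropped).
# Endpoints are the Kindle (192.168.1.108) and the Amazon host it contacted.
SAMPLE = """\
22:57:10.283178 192.168.1.108.46357 > 72.21.211.177.443: Flags [S], seq 126408094, win 5840, length 0
22:57:10.365646 72.21.211.177.443 > 192.168.1.108.46357: Flags [S.], seq 2140135257, ack 126408095, win 8190, length 0
22:57:10.428481 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 1, ack 1, win 365, length 0
22:57:10.637855 192.168.1.108.46357 > 72.21.211.177.443: Flags [P.], seq 1:118, ack 1, win 365, length 117
22:57:10.720445 72.21.211.177.443 > 192.168.1.108.46357: Flags [P.], seq 1:716, ack 118, win 553, length 715
22:57:10.723165 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118, ack 716, win 455, length 0
22:57:10.780258 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
22:57:10.788138 192.168.1.108.46357 > 72.21.211.177.443: Flags [P.], seq 1578:1778, ack 716, win 455, length 200
22:57:10.898686 72.21.211.177.443 > 192.168.1.108.46357: Flags [.], seq 716, ack 118, win 553, length 0
22:57:11.068338 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
22:57:11.652272 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
22:57:12.811964 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
22:57:15.129777 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
22:57:19.771727 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
22:57:29.049686 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
22:57:47.610635 192.168.1.108.46357 > 72.21.211.177.443: Flags [.], seq 118:1578, ack 716, win 455, length 1460
"""

# One tcpdump TCP summary line. The lazy ".*?" runs tolerate extra fields
# such as "cksum 0x... (correct)" that tcpdump -v prints between the parts
# we care about; "seq" may be a single number or a lo:hi range.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?"
    r"seq (?P<seq_lo>\d+)(?::(?P<seq_hi>\d+))?"
    r"(?:.*?ack (?P<ack>\d+))?"
    r".*?length (?P<len>\d+)$"
)


def parse(text):
    """Turn tcpdump summary lines into dicts; lines that do not match
    (ARP, DNS, the second line of a -v pair) are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": d["ts"],
            "src": f'{d["src"]}:{d["sport"]}',
            "dst": f'{d["dst"]}:{d["dport"]}',
            "flags": d["flags"],
            "seq_lo": int(d["seq_lo"]),
            "seq_hi": int(d["seq_hi"]) if d["seq_hi"] else None,
            "ack": int(d["ack"]) if d["ack"] else None,
            "len": int(d["len"]),
        })
    return records


def unacked_segments(records, client, server):
    """Return ({(seq_lo, seq_hi, len): times_sent}, highest_ack) for client
    data segments whose end was never covered by an ACK from the server.
    tcpdump prints relative sequence numbers after the handshake, so the
    SYN / SYN-ACK lines (absolute numbers) are skipped."""
    sends = defaultdict(int)
    highest_ack = 0
    for r in records:
        if "S" in r["flags"]:
            continue
        if r["src"] == client and r["dst"] == server and r["len"] > 0:
            sends[(r["seq_lo"], r["seq_hi"], r["len"])] += 1
        elif r["src"] == server and r["dst"] == client and r["ack"] is not None:
            highest_ack = max(highest_ack, r["ack"])
    unacked = {k: n for k, n in sends.items() if k[1] > highest_ack}
    return unacked, highest_ack


def report(text, client="192.168.1.108:46357", server="72.21.211.177:443"):
    """Human-readable summary, one line per unacknowledged segment."""
    unacked, highest_ack = unacked_segments(parse(text), client, server)
    lines = [f"server acked client bytes up to {highest_ack}"]
    for (lo, hi, ln), n in sorted(unacked.items()):
        lines.append(f"seq {lo}:{hi} ({ln} bytes) sent {n}x, never acked")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run against the sample it reports that the server acknowledged the Kindle's bytes only up to 118, that the 117-byte segment was acknowledged, and that the 1460-byte segment 118:1578 was sent eight times and the 200-byte segment behind it once without any ACK arriving. Every segment that goes unanswered here is a full-size one; that size pattern is worth checking (MTU along the path, how fragments are handled) before treating the loss as random, and pointing the same script at a WAN-side capture shows whether those segments leave pfSense at all.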



  • @cmb:

    From the packet capture, I can see packet loss but no indications as to where that's occurring. The Kindle is retransmitting several times and not getting any response. Repeat that capture on the WAN instead, and minimize any other Internet traffic as you can't easily filter that down to just the Kindle's traffic, and send me that pcap.

    CMB - I am a little new to all of this.  Would I set the IP to capture as the gateway address (ie. 192.168.1.1) or my actual public IP address supplied by the ISP?

    Thanks,



  • Public side would be your WAN interface, AKA yes, the real IP assigned by your ISP to your WAN on the pfSense box.  Need to see if pfSense is sending those packets out to Amazon's server.

