LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 06-16-2013, 02:52 PM   #1
DeadTOm
Upgraded from Kubuntu 10.04 to 12.04, Wii-U suddenly can't connect.


I have a PC acting as a firewall and router, using iptables. We have a Wii-U inside the network and until a few days ago, it had no connectivity problems at all. I upgraded the firewall PC from Kubuntu 10.04 to 12.04 and suddenly the Wii-U cannot connect.

This is not a problem with the Wii-U. If I connect it directly to the Optimum modem, everything works fine. It's something wonky with the Kubuntu PC, since I upgraded. Nothing in my iptables.rules has changed. I'm using the same set of rules as before the upgrade.

I called Nintendo tech support and they insist that there is nothing special that needs to be done. Their solution was to put it in a DMZ but I'd rather not do that if I can avoid it.

I do an internet connection test in the Wii-U and it passes, but it can't connect to any services which require talking to the Nintendo network, such as Hulu, Netflix, the Nintendo e-shop and quite a few games.

I also have several PCs, three Android devices, an old Wii, two Nintendo DS's, an old Xbox, a PSP and a PS3, and none of them have experienced any problems since the upgrade; they're all able to connect fine.

I checked Nintendo's support site and their advice is to forward all ports (specifically 1-65535) to the Wii-U, which I can't do for obvious reasons.

Other things I've tried:

I've opened the firewall up completely, allowing all traffic through.
I've explicitly allowed all traffic on all ports, to and from the Wii-U.
I've tried running several older kernels.
I've tried shutting down apparmor.

None of these have worked.

The only thing that did work was to remove the Kubuntu box completely and connect my switch directly to the Optimum modem.

I have no rules in place restricting the Wii-U at all. I do a grep in syslog for the Wii-U's IP and I get a lot of this:

Code:
kernel: [ 7236.919902] Invalid packet: IN=eth0 OUT=eth1 MAC=00:c0:f0:2d:9e:b4:18:2a:7b:85:09:e5:08:00 SRC=192.168.58.38 DST=23.43.226.90 LEN=1042 TOS=0x00 PREC=0x00 TTL=63 ID=3693 PROTO=TCP SPT=1772 DPT=443 WINDOW=32768 RES=0x00 ACK PSH FIN URGP=0
If I'm interpreting this correctly, it thinks that there is a problem with the packets coming from the Wii-U and it's dropping them. I've tried removing the rule that drops invalid packets and it stopped putting these warnings in the log, but the Wii-U still can't connect to the Nintendo network.

There has to be a change in the way that iptables or something else on the system is routing traffic or handling packets, but I have no idea what that is.

Any help or advice is appreciated.

Thanks!

Last edited by DeadTOm; 06-16-2013 at 03:23 PM.
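The kernel LOG line above is easy to mine once you have a parser. The following is an added example, not from the thread or from the poster, that parses netfilter LOG lines of that shape (the line above plus two constructed ones, with an assumed custom log prefix "WIIU-FWD") and lists the packets larger than a given path MTU, a check worth running when a router upgrade breaks one device's TCP sessions:

```python
import re

# Added example, not from the thread: parse kernel netfilter LOG lines of the kind shown
# in the post and pick out the packets too large for a given path MTU.
_HEAD = re.compile(r"kernel: \[\s*(?P<ts>[\d.]+)\] (?:(?P<prefix>.*?):? )?(?=IN=)")
_FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "PSH", "FIN", "RST", "URG"}

SAMPLE_LOG = [
    # the line from the original post
    "kernel: [ 7236.919902] Invalid packet: IN=eth0 OUT=eth1 "
    "MAC=00:c0:f0:2d:9e:b4:18:2a:7b:85:09:e5:08:00 SRC=192.168.58.38 DST=23.43.226.90 "
    "LEN=1042 TOS=0x00 PREC=0x00 TTL=63 ID=3693 PROTO=TCP SPT=1772 DPT=443 "
    "WINDOW=32768 RES=0x00 ACK PSH FIN URGP=0",
    # constructed: a full-size segment with DF set, which a 1492-byte PPPoE link cannot
    # fragment and silently drops (log prefix assumed to be a custom "WIIU-FWD")
    "kernel: [ 7240.000001] WIIU-FWD IN=eth0 OUT=eth1 MAC=00:c0:f0:2d:9e:b4:18:2a:7b:85:09:e5:08:00 "
    "SRC=192.168.58.38 DST=23.43.226.90 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=4001 DF "
    "PROTO=TCP SPT=1773 DPT=443 WINDOW=32768 RES=0x00 ACK PSH URGP=0",
    "kernel: [ 7240.500000] eth1: link is up",   # constructed, unrelated kernel message
]

def parse_nflog(line):
    """Return a dict of fields from one netfilter LOG line, or None if it is not one.
    Numeric values become ints; bare tokens such as DF, SYN, ACK go into 'flags'."""
    m = _HEAD.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "prefix": (m.group("prefix") or "").strip(), "flags": set()}
    for tok in line[m.end():].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = int(val) if val.isdigit() else val
        elif tok in _FLAGS:
            rec["flags"].add(tok)
    return rec

def oversized(records, pmtu):
    """Packets whose total IP length exceeds the path MTU. With DF set these are
    exactly the ones the upstream link drops instead of fragmenting."""
    return [r for r in records if isinstance(r.get("LEN"), int) and r["LEN"] > pmtu]

def analyze(lines, pmtu=1492):
    """Parse a log excerpt and report how many LOG lines there were and which
    flows sent packets bigger than the path MTU (and whether DF was set)."""
    recs = [r for r in map(parse_nflog, lines) if r]
    big = [(r["SRC"], r["DST"], r["DPT"], r["LEN"], "DF" in r["flags"]) for r in oversized(recs, pmtu)]
    return {"parsed": len(recs), "oversized": big}
```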
 
Old 06-17-2013, 10:25 AM   #2
squeel
selinux

Do you by chance have SELinux enabled? If so, disable it.

Last edited by squeel; 06-17-2013 at 10:26 AM.
 
Old 06-17-2013, 04:07 PM   #3
Bill Gates 666
Ahhh brings back memories of hacking with iptables on a Firewall box

Sounds like you've covered the basics...

If you've completely opened the firewall...
Code:
 iptables -L -v
Chain INPUT (policy ACCEPT 504K packets, 225M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 394K packets, 74M bytes)
 pkts bytes target     prot opt in     out     source               destination
So you need more data/information to proceed!!

So it appears that Nintendo are using a bit of edge caching using Akamai servers...


I would suggest your next step is to set up an iptables logging rule for all external packets going to/from 23.43.0.0/16 (since it appears Akamai have > a class B IP block) on both eth0 and eth1. The problem is likely that a TCP link initiated at the Wii U end is breaking - due to a timeout, MTU packet fragmentation or similar problem... Or that the Nintendo website is trying to initiate a new connection - which will fail as iptables will not know where to route the TCP connection to (without port forwarding or a DMZ Wii U).

Mr Gates
 
Old 06-17-2013, 11:24 PM   #4
DeadTOm
Quote:
Originally Posted by squeel
Do you by chance have SELinux enabled? If so, disable it.
I'll check that out. Thanks!

Quote:
Originally Posted by Bill Gates 666
I would suggest your next step is to set up an iptables logging rule for all external packets going to/from 23.43.0.0/16 (since it appears Akamai have > a class B IP block) on both eth0 and eth1. The problem is likely that a TCP link initiated at the Wii U end is breaking - due to a timeout, MTU packet fragmentation or similar problem... Or that the Nintendo website is trying to initiate a new connection - which will fail as iptables will not know where to route the TCP connection to (without port forwarding or a DMZ Wii U).
Ok. I'm still quite the novice when it comes to iptables but I'll do a little research and figure out how to get the correct logging going.

I'll update this thread tomorrow evening.

Thank you too!
 
Old 06-18-2013, 11:20 AM   #5
DeadTOm
Quote:
Originally Posted by squeel
Do you by chance have SELinux enabled? If so, disable it.

Nope, no SELinux installed.
 
Old 06-18-2013, 09:40 PM   #6
DeadTOm
So two things have come to light here.

1 - I went back in the logs and those errors have always been there.

2 - I set up logging and rather than just to specific servers, I logged all traffic going to and from the Wiiu. I attached a file with the pertinent log entries. It appears that data is being passed to and from the Wiiu. No packets at all are showing as actually being dropped.

So I'm completely baffled as to what's going on. It must be something other than iptables that's holding up the show here.
Attached file: wiiu.txt (159.6 KB)
 
Old 06-19-2013, 09:23 AM   #7
Bill Gates 666
Quote:
Originally Posted by DeadTOm
So two things have come to light here.

1 - I went back in the logs and those errors have always been there.

2 - I set up logging and rather than just to specific servers, I logged all traffic going to and from the Wiiu. I attached a file with the pertinent log entries. It appears that data is being passed to and from the Wiiu. No packets at all are showing as actually being dropped.

So I'm completely baffled as to what's going on. It must be something other than iptables that's holding up the show here.
I reckon it's got to be something to do with the NAT being performed by your Ubuntu box. Even with a default ACCEPT-all policy on your iptables filters, external/Internet-sourced IP packets must "know where to go in your LAN". This would manifest as valid packets (from Nintendo, or 3rd party servers) being dropped at your eth1 interface.

My knowledge of how iptables works is getting very hazy (use it or lose it). I think valid Internet-sourced packets that are not detected as part of an existing stream would just hit your server as an incoming packet (rather than entering the iptables FORWARD chain - which is for routing between interfaces). These packets are the ones you need to check/detect.

Perhaps try using one of the most respected (certainly in the Arch community) iptables firewalling scripts - written by a guy called Arno. The beauty of a script like this is that you can read through it to learn how iptables works slowly (vs. IPCop or some other firewall distro doing all the work for you), it's easier to set up than doing everything manually, and it's still being actively developed. You should (!!) be able to DMZ the Wii U using this script (but I have a feeling you might need a third NIC to do this).

Still racking my brains as to why the Wii U worked with 10.04... Hmmm very odd!!

Sorry I can't help that much. Like most folks I went through a "phase" of running my own firewall. Got a bit tired of broken Internets and my crappy PCI ADSL modem (which had very lackluster Linux driver support).
 
Old 06-19-2013, 11:18 AM   #8
DeadTOm
Ya I'm confused about why it was working on 10.04 as well. If ports needed to be forwarded, that would have been the case before the upgrade.

I believe a DMZ will also require a static IP and to get one would be more hassle than it's worth.

I do appreciate all your help though. I'll keep plugging away with this and let you know what I come up with.
 
Old 06-19-2013, 02:02 PM   #9
Bill Gates 666
Quote:
Originally Posted by DeadTOm
Ya I'm confused about why it was working on 10.04 as well. If ports needed to be forwarded, that would have been the case before the upgrade.

I believe a DMZ will also require a static IP and to get one would be more hassle than it's worth.

I do appreciate all your help though. I'll keep plugging away with this and let you know what I come up with.
Hi,

Hmmm, all I can do is point you (hopefully) in the right direction. The whole iptables thing may be a complete red herring... So much has changed between 10.04 and 12.04 after all... It could be something as innocuous as a change in the TCP connection timeout...

Good luck anyway!
 
Old 06-20-2013, 09:28 AM   #10
DeadTOm
After considerable toil and turmoil, I found the source of the problem. I had suspected an MTU issue early on but after tweaking settings on my wireless routers, my firewall and the Wii-U, to no avail, I gave up on that idea. In desperation, I decided to revisit the possibility yesterday and came across this article:

http://fabiobaltieri.com/2011/09/12/...-firewall-nat/

A little better than halfway down the page, I came to this:

Quote:
...On the other side, if you are using that node as a NAT router, the systems behind it have no way to know the real MTU of the PPPoE interface. Therefore the systems will try to use packets bigger than the maximum allowed, which will be dropped without warning by routers.
The solution for that, unless you want to configure all your devices with a reduced MTU, is to instruct the routing host to intercept all the TCP handshake packets and correct in-fly the wrong MSS value requested by internal hosts...
The following rule took care of that:

Code:
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Applied the changes to iptables.rules, rebooted the Wii-U and voila! Problem solved.
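To see what that rule does to a forwarded connection, here is an added example (not the poster's rule or the article's code) that performs the TCPMSS --clamp-mss-to-pmtu rewrite by hand on a constructed IPv4 SYN. It assumes 20-byte IP and TCP headers, so the clamped MSS is pmtu - 40, and it fixes the TCP checksum after the rewrite, as the kernel target must.

```python
import struct

# Added example: the TCPMSS --clamp-mss-to-pmtu rewrite done by hand on constructed packets.
# Assumed: IPv4 with 20-byte IP and TCP headers, so the clamped MSS is pmtu - 40.
def tcp_checksum(src, dst, segment):
    """Ones-complement checksum over the IPv4 pseudo-header and the TCP segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\0" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def checksum_ok(src, dst, segment):
    return tcp_checksum(src, dst, segment) == 0   # a correct checksum field sums to zero

def _mss_offset(segment):
    """Byte offset of the 2-byte MSS value in the TCP options, or None if absent."""
    data_off, i = (segment[12] >> 4) * 4, 20
    while i + 1 < data_off:
        kind, length = segment[i], segment[i + 1]
        if kind == 1:                       # NOP padding: one byte, no length field
            i += 1
            continue
        if kind == 0 or length < 2:         # end-of-options, or malformed option
            return None
        if kind == 2 and length == 4:       # MSS option
            return i + 2
        i += length
    return None

def read_mss(segment):
    off = _mss_offset(segment)
    return None if off is None else struct.unpack_from("!H", segment, off)[0]

def clamp_mss(src, dst, segment, pmtu):
    """Rewrite the MSS of a SYN if it exceeds pmtu - 40, fixing the TCP checksum.
    Returns (segment, new_mss) where new_mss is None when nothing was changed."""
    off = _mss_offset(segment) if segment[13] & 0x02 else None   # only SYNs carry MSS
    if off is None or read_mss(segment) <= pmtu - 40:
        return segment, None
    buf = bytearray(segment)
    struct.pack_into("!H", buf, off, pmtu - 40)
    struct.pack_into("!H", buf, 16, 0)                # zero the checksum before recomputing
    struct.pack_into("!H", buf, 16, tcp_checksum(src, dst, bytes(buf)))
    return bytes(buf), pmtu - 40

def build_syn(src, dst, sport, dport, mss):
    """Constructed SYN: 20-byte header, data offset 6 words, one 4-byte MSS option."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = hdr + struct.pack("!BBH", 2, 4, mss)
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]
```

With a 1492-byte PPPoE path the LAN host's usual MSS of 1460 becomes 1452, so neither side ever emits a segment the upstream link has to drop.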
 
Old 06-20-2013, 07:30 PM   #11
Bill Gates 666
Oh dang...

I thought about the MTU initially... But you were only showing me captures of fragmented packets - rather naively I just assumed the Wii U was just sending out small packets (well below a standard threshold) - rather dumb assumption. So obvious really!! Good catch!!

Yeh my folks seem to have a 1492 MTU for some reason (which is odd 'cause they have standard ADSL). It does cause weird effects if you don't make sure it's enabled for the network adapter(s) (in the OS)...
 
  

