Xbox one 100% packet loss #361

Closed
sadoneli opened this issue Jul 30, 2015 · 96 comments

@sadoneli

When UDP proxy is configured through TPROXY as described in the wiki,
everything works fine; PS4 gets NAT2 in -u mode.
But X1 has an issue of 100% packet loss.
I am not sure whether this problem comes from ss-redir.

If the problem comes from ss-redir,
is there any test I can do to help?

@smartepsh

Hi,
Can you share your configuration with iptables?
When UDP relay is configured with TPROXY as in the wiki, my DNS does not work... 100% timeout...

@madeye

madeye commented Jul 30, 2015

It'd be a compatibility issue of ss-redir. You can run ss-redir with -v option and post the logs when X1 running the speed test.

@madeye madeye added the bug label Jul 30, 2015
@madeye

madeye commented Jul 30, 2015

Also try to enlarge the timeout of ss-redir, e.g. -t 600

@sadoneli
Author

@smartepsh
You cannot redirect all UDP traffic; it will cause problems. Below is my setting for the UDP part:

# create ip rules
ip rule add fwmark 0x01/0x01 table 100
ip route add local 0.0.0.0/0 dev lo table 100
# create mangle chain
iptables -t mangle -N SHADOWSOCKS2
# return these ip
iptables -t mangle -A SHADOWSOCKS2 -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d $ss_server -j RETURN
# redirect udp traffic to tproxy
iptables -t mangle -A SHADOWSOCKS2 -p udp -m set ! --match-set chnroute dst -j TPROXY --on-port 3333 --tproxy-mark 0x01/0x01
# apply rule for udp redirect
iptables -t mangle -A PREROUTING -p udp -j SHADOWSOCKS2

@sadoneli
Author

@madeye
[image: qq 20150730220346]
when x1 test failed
[image: qq 20150730215220]

Is this any help?
Tested three ss servers, all my own VPS, with shadowsocks 2.6.11 on them

@madeye

madeye commented Jul 30, 2015

Try to redirect all logs to a plain text file and upload somewhere.

According to the screenshot, I cannot find anything useful.

On Thu, Jul 30, 2015, 10:23 PM sadoneli notifications@github.com wrote:

@madeye https://github.com/madeye
[image: qq 20150730220346]
https://cloud.githubusercontent.com/assets/10495520/8985324/5f159042-3709-11e5-8b51-102b1121b54b.jpg
when x1 test failed
[image: qq 20150730215220]
https://cloud.githubusercontent.com/assets/10495520/8985341/797bcf1e-3709-11e5-8026-8aa4730e834c.gif

Is this any help?
test three ss servers,all my own vps,with shadowsocks 2.6.11 on it



@smartepsh

@sadoneli Thanks, but it still does not work... Can you post all your iptables rules and /etc/dnsmasq.conf?
Only 5 kinds of ss-redir logs I can get:
server receive a packet
cache miss
connection timeout
one connection freed
server recv: Connection reset by peer...

So sad...

@madeye

madeye commented Jul 31, 2015

@sadoneli Could you change MAX_UDP_PACKET_SIZE to 576 and try again:

https://github.com/shadowsocks/shadowsocks-libev/blob/master/src/udprelay.h#L40

@madeye

madeye commented Jul 31, 2015

@sadoneli Also, could you try setting the LAN's MTU to 1397?

@sadoneli
Author

@madeye

1. OK, I will try it.

2. However, Xbox1 is not capable of defining the MTU.

@madeye

madeye commented Jul 31, 2015

To set MTU, add this line dhcp-option-force=26,1397 to dnsmasq.conf.

@sadoneli
Author

@smartepsh
Below are my NAT rule settings. I am currently using ASUS Merlin, not OpenWrt, though I think things could work the same.

#!/bin/sh
source /jffs/configs/ss.sh
chnroute="/jffs/ss/redchn/chnroute.txt"
ipset -F >/dev/null 2>&1
ipset -X >/dev/null 2>&1
# load chnroute to ipset
sed -e "s/^/-A chnroute &/g" -e "1 i\-N chnroute nethash --hashsize 4096" $chnroute | awk '{print $0} END{print "COMMIT"}' | ipset -R
# for router itself
ipset -N router iphash
# create nat chain
iptables -t nat -N SHADOWSOCKS
# not redirect these
iptables -t nat -A SHADOWSOCKS -d $ss_server -j RETURN
iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
# others should be redirected
iptables -t nat -A SHADOWSOCKS -p tcp -m set ! --match-set chnroute dst -j REDIRECT --to-ports 3333
#iptables -t nat -A SHADOWSOCKS -p icmp -j REDIRECT --to-ports 3333
#iptables -t nat -A SHADOWSOCKS -p sctp -j REDIRECT --to-ports 3333
# create ip rules
ip rule add fwmark 0x01/0x01 table 100
ip route add local 0.0.0.0/0 dev lo table 100
# create mangle chain
iptables -t mangle -N SHADOWSOCKS2
# return these ip
iptables -t mangle -A SHADOWSOCKS2 -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 240.0.0.0/4 -j RETURN
# redirect udp traffic to tproxy
iptables -t mangle -A SHADOWSOCKS2 -d $ss_server -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 208.67.220.220 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -p udp -m set ! --match-set chnroute dst -j TPROXY --on-port 3333 --tproxy-mark 0x01/0x01
# apply rule for udp redirect
iptables -t mangle -A PREROUTING -p udp -j SHADOWSOCKS2
iptables -t nat -A PREROUTING -i br0 -p tcp -j SHADOWSOCKS
# for router itself
iptables -t nat -A OUTPUT -p tcp -m set --match-set router dst -j REDIRECT --to-ports 3333

@sadoneli
Author

@madeye
got it, I will try it out~

@sadoneli
Author

@madeye

#define MAX_UDP_PACKET_SIZE (576)

is this right?

@madeye

madeye commented Jul 31, 2015

I think you can use the latest commit directly: a9f8b2b

@sadoneli
Author

I have compiled the latest shadowsocks.

The test guy said he still gets 100% packet loss,
and the NAT type on X1 is restricted.

BTW, by force setting dhcp-option-force=26,1397
the MTU of X1 is still 1500.
I don't know what is wrong.

@madeye

madeye commented Aug 1, 2015

Try to tune the interface's MTU on router, like ifconfig eth0 mtu 1400.

With shadowsocks and TPROXY, I don't think Path MTU discovery could work properly. Then with a wrong MTU (typically larger than the allowed one), DF (don't fragment) UDP packets got 100% loss. I guess it's the major problem.
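
Added example (not part of the comment above and not shadowsocks-libev code): one way to check the MTU theory is to measure the largest DF-marked packet that actually crosses the router-to-VPS path. It assumes iputils `ping` (`-M do` sets DF; BusyBox `ping` on many routers lacks it); `probe_ping`, `find_path_mtu` and `lan_mtu_for` are hypothetical helper names, and the probe uses ICMP echo, which a path may treat differently from the proxied UDP.

```sh
#!/bin/sh
# Added example: find the largest DF-marked packet that crosses a path.
# Assumes iputils ping; helper names are hypothetical.

# probe_ping HOST SIZE: send one echo request whose total IPv4 packet size
# is SIZE bytes with DF set. ICMP payload = SIZE - 20 (IP) - 8 (ICMP).
# A timeout counts as failure, so a path that silently drops oversized
# packets (no "fragmentation needed" ICMP comes back) is still detected.
probe_ping() {
    ping -c 1 -W 2 -M do -s "$(( $2 - 28 ))" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH] [PROBE]
# Binary search over packet sizes; prints the largest size in [LOW, HIGH]
# that PROBE delivers. Returns 1 if even LOW fails (host down, ICMP echo
# filtered), because then the probe says nothing about the MTU.
find_path_mtu() {
    host=$1
    lo=${2:-576}
    hi=${3:-1500}
    probe=${4:-probe_ping}
    "$probe" "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))   # round up so the loop always advances
        if "$probe" "$host" "$mid"; then
            lo=$mid                    # mid fits: answer is mid or larger
        else
            hi=$(( mid - 1 ))          # mid is dropped: answer is smaller
        fi
    done
    echo "$lo"
}

# lan_mtu_for PATH_MTU OVERHEAD
# Largest LAN-side MTU whose full-size datagrams still fit the path once the
# tunnel has added OVERHEAD bytes to each one. OVERHEAD depends on the cipher
# and protocol in use; it is an input here, not a value from this thread.
lan_mtu_for() {
    echo "$(( $1 - $2 ))"
}

# Example use on the router (placeholder address, constructed overhead of 64):
#   pmtu=$(find_path_mtu vps.example.net) && lan_mtu_for "$pmtu" 64
```

A result below the interface MTU means full-size DF datagrams are being dropped somewhere on that path, which is the condition the comment above describes.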

@sadoneli
Author

sadoneli commented Aug 3, 2015

I have compiled the latest shadowsocks-libev today.
With the commands below

ifconfig eth0 down
ifconfig eth0 mtu 1400
ifconfig eth0 up

I was able to change the MTU displayed on X1.

Results below:

default eth0 mtu=1500, shadowsocks disabled, X1 mtu is 1480; enable shadowsocks, X1 mtu is 1500
setting eth0 mtu=1488, shadowsocks disabled, X1 mtu is 1480; enable shadowsocks, X1 mtu is 1488
setting eth0 mtu=1400, shadowsocks disabled, X1 mtu is 1392; enable shadowsocks, X1 mtu is 1400
setting eth0 mtu=1397, shadowsocks disabled, X1 mtu is 1389; enable shadowsocks, X1 mtu is 1397

1. Package still gets 100% loss in every MTU test circumstance.
2. When the MTU is 1500, Xbox One decreases it by 20 to 1480; in the other situations, the decrease is 8.
3. When shadowsocks is enabled, the MTU on Xbox One changes to the same as eth0; TCP-only mode still gets this result.
4. MTU 1397 is a weird value: when set to this value, the X1 shows 1397 when ss is enabled no matter what MTU of eth0 I change to. I have to reboot X1 and my router to get it to change.

@madeye

madeye commented Aug 3, 2015

Could you run tcpdump on your router when testing the speed?

sudo tcpdump udp dst port YOUR_REMOTE_SERVER_PORT

@madeye

madeye commented Aug 3, 2015

Also, could you run the following command on your server at the same time?

sudo tcpdump udp dst port YOUR_REMOTE_SERVER_PORT

@sadoneli
Author

sadoneli commented Aug 3, 2015

I am currently using ASUS RT-AC87U, with merlin firmware
no available packet grab software
I can try on my server

@Liqianyu

Liqianyu commented Aug 8, 2015

This is my monitors record

x1_s.cap is Server
x1_r.cap is Router

filter is ip.addr==65.55.42.21

114.241.15.189 is my wan ip
157.7.108.38 is ShadowSocks ip
192.168.1.11 is XboxOne lan ip
192.168.1.60 is my pc
x1ds.xboxlive.com is 65.55.42.20\65.55.42.21
Delay test for XboxOne

cap download
http://1drv.ms/1EfxzQA

Close ShadowSocks, the correct result should be like
[image: x1]

@Liqianyu

Liqianyu commented Aug 8, 2015

In addition, it has been determined game mode (UDP forwarding) will cause CODAW, The Last Of Us and other games people search difficult

@madeye

madeye commented Aug 9, 2015

@Liqianyu According to your cap, it seems that every echo packet arrives normally.

@Liqianyu

Liqianyu commented Aug 9, 2015

@madeye Under normal circumstances, there is a return packet length 105, as described above in FIG. But gaming mode router and server I did not see this package

@madeye

madeye commented Aug 9, 2015

@Liqianyu Could you run tcpdump on your server, I want to make sure the ping packet is properly sent to XBOX's server.

@Liqianyu

Liqianyu commented Aug 9, 2015

@madeye Servers and routers are equipped with tcpdump. The above x1_s.cap is server listens.

@madeye

madeye commented Aug 9, 2015

@Liqianyu in x1_s.cap, I saw many echo test packets sent to 65.55.42.21:3074, but no packets received from that server.
Is it possible that XBOX's server blocked your server IP?
Could you try set a VPN on that server and run XBOX's test again?

@madeye

madeye commented Aug 9, 2015

BTW, which encryption are you using?

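@Jerome-lara

@Paull What do these commands you gave me do? Is entering your 4 commands equivalent to setting up a DMZ for the IP 150, so that I don't need to enter the pile of port-forwarding commands below?

Also, the two port-forwarding rules I posted in my earlier comment turned out to be wrong once entered…
Then I searched again, and the complete commands should look like this: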
iptables -t nat -A PREROUTING -d 公网地址 -p tcp --dport 80 -j DNAT --to 固定VPN地址:81
iptables -t nat -A POSTROUTING -d 固定VPN地址 -p tcp --dport 81 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 固定VPN地址 --dport 81 -j ACCEPT
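Forwarding one port takes 3 commands… Xbox has 7 ports in total, split across TCP and UDP, 21 in all; typing them is killing me…
And I don't know whether the forwarding even worked…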

@crzidea

crzidea commented Feb 15, 2016

Any update? I have exactly the same issue and it still can't be solved. I'm playing Diablo 3 on Xbox One connecting with a Raspberry Pi.

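@Jerome-lara

@Paull I have a problem that a round of Googling could not solve: after I entered the 4 commands you gave, BandwagonHost keeps emailing me, saying there is a vulnerability and that they forcibly added a rule to close port 53... Email content: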
KiwiVM has detected an insecure recursive DNS resolver on IP 45...**, which may result in your server getting involved in DNS Amplification DoS attacks.
To prevent this from happening, KiwiVM has blocked port 53 in your server by adding the following iptables rules:

iptables -I INPUT -p udp --destination-port 53 -j DROP
iptables -I FORWARD -p udp --destination-port 53 -j DROP

You can fix this vulnerability by securing your DNS daemon (or by removing it from your server).

Once this vulnerability is fixed, you may remove these iptables rules.

@sadoneli
Author

sadoneli commented Apr 4, 2016

I think we should just close this issue.

@sadoneli sadoneli closed this as completed Apr 4, 2016
@crzidea

crzidea commented Apr 5, 2016

@sadoneli Please don't close it, the problem hasn't been solved yet...

@sadoneli sadoneli reopened this Oct 27, 2016
@sadoneli
Author

@madeye With recent versions, more people are reporting this again. Could there be a solution? I hope the author can reply~

@madeye

madeye commented Oct 27, 2016

It'd be a compatibility issue between transparent proxy and XBox. I think it's almost impossible to fix the issue from my side only.

Also, you may try this: http://lartc.org/howto/lartc.cookbook.mtu-mss.html. For example:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320

@sadoneli
Author

sadoneli commented Nov 3, 2016

@madeye Is 1320 a random number or a suggested one?

@madeye

madeye commented Nov 3, 2016

Just a random number, which should be small enough for common links.

@madeye

madeye commented Jan 12, 2018

Please try the latest commit to see if it would help.

@Paull

Paull commented Jan 17, 2018

I'll try the latest this weekend.

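@Paull

Paull commented Jan 24, 2018

Last weekend I tried the new version on my Raspberry Pi router at home, and it does not feel like it resolved this issue. Maybe I am doing something wrong; I can test again after some guidance.
[image: ss_3 1 2]
This image is the old version of ss-redir, 3.1.2.
[image: ss_3 1 3]
This image is the new version of ss-redir, 3.1.3.

Everything in the environment is the same for both versions; only the executable differs.
I also captured packets with TCPDUMP, but the capture is too large and I don't know how to upload it...
TCPDUMP shows that 3.1.3 did not complete the whole test flow and broke off partway, but I can't understand the actual contents of the packets @_@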

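@Jerome-lara

@Paull This is so hard to get working; I'll just use NetEase's UU console accelerator instead. NetEase UU has recently been running a closed beta of its console acceleration.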

@wangyu-

wangyu- commented Feb 12, 2018

@sadoneli @Liqianyu

Could you please run this command on both sides (router and VPS), and test again?

echo 1 >  /proc/sys/net/ipv4/ip_no_pmtu_disc

I suspect PMTUD is broken for your path (router<---->vps).

@imwsy

imwsy commented Feb 20, 2018

I can confirm the packet loss rate in the Xbox test will not show 100% after the server side (the client does not need it) shuts down the Path MTU Discovery feature.
Server and client (OpenWrt uses luci-app-shadowsocks to enable UDP relay) versions are both 85a64ae

disable pmtu means echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
enable pmtu means echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc

By default, client enable pmtu / server enable pmtu --> 100% loss

client disable pmtu / server disable pmtu --> 0% loss
client enable pmtu / server disable pmtu --> 0% loss

@Stoptimerag

@madeye
The latest version still does not work, perhaps the UDP broadcast packets do not support the cause?

Has this problem of yours been solved? I mean the one where 65.55.42.21 gives no response.

@enihcam

enihcam commented Feb 15, 2022

I can confirm the packet loss rate in the Xbox test will not show 100% after the server side (the client does not need it) shuts down the Path MTU Discovery feature.
Server and client (OpenWrt uses luci-app-shadowsocks to enable UDP relay) versions are both 85a64ae

disable pmtu means echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
enable pmtu means echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc

By default, client enable pmtu / server enable pmtu --> 100% loss

client disable pmtu / server disable pmtu --> 0% loss
client enable pmtu / server disable pmtu --> 0% loss

you sure you want to set this value to 1?

ip_no_pmtu_disc - INTEGER
	Disable Path MTU Discovery. If enabled in mode 1 and a
	fragmentation-required ICMP is received, the PMTU to this
	destination will be set to min_pmtu (see below). You will need
	to raise min_pmtu to the smallest interface MTU on your system
	manually if you want to avoid locally generated fragments.

	In mode 2 incoming Path MTU Discovery messages will be
	discarded. Outgoing frames are handled the same as in mode 1,
	implicitly setting IP_PMTUDISC_DONT on every created socket.

	Mode 3 is a hardened pmtu discover mode. The kernel will only
	accept fragmentation-needed errors if the underlying protocol
	can verify them besides a plain socket lookup. Current
	protocols for which pmtu events will be honored are TCP, SCTP
	and DCCP as they verify e.g. the sequence number or the
	association. This mode should not be enabled globally but is
	only intended to secure e.g. name servers in namespaces where
	TCP path mtu must still work but path MTU information of other
	protocols should be discarded. If enabled globally this mode
	could break other protocols.

	Possible values: 0-3
	Default: FALSE

@RebelliousWhiz

For whoever searches for an Xbox proxy solution:

I gave up trying Xbox with shadowsocks a long time ago. I think the time I put in was not quite worthy since my major need was to play Xbox games in China and have more fun. You can purchase something like UU Game Booster (by NetEase). You will find your life will be way easier and better.

But if you are the "because I can" type, don't mind me. It's fun trying, for sure.

@madeye

madeye commented Feb 15, 2022

Try 46382c2

@pexcn

pexcn commented Sep 18, 2022

Try 46382c2

I tested, still have this problem. (ss-libev version: 5fdb662)

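@jiaxiaogang

My NAT is open, but the multiplayer test shows 100% packet loss. Who am I supposed to complain to? Enabling UPnP didn't help, and then I tried DMZ and that didn't work either. I've given up.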

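@RebelliousWhiz

My NAT is open, but the multiplayer test shows 100% packet loss. Who am I supposed to complain to? Enabling UPnP didn't help, and then I tried DMZ and that didn't work either. I've given up.

Stop struggling with it and just use the UU accelerator. OpenWrt is supported too, really...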

@jiaxiaogang

Why use an accelerator? My software router works fine for me, and it's not like I play online games every day.
