Closed sadoneli closed 8 years ago
Hi, can you share your iptables configuration? When I configured UDP relay with TPROXY as in the wiki, my DNS does not work...100% timeout...
It'd be a compatibility issue of ss-redir. You can run ss-redir with the -v option and post the logs from when the X1 is running the speed test.
Also try to enlarge the timeout of ss-redir, e.g. -t 600
@smartepsh you cannot redirect all UDP traffic, it will cause problems. Below is my setting for the UDP part:

```sh
# create ip rules
ip rule add fwmark 0x01/0x01 table 100
ip route add local 0.0.0.0/0 dev lo table 100

# create mangle chain
iptables -t mangle -N SHADOWSOCKS2

# return these ip
iptables -t mangle -A SHADOWSOCKS2 -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d $ss_server -j RETURN

# redirect udp traffic to tproxy
iptables -t mangle -A SHADOWSOCKS2 -p udp -m set ! --match-set chnroute dst -j TPROXY --on-port 3333 --tproxy-mark 0x01/0x01

# apply rule for udp redirect
iptables -t mangle -A PREROUTING -p udp -j SHADOWSOCKS2
```
@madeye when x1 test failed
Is this any help? Tested three ss servers, all my own VPS, with shadowsocks 2.6.11 on them.
Try to redirect all logs to a plain text file and upload somewhere.
According to the screenshot, I cannot find anything useful.
On Thu, Jul 30, 2015, 10:23 PM sadoneli notifications@github.com wrote:
> @madeye [image: qq 20150730220346] https://cloud.githubusercontent.com/assets/10495520/8985324/5f159042-3709-11e5-8b51-102b1121b54b.jpg when x1 test failed [image: qq 20150730215220] https://cloud.githubusercontent.com/assets/10495520/8985341/797bcf1e-3709-11e5-8026-8aa4730e834c.gif
> Is this any help? Tested three ss servers, all my own VPS, with shadowsocks 2.6.11 on them.
@sadoneli Thanks, but it still does not work... Can you post all your iptables rules and /etc/dnsmasq.conf? I can only get 5 kinds of ss-redir logs:
server receive a packet
cache miss
connection timeout
one connection freed
server recv: Connection reset by peer...
So sad...
@sadoneli Could you change MAX_UDP_PACKET_SIZE to 576 and try again:
https://github.com/shadowsocks/shadowsocks-libev/blob/master/src/udprelay.h#L40
@sadoneli Also, could you try setting the LAN's MTU to 1397?
@madeye
1. OK, I will try it.
2. However, the Xbox1 is not capable of defining the MTU.
To set MTU, add this line dhcp-option-force=26,1397 to dnsmasq.conf.
@smartepsh Below are my nat rules settings. I am currently using ASUS Merlin, not OpenWrt, though I think things could work the same:

```sh
#!/bin/sh
. /jffs/configs/ss.sh
chnroute="/jffs/ss/redchn/chnroute.txt"

ipset -F >/dev/null 2>&1
ipset -X >/dev/null 2>&1

# load chnroute to ipset
sed -e "s/^/-A chnroute &/g" -e "1 i\-N chnroute nethash --hashsize 4096" $chnroute | awk '{print $0} END{print "COMMIT"}' | ipset -R

# for router itself
ipset -N router iphash

# create nat chain
iptables -t nat -N SHADOWSOCKS

# not redirect these
iptables -t nat -A SHADOWSOCKS -d $ss_server -j RETURN
iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN

# others should be redirected
iptables -t nat -A SHADOWSOCKS -p tcp -m set ! --match-set chnroute dst -j REDIRECT --to-ports 3333
#iptables -t nat -A SHADOWSOCKS -p icmp -j REDIRECT --to-ports 3333
#iptables -t nat -A SHADOWSOCKS -p sctp -j REDIRECT --to-ports 3333

# create ip rules
ip rule add fwmark 0x01/0x01 table 100
ip route add local 0.0.0.0/0 dev lo table 100

# create mangle chain
iptables -t mangle -N SHADOWSOCKS2

# return these ip
iptables -t mangle -A SHADOWSOCKS2 -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d $ss_server -j RETURN
iptables -t mangle -A SHADOWSOCKS2 -d 208.67.220.220 -j RETURN

# redirect udp traffic to tproxy
iptables -t mangle -A SHADOWSOCKS2 -p udp -m set ! --match-set chnroute dst -j TPROXY --on-port 3333 --tproxy-mark 0x01/0x01

# apply rule for udp redirect
iptables -t mangle -A PREROUTING -p udp -j SHADOWSOCKS2
iptables -t nat -A PREROUTING -i br0 -p tcp -j SHADOWSOCKS

# for router itself
iptables -t nat -A OUTPUT -p tcp -m set --match-set router dst -j REDIRECT --to-ports 3333
```
@madeye got it, I will try it out~
@madeye
#define MAX_UDP_PACKET_SIZE (576)
is this right?
I think you can use the latest commit directly: https://github.com/shadowsocks/shadowsocks-libev/commit/a9f8b2bdfab8dc2ec155000477a6562a89f610ed
I have compiled the latest shadowsocks.
The test guy said he still gets 100% packet loss and the NAT type on X1 is restricted.
BTW, after force setting dhcp-option-force=26,1397 the MTU of X1 is still 1500.
I don't know where it is wrong.
Try to tune the interface's MTU on router, like ifconfig eth0 mtu 1400.
With shadowsocks and TPROXY, I don't think Path MTU discovery could work properly. Then with a wrong MTU (typically larger than the allowed one), DF (don't fragment) UDP packets got 100% loss. I guess it's the major problem.
I have compiled the latest shadowsocks-libev today. With the commands below

```sh
ifconfig eth0 down
ifconfig eth0 mtu 1400
ifconfig eth0 up
```

I was able to change the MTU displayed on X1.
Results below:
default eth0 mtu=1500: shadowsocks disabled, X1 mtu is 1480; enable shadowsocks, X1 mtu is 1500
setting eth0 mtu=1488: shadowsocks disabled, X1 mtu is 1480; enable shadowsocks, X1 mtu is 1488
setting eth0 mtu=1400: shadowsocks disabled, X1 mtu is 1392; enable shadowsocks, X1 mtu is 1400
setting eth0 mtu=1397: shadowsocks disabled, X1 mtu is 1389; enable shadowsocks, X1 mtu is 1397
1. Packets still get 100% loss, in any MTU test circumstance.
2. When the MTU is 1500, XboxOne decreases it by 20 to 1480; in other situations, the decrease is 8.
3. When shadowsocks is enabled, the MTU on XboxOne changes to the same as eth0; TCP-only mode still gets this result.
Could you run tcpdump on your router when testing the speed?
sudo tcpdump udp dst port YOUR_REMOTE_SERVER_PORT
Also, could you run the following command on your server at the same time?
sudo tcpdump udp dst port YOUR_REMOTE_SERVER_PORT
I am currently using ASUS RT-AC87U with Merlin firmware; there is no packet capture software available. I can try on my server.
This is my monitors record
x1_s.cap is Server
x1_r.cap is Router
filter is ip.addr==65.55.42.21
114.241.15.189 is my wan ip
157.7.108.38 is ShadowSocks ip
192.168.1.11 is XboxOne lan ip
192.168.1.60 is my pc
x1ds.xboxlive.com is 65.55.42.20\65.55.42.21, delay test for XboxOne
cap download http://1drv.ms/1EfxzQA
With ShadowSocks closed, the correct result should be like
In addition, it has been determined that game mode (UDP forwarding) will make it difficult to search for people in CODAW, The Last Of Us and other games.
@Liqianyu According to your cap, it seems that every echo packet arrives normally.
@madeye Under normal circumstances, there is a return packet of length 105, as shown in the figure above. But in gaming mode I did not see this packet on the router or the server.
@Liqianyu Could you run tcpdump on your server, I want to make sure the ping packet is properly sent to XBOX's server.
@madeye Servers and routers are equipped with tcpdump. The above x1_s.cap is server listens.
@Liqianyu in x1_s.cap, I saw many echo test packets sent to 65.55.42.21:3074, but no packets received from that server. Is it possible that XBOX's server blocked your server IP? Could you try setting up a VPN on that server and run XBOX's test again?
BTW, which encryption are you using?
@madeye Yes, I also made the same discovery and had the same idea, but it is not only me; all my VPSes give the same result. Encryption is AES-256-CFB. I do not think the problem is the server. If you use PPTP VPN, you will not have this problem.
BTW,My server is shadowsocks python
@Liqianyu Here is the same packet on the router and the server. You can see the data is exactly the same, The different lengths are because of the additional 4 bytes for VLAN (802.1q). It means shadowsocks does its job.
I think it's possible that XBOX blocks echo packets from VPS providers, which can avoid DDOS attacks on their server. Or XBOX takes your router's IP as your real IP and drops all packets from your VPS's IP.
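The router-versus-server comparison described above can be done mechanically on raw frames. This is an added example, not code from the thread or from shadowsocks-libev: it skips an optional 4-byte 802.1Q tag, then reports the IPv4 DF bit and the UDP payload so two captures of the same packet can be compared. The frames are constructed (using the addresses and port 3074 mentioned in the thread), and `udp_view`, `parse_udp_frame` and `same_udp_payload` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct udp_view {            /* what is extracted from one captured frame */
    int vlan_tagged, df;     /* 802.1Q tag present; IPv4 don't-fragment bit */
    uint16_t dst_port;
    const uint8_t *payload;  /* UDP payload inside the frame */
    size_t payload_len;
};
/* Constructed sample frames (not the page's capture); checksums left 0. */
#define MACS 2,0,0,0,0,1, 2,0,0,0,0,2
#define IPV4_UDP(flags) 0x45,0,0,32, 0,1,(flags),0, 64,17,0,0, 192,168,1,11, \
    65,55,42,21, 0x0c,0x02,0x0c,0x02, 0,12,0,0, 'p','i','n','g'
const uint8_t frame_tagged[]   = { MACS, 0x81,0x00,0x00,0x02, 0x08,0x00, IPV4_UDP(0x40) };
const uint8_t frame_untagged[] = { MACS, 0x08,0x00, IPV4_UDP(0x00) };
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the frame is truncated or not IPv4/UDP. */
int parse_udp_frame(const uint8_t *f, size_t len, struct udp_view *out) {
    size_t off = 12;                          /* skip dst + src MAC */
    if (len < off + 2) return -1;
    out->vlan_tagged = be16(f + off) == 0x8100;
    if (out->vlan_tagged) off += 4;           /* 802.1Q adds TPID + TCI */
    if (len < off + 2 + 20 || be16(f + off) != 0x0800) return -1;
    const uint8_t *ip = f + off + 2;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, total = be16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 17) return -1;
    if (total < ihl + 8 || len < off + 2 + total) return -1;
    out->df = (ip[6] & 0x40) != 0;            /* DF is bit 0x40 of byte 6 */
    const uint8_t *udp = ip + ihl;
    size_t udp_len = be16(udp + 4);
    if (udp_len < 8 || udp_len > total - ihl) return -1;
    out->dst_port = be16(udp + 2);
    out->payload = udp + 8;
    out->payload_len = udp_len - 8;
    return 0;
}

/* 1 if both frames carry the same UDP payload, regardless of VLAN tagging. */
int same_udp_payload(const struct udp_view *a, const struct udp_view *b) {
    return a->payload_len == b->payload_len && !memcmp(a->payload, b->payload, a->payload_len);
}

int main(void) {
    struct udp_view a, b;
    if (parse_udp_frame(frame_tagged, sizeof frame_tagged, &a) ||
        parse_udp_frame(frame_untagged, sizeof frame_untagged, &b)) return 1;
    printf("DF %d/%d, same payload: %d\n", a.df, b.df, same_udp_payload(&a, &b));
    return 0;
}
```

Double-tagged (QinQ) and IPv6 frames are rejected with -1 rather than guessed at.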
I am wondering why VPN on the same vps works fine?
2015-08-09 10:53 GMT+08:00 Max Lv notifications@github.com:
> @Liqianyu Here is the same packet on the router and the server. You can see the data is exactly the same, The different lengths are because of the additional 4 bytes for VLAN (802.1q). It means shadowsocks does its job.
> [image: image] https://cloud.githubusercontent.com/assets/627917/9153356/7585b7b8-3e83-11e5-8cbd-2e9a5930237d.png
> I think it's possible that XBOX blocks echo packets from VPS providers, which can avoid DDOS attacks on their server. Or XBOX takes your router's IP as your real IP and drops all packets from your VPS's IP.
@madeye But if you use PPTP VPN on the same server, it works, so I think Microsoft did not block the VPS IP.
Then I think XBOX may recognize the router's IP as your real IP.
Considering the incorrect MTU for shadowsocks, it's possible that XBOX uses something like ICMP to do both path MTU discovery and IP address detection (traceroute like).
@madeye However, I did not see icmp packets.
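https://www.v2ex.com/t/114234
http://nga.178.com/read.php?tid=8022395
At this point you also need the shadowsocks_win32_taskbar_addon.zip compiled by kyonli (this is a ) and ss-libev (the latest libev build at present is ss-libev_2.2.1_win32_215c063.zip, which can be downloaded from https://dl.kyonli.com/shadowsocks/).
These are used together with ProxyCap, but in actual use I found that only QQ's UDP connections worked well, with both sending and receiving (this may be related to the program itself supporting s5 proxy mode).
After that I tested GTA 5 and Battlefield 4. Both games use TCP as well as UDP; for the parts that need UDP connections, ProxyCap shows only sent and no recv, and then they fail to connect in various ways, or get disconnected.
I thought it was poor compatibility, so I tested with STEAM. When STEAM goes through ProxyCap, unless you force-add the parameter to use tcp, it cannot connect at all; looking at the analysis at that point, it is the same: UDP is sent but nothing is received.
For programs that do not support it in the first place, ProxyCap is not necessarily compatible either; it shows up as failing to connect, and even when connected it will drop (mainly because Socks5 does not support P2P hole punching). In this situation, either turn off UDP forwarding, or switch to ShadowVPN or a VPN.
PS: As for the original poster's problem, if you uncheck the option in Proxifier to resolve DNS through the remote server, it should be able to connect.
Before using proxycap I also used proxifier, and successfully ran D3 and GTA V, but as I said, it only works for TCP connections; udp is not handled at all.
After switching to proxycap, udp could be forwarded, but there were even more problems, and in the end I gave up.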
By digging into this issue further, I noticed that the DF flag is set for XBOX echo test. However, shadowsocks drops that flag when sending UDP packets to the remote server.
@Liqianyu Could you try the latest server code on the frag branch? No need to update the client on the router.
initial test showed some ip fragment error
still get 100% packet loss
Then, could you also try to update the router's shadowsocks-libev with the branch frag?
Test is underway ...
BTW, I invite you to join our game test QQ group. There are only 11 members in it, and it will not take much of your time. Group no. 466278219
Sorry, I do not use IMs like QQ...
After updating ss-redir on the router to the frag branch, I still get 100% packet loss.
I have the same issue on my Xbox One. But even with 100% loss, the Xbox can still play online very well as normal....
@sadoneli @Liqianyu Could you test the latest version on the master branch? A bug of connection cache is fixed recently.
Still has the problem on 2.4.0.
@sadoneli Does the Merlin ASUS firmware support the TPROXY module? It feels like Merlin and tomato-arm-shibby load the same kernel modules! Or did you add it at compile time? But I kept looking and could not find an option to add the TPROXY module when compiling!
@houzi- Yes, we have enabled TPROXY support in the kernel, and compiled the corresponding firmware.
@sadoneli
I am asking for guidance on how you enable TPROXY support in menuconfig when compiling the kernel!
When I configured the UDP proxy through TPROXY as described in the wiki, everything works fine; PS4 gets nat2 in -u mode, but X1 has an issue of 100% packet loss. I am not sure whether this problem comes from ss-redir.
If the problem comes from ss-redir, is there any test I can do to help?