Block QUIC protocol negotiation

CaptnDanLKW

Senior Member
I am looking to block outbound 443/UDP traffic from my Roku TV.

RT-AC86U, HW Accel Enabled. No Skynet, diversion, etc. (as my sig says)

My Roku TV has a DHCP lease reservation of 192.168.1.56

I am blocking traffic using this Network Services Filter with these settings.


A) Is this the correct method?

iptables shows this:
[email protected]:/tmp/home/root# iptables -L |grep -i JVC
DROP udp -- JVCRoku55. anywhere udp spt:https

B) Is there a way to log actions taken here if the rules match? Logged to /opt/var/log/firewall.log (scribe/syslog-ng location)

Background. Many different branded 4K Roku TVs have an odd issue with the YouTube app, where 2160p60 content won't keep up and keeps buffering, regardless of wired/wireless or ISP speeds.

I found a (recent) post in the Roku community forums that says it has something to do with negotiating the QUIC protocol, and if you block it, it will fall back to TCP and should fix this quirk.

This has NOT fixed it for me, so I wanted to verify my setting was proper per the instructions AND get a log message that the router saw and dropped it.



Thanks all!
 

dave14305

Part of the Furniture
Shouldn’t the destination port be 443 instead of the source? Is there any IPv6 to worry about?
 

CaptnDanLKW

Senior Member
Shouldn’t the destination port be 443 instead of the source? Is there any IPv6 to worry about?
Umm, I read the interface layout as the first 'port' field being 443 out of the device, but I can see that 443 as the destination port also makes sense. Just tried, no change, still buffering.

I see the NSF section put the rule in the NSFW Chain.

Can you recommend an iptables command I can execute that does the same thing and adds the logging option? I'm rusty messing with the whole iptables processing order and syntax.

Thankfully Roku OS has not implemented IPv6 yet.
 

dave14305

Part of the Furniture
What does the existing rule look like?
Code:
iptables -S NSFW
 

CaptnDanLKW

Senior Member
What does the existing rule look like?
Code:
iptables -S NSFW
[email protected]:/tmp/home/root# iptables -S NSFW
-N NSFW
-A NSFW -s 192.168.1.56/32 -i br0 -o eth0 -p udp -m udp --sport 443 --dport 443 -j logdrop
-A NSFW -i br0 -o eth0 -j RETURN
 

dave14305

Part of the Furniture
[email protected]:/tmp/home/root# iptables -S NSFW
-N NSFW
-A NSFW -s 192.168.1.56/32 -i br0 -o eth0 -p udp -m udp --sport 443 --dport 443 -j logdrop
-A NSFW -i br0 -o eth0 -j RETURN
Remove the 443 in the first Port Range field and try again. Your source port will usually be random.
 

CaptnDanLKW

Senior Member
Remove the 443 in the first Port Range field and try again. Your source port will usually be random.
(Ashamed) Well, duh! I should have remembered that!

Fixed! (or at least what's considered a workaround). Thank you sir!
 

CaptnDanLKW

Senior Member
Also seeing associated entries in the firewall log (guess log is the default). Now I can disable FW logging again.

May 2 18:21:06 RTAC86U kernel: DROP IN=br0 OUT=eth0 SRC=192.168.1.56 DST=142.250.9.156 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=25827 DF PROTO=UDP SPT=49463 DPT=443 LEN=1358
May 2 18:21:06 RTAC86U kernel: DROP IN=br0 OUT=eth0 SRC=192.168.1.56 DST=142.250.9.156 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=25829 DF PROTO=UDP SPT=49463 DPT=443 LEN=1358
May 2 18:21:07 RTAC86U kernel: DROP IN=br0 OUT=eth0 SRC=192.168.1.56 DST=142.250.9.156 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=25831 DF PROTO=UDP SPT=49463 DPT=443 LEN=1358
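The two points the thread settles, that an outbound QUIC block must match only the destination port because the client's source port is ephemeral, and that a logged hit shows up as a kernel DROP line with PROTO=UDP and DPT=443, can be checked without touching a live router. The script below is an added example, not code from the thread or from Asuswrt-Merlin. It assumes the interface and chain names seen on the RT-AC86U above (LAN bridge br0, WAN eth0, user chain NSFW); the LOG prefix "QUIC-DROP " and the rate limit are arbitrary choices for the example, and the sample rule list and log lines are constructed inline (the QUIC line uses the values from the post above).

```shell
#!/bin/sh
# Added example: generate the correct UDP/443 block rules for one LAN host,
# audit an 'iptables -S NSFW' listing for the source-port mistake, and parse
# the kernel DROP lines the rules produce. Not Asuswrt-Merlin's own code.
# Assumed names: br0 (LAN), eth0 (WAN), NSFW (chain), prefix "QUIC-DROP ".

# Print the iptables commands that block outbound QUIC from one LAN host and
# log every hit (LOG first, then DROP). Only the destination port is matched:
# the client's source port is ephemeral (49463 in the thread's log), so a
# rule that also requires --sport 443 never matches anything.
quic_block_rules() {
    ip="$1"
    printf '%s\n' \
      "iptables -I NSFW 1 -s $ip -i br0 -o eth0 -p udp --dport 443 -m limit --limit 10/min -j LOG --log-prefix 'QUIC-DROP ' --log-level 4" \
      "iptables -I NSFW 2 -s $ip -i br0 -o eth0 -p udp --dport 443 -j DROP"
}

# Audit 'iptables -S NSFW' output read on stdin. Prints BAD for any UDP rule
# that matches 443 as the source port and OK for destination-port rules;
# returns non-zero if at least one BAD rule was found.
audit_rules() {
    awk '
      /-p udp/ && /--sport 443( |$)/ { print "BAD " $0; bad = 1; next }
      /-p udp/ && /--dport 443( |$)/ { print "OK  " $0; next }
      END { exit bad ? 1 : 0 }
    '
}

# Parse one kernel DROP line (the format shown in the thread) into
# "SRC DST SPT DPT" on stdout. Returns 0 only for UDP to port 443, i.e. a
# dropped QUIC attempt; any other protocol or port returns 1.
parse_drop_line() {
    src=""; dst=""; spt=""; dpt=""; proto=""
    for kv in $1; do
        case "$kv" in
            SRC=*)   src="${kv#SRC=}" ;;
            DST=*)   dst="${kv#DST=}" ;;
            PROTO=*) proto="${kv#PROTO=}" ;;
            SPT=*)   spt="${kv#SPT=}" ;;
            DPT=*)   dpt="${kv#DPT=}" ;;
        esac
    done
    echo "$src $dst $spt $dpt"
    [ "$proto" = "UDP" ] && [ "$dpt" = "443" ]
}

# Constructed sample input: the rule as first posted (source port 443 and
# destination port 443), the corrected rule, and the chain's RETURN.
SAMPLE_RULES='-N NSFW
-A NSFW -s 192.168.1.56/32 -i br0 -o eth0 -p udp -m udp --sport 443 --dport 443 -j logdrop
-A NSFW -s 192.168.1.56/32 -i br0 -o eth0 -p udp -m udp --dport 443 -j logdrop
-A NSFW -i br0 -o eth0 -j RETURN'

# Constructed sample log lines in the kernel's format: one QUIC drop (values
# copied from the thread) and one TCP drop that must not count as QUIC.
SAMPLE_LOG_QUIC='May  2 18:21:06 RTAC86U kernel: DROP IN=br0 OUT=eth0 SRC=192.168.1.56 DST=142.250.9.156 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=25827 DF PROTO=UDP SPT=49463 DPT=443 LEN=1358'
SAMPLE_LOG_TCP='May  2 18:21:09 RTAC86U kernel: DROP IN=br0 OUT=eth0 SRC=192.168.1.56 DST=142.250.9.156 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=25900 DF PROTO=TCP SPT=50122 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'

# Demo when run directly as: sh quic_block.sh demo
if [ "${1:-}" = "demo" ]; then
    quic_block_rules 192.168.1.56
    printf '%s\n' "$SAMPLE_RULES" | audit_rules || echo "fix the BAD rule(s) above"
    parse_drop_line "$SAMPLE_LOG_QUIC" && echo "dropped QUIC attempt logged"
fi
```

The explicit LOG rule carries its own prefix, so the hits can be grepped out of the syslog regardless of the GUI's firewall-logging setting, and the limit match keeps a buffering TV from flooding the log. On Asuswrt-Merlin the NSFW chain is rebuilt whenever the firewall restarts, so rules added by hand belong in /jffs/scripts/firewall-start rather than typed once at the prompt. If the client ever gains IPv6, the same two rules are needed in ip6tables as well, which is the point behind the IPv6 question above.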
 
