Problem with Zoom / Meet

Networking
1

I have an issue with my new ipfire setup. It seems like a NAT or STUN issue. Zoom meetings seem to work with audio, but the remote side cannot see my video. Google meet is much the same. Remote participants can hear my voice, but my video doesn’t display for them. I can see them just fine.

General web browsing and other things work fine.

Before, I was using a common Netgear wireless router and I didn’t have this issue. Any ideas? My hardware is an Acer desktop w/ a dual Intel PCIe NIC.

IPFire version	IPFire 2.27 (x86_64) - core173
Pakfire version	2.27-x86_64
Kernel version	Linux tubes.moorenet.local 6.1.11-ipfire #1 SMP PREEMPT_DYNAMIC Wed Feb 22 17:07:36 GMT 2023 x86_64 Intel(R) Celeron(R) J4125 CPU @ 2.00GHz GenuineIntel GNU/Linux
Summary 
*raw
:PREROUTING ACCEPT [288478229:185031905133]
:OUTPUT ACCEPT [1186058:621842440]
COMMIT
# Completed on Tue Apr 18 20:31:09 2023
*mangle
:PREROUTING ACCEPT [715470:471888981]
:INPUT ACCEPT [32883:2350287]
:FORWARD ACCEPT [682564:469509926]
:OUTPUT ACCEPT [32118:46501213]
:POSTROUTING ACCEPT [714380:515976928]
:NAT_DESTINATION - [0:0]
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -j NAT_DESTINATION
-A NAT_DESTINATION -s 192.168.X.X/24 -d 24.X.X.X/32 -j MARK --set-xmark 0x1000000/0xf000000
-A NAT_DESTINATION -s 192.168.X.X/24 -d 24.X.X.X/32 -p udp -m udp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j MARK --set-xmark 0x1000000/0xf000000
-A NAT_DESTINATION -s 192.168.X.X/24 -d 24.X.X.X/32 -p tcp -m tcp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j MARK --set-xmark 0x1000000/0xf000000
-A NAT_DESTINATION -s 192.168.X.X/24 -d 24.X.X.X/32 -p tcp -m tcp --dport DPORT2 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j MARK --set-xmark 0x1000000/0xf000000
-A NAT_DESTINATION -s 192.168.X.X/24 -d 24.X.X.X/32 -p udp -m udp --sport 5060 -j MARK --set-xmark 0x1000000/0xf000000
COMMIT
*nat
:PREROUTING ACCEPT [2318:203563]
:INPUT ACCEPT [127:15434]
:OUTPUT ACCEPT [40:3099]
:POSTROUTING ACCEPT [37:2911]
:CAPTIVE_PORTAL - [0:0]
:CUSTOMPOSTROUTING - [0:0]
:CUSTOMPREROUTING - [0:0]
:IPSECNAT - [0:0]
:NAT_DESTINATION - [0:0]
:NAT_DESTINATION_FIX - [0:0]
:NAT_SOURCE - [0:0]
:OVPNNAT - [0:0]
:REDNAT - [0:0]
:SQUID - [0:0]
-A PREROUTING -j CUSTOMPREROUTING
-A PREROUTING -j CAPTIVE_PORTAL
-A PREROUTING -j SQUID
-A PREROUTING -j NAT_DESTINATION
-A OUTPUT -j NAT_DESTINATION
-A POSTROUTING -j CUSTOMPOSTROUTING
-A POSTROUTING -j OVPNNAT
-A POSTROUTING -j IPSECNAT
-A POSTROUTING -j NAT_SOURCE
-A POSTROUTING -j NAT_DESTINATION_FIX
-A POSTROUTING -j REDNAT
-A NAT_DESTINATION -s 38.X.X.X/32 -d 24.X.X.X/32 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNAT "
-A NAT_DESTINATION -s 38.X.X.X/32 -d 24.X.X.X/32 -j DNAT --to-destination 192.168.X.X
-A NAT_DESTINATION -d 24.X.X.X/32 -p udp -m udp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNAT "
-A NAT_DESTINATION -d 24.X.X.X/32 -p udp -m udp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j DNAT --to-destination 192.168.X.X
-A NAT_DESTINATION -d 24.X.X.X/32 -p tcp -m tcp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNAT "
-A NAT_DESTINATION -d 24.X.X.X/32 -p tcp -m tcp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j DNAT --to-destination 192.168.X.X
-A NAT_DESTINATION -d 24.X.X.X/32 -p tcp -m tcp --dport DPORT2 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNAT "
-A NAT_DESTINATION -d 24.X.X.X/32 -p tcp -m tcp --dport DPORT2 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j DNAT --to-destination 192.168.X.X
-A NAT_DESTINATION -s 208.X.X.X/32 -d 24.X.X.X/32 -p udp -m udp --sport 5060 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNAT "
-A NAT_DESTINATION -s 208.X.X.X/32 -d 24.X.X.X/32 -p udp -m udp --sport 5060 -j DNAT --to-destination 192.168.X.X
-A NAT_DESTINATION_FIX -m mark --mark 0x1000000/0xf000000 -j SNAT --to-source 192.168.X.X
-A REDNAT -o red0 -m policy --dir out --pol ipsec -j RETURN
-A REDNAT -o red0 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.8.9 
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BADTCP - [0:0]
:BLOCKLISTIN - [0:0]
:BLOCKLISTOUT - [0:0]
:CAPTIVE_PORTAL - [0:0]
:CAPTIVE_PORTAL_CLIENTS - [0:0]
:CONNTRACK - [0:0]
:CTINVALID - [0:0]
:CUSTOMFORWARD - [0:0]
:CUSTOMINPUT - [0:0]
:CUSTOMOUTPUT - [0:0]
:DHCPBLUEINPUT - [0:0]
:DHCPBLUEOUTPUT - [0:0]
:DHCPGREENINPUT - [0:0]
:DHCPGREENOUTPUT - [0:0]
:DHCPINPUT - [0:0]
:DHCPOUTPUT - [0:0]
:FORWARDFW - [0:0]
:GUARDIAN - [0:0]
:GUIINPUT - [0:0]
:HOSTILE - [0:0]
:HOSTILE_DROP - [0:0]
:ICMPINPUT - [0:0]
:INPUTFW - [0:0]
:IPSBYPASS - [0:0]
:IPSECBLOCK - [0:0]
:IPSECFORWARD - [0:0]
:IPSECINPUT - [0:0]
:IPSECOUTPUT - [0:0]
:IPS_FORWARD - [0:0]
:IPS_INPUT - [0:0]
:IPS_OUTPUT - [0:0]
:IPTVFORWARD - [0:0]
:IPTVINPUT - [0:0]
:LOCATIONBLOCK - [0:0]
:LOG_DROP - [0:0]
:LOG_REJECT - [0:0]
:LOOPBACK - [0:0]
:NEWNOTSYN - [0:0]
:OUTGOINGFW - [0:0]
:OVPNBLOCK - [0:0]
:OVPNINPUT - [0:0]
:POLICYFWD - [0:0]
:POLICYIN - [0:0]
:POLICYOUT - [0:0]
:PSCAN - [0:0]
:REDFORWARD - [0:0]
:REDINPUT - [0:0]
:SPOOFED_MARTIAN - [0:0]
:TOR_INPUT - [0:0]
:TOR_OUTPUT - [0:0]
:WIRELESSFORWARD - [0:0]
:WIRELESSINPUT - [0:0]
-A INPUT -m mark --mark 0xc0000000/0xc0000000 -j IPSBYPASS
-A INPUT -p tcp -j BADTCP
-A INPUT -j CUSTOMINPUT
-A INPUT -j HOSTILE
-A INPUT ! -p icmp -j BLOCKLISTIN
-A INPUT -j GUARDIAN
-A INPUT -i tun+ -j OVPNBLOCK
-A INPUT -m mark --mark 0x0/0xc0000000 -j IPS_INPUT
-A INPUT -j IPTVINPUT
-A INPUT -j ICMPINPUT
-A INPUT -j LOOPBACK
-A INPUT -j CAPTIVE_PORTAL
-A INPUT -j CONNTRACK
-A INPUT -i green0 -j DHCPGREENINPUT
-A INPUT -j TOR_INPUT
-A INPUT -j LOCATIONBLOCK
-A INPUT -j IPSECINPUT
-A INPUT -j GUIINPUT
-A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
-A INPUT -j OVPNINPUT
-A INPUT -j INPUTFW
-A INPUT -j REDINPUT
-A INPUT -j POLICYIN
-A FORWARD -m mark --mark 0xc0000000/0xc0000000 -j IPSBYPASS
-A FORWARD -p tcp -j BADTCP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j CUSTOMFORWARD
-A FORWARD -j HOSTILE
-A FORWARD ! -p icmp -j BLOCKLISTIN
-A FORWARD ! -p icmp -j BLOCKLISTOUT
-A FORWARD -j GUARDIAN
-A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
-A FORWARD -i tun+ -j OVPNBLOCK
-A FORWARD -o tun+ -j OVPNBLOCK
-A FORWARD -m mark --mark 0x0/0xc0000000 -j IPS_FORWARD
-A FORWARD -j IPTVFORWARD
-A FORWARD -j LOOPBACK
-A FORWARD -j CAPTIVE_PORTAL
-A FORWARD -j CONNTRACK
-A FORWARD -j LOCATIONBLOCK
-A FORWARD -j IPSECFORWARD
-A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
-A FORWARD -j FORWARDFW
-A FORWARD -j REDFORWARD
-A FORWARD -j POLICYFWD
-A OUTPUT -m mark --mark 0xc0000000/0xc0000000 -j IPSBYPASS
-A OUTPUT -j CUSTOMOUTPUT
-A OUTPUT -j HOSTILE
-A OUTPUT ! -p icmp -j BLOCKLISTOUT
-A OUTPUT -m policy --dir out --pol none -j IPSECBLOCK
-A OUTPUT -m mark --mark 0x0/0xc0000000 -j IPS_OUTPUT
-A OUTPUT -j LOOPBACK
-A OUTPUT -j CONNTRACK
-A OUTPUT -o green0 -j DHCPGREENOUTPUT
-A OUTPUT -j IPSECOUTPUT
-A OUTPUT -j TOR_OUTPUT
-A OUTPUT -j OUTGOINGFW
-A OUTPUT -j POLICYOUT
-A BADTCP -i lo -j RETURN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j PSCAN
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j PSCAN
-A BADTCP -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j NEWNOTSYN
-A CAPTIVE_PORTAL_CLIENTS -p udp -m udp --dport 53 -m hashlimit --hashlimit-upto 3kb/s --hashlimit-burst 1mb --hashlimit-mode srcip --hashlimit-name dns-filter -j RETURN
-A CAPTIVE_PORTAL_CLIENTS -p tcp -m tcp --dport 53 -m hashlimit --hashlimit-upto 3kb/s --hashlimit-burst 1mb --hashlimit-mode srcip --hashlimit-name dns-filter -j RETURN
-A CAPTIVE_PORTAL_CLIENTS -j DROP
-A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID
-A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A CTINVALID -m comment --comment DROP_CTINVALID -j DROP
-A DHCPGREENINPUT -i green0 -j DHCPINPUT
-A DHCPGREENOUTPUT -o green0 -j DHCPOUTPUT
-A DHCPINPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A DHCPINPUT -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT
-A DHCPOUTPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A DHCPOUTPUT -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A FORWARDFW -s 38.X.X.X/32 -d 192.168.X.X/32 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "FORWARDFW "
-A FORWARDFW -s 38.X.X.X/32 -d 192.168.X.X/32 -j ACCEPT
-A FORWARDFW -d 192.168.X.X/32 -p udp -m udp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "FORWARDFW "
-A FORWARDFW -d 192.168.X.X/32 -p udp -m udp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j ACCEPT
-A FORWARDFW -d 192.168.X.X/32 -p tcp -m tcp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "FORWARDFW "
-A FORWARDFW -d 192.168.X.X/32 -p tcp -m tcp --dport DPORT1 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j ACCEPT
-A FORWARDFW -d 192.168.X.X/32 -p tcp -m tcp --dport DPORT2 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "FORWARDFW "
-A FORWARDFW -d 192.168.X.X/32 -p tcp -m tcp --dport DPORT2 -m time --timestart 18:00:00 --timestop 03:15:00 --weekdays Fri,Sat,Sun --datestop 2038-01-19T03:14:07 -j ACCEPT
-A FORWARDFW -s 208.X.X.X/32 -d 192.168.X.X/32 -p udp -m udp --sport 5060 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "FORWARDFW "
-A FORWARDFW -s 208.X.X.X/32 -d 192.168.X.X/32 -p udp -m udp --sport 5060 -j ACCEPT
-A GUIINPUT -i green0 -p tcp -m tcp --dport 444 -j ACCEPT
-A HOSTILE_DROP -m limit --limit 10/sec -j LOG --log-prefix "DROP_HOSTILE "
-A HOSTILE_DROP -m comment --comment DROP_HOSTILE -j DROP
-A ICMPINPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A IPSBYPASS -j CONNMARK --save-mark --nfmask 0x7fffffff --ctmask 0x7fffffff
-A LOCATIONBLOCK ! -i red0 -j RETURN
-A LOCATIONBLOCK -s 10.0.0.0/8 -j RETURN
-A LOCATIONBLOCK -s 172.16.0.0/12 -j RETURN
-A LOCATIONBLOCK -s 192.168.0.0/16 -j RETURN
-A LOCATIONBLOCK -s 100.64.0.0/10 -j RETURN
-A LOG_DROP -m limit --limit 10/sec -j LOG
-A LOG_DROP -j DROP
-A LOG_REJECT -m limit --limit 10/sec -j LOG
-A LOG_REJECT -j REJECT --reject-with icmp-port-unreachable
-A LOOPBACK -i lo -j ACCEPT
-A LOOPBACK -o lo -j ACCEPT
-A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
-A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
-A NEWNOTSYN -m limit --limit 10/sec -j LOG --log-prefix "DROP_NEWNOTSYN "
-A NEWNOTSYN -m comment --comment DROP_NEWNOTSYN -j DROP
-A OVPNBLOCK -p icmp -m conntrack --ctstate RELATED -j RETURN
-A OVPNINPUT -i red0 -p udp -m udp --dport 1194 -j ACCEPT
-A POLICYFWD -s 192.168.X.X/24 -i green0 -j ACCEPT
-A POLICYFWD -m policy --dir in --pol ipsec -j ACCEPT
-A POLICYFWD -i tun+ -j ACCEPT
-A POLICYFWD -m limit --limit 10/sec -j LOG --log-prefix "DROP_FORWARD "
-A POLICYFWD -m comment --comment DROP_FORWARD -j DROP
-A POLICYIN -p udp -m udp --dport 514 -j DROP
-A POLICYIN -i green0 -j ACCEPT
-A POLICYIN -m policy --dir in --pol ipsec -j ACCEPT
-A POLICYIN -i tun+ -j ACCEPT
-A POLICYIN -m limit --limit 10/sec -j LOG --log-prefix "DROP_INPUT "
-A POLICYIN -m comment --comment DROP_INPUT -j DROP
-A POLICYOUT -j ACCEPT
-A POLICYOUT -m comment --comment DROP_OUTPUT -j DROP
-A PSCAN -p tcp -m limit --limit 10/sec -m comment --comment "DROP_TCP PScan" -j LOG --log-prefix "DROP_TCP Scan "
-A PSCAN -p udp -m limit --limit 10/sec -m comment --comment "DROP_UDP PScan" -j LOG --log-prefix "DROP_UDP Scan "
-A PSCAN -p icmp -m limit --limit 10/sec -m comment --comment "DROP_ICMP PScan" -j LOG --log-prefix "DROP_ICMP Scan "
-A PSCAN -f -m limit --limit 10/sec -m comment --comment "DROP_FRAG PScan" -j LOG --log-prefix "DROP_FRAG Scan "
-A PSCAN -m comment --comment DROP_PScan -j DROP
-A REDINPUT -s 24.X.X.X/32 -i red0 -j SPOOFED_MARTIAN
-A REDINPUT -i red0 -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A REDINPUT -i red0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A SPOOFED_MARTIAN -m limit --limit 10/sec -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
-A SPOOFED_MARTIAN -m comment --comment DROP_SPOOFED_MARTIAN -j DROP
COMMIT
2

Very strange. I have very limited Internet, having a practical upload of only about 1 Mb/s, yet recent Zoom sessions have transmitted video fine, from either a 720p webcam or the laptop’s inbuilt 1080p.
I have QoS enabled on IPFire, with upload capability identified as 1000 kb/s.

Zoom defaults to mirroring your own video. Can you see your video in your own “thumbnail” ? That would indicate that the camera is working plus video is being transmitted.

3

Hi @jaime

Welcome to the IPFire community.

Your problem sounds similar to a bug that was present a couple of years ago. It took a while to find a solution but was eventually fixed in Core Update 165. However if it is the same then you need to do some manual intervention, using setup, on the red interface settings.

Some ISP’s have cable modems which return an unusually small MTU of only 576 bytes which will cause that IPFire will fragment every packet larger than this before it can be sent out on the RED interface.

See the first item in the Misc section in this release announcement for CU165
https://blog.ipfire.org/post/ipfire-2-27-core-update-165-released#misc

The original thread on this bug topic was
https://community.ipfire.org/t/google-meet-stopped-working-after-core-update-152-153/4272

3 Likes
4

That did solve my issue. Commenting out
interface_mtu
in /var/ipfire/dhcpc/dhcpcd.conf .

Then a quick red0 down and red0 up and everything works.

Thanks!

2 Likes