android adb rules firing inconsistently

[wfx3]

my first time working with android adb and i can't figure out why the LAN firewall rule to port 5555 is firing inconsistently.  the 2.220 host (tinkerboard) is behind a gateway (ddwrt).  any ideas why the second and third packets below would skip the rule entirely?

Code Select Expand


$ ifconfig | grep inet
inet 192.168.1.232 netmask 0xffffff00 broadcast 192.168.1.255
$ adb connect 192.168.2.220         
failed to connect to 192.168.2.220:5555
$ ping 192.168.2.220
PING 192.168.2.220 (192.168.2.220): 56 data bytes
64 bytes from 192.168.2.220: icmp_seq=0 ttl=63 time=10.513 ms
64 bytes from 192.168.2.220: icmp_seq=1 ttl=63 time=8.080 ms




 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

__timestamp__	11/18/18 17:55:54	11/18/18 17:55:54	11/18/18 17:55:53
ack		190817746	190817746
action	[pass]	[block]	[block]
anchorname
datalen	0	0	0
dir	[in]	[in]	[in]
dst	192.168.2.220	192.168.2.220	192.168.2.220
dstport	5555	5555	5555
ecn
id	0	0	5636
interface	igb2	igb2	igb2
ipflags	DF	DF	none
label	USER_RULE: allow LAN to tinkerboard	USER_RULE: default block IPv4 LAN	USER_RULE: default block IPv4 LAN
length	64	40	40
offset	0	0	0
proto	6	6	6
protoname	tcp	tcp	tcp
reason	match	match	match
ridentifier	0	0	0
rulenr	122	124	124
seq	3901304184	3330648330
src	192.168.1.232	192.168.1.232	192.168.1.232
srcport	49965	49910	49910
subrulenr
tcpflags	S	RA	A
tcpopts
tos	0x0	0x0	0x0
ttl	64	64	64
urp	65535	2058	2058
version	4	4	4

[wfx3]

i am thinking this is an asymmetric routing issue, because the gateway (ddwrt) is on the internal LAN interface. 

there is this article https://www.netgate.com/docs/pfsense/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html under "gateway set when it should not be set" which talks about the ill effects of pfsense. 

i am not sure how the adb protocol works though.  the DF flag in some of the blocked packets makes me think there is some fragmentation/MTU issue.