Access WAN Relay via LAN: OK on Wifi, no go via Ethernet

Please can someone else help or otherwise confirm this problem?

So I have this
https://dynamic-dns-name:2345/ (resolves to routable WAN IP)

And on the router, under Firewall - Port Forwards
DNAT
tcp dpt:2345 to:192.168.19.2:2345

If I access it from ANYWHERE on the WAN, all is fine!
If I access it from 192.168.19.x on the LAN via WIFI, all is fine!
If I access it from 192.168.19.x on the LAN via Ethernet, TLS refuses to connect!

WIFI = 192.168.19.117
LAN = 192.168.19.118

Note:

I can establish a TCP connection via: https://dynamic-dns-name:2345/ from LAN WIFI/Ethernet

I can establish a TLS connection via: https://dynamic-dns-name:2345/ from LAN WIFI

I cannot establish a TLS connection via: https://dynamic-dns-name:2345/ from LAN Ethernet

Hangs via Ethernet:

openssl s_client -connect dynamic-dns-name:2345
CONNECTED(00000003)

nothing more after CONNECTED....

WIFI works, however:

openssl s_client -connect dynamic-dns-name:2345
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = dynamic-dns-name
verify return:1
---
Certificate chain
 0 s:/CN=dynamic-dns-name
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...

Any hot tips? There are NO blocks or limits on the 192.168.19.2 device. Nor on OpenWRT - it forwards TCP+UDP from dynamic-dns-name:2345 to 192.168.19.2:2345

===supplementary===

When I run openssl s_client -connect dynamic-dns-name:2345 via LAN Ethernet, here are tcpdumps for port 2345 on OpenWRT (HANGS):

23:25:30.340754 IP MacBook-Pro.lan.61519 > dynamic-dns-name.2345: Flags [R.], seq 201, ack 1, win 2081, length 0
23:25:30.340838 IP openwrt.lan.61519 > 192.168.19.2.2345: Flags [R.], seq 201, ack 1, win 2081, length 0
23:25:30.956171 IP MacBook-Pro.lan.61521 > dynamic-dns-name.2345: Flags [S], seq 1944659443, win 65535, options [mss 4048,nop,wscale 6,nop,nop,TS val 1298788601 ecr 0,sackOK,eol], length 0
23:25:30.956367 IP openwrt.lan.61521 > 192.168.19.2.2345: Flags [S], seq 1944659443, win 65535, options [mss 4048,nop,wscale 6,nop,nop,TS val 1298788601 ecr 0,sackOK,eol], length 0
23:25:30.957349 IP 192.168.19.2.2345 > openwrt.lan.61521: Flags [S.], seq 2561552599, ack 1944659444, win 17896, options [mss 8960,sackOK,TS val 164411504 ecr 1298788601,nop,wscale 4], length 0
23:25:30.957500 IP dynamic-dns-name.2345 > MacBook-Pro.lan.61521: Flags [S.], seq 2561552599, ack 1944659444, win 17896, options [mss 8960,sackOK,TS val 164411504 ecr 1298788601,nop,wscale 4], length 0
23:25:30.957695 IP MacBook-Pro.lan.61521 > dynamic-dns-name.2345: Flags [.], ack 1, win 2081, options [nop,nop,TS val 1298788602 ecr 164411504], length 0
23:25:30.957820 IP openwrt.lan.61521 > 192.168.19.2.2345: Flags [.], ack 1, win 2081, options [nop,nop,TS val 1298788602 ecr 164411504], length 0
23:25:30.957855 IP MacBook-Pro.lan.61521 > dynamic-dns-name.2345: Flags [P.], seq 1:201, ack 1, win 2081, options [nop,nop,TS val 1298788602 ecr 164411504], length 200
23:25:30.957893 IP openwrt.lan.61521 > 192.168.19.2.2345: Flags [P.], seq 1:201, ack 1, win 2081, options [nop,nop,TS val 1298788602 ecr 164411504], length 200
23:25:30.958098 IP 192.168.19.2.2345 > openwrt.lan.61521: Flags [.], ack 201, win 1119, options [nop,nop,TS val 164411504 ecr 1298788602], length 0
23:25:30.958157 IP dynamic-dns-name.2345 > MacBook-Pro.lan.61521: Flags [.], ack 201, win 1119, options [nop,nop,TS val 164411504 ecr 1298788602], length 0
23:25:41.009258 IP 192.168.19.2.2345 > openwrt.lan.61521: Flags [F.], seq 3002, ack 201, win 1119, options [nop,nop,TS val 164412510 ecr 1298788602], length 0
23:25:41.009350 IP dynamic-dns-name.2345 > MacBook-Pro.lan.61521: Flags [F.], seq 3002, ack 201, win 1119, options [nop,nop,TS val 164412510 ecr 1298788602], length 0
23:25:41.009791 IP MacBook-Pro.lan.61521 > dynamic-dns-name.2345: Flags [.], ack 1, win 2081, options [nop,nop,TS val 1298798331 ecr 164411504,nop,nop,sack 1 {3002:3003}], length 0
23:25:41.009869 IP openwrt.lan.61521 > 192.168.19.2.2345: Flags [.], ack 1, win 2081, options [nop,nop,TS val 1298798331 ecr 164411504,nop,nop,sack 1 {3002:3003}], length 0

On my localhost via LAN Ethernet (HANGS)

23:27:56.365754 IP macbook-pro.lan.61559 > dynamic-dns-name.2345: Flags [S], seq 224691503, win 65535, options [mss 4048,nop,wscale 6,nop,nop,TS val 1298926690 ecr 0,sackOK,eol], length 0
23:27:56.366329 IP dynamic-dns-name.2345 > macbook-pro.lan.61559: Flags [S.], seq 537481701, ack 224691504, win 17896, options [mss 8960,sackOK,TS val 164426045 ecr 1298926690,nop,wscale 4], length 0
23:27:56.366348 IP macbook-pro.lan.61559 > dynamic-dns-name.2345: Flags [.], ack 1, win 2081, options [nop,nop,TS val 1298926690 ecr 164426045], length 0
23:27:56.366465 IP macbook-pro.lan.61559 > dynamic-dns-name.2345: Flags [P.], seq 1:201, ack 1, win 2081, options [nop,nop,TS val 1298926690 ecr 164426045], length 200
23:27:56.366846 IP dynamic-dns-name.2345 > macbook-pro.lan.61559: Flags [.], ack 201, win 1119, options [nop,nop,TS val 164426045 ecr 1298926690], length 0

====

When I run openssl s_client -connect dynamic-dns-name:2345 via LAN WIFI, here are tcpdumps for port 2345 on OpenWRT (WORKING):

23:34:01.700758 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [S], seq 3721857026, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1299279775 ecr 0,sackOK,eol], length 0
23:34:01.700972 IP openwrt.lan.61701 > 192.168.19.2.5001: Flags [S], seq 3721857026, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1299279775 ecr 0,sackOK,eol], length 0
23:34:01.701082 IP 192.168.19.2.5001 > openwrt.lan.61701: Flags [S.], seq 1964506585, ack 3721857027, win 17896, options [mss 8960,sackOK,TS val 164462579 ecr 1299279775,nop,wscale 4], length 0
23:34:01.701205 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [S.], seq 1964506585, ack 3721857027, win 17896, options [mss 8960,sackOK,TS val 164462579 ecr 1299279775,nop,wscale 4], length 0
23:34:01.704647 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [.], ack 1, win 2058, options [nop,nop,TS val 1299279784 ecr 164462579], length 0
23:34:01.704744 IP openwrt.lan.61701 > 192.168.19.2.5001: Flags [.], ack 1, win 2058, options [nop,nop,TS val 1299279784 ecr 164462579], length 0
23:34:01.704800 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [P.], seq 1:201, ack 1, win 2058, options [nop,nop,TS val 1299279784 ecr 164462579], length 200
23:34:01.704845 IP openwrt.lan.61701 > 192.168.19.2.5001: Flags [P.], seq 1:201, ack 1, win 2058, options [nop,nop,TS val 1299279784 ecr 164462579], length 200
23:34:01.705027 IP 192.168.19.2.5001 > openwrt.lan.61701: Flags [.], ack 201, win 1119, options [nop,nop,TS val 164462579 ecr 1299279784], length 0
23:34:01.705110 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [.], ack 201, win 1119, options [nop,nop,TS val 164462579 ecr 1299279784], length 0
23:34:01.758919 IP 192.168.19.2.5001 > openwrt.lan.61701: Flags [.], seq 1:1449, ack 201, win 1119, options [nop,nop,TS val 164462584 ecr 1299279784], length 1448
23:34:01.759004 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [.], seq 1:1449, ack 201, win 1119, options [nop,nop,TS val 164462584 ecr 1299279784], length 1448
23:34:01.759090 IP 192.168.19.2.5001 > openwrt.lan.61701: Flags [.], seq 1449:2897, ack 201, win 1119, options [nop,nop,TS val 164462584 ecr 1299279784], length 1448
23:34:01.759149 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [.], seq 1449:2897, ack 201, win 1119, options [nop,nop,TS val 164462584 ecr 1299279784], length 1448
23:34:01.759202 IP 192.168.19.2.5001 > openwrt.lan.61701: Flags [P.], seq 2897:3002, ack 201, win 1119, options [nop,nop,TS val 164462584 ecr 1299279784], length 105
23:34:01.759244 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [P.], seq 2897:3002, ack 201, win 1119, options [nop,nop,TS val 164462584 ecr 1299279784], length 105
23:34:01.764003 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 1299279840 ecr 164462584], length 0
23:34:01.764083 IP openwrt.lan.61701 > 192.168.19.2.5001: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 1299279840 ecr 164462584], length 0
23:34:01.764140 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [.], ack 3002, win 2011, options [nop,nop,TS val 1299279840 ecr 164462584], length 0
23:34:01.764183 IP openwrt.lan.61701 > 192.168.19.2.5001: Flags [.], ack 3002, win 2011, options [nop,nop,TS val 1299279840 ecr 164462584], length 0
23:34:01.767330 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [P.], seq 201:327, ack 3002, win 2048, options [nop,nop,TS val 1299279843 ecr 164462584], length 126
23:34:01.767403 IP openwrt.lan.61701 > 192.168.19.2.5001: Flags [P.], seq 201:327, ack 3002, win 2048, options [nop,nop,TS val 1299279843 ecr 164462584], length 126
23:34:01.767470 IP 192.168.19.2.5001 > openwrt.lan.61701: Flags [.], ack 327, win 1119, options [nop,nop,TS val 164462585 ecr 1299279843], length 0
23:34:01.767514 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [.], ack 327, win 1119, options [nop,nop,TS val 164462585 ecr 1299279843], length 0
23:34:01.780383 IP 192.168.19.2.5001 > openwrt.lan.61701: Flags [P.], seq 3002:3053, ack 327, win 1119, options [nop,nop,TS val 164462587 ecr 1299279843], length 51
23:34:01.780453 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [P.], seq 3002:3053, ack 327, win 1119, options [nop,nop,TS val 164462587 ecr 1299279843], length 51
23:34:01.782748 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [.], ack 3053, win 2047, options [nop,nop,TS val 1299279856 ecr 164462587], length 0
23:34:01.782827 IP openwrt.lan.61701 > 192.168.19.2.5001: Flags [.], ack 3053, win 2047, options [nop,nop,TS val 1299279856 ecr 164462587], length 0
23:34:04.328999 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [F.], seq 327, ack 3053, win 2048, options [nop,nop,TS val 1299282386 ecr 164462587], length 0
23:34:04.329078 IP openwrt.lan.61701 > 192.168.19.2.5001: Flags [F.], seq 327, ack 3053, win 2048, options [nop,nop,TS val 1299282386 ecr 164462587], length 0
23:34:04.329475 IP 192.168.19.2.5001 > openwrt.lan.61701: Flags [F.], seq 3053, ack 328, win 1119, options [nop,nop,TS val 164462841 ecr 1299282386], length 0
23:34:04.329549 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [F.], seq 3053, ack 328, win 1119, options [nop,nop,TS val 164462841 ecr 1299282386], length 0
23:34:04.332339 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [.], ack 3054, win 2048, options [nop,nop,TS val 1299282388 ecr 164462841], length 0
23:34:04.332412 IP openwrt.lan.61701 > 192.168.19.2.5001: Flags [.], ack 3054, win 2048, options [nop,nop,TS val 1299282388 ecr 164462841], length 0

On my localhost via LAN WIFI (WORKING)

23:34:01.697141 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [S], seq 3721857026, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1299279775 ecr 0,sackOK,eol], length 0
23:34:01.706664 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [S.], seq 1964506585, ack 3721857027, win 17896, options [mss 8960,sackOK,TS val 164462579 ecr 1299279775,nop,wscale 4], length 0
23:34:01.706689 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [.], ack 1, win 2058, options [nop,nop,TS val 1299279784 ecr 164462579], length 0
23:34:01.706806 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [P.], seq 1:201, ack 1, win 2058, options [nop,nop,TS val 1299279784 ecr 164462579], length 200
23:34:01.710570 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [.], ack 201, win 1119, options [nop,nop,TS val 164462579 ecr 1299279784], length 0
23:34:01.766015 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [.], seq 1:1449, ack 201, win 1119, options [nop,nop,TS val 164462584 ecr 1299279784], length 1448
23:34:01.766024 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [.], seq 1449:2897, ack 201, win 1119, options [nop,nop,TS val 164462584 ecr 1299279784], length 1448
23:34:01.766026 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [P.], seq 2897:3002, ack 201, win 1119, options [nop,nop,TS val 164462584 ecr 1299279784], length 105
23:34:01.766125 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [.], ack 2897, win 2013, options [nop,nop,TS val 1299279840 ecr 164462584], length 0
23:34:01.766145 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [.], ack 3002, win 2011, options [nop,nop,TS val 1299279840 ecr 164462584], length 0
23:34:01.770515 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [P.], seq 201:327, ack 3002, win 2048, options [nop,nop,TS val 1299279843 ecr 164462584], length 126
23:34:01.773199 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [.], ack 327, win 1119, options [nop,nop,TS val 164462585 ecr 1299279843], length 0
23:34:01.785766 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [P.], seq 3002:3053, ack 327, win 1119, options [nop,nop,TS val 164462587 ecr 1299279843], length 51
23:34:01.785807 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [.], ack 3053, win 2047, options [nop,nop,TS val 1299279856 ecr 164462587], length 0
23:34:04.332093 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [F.], seq 327, ack 3053, win 2048, options [nop,nop,TS val 1299282386 ecr 164462587], length 0
23:34:04.334830 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [F.], seq 3053, ack 328, win 1119, options [nop,nop,TS val 164462841 ecr 1299282386], length 0
23:34:04.334895 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [.], ack 3054, win 2048, options [nop,nop,TS val 1299282388 ecr 164462841], length 0

Solution:

Firewall - Zone Settings - Zones - LAN->WAN Edit - General Settings

for LAN -> WAN

MSS clamping -> CHECK

in uci:

uci set firewall.cfg123xyz.mtu_fix='1'

Now everything works (with LAN Ethernet MTU > 1500)
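
The two captures differ in the MSS the client advertises (4048 over Ethernet, 1460 over WIFI), and the Ethernet flow ends with a server FIN at seq 3002 although no server data segment was ever seen. The following is an added example, not part of the original post, that pulls both facts out of tcpdump lines; the function name `analyze` and the 1500-byte bottleneck MTU are assumptions.

```python
import re

# Client-facing lines copied from the post's OpenWrt captures (not constructed).
ETHERNET = """\
23:25:30.956171 IP MacBook-Pro.lan.61521 > dynamic-dns-name.2345: Flags [S], seq 1944659443, win 65535, options [mss 4048,nop,wscale 6,nop,nop,TS val 1298788601 ecr 0,sackOK,eol], length 0
23:25:30.957500 IP dynamic-dns-name.2345 > MacBook-Pro.lan.61521: Flags [S.], seq 2561552599, ack 1944659444, win 17896, options [mss 8960,sackOK,TS val 164411504 ecr 1298788601,nop,wscale 4], length 0
23:25:41.009350 IP dynamic-dns-name.2345 > MacBook-Pro.lan.61521: Flags [F.], seq 3002, ack 201, win 1119, options [nop,nop,TS val 164412510 ecr 1298788602], length 0
"""
WIFI = """\
23:34:01.700758 IP 192.168.19.117.61701 > dynamic-dns-name.2345: Flags [S], seq 3721857026, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1299279775 ecr 0,sackOK,eol], length 0
23:34:01.701205 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [S.], seq 1964506585, ack 3721857027, win 17896, options [mss 8960,sackOK,TS val 164462579 ecr 1299279775,nop,wscale 4], length 0
23:34:01.759004 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [.], seq 1:1449, ack 201, win 1119, options [nop,nop,TS val 164462584 ecr 1299279784], length 1448
23:34:01.759149 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [.], seq 1449:2897, ack 201, win 1119, options [nop,nop,TS val 164462584 ecr 1299279784], length 1448
23:34:01.759244 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [P.], seq 2897:3002, ack 201, win 1119, options [nop,nop,TS val 164462584 ecr 1299279784], length 105
23:34:01.780453 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [P.], seq 3002:3053, ack 327, win 1119, options [nop,nop,TS val 164462587 ecr 1299279843], length 51
23:34:04.329549 IP dynamic-dns-name.2345 > 192.168.19.117.61701: Flags [F.], seq 3053, ack 328, win 1119, options [nop,nop,TS val 164462841 ecr 1299282386], length 0
"""

LINE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]+)\], (.*)length (\d+)")

def analyze(capture, server_port=2345, path_mtu=1500):
    """Summarise one flow. path_mtu=1500 is an assumed bottleneck, not stated in the post."""
    r = {"client_mss": None, "server_mss": None, "seen": 0, "sent": None}
    for m in map(LINE.search, capture.splitlines()):
        if not m:
            continue
        src, _dst, flags, rest, length = m.groups()
        from_server = src.endswith("." + str(server_port))
        mss = re.search(r"mss (\d+)", rest)
        if "S" in flags and mss:  # SYN or SYN-ACK carries the MSS option
            r["server_mss" if from_server else "client_mss"] = int(mss.group(1))
        elif from_server:
            r["seen"] += int(length)  # payload bytes that actually crossed the router
            if "F" in flags:  # relative FIN seq N means N-1 payload bytes were sent
                r["sent"] = int(re.search(r"seq (\d+)", rest).group(1)) - 1
    # Simplification: segment size is bounded by the smaller advertised MSS.
    r["effective_mss"] = min(r["client_mss"], r["server_mss"])
    r["missing"] = r["sent"] - r["seen"]  # bytes the server sent that never showed up
    r["needs_clamp"] = r["effective_mss"] > path_mtu - 40  # 20 B IPv4 + 20 B TCP header
    return r
```

A non-zero `missing` together with `needs_clamp` being true matches the Ethernet symptom: the handshake and the 200-byte client request pass, but the larger server segments do not.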
