After a few days, devices cannot reach http but can reach https, only reboot helps

On the router, curl http://163.com works correctly.
However, on a device connected to the network, curl http://163.com says it could not connect to the host.
Only a reboot helps.
If anyone has ever encountered this situation, could you teach me how to solve it or how to examine what is wrong? Thanks!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you for your reply, I will post it when I get back home.
By the way, the weird problem happens on my devices on the LAN, like my iPad or iPhone.
There is no problem executing the curl command directly on the OpenWrt device.

What errors does curl report when it fails? Do other sites work?

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.133-flippy-85+o",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Phicomm N1",
        "rootfs_type": "btrfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "target": "armvirt/64",
                "revision": "R23.09.29 (2023-09-29 12:20:58 by flippy)",
                "description": "OpenWrt "
        }
}
cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'auto'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.2.1'
        option gateway '192.168.2.1'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option type 'bridge'
        option ifname 'eth0'
        option delegate '0'
        option mtu '1400'
        option dns '223.5.5.5'

config interface 'docker'
        option ifname 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

config interface 'wan'
        option ifname 'usb0'
        option _orig_ifname 'usb0'
        option _orig_bridge 'false'
        option proto 'dhcp'
        option delegate '0'
        option peerdns '0'
        option dns '223.5.5.5'
        option mtu '1400'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11b'
        option path 'platform/soc/d0000000.apb/d0070000.mmc/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
        option country 'US'
        option legacy_rates '1'
        option mu_beamformer '0'
        option band '2g'
        option channel 'auto'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Phicomm_n1'
        option key '.......'
        option ieee80211k '1'
        option ieee80211v '1'
        option time_advertisement '0'
        option network 'wifi lan'
        option encryption 'psk2'
cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading_hw '0'
        option flow_offloading '0'
        option syn_flood '1'
        option fullcone '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option mtu_fix '1'

config zone
        option name 'wan'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wan1'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option name 'drop-wan-ssh'
        option src 'wan'
        option dest 'wan'
        option dest_port '22'
        option proto 'tcp'
        option target 'DROP'

config include 'zerotier'
        option type 'script'
        option path '/etc/zerotier.start'
        option reload '1'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'adbyby'
        option type 'script'
        option path '/var/etc/adbyby.include'
        option reload '1'

config include 'socat'
        option type 'script'
        option path '/var/etc/socat.include'
        option reload '1'

config include 'ssr_mudb_server'
        option type 'script'
        option path '/var/etc/ssr_mudb_server.include'
        option reload '1'

config include 'ipsecd'
        option type 'script'
        option path '/etc/ipsec.include'
        option reload '1'

config rule 'ike'
        option name 'ike'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '500'

config rule 'ipsec'
        option name 'ipsec'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '4500'

config rule 'ah'
        option name 'ah'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'ah'

config rule 'esp'
        option name 'esp'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'esp'

config include 'koolproxy'
        option type 'script'
        option path '/var/etc/koolproxy.include'
        option reload '1'

config include 'mia'
        option type 'script'
        option path '/etc/mia.include'
        option reload '1'

config include 'openclash'
        option type 'script'
        option path '/var/etc/openclash.include'
        option reload '1'

config rule 'openvpn'
        option name 'openvpn'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '1194'

config zone 'vpn'
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpn0'

config forwarding 'vpntowan'
        option src 'vpn'
        option dest 'wan'

config forwarding 'vpntolan'
        option src 'vpn'
        option dest 'lan'

config forwarding 'lantovpn'
        option src 'lan'
        option dest 'vpn'

config include 'passwall'
        option type 'script'
        option path '/var/etc/passwall.include'
        option reload '1'

config include 'passwall_server'
        option type 'script'
        option path '/var/etc/passwall_server.include'
        option reload '1'

config include 'passwall2'
        option type 'script'
        option path '/var/etc/passwall2.include'
        option reload '1'

config include 'passwall2_server'
        option type 'script'
        option path '/var/etc/passwall2_server.include'
        option reload '1'

config include 'pptpd'
        option type 'script'
        option path '/etc/pptpd.include'
        option reload '1'

config rule 'pptp'
        option name 'pptp'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '1723'

config rule 'gre'
        option name 'gre'
        option target 'ACCEPT'
        option src 'wan'
        option proto '47'

config include 'softethervpn'
        option type 'script'
        option path '/usr/share/softethervpn/firewall.include'
        option reload '1'

config include 'shadowsocksr'
        option type 'script'
        option path '/var/etc/shadowsocksr.include'
        option reload '1'

config rule 'ssrs'
        option name 'ssrs'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '10240'

config include 'unblockmusic'
        option type 'script'
        option path '/var/etc/unblockmusic.include'
        option reload '1'

config include 'v2ray_server'
        option type 'script'
        option path '/var/etc/v2ray_server.include'
        option reload '1'

config rule 'kms'
        option name 'kms'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '1688'

config include 'wrtbwmon'
        option type 'script'
        option path '/etc/wrtbwmon.include'
        option reload '1'

config rule 'alist'
        option name 'alist'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '5244'

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

On the OpenWrt Phicomm N1,

root@OpenWrt:~# curl http://baidu.com
<html>
<meta http-equiv="refresh" content="0;url=http://www.baidu.com/">
</html>
root@OpenWrt:~# curl https://baidu.com
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>bfe/1.0.8.18</center>
</body>
</html>

On my Win10 PC,

C:\Users\85068>curl http://baidu.com
curl: (7) Failed to connect to baidu.com port 80 after 4212 ms: Couldn't connect to server

C:\Users\85068>curl https://baidu.com --ssl-no-revoke
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>bfe/1.0.8.18</center>
</body>
</html>

It looks like I cannot access port 80, but can access port 443. Every site is the same.

I don't have the source code for the firmware, but it is so weird that I hope to figure it out. If you guys have any ideas for determining which part is wrong, please let me know. If it wastes too much of your time, you can certainly focus on your own business. Thanks anyway!

Well, I figured it out myself.

Chain KP_HTTP (0 references)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80 redir ports 3000

KoolProxy is not enabled, but it automatically adds a firewall rule in nat to block any HTTP connection.
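
A check for the kind of leftover rule found above, as an added example that is not part of the original thread: it lists tcp REDIRECT rules from the nat table whose target port has no listener. The sample rule set and netstat text are constructed (only the shape of the KP_HTTP rule comes from the post), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find nat REDIRECT rules that point at a port nobody listens on.

# Constructed sample in `iptables -t nat -S` format.
SAMPLE_RULES='-N KP_HTTP
-A PREROUTING -p tcp -j KP_HTTP
-A KP_HTTP -p tcp -m multiport --dports 80 -j REDIRECT --to-ports 3000
-A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 8118'

# Constructed sample in `netstat -lnt` format.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8118            0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN'

# listening_ports: read `netstat -lnt` text on stdin and print the TCP
# listening ports as one space-separated line.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -un | tr '\n' ' '
}

# dead_redirects RULES PORTS: print "chain dport->toport" for every tcp
# REDIRECT rule whose --to-ports value is not among PORTS.
# Port ranges in --to-ports are not expanded; they are compared as text.
dead_redirects() {
    printf '%s\n' "$1" | awk -v ports="$2" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) open[p[i]] = 1 }
        $1 == "-A" && /-p tcp / && /-j REDIRECT/ {
            chain = $2; dport = "?"; to = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
                if ($i == "--to-ports") to = $(i + 1)
            }
            if (to != "" && !(to in open)) print chain " " dport "->" to
        }'
}

# Run against the constructed samples. On a router, pass live data instead:
#   dead_redirects "$(iptables -t nat -S)" "$(netstat -lnt | listening_ports)"
dead_redirects "$SAMPLE_RULES" "$(printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports)"
```
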

Does this mean you are not running OpenWrt on your router?

"kernel": "5.15.133-flippy-85+o"

A relative of Flipper, perhaps?


This device doesn't appear to be supported by the official OpenWrt project.

And this is most certainly not a version of official OpenWrt.

Please reach out to 'flippy' for help with your issue.
