Cannot access some websites

Problem:

I sometimes cannot access specific websites for days at a time and ping returns "destination port unreachable".

What I've investigated so far:

This occurs sometimes, and I don't know what triggers it. The most frequently affected website is reddit.com, but it also happens to docs.google.com sometimes. Right now reddit does not work and google docs does.

On my phone, when I switch from wifi to mobile data, everything works, so the websites themselves are still up.

I tried multiple devices in my network, both wired and wifi.

When I try to ping the website, I get this:

ping www.reddit.com
PING reddit.map.fastly.net (199.232.189.140) 56(84) bytes of data.
From OpenWrt.lan (192.168.4.1) icmp_seq=1 Destination Port Unreachable

I also tried getting an IP over mobile (in case it was a DNS issue, maybe a stale IP?) and ping that from within my network, but same thing - works over mobile, but not through the router.

However, when I try the built-in ping tool in OpenWRT (Network Utility), it works! So it's not my ISP.

I have not found out a reliable method of fixing this. Restarting my router sometimes works.

Researching online I only found that maybe it has something to do with iptables.

I don't think I changed anything in my firewall other than creating a port forward for port 34197 and I added some custom rules for Pi-Hole:

POSTROUTING -j MASQUERADE
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.4.4:53
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.4.4:53
iptables -t nat -I PREROUTING -i br-lan -p tcp -s 192.168.4.4 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p udp -s 192.168.4.4 --dport 53 -j ACCEPT

Since DNS seems to work though, I don't think that's it.

Pinging reddit a few times gave me IPs of the pattern 199.232.xxx.140. I didn't write down any IPs while it did work.
Update: When it resolves to something like 151.101.13.140, it works.

My hardware/software:

Router: Netgear R7800
Software: OpenWrt 21.02-SNAPSHOT r16249-55d9c020a1 (build from this month)

Snapshot images can have beta quality and as such are sometimes broken and may show weird errors in everyday life, while e.g. another snapshot from 24h earlier or later might work flawlessly (or have other errors).

Does the error also occur on the rc3 image or did you already try a newer snapshot?

I would reverse the order of the rules. First accept the packets from pihole, then redirect anything else coming from the lan toward pihole.
Or you could combine them in one rule, with a negative match on the mac or ip of pihole on the redirect rule.

Does the error also occur on the rc3 image or did you already try a newer snapshot?

I use the hnyman builds (since I installed OpenWRT a few months ago) with a few updates once in a while - I thought the previous build didn't have the problem until it happened again. Would the rc3 image be a downgrade, and would that be safe to do?

Update: when reddit resolved to 151.101.13.140, it worked! And I can still ping that IP. It's just those 199.232.xxx.140 IPs that don't seem to work.

I tried that - now something weirder is happening, I get "temporary failure in name resolution", and pi-hole reports that I tried to access "www.reddit.com.lan" (lan being my local domain). On the other hand I think I've seen that error yesterday at some point too, I just didn't notice the weird ".lan" addition.

It's probably a different issue though.

The .lan extension might have to do with dnsmasq forwarding the query.
You'll need to provide all the configs to get a better picture: uci export dhcp; uci export firewall; iptables-save -c

Exact output, minus my list of static leases (config host...)

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_management '1'
        list dhcp_option '6,192.168.4.4'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option name 'Factorio'
        option src 'wan'
        option src_dport '34197'
        option dest 'lan'
        option dest_ip '192.168.4.90'
        option dest_port '34197'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

# Generated by iptables-save v1.8.7 on Sun Aug  1 14:14:14 2021
*raw
:PREROUTING ACCEPT [9473862:8391729363]
:OUTPUT ACCEPT [249177:91397741]
:zone_lan_helper - [0:0]
[4208988:802651365] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Sun Aug  1 14:14:14 2021
# Generated by iptables-save v1.8.7 on Sun Aug  1 14:14:14 2021
*nat
:PREROUTING ACCEPT [537730:72785463]
:INPUT ACCEPT [23154:2691051]
:OUTPUT ACCEPT [29386:4515132]
:POSTROUTING ACCEPT [9232:3114477]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[31453:2589402] -A PREROUTING -s 192.168.4.4/32 -i br-lan -p udp -m udp --dport 53 -j ACCEPT
[55:3300] -A PREROUTING -s 192.168.4.4/32 -i br-lan -p tcp -m tcp --dport 53 -j ACCEPT
[1480:98111] -A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.4.4:53
[0:0] -A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.4.4:53
[537735:72786355] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[502310:55044534] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[35425:17741821] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[424082:34290740] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[9074:3095755] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[414849:31176223] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[9074:3095755] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.4.0/24 -d 192.168.4.90/32 -p tcp -m tcp --dport 34197 -m comment --comment "!fw3: Factorio (reflection)" -j SNAT --to-source 192.168.4.1
[0:0] -A zone_lan_postrouting -s 192.168.4.0/24 -d 192.168.4.90/32 -p udp -m udp --dport 34197 -m comment --comment "!fw3: Factorio (reflection)" -j SNAT --to-source 192.168.4.1
[502310:55044534] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.4.0/24 -d 192.168.0.66/32 -p tcp -m tcp --dport 34197 -m comment --comment "!fw3: Factorio (reflection)" -j DNAT --to-destination 192.168.4.90:34197
[0:0] -A zone_lan_prerouting -s 192.168.4.0/24 -d 192.168.0.66/32 -p udp -m udp --dport 34197 -m comment --comment "!fw3: Factorio (reflection)" -j DNAT --to-destination 192.168.4.90:34197
[414849:31176223] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[414847:31176058] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[414847:31176058] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[414849:31176223] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[35425:17741821] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 34197 -m comment --comment "!fw3: Factorio" -j DNAT --to-destination 192.168.4.90:34197
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 34197 -m comment --comment "!fw3: Factorio" -j DNAT --to-destination 192.168.4.90:34197
[35424:17741769] -A zone_wan_prerouting -j MINIUPNPD
[35424:17741769] -A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Sun Aug  1 14:14:14 2021
# Generated by iptables-save v1.8.7 on Sun Aug  1 14:14:14 2021
*mangle
:PREROUTING ACCEPT [9473889:8391730443]
:INPUT ACCEPT [170010:29837435]
:FORWARD ACCEPT [9151465:8318911683]
:OUTPUT ACCEPT [249230:91406693]
:POSTROUTING ACCEPT [9394845:8409816525]
[36383:1989052] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[31116:1674768] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Aug  1 14:14:14 2021
# Generated by iptables-save v1.8.7 on Sun Aug  1 14:14:14 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:banIP - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[19700:2112950] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[150315:27724685] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[59590:5786424] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[7593:394844] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[89538:21888290] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[1187:49971] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[9151465:8318911683] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[8730969:8286318517] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[420496:32593166] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[19700:2112950] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[224949:88852436] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[68105:33831455] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[135162:53520295] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[21682:1500686] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[12012:6898299] -A banIP -p udp -m udp --sport 67:68 --dport 67:68 -j RETURN
[1137:49026] -A banIP -m conntrack ! --ctstate NEW -j RETURN
[773:27828] -A banIP -i eth0.2 -m set --match-set whitelist_4 src -j RETURN
[3214:269976] -A banIP -o eth0.2 -m set --match-set whitelist_4 dst -j RETURN
[0:0] -A banIP -i eth0.2 -m set --match-set darklist_4 src -j DROP
[130:6760] -A banIP -o eth0.2 -m set --match-set darklist_4 dst -j REJECT --reject-with icmp-port-unreachable
[0:0] -A banIP -i eth0.2 -m set --match-set sslbl_4 src -j DROP
[0:0] -A banIP -o eth0.2 -m set --match-set sslbl_4 dst -j REJECT --reject-with icmp-port-unreachable
[0:0] -A banIP -i eth0.2 -m set --match-set threat_4 src -j DROP
[2:120] -A banIP -o eth0.2 -m set --match-set threat_4 dst -j REJECT --reject-with icmp-port-unreachable
[0:0] -A banIP -i eth0.2 -m set --match-set iblockads_4 src -j DROP
[315:18152] -A banIP -o eth0.2 -m set --match-set iblockads_4 dst -j REJECT --reject-with icmp-port-unreachable
[0:0] -A banIP -i eth0.2 -m set --match-set debl_4 src -j DROP
[11:732] -A banIP -o eth0.2 -m set --match-set debl_4 dst -j REJECT --reject-with icmp-port-unreachable
[0:0] -A banIP -i eth0.2 -m set --match-set yoyo_4 src -j DROP
[0:0] -A banIP -o eth0.2 -m set --match-set yoyo_4 dst -j REJECT --reject-with icmp-port-unreachable
[420312:32579871] -A forwarding_lan_rule -j banIP
[0:0] -A forwarding_wan_rule -j banIP
[89536:21887959] -A input_lan_rule -j banIP
[1186:49919] -A input_wan_rule -j banIP
[414:22143] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[7593:394844] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[135162:53520295] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[420496:32593166] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[420038:32567402] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[12347:850005] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[89538:21888290] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[89538:21888290] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[135162:53520295] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[135162:53520295] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[89538:21888290] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[800:33092] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[428573:33184991] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[1187:49971] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[773:27828] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[413:22091] -A zone_wan_input -j MINIUPNPD
[413:22091] -A zone_wan_input -j MINIUPNPD
[414:22143] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[21682:1500686] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[21682:1500686] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[414:22143] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Aug  1 14:14:14 2021

You are missing a postrouting masquerade rule; otherwise the pihole will respond directly to the lan host, and the latter will ignore it because the answer comes from a different server.
Other than that I don't see any other issue. You should do some extensive packet capturing to verify that packets follow the proper path and that pihole is returning the correct answer to the lan host.

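The two points raised in the replies above (exclude the Pi-hole itself from the redirect with a single negative-match rule instead of relying on rule order, and source-NAT the redirected queries so the answer comes back through the router) combined into one /etc/firewall.user fragment. This is an added example, not the poster's rules or an OpenWrt default; it assumes the addresses from the thread (Pi-hole at 192.168.4.4, LAN bridge br-lan, LAN 192.168.4.0/24) and uses the fw3 custom chains prerouting_lan_rule and postrouting_lan_rule that appear in the iptables-save output, so fw3 reloads do not wipe the rules.

```shell
#!/bin/sh
# Assumed values (taken from the thread's layout; override via environment if yours differ).
PIHOLE_IP="${PIHOLE_IP:-192.168.4.4}"
LAN_IF="${LAN_IF:-br-lan}"
LAN_NET="${LAN_NET:-192.168.4.0/24}"

# Print the rule set rather than applying it, so it can be reviewed (and checked) first.
# Arguments: pihole-ip lan-interface lan-network
pihole_dns_rules() {
    pihole="$1"; lanif="$2"; lannet="$3"
    for proto in udp tcp; do
        # One redirect rule per protocol. The negative source match ("! -s") keeps the
        # Pi-hole's own upstream lookups out of the DNAT, so there is no ACCEPT rule
        # whose position relative to the DNAT has to be kept right.
        echo "iptables -t nat -A prerouting_lan_rule -i $lanif ! -s $pihole -p $proto --dport 53 -j DNAT --to-destination $pihole:53"
        # Masquerade the redirected query on the way back out of the LAN bridge. The Pi-hole
        # then answers the router, which reverses the NAT; without this the client sees a DNS
        # reply from 192.168.4.4 when it asked 192.168.4.1 and silently discards it.
        echo "iptables -t nat -A postrouting_lan_rule -o $lanif -s $lannet -d $pihole -p $proto --dport 53 -j MASQUERADE"
    done
}

# Number of generated rules with a given target (DNAT or MASQUERADE); used for checking the set.
count_target() {
    pihole_dns_rules "$PIHOLE_IP" "$LAN_IF" "$LAN_NET" | grep -c -- "-j $1"
}

# Apply the rules on the router. Afterwards the byte/packet counters show whether
# client queries really take this path:  iptables -t nat -vnL prerouting_lan_rule
apply_rules() {
    pihole_dns_rules "$PIHOLE_IP" "$LAN_IF" "$LAN_NET" | sh
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    pihole_dns_rules "$PIHOLE_IP" "$LAN_IF" "$LAN_NET"
fi
```

Run without arguments to print the four rules for review; run with --apply on the router (or paste the printed lines into /etc/firewall.user) to install them, then watch the counters while a LAN client resolves a name.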