Cannot access website from LAN only on specific device

Hi everyone. I have a web server running on my LAN. The web server has a static IP of 192.168.1.220 and listens on ports 20443 and 2080 on the LAN; I have forwarded ports 443 and 80 on the WAN to ports 20443 and 2080 at 192.168.1.220 on the LAN.

I cannot access this website from only a single computer, which is connected to my LAN. I can ping the website from that computer and the correct IP is returned in the ping results, but trying to access it from the browser eventually results in a connection time-out. Strangely, I am able to access the website when I connect to it from my phone or laptop (both use Wi-Fi to connect to an AP that is on my LAN).

My network looks like this:

                       Internet
                          |
             [PPPoE over vDSL (VLAN ID 101)]
                          |
                          |
             ------[VDSL (WAN) Port]---------------------------------------------------
                                      Technicolor VDSL Bridge
             -------[LAN Port 1]-[LAN Port 2]-[LAN Port 3]-[LAN Port 4]-[Eth WAN Port]-
                          |
              [PPPoE bridged to LAN Port 1]
                          |
                          |
          -----[Port 1 (WAN PPPoE)]--------------
                  OpenWRT Dell Optiplex
          -[Port 2]-[Port 3]-[Port 4]-[Port 5]---
               |        |        |        |
          ---------------------------------------
           LAN Network Devices and Wi-Fi routers
          ---------------------------------------

I have tried multiple things in order to troubleshoot and fix this issue, this includes:

  • Changing the MTU for my WAN to 1472
  • Using a different network card in the PC that fails to connect
  • Checking that MSS clamping is enabled (it is)
  • Changing my DNS server
  • Removing the static address of said PC
  • Rebooting everything
  • Manually setting the IP, DNS and MTU of said PC
  • Removing all DHCP leases from OpenWrt
  • Reconfiguring the web server from scratch

All of which did nothing and the issue is still present.

Running tcpdump on said PC shows TCP retransmission errors when trying to access the website.

Running tcpdump on the router shows:

05:43:30.344542 IP my-pc.lan.43982 > website-ip.443: Flags [S], seq 830574758, win 64240, options [mss 1460,sackOK,TS val 1965301688 ecr 0,nop,wscale 7], length 0

Running tcpdump on the PC shows:

CS0	21	2.488860113	(PC LAN IP)	(PUBLIC IP)	TCP	74	[TCP Retransmission] 38990 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=1430460097 TSecr=0 WS=128

Running tcpdump on the webserver when connecting from said PC returns nothing.

I have run out of ideas; after one day of trying to fix the issue I have gotten nowhere.

Any ideas (except the ones I already tried) are welcome.

/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix none

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.254'
	option netmask '255.255.255.0'
	option ipv6 '0'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

config interface 'wan'
	option proto 'pppoe'
	option username 'REDACTED'
	option password 'REDACTED'
	option mtu '1472'
	option ipv6 '0'
	option device 'eth4'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

/etc/config/firewall:

  • The web server is 192.168.1.220; NGINX is listening on ports 20443 and 2080 on the web server.
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config redirect
	option name 'HTTPS'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.1.220'
	option dest_port '20443'
	option target 'DNAT'
	option enabled '1'

config redirect
	option name 'HTTP'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.1.220'
	option dest_port '2080'
	option target 'DNAT'
	option enabled '1'

Having read your post a second time, I have a few more questions:

  • Is the WiFi AP a dumb AP?
  • Are the working devices on the same subnet as the one not working?
  • Are they all on the same subnet as the website?
  • Are you trying to access the website via its domain name / external IP?

It could have something to do with the reflection settings of the port-forwarding rule.

What's the deal with this one computer? Are you using a USB adapter or something like that? Is it connecting in a special way, e.g. via a VLAN interface? Have you tried lowering the MTU on this computer?

1: Yes, the Wi-Fi AP is simply a dumb AP connected to my LAN; it does not have its own DHCP server and simply bridges my LAN from the Optiplex to Wi-Fi.

2: Yes

3: Yes

4: Yes

This computer is connected to my LAN in the same subnet, there's nothing special about the way it connects to my network. It is not connected through a VLAN and I am not using any adapters for ethernet. I have tried lowering the MTU of this PC which did not fix the issue.

OK, so I tried to recreate your issue. I needed to explicitly set the "Reflection Zones" on the firewall rule since I access it from a different firewalling zone. You can nevertheless try to explicitly add that:

config redirect
	option name 'HTTPS'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.1.220'
	option dest_port '20443'
	option target 'DNAT'
	option enabled '1'
	list reflection_zone 'lan'

config redirect
	option name 'HTTP'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.1.220'
	option dest_port '2080'
	option target 'DNAT'
	option enabled '1'
	list reflection_zone 'lan'

And then there is another possibility: Your rules are for IPv4 only. If, for whatever reason, your browser uses IPv6, this is not going to work.

If that all doesn't work, you need to provide a bit more from the tcpdump from the PC. It only shows one line and that's a TCP Retransmission. There should have been some lines before this.

Adding list reflection_zone 'lan' to the firewall rules did not fix the problem.

More information

The website (shown as "WEBSITE DOMAIN" in the logs) has a CNAME record that points to my dynamic DNS name (shown as "DDNS ADDRESS" in the logs); the DDNS client runs on the OpenWrt Optiplex and updates that name with my public IP address every few minutes.

When connecting to the website from the PC:

09:11:44.304910 IP (PC IP).44423 > dns9.quad9.net.domain: 25396+ HTTPS? (WEBSITE DOMAIN). (35)
09:11:44.331269 IP dns9.quad9.net.domain > arch-tank.44423: 25396 1/1/0 CNAME (DDNS ADDRESS).myddns.me. (131)
09:05:37.964460 IP (PC IP).56344 > dns9.quad9.net.domain: 62702+ HTTPS? (WEBSITE DOMAIN). (35)
09:05:37.988432 IP dns9.quad9.net.domain > (PC IP).56344: 62702 NXDomain 0/1/0 (102)
09:05:40.584584 IP (PC IP).54660 > host-(PUBLIC IP).https: Flags [S], seq 3261672137, win 64240, options [mss 1460,sackOK,TS val 632300593 ecr 0,nop,wscale 7], length 0
09:05:40.848478 IP (PC IP).54662 > host-(PUBLIC IP).https: Flags [S], seq 1823810463, win 64240, options [mss 1460,sackOK,TS val 632300857 ecr 0,nop,wscale 7], length 0
09:05:41.626930 IP (PC IP).54660 > host-(PUBLIC IP).https: Flags [S], seq 3261672137, win 64240, options [mss 1460,sackOK,TS val 632301636 ecr 0,nop,wscale 7], length 0
09:05:41.882926 IP (PC IP).54662 > host-(PUBLIC IP).https: Flags [S], seq 1823810463, win 64240, options [mss 1460,sackOK,TS val 632301892 ecr 0,nop,wscale 7], length 0
09:05:42.651929 IP (PC IP).54660 > host-(PUBLIC IP).https: Flags [S], seq 3261672137, win 64240, options [mss 1460,sackOK,TS val 632302661 ecr 0,nop,wscale 7], length 0
09:05:42.906927 IP (PC IP).54662 > host-(PUBLIC IP).https: Flags [S], seq 1823810463, win 64240, options [mss 1460,sackOK,TS val 632302916 ecr 0,nop,wscale 7], length 0
09:05:43.675927 IP (PC IP).54660 > host-(PUBLIC IP).https: Flags [S], seq 3261672137, win 64240, options [mss 1460,sackOK,TS val 632303685 ecr 0,nop,wscale 7], length 0
09:05:43.930926 IP (PC IP).54662 > host-(PUBLIC IP).https: Flags [S], seq 1823810463, win 64240, options [mss 1460,sackOK,TS val 632303940 ecr 0,nop,wscale 7], length 0
09:05:44.698927 IP (PC IP).54660 > host-(PUBLIC IP).https: Flags [S], seq 3261672137, win 64240, options [mss 1460,sackOK,TS val 632304708 ecr 0,nop,wscale 7], length 0
09:05:44.954926 IP (PC IP).54662 > host-(PUBLIC IP).https: Flags [S], seq 1823810463, win 64240, options [mss 1460,sackOK,TS val 632304964 ecr 0,nop,wscale 7], length 0
09:05:45.722926 IP (PC IP).54660 > host-(PUBLIC IP).https: Flags [S], seq 3261672137, win 64240, options [mss 1460,sackOK,TS val 632305732 ecr 0,nop,wscale 7], length 0
09:05:45.978926 IP (PC IP).54662 > host-(PUBLIC IP).https: Flags [S], seq 1823810463, win 64240, options [mss 1460,sackOK,TS val 632305988 ecr 0,nop,wscale 7], length 0
09:18:04.223985 IP dns9.quad9.net.domain > (PC IP).52173: 19876 0/1/0 (102)
09:18:05.797934 IP (PC IP).58298 > dns9.quad9.net.domain: 47852+ HTTPS? (WEBSITE DOMAIN). (35)
09:18:05.801604 IP (PC IP).37432 > dns9.quad9.net.domain: 23701+ [1au] A? (WEBSITE DOMAIN). (46)
09:18:05.801637 IP (PC IP).55764 > dns9.quad9.net.domain: 21665+ [1au] AAAA? (WEBSITE DOMAIN). (46)
09:18:05.801667 IP (PC IP).52347 > dns9.quad9.net.domain: 16140+ [1au] A? (WEBSITE DOMAIN). (46)
09:18:05.801691 IP (PC IP).41474 > dns9.quad9.net.domain: 18695+ [1au] AAAA? (WEBSITE DOMAIN). (46)
09:18:05.825057 IP dns9.quad9.net.domain > (PC IP).37432: 23701 NXDomain 0/1/1 (113)
09:18:05.826720 IP dns9.quad9.net.domain > (PC IP).52347: 16140 2/0/1 CNAME (DDNS ADDRESS).myddns.me., A (PUBLIC IP) (98)
09:18:05.839247 IP dns9.quad9.net.domain > (PC IP).41474: 18695 1/1/1 CNAME (DDNS ADDRESS).myddns.me. (142)
09:18:05.839279 IP dns9.quad9.net.domain > (PC IP).58298: 47852 1/1/0 CNAME (DDNS ADDRESS).myddns.me. (131)
09:18:05.839380 IP (PC IP).36266 > dns9.quad9.net.domain: 58929+ [1au] AAAA? (DDNS ADDRESS).myddns.me. (51)
09:18:05.839411 IP (PC IP).55491 > dns9.quad9.net.domain: 21400+ [1au] A? (DDNS ADDRESS).myddns.me. (51)
09:18:05.839444 IP (PC IP).40857 > dns9.quad9.net.domain: 34642+ [1au] AAAA? (DDNS ADDRESS).myddns.me. (51)
09:18:05.862474 IP dns9.quad9.net.domain > (PC IP).36266: 58929 0/1/1 (111)
09:18:05.864996 IP dns9.quad9.net.domain > (PC IP).40857: 34642 0/1/1 (111)
09:18:05.865026 IP dns9.quad9.net.domain > (PC IP).55491: 21400 1/0/1 A (PUBLIC IP) (67)
09:18:05.869484 IP dns9.quad9.net.domain > (PC IP).55764: 21665 1/1/1 CNAME (DDNS ADDRESS).myddns.me. (142)
09:33:43.427872 IP (PC IP).60578 > dns9.quad9.net.domain: 41598+ [1au] A? (WEBSITE DOMAIN). (46)
09:33:43.427909 IP (PC IP).55617 > dns9.quad9.net.domain: 25745+ [1au] A? (WEBSITE DOMAIN). (46)
09:33:43.458105 IP dns9.quad9.net.domain > (PC IP).60578: 41598 2/0/1 CNAME (DDNS ADDRESS).myddns.me., A (PUBLIC IP) (98)
09:33:43.462081 IP dns9.quad9.net.domain > (PC IP).55617: 25745 2/0/1 CNAME (DDNS ADDRESS).myddns.me., A (PUBLIC IP) (98)

Disabling IPv6 on the PC, both on the network interface and via the option in Firefox, does not solve the issue.
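The capture above is read by eye in the thread: repeated SYNs from the PC to the public address with no SYN-ACK, and AAAA queries that come back with only a CNAME and no address. The following script is an added example, not code from the original post, that automates that reading over tcpdump text output. It pairs each client SYN with a SYN-ACK from the reverse direction and reports flows that never got one, and it matches DNS answers to their queries by transaction ID to show which address, if any, each A/AAAA query resolved to. The embedded capture is constructed in the same tcpdump format; the PC address 192.168.1.50, the public address 198.51.100.7 and the name www.example.com are assumptions, while 192.168.1.220:20443 is the web server from the thread.

```python
"""Classify a tcpdump text capture: TCP flows that never received a
SYN-ACK, and DNS A/AAAA queries with the addresses they resolved to."""
import re

# Constructed sample capture in tcpdump's default text format (not the
# poster's real data). Addresses other than 192.168.1.220 are assumptions.
SAMPLE = """\
09:18:05.801604 IP 192.168.1.50.37432 > dns9.quad9.net.domain: 23701+ [1au] A? www.example.com. (46)
09:18:05.801637 IP 192.168.1.50.55764 > dns9.quad9.net.domain: 21665+ [1au] AAAA? www.example.com. (46)
09:18:05.826720 IP dns9.quad9.net.domain > 192.168.1.50.37432: 23701 2/0/1 CNAME host.myddns.me., A 198.51.100.7 (98)
09:18:05.869484 IP dns9.quad9.net.domain > 192.168.1.50.55764: 21665 1/1/1 CNAME host.myddns.me. (142)
09:05:40.584584 IP 192.168.1.50.54660 > 198.51.100.7.https: Flags [S], seq 3261672137, win 64240, options [mss 1460,sackOK,TS val 632300593 ecr 0,nop,wscale 7], length 0
09:05:41.626930 IP 192.168.1.50.54660 > 198.51.100.7.https: Flags [S], seq 3261672137, win 64240, options [mss 1460,sackOK,TS val 632301636 ecr 0,nop,wscale 7], length 0
09:05:42.651929 IP 192.168.1.50.54660 > 198.51.100.7.https: Flags [S], seq 3261672137, win 64240, options [mss 1460,sackOK,TS val 632302661 ecr 0,nop,wscale 7], length 0
09:06:10.100000 IP 192.168.1.50.54700 > 192.168.1.220.20443: Flags [S], seq 1, win 64240, options [mss 1460,sackOK], length 0
09:06:10.100500 IP 192.168.1.220.20443 > 192.168.1.50.54700: Flags [S.], seq 2, ack 2, win 65160, options [mss 1460,sackOK], length 0
"""

# TCP: "<ts> IP src.port > dst.port: Flags [S], ..."
TCP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]*)\]")
# DNS query: "<ts> IP client.port > resolver.domain: <txid>+ [1au] A? name. (len)"
DNS_Q_RE = re.compile(r"^\S+ IP (\S+) > \S+\.domain: (\d+)\+ (?:\[1au\] )?(\w+)\? (\S+) \(\d+\)$")
# DNS reply: "<ts> IP resolver.domain > client.port: <txid> [NXDomain] a/n/ad <rrsets> (len)"
DNS_R_RE = re.compile(r"^\S+ IP \S+\.domain > (\S+): (\d+)(?: NXDomain)? \d+/\d+/\d+ ?(.*?) ?\(\d+\)$")


def split_endpoint(endpoint):
    """tcpdump prints host.port; the port (or service name) is after the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def tcp_flows(text):
    """Count SYNs per client flow and SYN-ACKs seen coming back to that flow."""
    flows = {}
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue
        src, dst, flags = m.groups()
        s_host, s_port = split_endpoint(src)
        d_host, d_port = split_endpoint(dst)
        if flags == "S":  # client -> server
            flows.setdefault((s_host, s_port, d_host, d_port), {"syn": 0, "synack": 0})["syn"] += 1
        elif flags == "S.":  # server -> client, so index by the client side
            flows.setdefault((d_host, d_port, s_host, s_port), {"syn": 0, "synack": 0})["synack"] += 1
    return flows


def half_open_flows(text):
    """Flows that sent one or more SYNs and never saw a SYN-ACK."""
    return [dict(src=k[0], sport=k[1], dst=k[2], dport=k[3], syn_count=v["syn"])
            for k, v in tcp_flows(text).items() if v["syn"] and not v["synack"]]


def dns_summary(text):
    """Map (qtype, qname) to the rdata of answer records of that same type.
    A reply carrying only a CNAME leaves the list empty, i.e. no address."""
    pending = {}  # (client endpoint, txid) -> (qtype, qname)
    answers = {}
    for line in text.splitlines():
        q = DNS_Q_RE.match(line)
        if q:
            client, txid, qtype, qname = q.groups()
            pending[(client, txid)] = (qtype, qname)
            answers.setdefault((qtype, qname), [])
            continue
        r = DNS_R_RE.match(line)
        if r:
            client, txid, rrsets = r.groups()
            key = pending.pop((client, txid), None)
            if key is None:
                continue
            for rr in filter(None, (x.strip() for x in rrsets.split(","))):
                rtype, _, rdata = rr.partition(" ")
                if rtype == key[0]:
                    answers[key].append(rdata)
    return answers


def diagnose(text):
    """Human-readable findings for the capture."""
    findings = []
    for f in half_open_flows(text):
        findings.append(f"{f['src']}:{f['sport']} sent {f['syn_count']} SYN(s) to "
                        f"{f['dst']}:{f['dport']} and saw no SYN-ACK")
    for (qtype, qname), rdata in dns_summary(text).items():
        if qtype in ("A", "AAAA"):
            findings.append(f"{qtype} {qname} -> {', '.join(rdata) if rdata else 'no address'}")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE):
        print(line)
```

Run it against real output with `tcpdump -n -i <iface> 'port 53 or tcp[tcpflags] & (tcp-syn) != 0' | python3 classify.py` adapted to read stdin. In the constructed sample the flow to the public address is reported as half-open while the direct flow to 192.168.1.220:20443 is not, and the AAAA query resolves to no address; that is the same pattern the thread's capture shows, and it separates "the server is down" from "the path via the WAN address is not being reflected".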

Hi everyone, just a quick update. After nearly 3 days of trying to solve this issue I came across a breakthrough. IPv6 was disabled on my router; enabling IPv6 for WAN and LAN solved the issue, and now the PC is able to connect to the website as normal. I just now realized that my ISP (BT) supports IPv6. I noticed that when I disabled IPv6 on my phone, it would also not connect, just like the PC.

This was extremely frustrating to solve, as nothing seemed like it would fix the issue. But thankfully it is solved now.

Thank you everyone for your help and understanding.
