Focus.de blocked (by FRITZBOX DoT)

Hi all,
I'm using the latest version of OpenWrt, with updates.
The internet works fine.
But some websites are blocked.
For example, www.focus.de.
The settings in the firewall are default.
What can I do?
Greetings
fanifeey

1 Like

Hi...

PING focus.de (88.221.217.122) 1472(1500) bytes of data.
Von p4fd8b0ea.dip0.t-ipconnect.de (79.216.176.234) icmp_seq=1 Frag needed and DF set (mtu = 1492)
ping: lokaler Fehler: Nachricht zu lang, MTU=1492

PING focus.de (88.221.217.200) 1462(1490) bytes of data.
1470 Bytes von a88-221-217-200.deploy.static.akamaitechnologies.com (88.221.217.200): icmp_seq=1 ttl=59 Zeit=17.9 ms

PING focus.de (88.221.217.200) 1452(1480) bytes of data.
1460 Bytes von a88-221-217-200.deploy.static.akamaitechnologies.com (88.221.217.200): icmp_seq=1 ttl=59 Zeit=17.8 ms

Focus.de Status

Is focus.de down right now?

It's just you. focus.de is up.

The whole point of pinging is to find which size gets a reply, when the +1 is dropped. In your case 1472 doesn't work and 1462 works, so try 1468. If it works go up one byte, if it doesn't go down one byte.

1 Like
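The search described in the post above, written as a binary search instead of stepping one byte at a time (an added example, not part of the thread). It assumes Linux iputils `ping`, where `-M do` sets the Don't Fragment bit; the function names `probe`, `find_max_payload`, `payload_to_mtu` and `mtu_to_mss` are made up here.

```shell
#!/bin/sh
# Added example: find the largest ICMP payload that passes unfragmented.
# Assumes iputils ping (-M do = set DF); BusyBox ping has no -M option.
# Usage: p=$(find_max_payload focus.de) && payload_to_mtu "$p"

# probe HOST SIZE -> exit 0 if an echo with SIZE payload bytes is answered
probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload HOST [LOW] [HIGH]
# Prints the largest payload in LOW..HIGH that gets a reply.
# Returns 1 if even LOW fails, which points away from an MTU problem.
find_max_payload() {
    host=$1
    lo=${2:-1200}
    hi=${3:-1472}
    probe "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # round up so the loop terminates
        if probe "$host" "$mid"; then
            lo=$mid                        # mid works: answer is mid or larger
        else
            hi=$(( mid - 1 ))              # mid dropped: answer is below mid
        fi
    done
    echo "$lo"
}

# Payload + 20 bytes IPv4 header + 8 bytes ICMP header = path MTU.
payload_to_mtu() { echo $(( $1 + 28 )); }

# MTU - 20 bytes IPv4 header - 20 bytes TCP header = TCP MSS (no options).
mtu_to_mss() { echo $(( $1 - 40 )); }
```

With the values in the ping output above (1472 rejected with mtu = 1492, 1462 answered), the search ends at a payload of 1464, which corresponds to an MTU of 1492.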

Just to be clear, the required MTU size should be documented by your ISP, so 'guessing' and approximating the correct setting shouldn't be necessary. MSS clamping also needs to be enabled (it is by default).

3 Likes

I found the cause. I turned on the FRITZBOX DoT.
When I turn off DoT, everything works normally.
Thank you and greetings

2 Likes

DoT is "encrypted DNS" and uses a different DNS than the one provided by the ISP (because the DNS provider must support encryption). If you can't reach sites with DoT on and you still want to use that feature, you probably need to change the DNS in the DoT options to a different provider.

2 Likes

In fact, DoT usually works well enough, while DNSSEC is known to have performance and other issues.

1 Like
