LAN devices can ping a website, but browser cannot access that website

After I set up my OpenWrt, both my device in the LAN and OpenWrt itself can ping a website address, like openwrt.org,
but cannot access openwrt.org in a browser (failed in both Chrome and Edge).
opkg update also failed with "*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.3/packages/x86_64/luci/Packages.gz"

I managed to use a proxy on the internet to access websites for now.

What configuration should I set to access the internet with my browsers directly, not through a proxy?

  • my devices are connected like below:
internet<-> modem <-> switch <->openwrt( in a vm running in windows)
                              ->my PC
  • my network settings
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddf:aef7:323b::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.61.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0 eth1.525'

config interface 'wan'
        option ifname 'eth1.524'
        option ipv6 'auto'
        option proto 'pppoe'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
  • my firewall settings, just default settings
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option flow_offloading '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        list device 'br-lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

balabala, default settings

I guess that the Windows host has no issue accessing the web. If ping is working with names, then I think it could be something with host-side firewall settings; try to use tcpdump or similar to check the flow.
Another idea is to try disabling flow_offloading.

Are you pinging the IP or the fqdn of the server?
Try these:

traceroute 1.1.1.1
traceroute one.one.one.one

Dumped traffic at 3 points:
client PC
OpenWrt
VM host PC

Some packets that go to the VM host PC did not get to OpenWrt. Gonna check what is done to the packets before they go from the host PC to OpenWrt.

client PC

192.168.61.142	139.59.209.225	TCP	66	9909  >  443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
139.59.209.225	192.168.61.142	TCP	62	443  >  9909 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 WS=128
192.168.61.142	139.59.209.225	TCP	54	9909  >  443 [ACK] Seq=1 Ack=1 Win=262144 Len=0
192.168.61.142	139.59.209.225	TLSv1.2	254	Client Hello
139.59.209.225	192.168.61.142	TCP	60	443  >  9909 [ACK] Seq=1 Ack=201 Win=30336 Len=0
139.59.209.225	192.168.61.142	SSL	749	[TCP Previous segment not captured] , Continuation Data
192.168.61.142	139.59.209.225	TCP	54	[TCP Dup ACK 344#1] 9909  >  443 [ACK] Seq=201 Ack=1 Win=262144 Len=0
139.59.209.225	192.168.61.142	TCP	60	443  >  9909 [FIN, ACK] Seq=3600 Ack=201 Win=30336 Len=0
192.168.61.142	139.59.209.225	TCP	54	[TCP Dup ACK 344#2] 9909  >  443 [ACK] Seq=201 Ack=1 Win=262144 Len=0

openwrt

    59.38.45.34.9909 > 139.59.209.225.443: Flags [S], cksum 0xa342 (correct), seq 4248494277, win 65535, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
    139.59.209.225.443 > 59.38.45.34.9909: Flags [S.], cksum 0x86b7 (correct), seq 4113812021, ack 4248494278, win 29200, options [mss 1460,nop,wscale 7], length 0
    59.38.45.34.9909 > 139.59.209.225.443: Flags [.], cksum 0x2093 (correct), ack 1, win 1024, length 0
    59.38.45.34.9909 > 139.59.209.225.443: Flags [P.], cksum 0x10ec (correct), seq 1:201, ack 1, win 1024, length 200
    139.59.209.225.443 > 59.38.45.34.9909: Flags [.], cksum 0x22de (correct), ack 201, win 237, length 0
    139.59.209.225.443 > 59.38.45.34.9909: Flags [P.], cksum 0x2177 (correct), seq 2905:3600, ack 201, win 237, length 695
    59.38.45.34.9909 > 139.59.209.225.443: Flags [.], cksum 0x1fcb (correct), ack 1, win 1024, length 0
    139.59.209.225.443 > 59.38.45.34.9909: Flags [F.], cksum 0x14ce (correct), seq 3600, ack 201, win 237, length 0
    59.38.45.34.9909 > 139.59.209.225.443: Flags [.], cksum 0x1fcb (correct), ack 1, win 1024, length 0

vm host pc

59.38.45.34	139.59.209.225	TCP	78	9909  >  443 [SYN] Seq=0 Win=65535 Len=0 MSS=1452 WS=256 SACK_PERM=1
59.38.45.34	139.59.209.225	TCP	78	[TCP Out-Of-Order] 9909  >  443 [SYN] Seq=0 Win=65535 Len=0 MSS=1452 WS=256 SACK_PERM=1
139.59.209.225	59.38.45.34	TCP	74	443  >  9909 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 WS=128
59.38.45.34	139.59.209.225	TCP	66	9909  >  443 [ACK] Seq=1 Ack=1 Win=262144 Len=0
59.38.45.34	139.59.209.225	TCP	66	[TCP Dup ACK 2667#1] 9909  >  443 [ACK] Seq=1 Ack=1 Win=262144 Len=0
59.38.45.34	139.59.209.225	TLSv1.2	266	Client Hello
59.38.45.34	139.59.209.225	TCP	266	[TCP Retransmission] 9909  >  443 [PSH, ACK] Seq=1 Ack=1 Win=262144 Len=200
139.59.209.225	59.38.45.34	TCP	72	443  >  9909 [ACK] Seq=1 Ack=201 Win=30336 Len=0
139.59.209.225	59.38.45.34	TLSv1.2	1518	Server Hello
139.59.209.225	59.38.45.34	TLSv1.2	761	[TCP Previous segment not captured] , Ignored Unknown Record
139.59.209.225	59.38.45.34	TCP	1518	[TCP Out-Of-Order] 443  >  9909 [ACK] Seq=1453 Ack=201 Win=30336 Len=1452
59.38.45.34	139.59.209.225	TCP	72	[TCP Dup ACK 2667#2] 9909  >  443 [ACK] Seq=201 Ack=1 Win=262144 Len=0
59.38.45.34	139.59.209.225	TCP	72	[TCP Dup ACK 2667#3] 9909  >  443 [ACK] Seq=201 Ack=1 Win=262144 Len=0
139.59.209.225	59.38.45.34	TCP	1518	[TCP Retransmission] 443  >  9909 [ACK] Seq=1 Ack=201 Win=30336 Len=1452
139.59.209.225	59.38.45.34	TCP	1518	[TCP Retransmission] 443  >  9909 [ACK] Seq=1 Ack=201 Win=30336 Len=1452
139.59.209.225	59.38.45.34	TCP	1518	[TCP Retransmission] 443  >  9909 [ACK] Seq=1 Ack=201 Win=30336 Len=1452

I got this at the end of this command:

one.one.one.one (1.1.1.1)  175.379 ms  174.078 ms  *

What output should I expect from this command?

The Windows host cannot access the internet either. But I have VLAN settings in my environment; the Windows host cannot access the internet anyway.
Gonna try a no-VLAN-involved setting later.

You were supposed to paste the output of both commands here.
Test also the MTU. It can explain being able to ping but not download.


See also: https://en.wikipedia.org/wiki/Traceroute


Output I got:

root@OpenWrt:~# traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 46 byte packets
 1  1.44.38.59.broad.zh.gd.dynamic.163data.com.cn (59.38.44.1)  3.524 ms  3.350 ms  15.495 ms
 2  183.58.37.13 (183.58.37.13)  8.774 ms  183.58.36.105 (183.58.36.105)  6.174 ms  183.58.37.13 (183.58.37.13)  6.021 ms
 3  117.176.37.59.broad.dg.gd.dynamic.163data.com.cn (59.37.176.117)  6.285 ms  5.648 ms  183.58.10.165 (183.58.10.165)  16.006 ms
 4  202.97.66.162 (202.97.66.162)  8.405 ms  9.377 ms  183.58.10.202 (183.58.10.202)  10.054 ms
 5  202.97.91.22 (202.97.91.22)  13.567 ms  202.97.91.145 (202.97.91.145)  9.893 ms  10.404 ms
 6  *  202.97.18.170 (202.97.18.170)  175.033 ms  174.597 ms
 7  202.97.18.170 (202.97.18.170)  175.518 ms  202.97.49.106 (202.97.49.106)  181.380 ms  180.123 ms
 8  202.97.49.106 (202.97.49.106)  182.155 ms  *  218.30.54.214 (218.30.54.214)  174.454 ms
 9  one.one.one.one (1.1.1.1)  175.379 ms  174.078 ms  *
root@OpenWrt:~# traceroute one.one.one.one
traceroute to one.one.one.one (1.0.0.1), 30 hops max, 46 byte packets
 1  1.44.38.59.broad.zh.gd.dynamic.163data.com.cn (59.38.44.1)  3.771 ms  3.281 ms  15.765 ms
 2  59.38.17.33 (59.38.17.33)  10.528 ms  183.58.36.105 (183.58.36.105)  6.223 ms  183.58.37.9 (183.58.37.9)  5.464 ms
 3  183.58.10.202 (183.58.10.202)  11.066 ms  183.58.10.194 (183.58.10.194)  8.568 ms  183.58.10.202 (183.58.10.202)  10.300 ms
 4  202.97.94.134 (202.97.94.134)  11.499 ms  202.97.94.122 (202.97.94.122)  7.925 ms  202.97.94.134 (202.97.94.134)  12.009 ms
 5  202.97.94.94 (202.97.94.94)  22.725 ms  202.97.12.37 (202.97.12.37)  13.376 ms  202.97.12.1 (202.97.12.1)  10.379 ms
 6  202.97.86.138 (202.97.86.138)  171.291 ms  202.97.51.106 (202.97.51.106)  165.136 ms  202.97.72.102 (202.97.72.102)  176.968 ms
 7  202.97.90.118 (202.97.90.118)  170.293 ms  169.297 ms  175.413 ms
 8  218.30.54.214 (218.30.54.214)  182.782 ms  173.063 ms  168.323 ms
 9  one.one.one.one (1.0.0.1)  166.678 ms  *  168.914 ms

LAN side MTU is 1500.
WAN is using PPPoE; the MTU seems to have been automatically overridden to 1492 after dialing.
I remember my old router using MTU 1492, so I overrode my LAN side MTU to 1492 too. But it did not work.

Being able to ping but not download is not exactly my situation now.
All apps in my network work fine.
My PC is using a proxy outside my network to access the internet; it works fine too.
But all URL-based activity failed.

MTU it is. I checked my connection with the proxy I'm using; it is using a 600 MTU.
So I set the MTU to a small number, 1400, and everything works fine now.

Maybe it is VLAN related? The attached VLAN tag makes some packets exceed the MTU limit?

Thank you all for the help!

When I tried to find out the biggest available MTU, 1492 works again. I'm kind of confused.
Maybe the MTU is cached somewhere.

Anyway, everything works fine now. The MTU value is a story for another day.

LAN should be 1500, so don't change it.
WAN is automatically reduced to 1492, which is a default setting for pppoe connections.
Regarding the tunnel interface, this is something you should discuss with the administrator of the other end of the tunnel.
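
The MTU test suggested in this thread, as an added example that is not part of any post above: a binary search for the largest IPv4 packet that crosses the path with Don't Fragment set. It assumes iputils `ping` (its `-M do` flag; BusyBox ping on OpenWrt does not have it), and the function names `probe_ping`, `find_pmtu` and `mss_for_mtu` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): locate the path MTU with DF-bit pings.
# Assumption: iputils ping is installed; "-M do" forbids fragmentation.

# probe_ping HOST PAYLOAD
# Succeeds if an ICMP echo carrying PAYLOAD data bytes is answered.
# Two probes are sent so that one random loss is not read as "too big".
probe_ping() {
    ping -M do -c 2 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# find_pmtu HOST [PROBE_FN] [LOW_MTU] [HIGH_MTU]
# Prints the largest MTU in [LOW_MTU, HIGH_MTU] that passes unfragmented.
# Returns 1 if even LOW_MTU fails (no connectivity or ICMP filtered).
find_pmtu() {
    host=$1
    probe=${2:-probe_ping}
    lo=${3:-576}
    hi=${4:-1500}
    overhead=28   # 20-byte IPv4 header + 8-byte ICMP header

    "$probe" "$host" $((lo - overhead)) || return 1

    # Invariant: lo is known to pass, the answer lies in [lo, hi].
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" $((mid - overhead)); then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo "$lo"
}

# mss_for_mtu MTU
# Largest TCP segment that fits: MTU minus IPv4 (20) and TCP (20) headers.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}
```

Run `find_pmtu 1.1.1.1` from a LAN client and again from the VM host to see where large packets stop. For the 1492-byte PPPoE WAN, `mss_for_mtu 1492` gives 1452, the MSS visible in the SYN of the OpenWrt and VM host captures above.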
