after the installation of the current OpenWRT 18.06.2 everything works fine, except...
I'm not able to establish any connection (http or rdp) to a device in another network anymore. The other network is accessed through a (local established) VPN connection. The tunnel could be established and is stable.
A http-connection is not possible, a RDP-connection neither. The strange thing with the RDP-connection is, that the credentials are accepted and the first screen (of windows) appears, but then... Nothing happens.
I hope anyone has an idea...
Some information to my setup at the end:
Local Network: 192.168.1.0/24
Remote Network: 172.22.33.0/24
VPN: IPSec/Xauth (Fritzbox)
Router: Fritzbox 7360v1 with DSLite, no changes to the default firewall
My current guess is, that the problem is hidden anywhere inside the routing of my devices... My knowledge about this is not very good, but is it possible that route-autodetection of the tunnel is affected by the router?
Things, that make me think about:
if the tunnel is enabled, no connection to the internet is possible
the initial connection always works:
if I access a http-Website (inside the remote network), the BasicAuth works fine but nothing else
as mentioned before, the authentication of the rdp-connection works too
ssh-connections are working
ping is working
If anyone has a suggestion what to try next... This would be great
Sounds like mtu.
From the computer behind openwrt can you ping the other computer behind fritz with don't-fragment option and various payload sizes? By default the payload is 32 or 64 bytes so work your way up to see where it will stop replying.
What a shame! I changed it, but after establishing the connection the mtu has been changed again (back to the old value...). Note to myself: Always do a double check
Now it works.
Strange anyway that I need here some modifications on my client(s) which I did not need before.
Now you can try increasing the MTU value again to find the maximum that still works.
I recommend at least 1280 bytes if possible, since this is the minimum required for IPv6.
I am sorry for not proposing this value from the beginning.
Ideally, the MTU value would be determined by the Path MTU Discovery technique, which relies on an ICMP message to report an oversized packet. If a middlebox blocks these ICMP messages, Path MTU Discovery breaks. DSLite has two such middleboxes which could interfere: your own router, and the NAT gateway at your ISP.
Reducing the MTU administratively is not an ideal solution. How could you improve it?
Ask your ISP for dual-stack instead of DSLite. Your router would get a public IPv4 address and there would be no extra NAT or tunneling imposed by your ISP.
If the peer gateway has IPv6 connectivity, run the VPN tunnel over IPv6. However, this is not supported by FritzOS; it is only an option if you can replace the hardware or firmware of the remote gateway.