Only some websites accessible; bridge mode

Disk1313 · October 12, 2024, 8:40pm

Hi,

my goal is to have following setup and I have a really strange issue where I can only access some websites, but many not:

Fritz!Box 7520 mainly used as modem (bridge mode) with OpenWrt 23.05.5
GL.inet GL-MT6000 (Flint 2) as PPPoE endpoint and router running OpenWrt 23.05.5

Examples of accessible websites:

Not accessible:

Network file for Fritz!Box (bridge mode; it's a bit bloated due to my previous configuration):


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddd:56ee:6c25::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'j'
	option tone 'b'
	option ds_snr_offset '0'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	option multicast '1'
	option igmp_snooping '1'
	list ports 'lan1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'dsl0'
	option macaddr 'REDACTED'

config interface 'tailscale'
	option proto 'none'
	option device 'tailscale0'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-guest'

config interface 'server'
	option proto 'static'
	option device 'lan2'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

config interface 'tv'
	option proto 'static'
	option device 'br-tv'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-tv'

config device
	option type 'bridge'
	option name 'br-iot'
	option bridge_empty '1'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.6.1'
	option netmask '255.255.255.0'

config interface 'wireguardvpn'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option listen_port '51820'
	list addresses '192.168.9.1/24'

config wireguard_wireguardvpn
	option description 'REDACTED'
	option preshared_key 'REDACTED'
	option public_key 'REDACTED'
	option private_key 'REDACTED'
	list allowed_ips '192.168.9.23/32'
	option persistent_keepalive '25'

config interface 'wg_out'
	option proto 'wireguard'
	option private_key 'REDACTED'
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'

config wireguard_wg_out
	option description 'Imported peer configuration'
	option public_key 'REDACTED'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'REDACTED'
	option endpoint_port '51820'

config interface 'printer'
	option proto 'static'
	option device 'br-printer'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option type 'bridge'
	option name 'br-printer'
	option multicast '1'
	option igmp_snooping '1'
	list ports 'lan3'

config interface 'wg_REDACTED'
	option proto 'wireguard'
	option private_key 'REDACTED'
	list addresses '192.168.20.1/31'
	option listen_port '51821'

config wireguard_wg_REDACTED
	option description 'REDACTED'
	option preshared_key 'REDACTED'
	option public_key 'REDACTED'
	option private_key 'REDACTED'
	list allowed_ips '192.168.20.2/32'
	option route_allowed_ips '1'
	option endpoint_host 'REDACTED'
	option persistent_keepalive '25'
	option endpoint_port '51280'

config device
	option type 'bridge'
	option name 'br-dsl'
	option bridge_empty '1'
	list ports 'lan4'
	list ports 'dsl0.7'
	option vlan_filtering '1'

config interface 'MODEM'
	option proto 'none'
	option device 'br-dsl'
	option defaultroute '0'
	option delegate '0'

config device
	option name 'lan4'
	option ipv6 '1'

Network file for GL-MT6000 (router/PPPoE endpoint:)


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd20:1a05:a332::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr 'REDACTED'

config device
	option name 'lan2'
	option macaddr 'REDACTED'

config device
	option name 'lan3'
	option macaddr 'REDACTED'

config device
	option name 'lan4'
	option macaddr 'REDACTED'

config device
	option name 'lan5'
	option macaddr 'REDACTED'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr 'REDACTED'

config interface 'wan'
	option device 'eth1'
	option proto 'pppoe'
	option username 'REDACTED'
	option password 'REDACTED'
	option ipv6 'auto'
	option mtu '1492'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '2606:4700:4700::1111'

Does anyone know why it does not work as expected?

Bonus question: I temporarily forgot to assign a firewall zone to the Fritz!Box's MODEM interface. It took about half a day, until I realized it. Were my devices and home network at risk during this time?

psherman · October 12, 2024, 10:00pm

There's a lot happening in that... VLANs among other things. It doesn't look like it's purely bridging a modem through. Instead, it looks like it is fully routing.

If it's really "bloated due to my previous configuration" it should be reset to defaults and then configured specifically for the currently desired mode of operation.

There may be more going on than you've shown... for example, the DNS configuration was not shown, and could be very relevant.

I'd recommend that you reset both devices to defaults and then built up from there.

Hard to say... it's rather hard to figure out where things are actually happening and where the PPPoE/wan is actually terminating (again, it looks like it is happening in 2 places). I would guess that your devices were probably okay, but I certainly won't guarantee it.

Disk1313 · October 13, 2024, 6:33am

I will.

Could you lead me into the right direction, especially for the bridge mode, pls?

I could barely find any information on how to set it up in OpenWRT.

psherman · October 13, 2024, 6:36am

I actually don’t know how to create a bridge modem device in OpenWrt. I don’t have any dsl devices, so I have never attempted such a config.

Disk1313 · October 13, 2024, 6:21pm

Found a solution to get it working.

I reset both devices, did only a minimal setup and still had the same issue. Also in a very strange way. For example www.faz.net worked, but faz.net not. Some sites which worked also had noticibly slow loading times, others not. Nslookup looked fine for all site, traceroute for the non-working ones not. Problem was not misconfiguration per se, but the MTU value, which I never had to override in the past. Somehow the same negotiated MTU value of 1492 which worked on the Fritz!Box (in case of using it as modem+router) does not work for the new setup with two devices. I set "Override MTU" in the advanced options for the wan interface in the GL-MT6000 router to 1490. The MTU value of the dsl0 and dsl0.7 device on the Fritz!Box in bridge mode is still at 1500. ISP is "Deutsche Telekom". I remember reading about a similar problem and overriding the MTU value solved it.

I have no clue what this value does and why it was a problem in this case. Can anyone explain it to me?
Can overriding this value manually cause any negative side-effects?

system · October 23, 2024, 6:21pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.