Openwrt is blocking some websites

Hi!

I have just installed openwrt on my xiaomi 3000t and I'm having some issues. I didn't make any changes, I've just let it as it came.

I'm trying to understand why openwrt is blocking websites, for example: raspberrypi.com, vimeo.com and some others.

Thank you :slight_smile:

1 Like

Openwrt shouldn't block anything. What error message or problem occurs when trying to access those websites?

3 Likes

Let's see your configuration -- we'll start there.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you for looking into this for me! Let me know if I missed anything and I'll edit my post.

ubus call system board

        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi Mi Router AX3000T",
        "board_name": "xiaomi,mi-router-ax3000t",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mediatek/filogic",
                "description": "23.05.3 240325"

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8d:5a3d:17c6::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'cc:d8:43:16:c5:82'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wifi'
        option channel 'auto'
        option band '2g'
        option htmode 'HE20'
        option disabled '0'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'iRouter 2.4G'
        option encryption 'psk2'
        option key '-'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/18000000.wifi+1'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option disabled '0'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'iRouter 5G'
        option encryption 'psk2'
        option key '-'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'WORKSTATION33'
        option ip '192.168.1.244'
        option mac '54:BF:64:79:E0:CE'

config host
        option name 'raspberrypi'
        option ip '192.168.1.174'
        option mac 'B8:27:EB:85:C3:58'

config host
        option name 'iVanuPC'
        option ip '192.168.1.162'
        option mac '74:56:3C:3E:AE:40'

cat /etc/config/firewall

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'WORKSTATION33'
        option ip '192.168.1.244'
        option mac '54:BF:64:79:E0:CE'

config host
        option name 'raspberrypi'
        option ip '192.168.1.174'
        option mac 'B8:27:EB:85:C3:58'

config host
        option name 'iVanuPC'
        option ip '192.168.1.162'
        option mac '74:56:3C:3E:AE:40'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

It's just a timeout, every single time. I've added some info in my reply to psherman

You probably got the IP of some site abuser or victim of router hacking.

This is not a standard line in your dnsmasq config:

Did you add this? Have you been experimenting with any DNS related techniques such as adblock/adguard, DoH/DoS? or making any other config changes related to DNS?

Looks clean

@psherman nope, the only thing I done is to enable software flow offloading. Anything I could do to take it out?

I specifically posted for help here because I was so overwhelmed by the multitude of buttons and functions in the beautiful openwrt interface maze.

I'm hoping to set up my raspberry pi as an adblocker in the future but I wanted to see how it works without anything added for a couple of weeks before I set it up.

@psherman thinking about this... when I set it up, I didn't go for the official image, I went for remittor's builds. I guess that was set up by him.

I get this with some of my pi-hole block lists too.

Might want to check how your DNS is setup up, and which upstream DNS resolvers are used.

1 Like

It would probably make sense to try an official image, and then see what happens.

3 Likes

remittor has adblocks etc included.

1 Like

Thank you. I've used the latest snapshot, the systemupgrade image through Luci.
Wired connection seems to be ok, wireless is off and I cannot connect through 192.168.1.1.


I guess I need to go the ssh way to set it up

wireless is disabled by default, and yes, LuCI is not pre-installed in the snapshot.

You have installed a snapshot image. Read the link for instructions how to install Luci, which is not installed by default in snapshots.

https://openwrt.org/faq/can_not_connect_via_webbrowser

1 Like

You need to add luci-mod-admin-full and luci-ssl to match releases. There is a box in firmware selector or you can install them via command line.

1 Like

Sweet! Thank you so much! It all works now :slight_smile:

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.