OpenWrt @ Raspberry Pi 4 & Vodafone(.de) Cable Provider

I'm running
German Vodafone Cable 1000max (Berlin/Germany)
provider supported fritz.box 6591
--> exposed host --> Raspberry Pi 4
(OpenWrt SNAPSHOT r16186-bf4aa0c6a2 / LuCI Master git-21.124.24916-0faf9a4)
3 x VLAN using 5-port TP-Link switch

VLAN14 = wired network
VLAN11 = wireless network
VLAN10 = additional network

Firewall settings

All is running great (I don't really have big claims!)

So far I have not found any errors, neither when surfing nor when using services, well, one exception: Google!

Recently I have had to regularly prove that I am a human and not a robot in which I have to solve a captcha: Cars, ships, traffic lights, pedestrian crossings, chimneys, buses = this is probably due to the DS-lite technology to save IPv4 addresses ...

So I wanted to go to the vodafone portal to inquire about real "DUAL-Stack". I can enter the site, but not log in. Neither with my large computer (wired network) nor with my smartphone (wifi). Other functions like reset password or reregistration don't want to bring me to the right page, no chance!

If I use my smartphone via LTE, I can log in. If I connect my PC to the hotspot of my smartphone, the registration also works.
Consequently, it is not due to cache data, cookies or other things on my machine, but to the technology used on the MeinVodafone site!!!
Obviously my configuration of my network prevents the use of certain authentication accesses (I think it's good that such procedures (direct access to my device???) are prevented by my OPENWRT), but I am sad that I cannot access the Vodafone portal.
By the way, it doesn't matter which browser is used!

Can another Vodafone customer verify this?
Which setting could I have wrongly set?
Other portals (mail portals such as gmx.de ionos.de) work without problems.

I am grateful for any hints

Regards from Berlin
Martin aka -==[Schubsi]==-

google does this to IPs that service many connections ( enterprises, bulk cgnat, proxies... etc ), report it to your provider...

you need to use a browser-debugger/ssl-proxy to capture a good vs non good session..., or discuss with your provider


Hey wulfy23,

thank you for your answer!

I understood that my Google queries from the provider Vodafone along with many other queries from other vodafone customers are forwarded to Google via one single IP address, so that Google thinks I could be an attacker because of the amount of requests. This effect of "DS-lite" is now known and obviously I cannot change it.

I can't debug SSL traffic because I'm "not good enough" ...
I wanted to communicate this behavior to a technician from my provider, but he said that it is not Vodafone's problem if I use an exotic router.
His logic: If I connect to the Vodafone website without OpenWrt, the connection works fine, so the problem is with my OpenWrt.

Therefore, my question here in the forum was whether someone with the same hardware and software can check whether the problem is reproducible. Maybe there is someone who uses a Raspberry Pi 4 B and has a newer distribution of OpenWrt and doesn't have this problem, so it could be because of the snapshot version I used ...

If someone (does not have to be a vodafone customer) could test this:

Go to vodafone.de, choose right top corner "MeinVodafone", under the Login button choose "Zugangsdaten vergessen!" and on the next screen click "Internet Passwort vergessen"

If I do that with OpenWrt between me and the internet, the website returns without any comment to the login form (where username and password have to be inserted).

Without OpenWrt there appears a new screen to choose username and to answer a captcha for starting a "password reset procedure"...

I would be happy for some help!

Regards

-==[Schubsi]==-

works for me... and i'm using openwrt on a rpi4...

are you running adblock?
are you running dual-stack?
what is your browser exact version?
have you tried other browsers?

I quote myself:

I connected my PC (with the same configuration) via wifi to the hotspot of my smartphone and used LTE-internet via D1-Telekom: No problems at all using the same browser with the same plugins and settings.

Today I will connect my PC directly to the Fritzbox to test my pure Internet service, and I already suspect that this will be important: It will confirm that the OpenWRT in between is the reason that the website is not working correctly.

The problem is my OpenWrt and not noscript, adblock, browser or anything else - perhaps the snapshot I use has a very special bug ...

which snapshot are you using?

However all of Google's servers are IPv6 enabled so if you have ds-lite you should be accessing them via IPv6 and this shouldn't be the issue

When you go to icanhazip.com from behind the OpenWrt router do you see an IPv6 address? Perhaps you need to debug the IPv6 distribution to your lan.

Please look at the screenshot in my first post (Bild2), I overpainted the IP address and I swear it was a standard v4!!!

Sorry i know absolutely nothing about ipv6 ...
what should i do to persuade the OpenWrt to use and support ipv6?

the issue that the login website of vodafone is not reachable?
the issue that google gives me captchas?

At the moment I don't care about Google's captchas, it is much more important to me to log into the Vodafone portal ...

Are these two problems related?

Please don't think I'm a professional. Yes, I managed to install a Raspberry Pi 4B with a SNAPSHOT system from OpenWrt and to supply my classic IPv4 network with the use of VLAN.
It doesn't mean I have any idea how to use IPv6 ...

PS: http://icanhazip.com/ answers with a classic IPv4 address, the same that is used all the last time...

Can you show the interfaces page on Luci? That should give us a clue about IPv6 status. You really want to get your IPv6 working properly it will fix some of these problems

Hey dlakelan

Thank you for your answer!

I still have to check to make my configuration public here. I'm confused.

I have new knowledge!
OpenWrt may be innocent of my predicament.
I have connected my PC directly to my fritz.box and have the same problem: I cannot log into the Vodafone portal.

At first I called the problem "DS-lite", this was my fault, sorry, the problem's name seems to be "cg-NAT". It may have something to do with sloppiness on the part of Vodafone: During identification, the IP address is presumably accessed, which is not exclusively available to me, but is used by many Vodafone customers. So the login seems to fail ...

Take a look at my IPv4 address:

This internal IPv4 address is then converted (cg-nat seems to be the correct expression)

and is reported to the Vodafone website when I call up the page. Access to my Internet address then does not work because this address is used by many other customers.

The vodafone website is not reachable via IPv6, I tested that last hour.

Routenverfolgung zu www.vodafone.de [139.7.147.41]

On my smartphone (Telekom-D1 - Congstar) - this is guaranteed to work with cg-NAT as well - this network address translation seems to work much better: When I go to the Vodafone website with my smartphone, everything works fine, even if I use the smartphone's internet connection by the PC!!!

So I have to argue with Vodafone customer service again, because they think everything works great, the fault must be with my system - but after my tests today it cannot be found on me.
It's very unpleasant, it won't be fun :roll_eyes:

By the way, everything only since my line was upgraded to 1 Gbits speed. Before at 100 Mbits I had my own real IPv4 in the official address range, all was fine and my system was reachable from the net by an IPv4 address ...

-==[Schubsi]==-

you've blacked out the specifics, but it clearly shows that you have ipv6 at the upstream router, but you have yet to show us the openwrt interface page. You shouldn't be accessing google via ipv4 at all, because openwrt should have an ipv6 prefix it's assigning to your LAN, and your browser should be accessing google via ipv6, hence no cg-NAT at all.

log into the openwrt luci interface, click network > interfaces and take a screenshot. People often black out their ipv6 info but for the most part it's not necessary, the firewall prevents anyone from connecting.

Well, then ask them to switch you to full dual stack or a pure dynamic public IPv4... ISPs in Germany are expected by the regulator (BNetzA) to give out IPv4/DualStack to customers that need it, if the ISP can do so (i.e. not out of IPv4 addresses). So get on the hotline/forum and insist to get dualstack*, just argue that you need this because you have an IPv4 security camera you need to access over the network or similar (assuming you actually have such needs). Given that you had a public IPv4 before just let them know you "lost" this IP on the upgrade to the gigabit plan (I assume that the 100Mbps plan was with VF over cable)
Also consider switching the Fritzbox into bridge mode, so that your openwrt router becomes your main router, which I assume might fix most issues.

*) IPv6 is not the far future anymore, so try not to get public IPv4 only, that is decidedly the past :wink:

To help you understand the situation, you have ds-lite, which means you have:

  1. A real public IPv6 network you can use
  2. A single cg-nat private IPv4 address which is translated by your ISP to a shared public ipv4

For all ipv6 sites, which includes many of the biggest ones, google, facebook, netflix, cloudflare and other CDNs, etc, your machines should use their unique ipv6 to connect directly...

For ipv4 only sites, you'll go through the cg-nat, and the sites will see a "shared" ipv4

The problem #1 at the moment is that your LAN machines are NOT getting their ipv6 addresses so they are using cg-nat for EVERYTHING. If you fix that it'll improve your connectivity to the sites that use IPv6.

Once you solve that, problem #2 is that a lot of the web is still ipv4 only, and so you will need the cg-nat still for those sites. But this is common enough, and really shouldn't prevent most services from working right.

Problem #3 is that the vodafone portal isn't working. This could be any number of issues, and is best debugged by talking with vodafone, and making sure you can at least use the portal from just their equipment (eliminating openwrt from the equation).

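The distinction drawn in the post above (ds-lite or cg-nat on the IPv4 side, and LAN hosts with or without a usable IPv6 address) can be checked from the addresses alone. This is an added example, not part of any post in the thread; the function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Address blocks that reveal what kind of IPv4 uplink a router has.
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared space (carrier NAT)
DSLITE = ipaddress.ip_network("192.0.0.0/29")   # RFC 6333 DS-Lite tunnel addresses
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GLOBAL_V6 = ipaddress.ip_network("2000::/3")    # global unicast IPv6


def classify_ipv4_uplink(wan_ip, echoed_ip):
    """Compare the router's WAN IPv4 with the address a remote echo site reports."""
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(echoed_ip)
    if wan in DSLITE:
        return "ds-lite"                  # IPv4 is tunnelled to the ISP's NAT
    if wan in CGNAT:
        return "cgnat"                    # ISP translates to a shared public IPv4
    if any(wan in net for net in RFC1918):
        return "behind-upstream-router"   # e.g. exposed host behind a provider box
    if wan == seen:
        return "public"                   # remote sites see the router's own address
    return "translated"                   # public-looking, but rewritten on the way


def global_ipv6(addresses):
    """Return the global unicast IPv6 addresses among a host's configured addresses."""
    found = []
    for text in addresses:
        addr = ipaddress.ip_interface(text).ip   # accepts "address/prefixlen"
        if addr.version == 6 and addr in GLOBAL_V6:
            found.append(str(addr))
    return found


if __name__ == "__main__":
    # Constructed samples: a router's WAN address, the address an echo service
    # reported, and the addresses configured on one LAN host.
    print(classify_ipv4_uplink("192.168.178.20", "203.0.113.7"))
    print(global_ipv6(["192.168.14.20/24", "fe80::1/64"]))   # IPv4-only host
    print(global_ipv6(["fe80::1/64", "2001:db8:1:14::20/64"]))
```

An empty result from `global_ipv6` for a LAN host means that host sends everything over IPv4, so everything goes through the shared address.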

It makes no sense to show my LuCi page here, because it will turn out that I only use IPv4 in my private network environment. The VLANs are set up statically, of course.

Please do not ask why and what I grouped it for, briefly explained: VLAN10 is a mechanically regulated (power switch) children's wifi, VLAN11 is the wifi for the parents (both were implemented using separate access points) and VLAN14 is a wired network for father's PCs (3x), the network printer, the NAS and the "vu+ duo 4k" tv media center and many more.

The interfaces have their own DHCP and GW settings; a device that logs on to the VLAN10 receives an IP in the specified network and the appropriate settings for the gateway / DHCP / DNS (x.x.x.1).
It is very clear that no automatic IPv6 settings can be displayed here: My knowledge (IPv4) has so far been sufficient for domestic use ...

VLAN198 is the uplink network to the fritz.box, here the OpenWrt is configured as "exposed host". All data packages are passed on to the Raspberry Pi unchanged. This may be equal to the bridgemode you told about...

The hardware construction is shown on the photo in my first post in this thread.
The firewall settings are shown by a screenshot there too, please scroll upwards.

I will probably have to buy some reading material (perhaps Electronics Compendium IPv6) to understand IPv6, to create IPv6 addresses myself and to adapt them to my needs to use them within my private network (these must surely be entered manually in the network interfaces). I am currently not able to do this ...

-==[Schubsi]==-

No, "exposed host" is not the same as bridge mode, as the Fritzbox will likely still grab the IPv6 prefix delegation, and hence the openwrt device will receive an IPv6 address for itself, but without a prefix delegation it will not supply its connected machines with IPv6 addresses, because with the default configuration it can not. I think IPv6 relay might be what you need if you keep the exposed host setup, but I have not tried that myself.

In all likelihood you will need to adapt/modify your network design to work well with IPv6. IPv6 is different enough from IPv4 that the "old ways" will not work out of the box (for example android devices do not support DHCPv6 and hence will always assign their IPv6 address via SLAAC IIRC). That said, I believe IPv6 will allow the same functionality as IPv4, just not the same implementation...

Hello to all interested users!

I didn't change anything!
This morning I tried to log into MeinVodafone and everything is fine !!!
The link to start a password reset procedure is running perfect now too!

There was no error in the configuration of my "Raspberry Pi 4B environment", my OpenWrt or my Fritz.box.

The technician I spoke to on the phone last week was probably not happy to have to work on a Saturday and therefore looked for the fault in all the other components but not in Vodafone. Presumably many others have reported the same problem and Vodafone has eliminated this problem after all.

I thank all writers for their posts!
Of course, I will still turn to the new IPv6 technology, but first I have to learn a lot about it before I actually start using it.

Best regards from Berlin

-== [Schubsi] ==-
