Raspberry pi zero unable to access many websites

Hi, I am facing a strange problem.

I am using Openwrt on a TPlink router which is working fine.

Now I am experimenting with OpenWrt on a Raspberry Pi Zero using a USB LAN adapter and a managed switch through VLAN.

I have properly configured Raspberry pi and switch which has internet. But the problem is, I can access some websites while there are many websites which I cannot access if I use RPi as router. Strangely openwrt.org and forum.openwrt.org are some of the websites which I cannot access. Also, I cannot update the software package list.

I used the built-in ping, traceroute, and nslookup tools to diagnose the problem but all tools give success.

Below are the configurations.

DHCP

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd83:b021:0f46::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config device
        option name 'eth0'
        option mut '1500'
        option macaddr 'XX:XX:XX:XX:XX:XX'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.10'
        option macaddr 'XX:XX:XX:XX:XX:XX'

config device
        option name 'eth0.10'
        option type '8021q'
        option ifname 'eth0'
        option vid '10'
        option macaddr 'XX:XX:XX:XX:XX:XX'

Firewall

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

What is the subnet of your main (upstream) router? If it is 192.168.0.0/24, you need to change the LAN on your OpenWrt Pi zero.

Try changing the LAN address to something else like 10.9.1.1 and see if that works. Be sure to force clients to get a new DHCP lease after doing this.

If that doesn't fix the problem, run the following tests from both an ssh session into the Pi zero, as well as on a computer that is connected via the Pi zero:

very typical result, if IPv6 works, but IPv4 does not

Thanks for the suggestions but changing LAN does not have any impact.

Also I can ping to 8.8.8.8 and google from both my router and client.

so can you elaborate on which sites are not working properly?

I have not configured IPv6 on my router. Also, the websites I cannot access are independent of IPv4 or IPv6.

for example,

These two I have discovered so far.

General Troubleshooting:

  1. Ping the URL to see if name resolution works
  2. If name resolution works try to ping the IP address (if it is an IP that is known to answer ICMP)
  3. Have tcpdump -n -i any host IP-ADDRESS running on the router (replace IP-ADDRESS with the IP you try to ping).

This will show you if the package reaches the router and if it goes to the internet

I can ping and have working name resolution from the router ssh console to the websites.

I could not run tcpdump because it has to be installed using opkg from download.openwrt.org, which is also not working.

Another thing I observed is that I can ping my router from my laptop, but cannot ping back from the router to the laptop. However, I can ping my switch from the router.

PS. My laptop is connected to the wifi access point of RPi

So you are saying that download.openwrt.org is also not working on the router itself?

Yes. Exactly :face_with_diagonal_mouth:

what about if you specify a public DNS server.

Let's see the output from these two commands:

nslookup downloads.openwrt.org
nslookup downloads.openwrt.org 8.8.8.8

These are the results

root@OpenWrt:~# nslookup downloads.openwrt.org
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 168.119.138.211

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 2a01:4f8:251:321::2

root@OpenWrt:~# nslookup downloads.openwrt.org 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8:53

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 168.119.138.211

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 2a01:4f8:251:321::2

Kindly note, I seem to have no problem to ping, nslookup the problematic sites.

Also, I cannot ping back to my client laptop from router. But I can ping to router from client laptop. Could this be a reason too?

so the problem is only on the client computer? Please run the same test on the computer directly and let's see the results.

Please elaborate here -- from your main router, or from the Pi zero? The computer is connected to the Pi, correct?

Well here @adhossain indicated it also is not working on the router

So it sounds like maybe HTTP/HTTPS is blocked to these URLs.

@adhossain
So on the router
ping downloads.openwrt.org - works
but
wget downloads.openwrt.org - doesn't work?

yeah, that's what I thought. But they also said that the diagnostics come back fine when run from OpenWrt (obviously the main site is different than the download server, but still). This thread has been a bit confusing, so hopefully the OP can show specific results to clarify.

Yeah did an edit to my post to ask for clarity

The problem is basically if I want to browse those websites. Since I cannot browse from router, so cannot tell if it also happens there. But as I mentioned, opkg install does not work on router since the router cannot connect to downloads.openwrt.org.

below test results

On client side

C:\Users\hossa>nslookup downloads.openwrt.org
Server:  UnKnown
Address:  fd83:b021:f46::1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\Users\hossa>nslookup downloads.openwrt.org 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    mirror-02.infra.openwrt.org
Addresses:  2a01:4f8:251:321::2
          168.119.138.211
Aliases:  downloads.openwrt.org

On router

root@OpenWrt:~# nslookup downloads.openwrt.org
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 168.119.138.211

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 2a01:4f8:251:321::2

root@OpenWrt:~# nslookup downloads.openwrt.org 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8:53

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 168.119.138.211

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 2a01:4f8:251:321::2

I have this kind of setup. Where my RPi has a Public IP using the VLAN from switch. Yes, cannot ping from My router which is Rpi to client

well, this looks like an IPv6 issue after all.

Turn off the IPv6 entries.

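The symptom in this thread (ping and nslookup succeed while browsing and opkg fail) and the IPv6 diagnosis above can be checked one address family at a time. The following is an added example, not code from any poster or from OpenWrt: a Python 3 sketch for a client or any host with Python, where the function names `probe` and `diagnose` and the choice of TCP port 443 are assumptions made for illustration.

```python
import socket

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}

def probe(host, port=443, timeout=3.0,
          resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Resolve and TCP-connect to host separately for IPv4 and IPv6.

    Returns {"IPv4": (status, detail), "IPv6": (status, detail)}; status is
    "ok", "no-address" (DNS returned nothing for that family) or
    "connect-failed" (address known, TCP handshake did not complete).
    """
    results = {}
    for label, family in FAMILIES.items():
        try:
            infos = resolve(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror as exc:
            results[label] = ("no-address", str(exc))
            continue
        if not infos:
            results[label] = ("no-address", "empty answer")
            continue
        addr = infos[0][4][0]          # first sockaddr, address part
        try:
            connect((addr, port), timeout).close()
            results[label] = ("ok", addr)
        except OSError as exc:         # timeout, refused, unreachable
            results[label] = ("connect-failed", f"{addr}: {exc}")
    return results

def diagnose(results):
    """Turn the per-family results into a one-line verdict."""
    v4, v6 = results["IPv4"][0], results["IPv6"][0]
    if v4 == "ok" and v6 == "connect-failed":
        return "ipv6-broken"       # AAAA is advertised but unusable
    if v6 == "ok" and v4 == "connect-failed":
        return "ipv4-broken"
    if "ok" in (v4, v6):
        return "no-family-fault"   # the other family simply has no address
    return "both-failing"          # not family-specific: routing or firewall

if __name__ == "__main__":
    # Hostnames taken from the thread; the output depends on the network.
    for name in ("downloads.openwrt.org", "forum.openwrt.org"):
        res = probe(name)
        print(name, res, "->", diagnose(res))
```

An `ipv6-broken` verdict matches the case where the router hands out IPv6 addresses and DNS on the LAN without a working IPv6 uplink, so ICMP and IPv4 tests pass while applications that try the AAAA address first stall.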

I am happy to give anyone of you access to my computer using Teamviewer to have a look.