[Solved] Some sites being blocked after setting up Wireguard/NordLynx

Hi there!

I've used this link in order to set up NordLynx/Wireguard on my Qotom box with OpenWRT on it. Everything works almost perfectly and I'm (nearly) getting Gigabit speeds, so that's great!

The only problem is that a few websites are being blocked (or not reachable) when using this configuration. At first, I thought this was the case because these websites were blocking VPN traffic themselves (or specific NordLynx servers), but that doesn't seem to be the case. I've come to this conclusion because when I'm using the NordVPN Windows 10 app and connect via NordLynx to that same server, these websites actually do work.

So, my guess is that this issue is being caused by my configuration in OpenWRT. Does anyone have a clue what can be the cause of this specific issue? Any help is appreciated!

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; \
traceroute www.sitethatwontwork.com ; nslookup www.sitethatwontwork.com

Hereby:

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; \
> traceroute www.exactsoftware.com ; nslookup www.exactsoftware.com
{
        "kernel": "4.14.221",
        "hostname": "OpenWrt",
        "system": "Intel(R) Core(TM) i5-7300U CPU @ 2.60GHz",
        "model": "Default string Default string",
        "board_name": "default-string-default-string",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.7",
                "revision": "r11306-c4a6851c72",
                "target": "x86/64",
                "description": "OpenWrt 19.07.7 r11306-c4a6851c72"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf0:f2f4:22eb::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1 eth2 eth3 eth4 eth5'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.300'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.300'
        option proto 'dhcpv6'

config interface 'NordLynx'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list addresses '10.5.0.2'
        option dns '103.86.96.100 103.86.99.100 8.8.8.8 8.8.4.4'

config wireguard_NordLynx
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '134.19.185.96'
        option endpoint_port '51820'
        option description 'nl956.nordvpn.com'
        option route_allowed_ips '1'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 NordLynx'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
13: eth0.300@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 31.XXX.XXX.XX/21 brd 31.XXX.XXX.XXX scope global eth0.300
       valid_lft forever preferred_lft forever
18: NordLynx: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc cake state UNKNOWN group default qlen 1000
    inet 10.5.0.2/32 brd 255.255.255.255 scope global NordLynx
       valid_lft forever preferred_lft forever
default dev NordLynx proto static scope link
31.XXX.XXX.X/21 dev eth0.300 proto kernel scope link src 31.XXX.XXX.XX
134.19.185.96 via 31.XXX.XXX.X dev eth0.300 proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
local 10.5.0.2 dev NordLynx table local proto kernel scope host src 10.5.0.2
broadcast 31.XXX.XXX.X dev eth0.300 table local proto kernel scope link src 31.XXX.XXX.XX
local 31.XXX.XXX.XX dev eth0.300 table local proto kernel scope host src 31.XXX.XXX.XX
broadcast 31.XXX.XXX.XXX dev eth0.300 table local proto kernel scope link src 31.XXX.XXX.XX
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Feb 15 16:22 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Mar 31 15:38 /tmp/resolv.conf
-rw-r--r--    1 root     root           203 Mar 31 15:38 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface NordLynx
nameserver 103.86.96.100
nameserver 103.86.99.100
nameserver 8.8.8.8
nameserver 8.8.4.4
# Interface wan
nameserver 37.XXX.XX.XXX
nameserver 37.XXX.XX.XXX
search ftth.glasoperator.nl
head: /tmp/resolv.*/*: No such file or directory
traceroute to www.exactsoftware.com (145.14.61.34), 30 hops max, 46 byte packets
 1  *  *  *
 2  *  *  *
 3  *  *  *
 4  *  *  *
 5  *  *  *
 6  *  *  *
 7  *  *  *
 8  *  *  *
 9  *  *  *
10  *  *  *
11  *  *  *
12  *  *  *
13  *  *  *
14  *  *  *
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19  *  *  *
20  *  *  *
21  *  *  *
22  *  *  *
23  *  *  *
24  *  *  *
25  *  *  *
26  *  *  *
27  *  *  *
28  *  *  *
29  *  *  *
30  *  *  *
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      www.exactsoftware.com
Address 1: 145.14.61.34
*** Can't find www.exactsoftware.com: No answer

Thanks for the help!

Check if you have any adblock, banip, or something else blocking those IPs.
iptables-save -c


I'm not blocking that website. In fact, if I remove the NordLynx interface from the wan zone (or disable the NordLynx interface), then I'm able to reach that website just fine. So it must be something in the NordLynx/Wireguard interface, I guess...

However, here's the export you requested:

root@OpenWrt:~# iptables-save -c
# Generated by iptables-save v1.8.3 on Wed Mar 31 16:32:44 2021
*nat
:PREROUTING ACCEPT [13516:3222712]
:INPUT ACCEPT [579:86360]
:OUTPUT ACCEPT [1941:137639]
:POSTROUTING ACCEPT [28:2978]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[13516:3222712] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[13151:3196125] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[365:26587] -A PREROUTING -i eth0.300 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i NordLynx -m comment --comment "!fw3" -j zone_wan_prerouting
[4136:680610] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[5:1360] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[10:2452] -A POSTROUTING -o eth0.300 -m comment --comment "!fw3" -j zone_wan_postrouting
[4098:675180] -A POSTROUTING -o NordLynx -m comment --comment "!fw3" -j zone_wan_postrouting
[5:1360] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[13151:3196125] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[4108:677632] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[4108:677632] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[365:26587] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Mar 31 16:32:44 2021
# Generated by iptables-save v1.8.3 on Wed Mar 31 16:32:44 2021
*raw
:PREROUTING ACCEPT [1662995:1783814019]
:OUTPUT ACCEPT [360109:57458815]
:zone_lan_helper - [0:0]
[363965:36033142] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Wed Mar 31 16:32:44 2021
# Generated by iptables-save v1.8.3 on Wed Mar 31 16:32:44 2021
*mangle
:PREROUTING ACCEPT [1662997:1783814099]
:INPUT ACCEPT [657734:895047896]
:FORWARD ACCEPT [994530:886180959]
:OUTPUT ACCEPT [360112:57459447]
:POSTROUTING ACCEPT [1354554:943635406]
[15:780] -A FORWARD -o eth0.300 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.300 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1014:54736] -A FORWARD -o NordLynx -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[997:53756] -A FORWARD -i NordLynx -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Mar 31 16:32:44 2021
# Generated by iptables-save v1.8.3 on Wed Mar 31 16:32:44 2021
*filter
:INPUT ACCEPT [1:40]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[926:175781] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[656809:894872155] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[653541:894460249] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[276:11908] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[2579:357299] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[417:29991] -A INPUT -i eth0.300 -m comment --comment "!fw3" -j zone_wan_input
[272:24616] -A INPUT -i NordLynx -m comment --comment "!fw3" -j zone_wan_input
[994530:886180959] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[991901:885475343] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2629:705616] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.300 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i NordLynx -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[926:175781] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[359192:57285282] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[356871:57030325] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[362:118456] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[7:2296] -A OUTPUT -o eth0.300 -m comment --comment "!fw3" -j zone_wan_output
[1952:134205] -A OUTPUT -o NordLynx -m comment --comment "!fw3" -j zone_wan_output
[415:28862] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[267:25348] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[276:11908] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[362:118456] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[2629:705616] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[2629:705616] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2579:357299] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2579:357299] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[362:118456] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[362:118456] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2578:357259] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.300 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[22:3076] -A zone_wan_dest_ACCEPT -o eth0.300 -m comment --comment "!fw3" -j ACCEPT
[88:5000] -A zone_wan_dest_ACCEPT -o NordLynx -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[4478:834041] -A zone_wan_dest_ACCEPT -o NordLynx -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.300 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o NordLynx -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[689:54607] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[7:397] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[682:54210] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1959:136501] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1959:136501] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[410:29594] -A zone_wan_src_REJECT -i eth0.300 -m comment --comment "!fw3" -j reject
[272:24616] -A zone_wan_src_REJECT -i NordLynx -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Mar 31 16:32:44 2021

Run a packet capture to see what is going on:
opkg update; opkg install tcpdump; tcpdump -i NordLynx -evn host 145.14.61.34
Try to ping, open a page, do a traceroute, stop with Ctrl-c and paste the output here.


Ping result:

18:35:57.745619 ip: (tos 0x0, ttl 127, id 14138, offset 0, flags [none], proto ICMP (1), length 60)
    10.5.0.2 > 145.14.61.34: ICMP echo request, id 1, seq 2832, length 40
18:36:02.472692 ip: (tos 0x0, ttl 127, id 14139, offset 0, flags [none], proto ICMP (1), length 60)
    10.5.0.2 > 145.14.61.34: ICMP echo request, id 1, seq 2833, length 40
18:36:07.460332 ip: (tos 0x0, ttl 127, id 14140, offset 0, flags [none], proto ICMP (1), length 60)
    10.5.0.2 > 145.14.61.34: ICMP echo request, id 1, seq 2834, length 40
18:36:12.459366 ip: (tos 0x0, ttl 127, id 14141, offset 0, flags [none], proto ICMP (1), length 60)
    10.5.0.2 > 145.14.61.34: ICMP echo request, id 1, seq 2835, length 40

Result of opening the page (using Chrome):

18:36:57.785297 ip: (tos 0x0, ttl 127, id 14142, offset 0, flags [DF], proto TCP (6), length 52)
    10.5.0.2.53432 > 145.14.61.34.80: Flags [S], cksum 0x2303 (correct), seq 1665418472, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
18:36:57.785712 ip: (tos 0x0, ttl 127, id 14143, offset 0, flags [DF], proto TCP (6), length 52)
    10.5.0.2.53433 > 145.14.61.34.80: Flags [S], cksum 0xe7a5 (correct), seq 969451968, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
18:36:57.790971 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    145.14.61.34.80 > 10.5.0.2.53432: Flags [S.], cksum 0xfe59 (correct), seq 7806737, ack 1665418473, win 65535, options [mss 1380,nop,nop,sackOK,nop,wscale 9], length 0
18:36:57.791398 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    145.14.61.34.80 > 10.5.0.2.53433: Flags [S.], cksum 0xc31e (correct), seq 486867553, ack 969451969, win 65535, options [mss 1380,nop,nop,sackOK,nop,wscale 9], length 0
18:36:57.794270 ip: (tos 0x0, ttl 127, id 14144, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53432 > 145.14.61.34.80: Flags [.], cksum 0x3ade (correct), ack 1, win 1024, length 0
18:36:57.794313 ip: (tos 0x0, ttl 127, id 14145, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53433 > 145.14.61.34.80: Flags [.], cksum 0xffa2 (correct), ack 1, win 1024, length 0
18:36:57.794404 ip: (tos 0x0, ttl 127, id 14146, offset 0, flags [DF], proto TCP (6), length 495)
    10.5.0.2.53432 > 145.14.61.34.80: Flags [P.], cksum 0xcf1f (correct), seq 1:456, ack 1, win 1024, length 455: HTTP, length: 455
        GET / HTTP/1.1
        Host: www.exactsoftware.com
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

18:36:57.800263 ip: (tos 0x0, ttl 64, id 3929, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53432: Flags [.], cksum 0x3c94 (correct), ack 456, win 131, length 0
18:37:05.783539 ip: (tos 0x0, ttl 127, id 14147, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53433 > 145.14.61.34.80: Flags [F.], cksum 0xffa1 (correct), seq 1, ack 1, win 1024, length 0
18:37:05.789234 ip: (tos 0x0, ttl 64, id 52211, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53433: Flags [F.], cksum 0x0321 (correct), seq 1, ack 2, win 128, length 0
18:37:05.789967 ip: (tos 0x0, ttl 127, id 14148, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53433 > 145.14.61.34.80: Flags [.], cksum 0xffa0 (correct), ack 2, win 1024, length 0
18:37:09.801396 ip: (tos 0x0, ttl 64, id 3930, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53432: Flags [F.], cksum 0x3c93 (correct), seq 1, ack 456, win 131, length 0
18:37:09.802876 ip: (tos 0x0, ttl 127, id 14149, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53432 > 145.14.61.34.80: Flags [.], cksum 0x3916 (correct), ack 2, win 1024, length 0
18:37:09.803330 ip: (tos 0x0, ttl 127, id 14150, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53432 > 145.14.61.34.80: Flags [F.], cksum 0x3915 (correct), seq 456, ack 2, win 1024, length 0
18:37:09.809062 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53432: Flags [.], cksum 0x3c92 (correct), ack 457, win 131, length 0
18:37:10.961833 ip: (tos 0x0, ttl 127, id 14151, offset 0, flags [DF], proto TCP (6), length 52)
    10.5.0.2.53436 > 145.14.61.34.80: Flags [S], cksum 0x3f0f (correct), seq 1480537053, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
18:37:10.961881 ip: (tos 0x0, ttl 127, id 14152, offset 0, flags [DF], proto TCP (6), length 52)
    10.5.0.2.53437 > 145.14.61.34.80: Flags [S], cksum 0x42be (correct), seq 1650337294, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
18:37:10.967497 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    145.14.61.34.80 > 10.5.0.2.53436: Flags [S.], cksum 0xf47c (correct), seq 1222114457, ack 1480537054, win 65535, options [mss 1380,nop,nop,sackOK,nop,wscale 9], length 0
18:37:10.967589 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    145.14.61.34.80 > 10.5.0.2.53437: Flags [S.], cksum 0x3589 (correct), seq 2329115968, ack 1650337295, win 65535, options [mss 1380,nop,nop,sackOK,nop,wscale 9], length 0
18:37:10.971508 ip: (tos 0x0, ttl 127, id 14153, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53436 > 145.14.61.34.80: Flags [.], cksum 0x3101 (correct), ack 1, win 1024, length 0
18:37:10.971572 ip: (tos 0x0, ttl 127, id 14154, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53437 > 145.14.61.34.80: Flags [.], cksum 0x720d (correct), ack 1, win 1024, length 0
18:37:10.971614 ip: (tos 0x0, ttl 127, id 14155, offset 0, flags [DF], proto TCP (6), length 521)
    10.5.0.2.53437 > 145.14.61.34.80: Flags [P.], cksum 0x9b37 (correct), seq 1:482, ack 1, win 1024, length 481: HTTP, length: 481
        GET / HTTP/1.1
        Host: www.exactsoftware.com
        Connection: keep-alive
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

18:37:10.977281 ip: (tos 0x0, ttl 64, id 62236, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53437: Flags [.], cksum 0x73a9 (correct), ack 482, win 131, length 0
18:37:15.789458 ip: (tos 0x0, ttl 127, id 14156, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53436 > 145.14.61.34.80: Flags [F.], cksum 0x3100 (correct), seq 1, ack 1, win 1024, length 0
18:37:15.795176 ip: (tos 0x0, ttl 64, id 15114, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53436: Flags [F.], cksum 0x347f (correct), seq 1, ack 2, win 128, length 0
18:37:15.795732 ip: (tos 0x0, ttl 127, id 14157, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53436 > 145.14.61.34.80: Flags [.], cksum 0x30ff (correct), ack 2, win 1024, length 0
18:37:22.979853 ip: (tos 0x0, ttl 64, id 62237, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53437: Flags [F.], cksum 0x73a8 (correct), seq 1, ack 482, win 131, length 0
18:37:22.980377 ip: (tos 0x0, ttl 127, id 14158, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53437 > 145.14.61.34.80: Flags [.], cksum 0x702b (correct), ack 2, win 1024, length 0
18:37:22.980798 ip: (tos 0x0, ttl 127, id 14159, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53437 > 145.14.61.34.80: Flags [F.], cksum 0x702a (correct), seq 482, ack 2, win 1024, length 0
18:37:22.986395 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53437: Flags [.], cksum 0x73a7 (correct), ack 483, win 131, length 0
18:37:28.019495 ip: (tos 0x0, ttl 127, id 14160, offset 0, flags [DF], proto TCP (6), length 52)
    10.5.0.2.53444 > 145.14.61.34.80: Flags [S], cksum 0xac85 (correct), seq 2580448463, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
18:37:28.019591 ip: (tos 0x0, ttl 127, id 14161, offset 0, flags [DF], proto TCP (6), length 52)
    10.5.0.2.53445 > 145.14.61.34.80: Flags [S], cksum 0x5042 (correct), seq 1193817016, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
18:37:28.025178 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    145.14.61.34.80 > 10.5.0.2.53444: Flags [S.], cksum 0x2ce3 (correct), seq 2778584291, ack 2580448464, win 65535, options [mss 1380,nop,nop,sackOK,nop,wscale 9], length 0
18:37:28.025264 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    145.14.61.34.80 > 10.5.0.2.53445: Flags [S.], cksum 0x3079 (correct), seq 2943118139, ack 1193817017, win 65535, options [mss 1380,nop,nop,sackOK,nop,wscale 9], length 0
18:37:28.025608 ip: (tos 0x0, ttl 127, id 14162, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53444 > 145.14.61.34.80: Flags [.], cksum 0x6967 (correct), ack 1, win 1024, length 0
18:37:28.025641 ip: (tos 0x0, ttl 127, id 14163, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53445 > 145.14.61.34.80: Flags [.], cksum 0x6cfd (correct), ack 1, win 1024, length 0
18:37:28.025789 ip: (tos 0x0, ttl 127, id 14164, offset 0, flags [DF], proto TCP (6), length 521)
    10.5.0.2.53444 > 145.14.61.34.80: Flags [P.], cksum 0x9291 (correct), seq 1:482, ack 1, win 1024, length 481: HTTP, length: 481
        GET / HTTP/1.1
        Host: www.exactsoftware.com
        Connection: keep-alive
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

18:37:28.031697 ip: (tos 0x0, ttl 64, id 38434, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53444: Flags [.], cksum 0x6b03 (correct), ack 482, win 131, length 0
18:37:35.792931 ip: (tos 0x0, ttl 127, id 14165, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53445 > 145.14.61.34.80: Flags [F.], cksum 0x6cfc (correct), seq 1, ack 1, win 1024, length 0
18:37:35.798671 ip: (tos 0x0, ttl 64, id 41739, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53445: Flags [F.], cksum 0x707b (correct), seq 1, ack 2, win 128, length 0
18:37:35.799079 ip: (tos 0x0, ttl 127, id 14166, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53445 > 145.14.61.34.80: Flags [.], cksum 0x6cfb (correct), ack 2, win 1024, length 0
18:37:40.037232 ip: (tos 0x0, ttl 64, id 38435, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53444: Flags [F.], cksum 0x6b02 (correct), seq 1, ack 482, win 131, length 0
18:37:40.037700 ip: (tos 0x0, ttl 127, id 14167, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53444 > 145.14.61.34.80: Flags [.], cksum 0x6785 (correct), ack 2, win 1024, length 0
18:37:40.038432 ip: (tos 0x0, ttl 127, id 14168, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53444 > 145.14.61.34.80: Flags [F.], cksum 0x6784 (correct), seq 482, ack 2, win 1024, length 0
18:37:40.044182 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53444: Flags [.], cksum 0x6b01 (correct), ack 483, win 131, length 0
18:38:10.083521 ip: (tos 0x0, ttl 127, id 14169, offset 0, flags [DF], proto TCP (6), length 52)
    10.5.0.2.53453 > 145.14.61.34.80: Flags [S], cksum 0xdbc9 (correct), seq 148956784, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
18:38:10.083580 ip: (tos 0x0, ttl 127, id 14170, offset 0, flags [DF], proto TCP (6), length 52)
    10.5.0.2.53454 > 145.14.61.34.80: Flags [S], cksum 0x8714 (correct), seq 4122299983, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
18:38:10.089145 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    145.14.61.34.80 > 10.5.0.2.53453: Flags [S.], cksum 0xe363 (correct), seq 2165011001, ack 148956785, win 65535, options [mss 1380,nop,nop,sackOK,nop,wscale 9], length 0
18:38:10.089242 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    145.14.61.34.80 > 10.5.0.2.53454: Flags [S.], cksum 0xebe1 (correct), seq 1085494622, ack 4122299984, win 65535, options [mss 1380,nop,nop,sackOK,nop,wscale 9], length 0
18:38:10.090538 ip: (tos 0x0, ttl 127, id 14171, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53453 > 145.14.61.34.80: Flags [.], cksum 0x1fe8 (correct), ack 1, win 1024, length 0
18:38:10.090580 ip: (tos 0x0, ttl 127, id 14172, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53454 > 145.14.61.34.80: Flags [.], cksum 0x2866 (correct), ack 1, win 1024, length 0
18:38:10.090595 ip: (tos 0x0, ttl 127, id 14173, offset 0, flags [DF], proto TCP (6), length 521)
    10.5.0.2.53454 > 145.14.61.34.80: Flags [P.], cksum 0x5190 (correct), seq 1:482, ack 1, win 1024, length 481: HTTP, length: 481
        GET / HTTP/1.1
        Host: www.exactsoftware.com
        Connection: keep-alive
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

18:38:10.096198 ip: (tos 0x0, ttl 64, id 61334, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53454: Flags [.], cksum 0x2a02 (correct), ack 482, win 131, length 0
18:38:15.848421 ip: (tos 0x0, ttl 127, id 14174, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53453 > 145.14.61.34.80: Flags [F.], cksum 0x1fe7 (correct), seq 1, ack 1, win 1024, length 0
18:38:15.854131 ip: (tos 0x0, ttl 64, id 63347, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53453: Flags [F.], cksum 0x2366 (correct), seq 1, ack 2, win 128, length 0
18:38:15.855762 ip: (tos 0x0, ttl 127, id 14175, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53453 > 145.14.61.34.80: Flags [.], cksum 0x1fe6 (correct), ack 2, win 1024, length 0
18:38:22.099562 ip: (tos 0x0, ttl 64, id 61335, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53454: Flags [F.], cksum 0x2a01 (correct), seq 1, ack 482, win 131, length 0
18:38:22.100345 ip: (tos 0x0, ttl 127, id 14176, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53454 > 145.14.61.34.80: Flags [.], cksum 0x2684 (correct), ack 2, win 1024, length 0
18:38:22.101227 ip: (tos 0x0, ttl 127, id 14177, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.53454 > 145.14.61.34.80: Flags [F.], cksum 0x2683 (correct), seq 482, ack 2, win 1024, length 0
18:38:22.107036 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    145.14.61.34.80 > 10.5.0.2.53454: Flags [.], cksum 0x2a00 (correct), ack 483, win 131, length 0

Result of traceroute www.exactsoftware.com:

18:40:30.912230 ip: (tos 0x0, ttl 1, id 23437, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33435: UDP, length 18
18:40:35.915320 ip: (tos 0x0, ttl 1, id 23479, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33436: UDP, length 18
18:40:40.920620 ip: (tos 0x0, ttl 1, id 23679, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33437: UDP, length 18
18:40:45.922409 ip: (tos 0x0, ttl 2, id 24090, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33438: UDP, length 18
18:40:50.926351 ip: (tos 0x0, ttl 2, id 24253, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33439: UDP, length 18
18:40:55.931665 ip: (tos 0x0, ttl 2, id 24554, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33440: UDP, length 18
18:41:00.932411 ip: (tos 0x0, ttl 3, id 24825, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33441: UDP, length 18
18:41:05.937292 ip: (tos 0x0, ttl 3, id 25245, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33442: UDP, length 18
18:41:10.942260 ip: (tos 0x0, ttl 3, id 25578, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33443: UDP, length 18
18:41:15.944318 ip: (tos 0x0, ttl 4, id 25975, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33444: UDP, length 18
18:41:20.945211 ip: (tos 0x0, ttl 4, id 26192, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33445: UDP, length 18
18:41:25.950526 ip: (tos 0x0, ttl 4, id 26217, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33446: UDP, length 18
18:41:30.952440 ip: (tos 0x0, ttl 5, id 26387, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33447: UDP, length 18
18:41:35.954315 ip: (tos 0x0, ttl 5, id 26616, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33448: UDP, length 18
18:41:40.956102 ip: (tos 0x0, ttl 5, id 26622, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33449: UDP, length 18
18:41:45.961399 ip: (tos 0x0, ttl 6, id 26947, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33450: UDP, length 18
18:41:50.962378 ip: (tos 0x0, ttl 6, id 27368, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33451: UDP, length 18
18:41:55.967664 ip: (tos 0x0, ttl 6, id 27498, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33452: UDP, length 18
18:42:00.970202 ip: (tos 0x0, ttl 7, id 27709, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33453: UDP, length 18
18:42:05.972398 ip: (tos 0x0, ttl 7, id 27888, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33454: UDP, length 18
18:42:10.973314 ip: (tos 0x0, ttl 7, id 28237, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33455: UDP, length 18
18:42:15.978633 ip: (tos 0x0, ttl 8, id 28257, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33456: UDP, length 18
18:42:20.982407 ip: (tos 0x0, ttl 8, id 28279, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33457: UDP, length 18
18:42:25.986328 ip: (tos 0x0, ttl 8, id 28398, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33458: UDP, length 18
18:42:30.988287 ip: (tos 0x0, ttl 9, id 28464, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33459: UDP, length 18
18:42:35.992407 ip: (tos 0x0, ttl 9, id 28639, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33460: UDP, length 18
18:42:40.997715 ip: (tos 0x0, ttl 9, id 28893, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33461: UDP, length 18
18:42:46.002441 ip: (tos 0x0, ttl 10, id 28945, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33462: UDP, length 18
18:42:51.007755 ip: (tos 0x0, ttl 10, id 28970, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33463: UDP, length 18
18:42:56.011329 ip: (tos 0x0, ttl 10, id 29386, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33464: UDP, length 18
18:43:01.012409 ip: (tos 0x0, ttl 11, id 29643, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33465: UDP, length 18
18:43:06.017720 ip: (tos 0x0, ttl 11, id 30111, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33466: UDP, length 18
18:43:11.022344 ip: (tos 0x0, ttl 11, id 30529, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33467: UDP, length 18
18:43:16.023339 ip: (tos 0x0, ttl 12, id 30891, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33468: UDP, length 18
18:43:21.028632 ip: (tos 0x0, ttl 12, id 31342, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33469: UDP, length 18
18:43:26.032408 ip: (tos 0x0, ttl 12, id 31828, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33470: UDP, length 18
18:43:31.037702 ip: (tos 0x0, ttl 13, id 32317, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33471: UDP, length 18
18:43:36.042305 ip: (tos 0x0, ttl 13, id 32650, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33472: UDP, length 18
18:43:41.047596 ip: (tos 0x0, ttl 13, id 32836, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33473: UDP, length 18
18:43:46.052315 ip: (tos 0x0, ttl 14, id 33100, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33474: UDP, length 18
18:43:51.057597 ip: (tos 0x0, ttl 14, id 33181, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33475: UDP, length 18
18:43:56.060297 ip: (tos 0x0, ttl 14, id 33460, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33476: UDP, length 18
18:44:01.062294 ip: (tos 0x0, ttl 15, id 33511, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33477: UDP, length 18
18:44:06.067607 ip: (tos 0x0, ttl 15, id 33568, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33478: UDP, length 18
18:44:11.072412 ip: (tos 0x0, ttl 15, id 34068, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33479: UDP, length 18
18:44:16.076237 ip: (tos 0x0, ttl 16, id 34371, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33480: UDP, length 18
18:44:21.079357 ip: (tos 0x0, ttl 16, id 34765, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33481: UDP, length 18
18:44:26.081345 ip: (tos 0x0, ttl 16, id 34799, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33482: UDP, length 18
18:44:31.082427 ip: (tos 0x0, ttl 17, id 35141, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33483: UDP, length 18
18:44:36.086273 ip: (tos 0x0, ttl 17, id 35423, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33484: UDP, length 18
18:44:41.089222 ip: (tos 0x0, ttl 17, id 35821, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33485: UDP, length 18
18:44:46.092439 ip: (tos 0x0, ttl 18, id 36012, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33486: UDP, length 18
18:44:51.097260 ip: (tos 0x0, ttl 18, id 36510, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33487: UDP, length 18
18:44:56.098410 ip: (tos 0x0, ttl 18, id 36606, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33488: UDP, length 18
18:45:01.102425 ip: (tos 0x0, ttl 19, id 36942, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33489: UDP, length 18
18:45:06.105359 ip: (tos 0x0, ttl 19, id 37294, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33490: UDP, length 18
18:45:11.110655 ip: (tos 0x0, ttl 19, id 37534, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33491: UDP, length 18
18:45:16.112409 ip: (tos 0x0, ttl 20, id 37672, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33492: UDP, length 18
18:45:21.117708 ip: (tos 0x0, ttl 20, id 38033, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33493: UDP, length 18
18:45:26.122399 ip: (tos 0x0, ttl 20, id 38287, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33494: UDP, length 18
18:45:31.127332 ip: (tos 0x0, ttl 21, id 38429, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33495: UDP, length 18
18:45:36.129342 ip: (tos 0x0, ttl 21, id 38488, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33496: UDP, length 18
18:45:41.132403 ip: (tos 0x0, ttl 21, id 38576, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33497: UDP, length 18
18:45:46.137721 ip: (tos 0x0, ttl 22, id 38928, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33498: UDP, length 18
18:45:51.141357 ip: (tos 0x0, ttl 22, id 39189, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33499: UDP, length 18
18:45:56.142423 ip: (tos 0x0, ttl 22, id 39265, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33500: UDP, length 18
18:46:01.144354 ip: (tos 0x0, ttl 23, id 39654, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33501: UDP, length 18
18:46:06.149656 ip: (tos 0x0, ttl 23, id 39702, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33502: UDP, length 18
18:46:11.152406 ip: (tos 0x0, ttl 23, id 39775, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33503: UDP, length 18
18:46:16.157700 ip: (tos 0x0, ttl 24, id 39938, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33504: UDP, length 18
18:46:21.159265 ip: (tos 0x0, ttl 24, id 39955, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33505: UDP, length 18
18:46:26.162412 ip: (tos 0x0, ttl 24, id 40074, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33506: UDP, length 18
18:46:31.167609 ip: (tos 0x0, ttl 25, id 40553, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33507: UDP, length 18
18:46:36.172291 ip: (tos 0x0, ttl 25, id 40769, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33508: UDP, length 18
18:46:41.177570 ip: (tos 0x0, ttl 25, id 41001, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33509: UDP, length 18
18:46:46.179205 ip: (tos 0x0, ttl 26, id 41350, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33510: UDP, length 18
18:46:51.182409 ip: (tos 0x0, ttl 26, id 41512, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33511: UDP, length 18
18:46:56.187695 ip: (tos 0x0, ttl 26, id 41728, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33512: UDP, length 18
18:47:01.190120 ip: (tos 0x0, ttl 27, id 41979, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33513: UDP, length 18
18:47:06.192401 ip: (tos 0x0, ttl 27, id 42150, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33514: UDP, length 18
18:47:11.194248 ip: (tos 0x0, ttl 27, id 42544, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33515: UDP, length 18
18:47:16.195222 ip: (tos 0x0, ttl 28, id 42622, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33516: UDP, length 18
18:47:21.200519 ip: (tos 0x0, ttl 28, id 42988, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33517: UDP, length 18
18:47:26.202398 ip: (tos 0x0, ttl 28, id 43289, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33518: UDP, length 18
18:47:31.207549 ip: (tos 0x0, ttl 29, id 43336, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33519: UDP, length 18
18:47:36.212253 ip: (tos 0x0, ttl 29, id 43435, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33520: UDP, length 18
18:47:41.212409 ip: (tos 0x0, ttl 29, id 43620, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33521: UDP, length 18
18:47:46.215124 ip: (tos 0x0, ttl 30, id 43653, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33522: UDP, length 18
18:47:51.220403 ip: (tos 0x0, ttl 30, id 43763, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33523: UDP, length 18
18:47:56.222247 ip: (tos 0x0, ttl 30, id 44142, offset 0, flags [DF], proto UDP (17), length 46)
    10.5.0.2.33585 > 145.14.61.34.33524: UDP, length 18

In all cases it is evident that you are sending the packets correctly.
In the first and third cases, it is not obvious why you are not receiving any reply back.
In the second case you are getting the responses back. However, your client opens 2 flows. The second is torn down as soon as the TCP 3-way handshake is finished by your side. The first flow makes an HTTP GET, gets the acknowledgement, and then the server tears down the connection. All these things happen gracefully, which means that the server doesn't like something. In any case, there doesn't seem to be anything wrong with the tunnel or OpenWrt. Are you able to troubleshoot with the server owner?

2 Likes

No, unfortunately I'm not. And it happens not only with this site, but with more sites as well.

So, basically what you're saying is that the remote website/server is blocking my traffic? Probably because the Wireguard/NordLynx IPs are blacklisted somewhere, I guess?

But what I'm asking myself is how it can be that with the Windows 10 NordVPN app (connecting to that same Wireguard server) I'm able to visit these sites, but when doing it on my OpenWrt device I'm not... Can it be something with an MTU or MSS value (I've read about it somewhere, that's why I'm asking)?

It doesn't look like complete blocking, as you are getting some replies in HTTP, but still nothing important.
I thought about the MTU, but the payload you are exchanging is too small to be affected by an MTU mismatch.
Can you verify your external IP when you connect from OpenWrt and Win10? Is it the same? A few sites to check: icanhazip.com, whatismyipaddress.com, whatismyip.com, moanmyip.com (NSFW)

1 Like
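The two readings of the capture given in the replies above (per-flow behaviour: handshake, request, who closes first and whether any data came back; and whether datagrams ever got large enough for MTU to matter) can be reproduced mechanically from `tcpdump -evn` text. This is an added example, not part of any post in the thread: the sample capture, its addresses and all function names are constructed for illustration, and the MSS + 40 threshold assumes IPv4 and TCP headers without options.

```python
import re
from dataclasses import dataclass

# Constructed capture in the two-line `tcpdump -evn` layout seen in this thread
# (cksum fields trimmed). 192.0.2.x are documentation addresses, not thread hosts.
SAMPLE = """\
10:00:00.000100 ip: (tos 0x0, ttl 127, id 1, offset 0, flags [DF], proto TCP (6), length 52)
    10.5.0.2.50001 > 192.0.2.10.80: Flags [S], seq 100, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
10:00:00.005100 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.10.80 > 10.5.0.2.50001: Flags [S.], seq 900, ack 101, win 65535, options [mss 1380,nop,nop,sackOK,nop,wscale 9], length 0
10:00:00.009100 ip: (tos 0x0, ttl 127, id 2, offset 0, flags [DF], proto TCP (6), length 495)
    10.5.0.2.50001 > 192.0.2.10.80: Flags [P.], seq 1:456, ack 1, win 1024, length 455: HTTP, length: 455
        GET / HTTP/1.1

10:00:00.014100 ip: (tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto TCP (6), length 40)
    192.0.2.10.80 > 10.5.0.2.50001: Flags [.], ack 456, win 131, length 0
10:00:12.014100 ip: (tos 0x0, ttl 64, id 8, offset 0, flags [DF], proto TCP (6), length 40)
    192.0.2.10.80 > 10.5.0.2.50001: Flags [F.], seq 1, ack 456, win 131, length 0
10:00:20.000100 ip: (tos 0x0, ttl 127, id 3, offset 0, flags [DF], proto TCP (6), length 52)
    10.5.0.2.50002 > 192.0.2.10.80: Flags [S], seq 200, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
10:00:20.005100 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.10.80 > 10.5.0.2.50002: Flags [S.], seq 700, ack 201, win 65535, options [mss 1380,nop,nop,sackOK,nop,wscale 9], length 0
10:00:28.000100 ip: (tos 0x0, ttl 127, id 4, offset 0, flags [DF], proto TCP (6), length 40)
    10.5.0.2.50002 > 192.0.2.10.80: Flags [F.], seq 1, ack 1, win 1024, length 0
10:00:30.000100 ip: (tos 0x0, ttl 127, id 5, offset 0, flags [DF], proto TCP (6), length 52)
    10.5.0.2.50003 > 192.0.2.20.80: Flags [S], seq 300, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
10:00:30.005100 ip: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.20.80 > 10.5.0.2.50003: Flags [S.], seq 500, ack 301, win 65535, options [mss 1380,nop,nop,sackOK,nop,wscale 9], length 0
10:00:30.009100 ip: (tos 0x0, ttl 127, id 6, offset 0, flags [DF], proto TCP (6), length 340)
    10.5.0.2.50003 > 192.0.2.20.80: Flags [P.], seq 1:301, ack 1, win 1024, length 300
10:00:30.020100 ip: (tos 0x0, ttl 64, id 9, offset 0, flags [DF], proto TCP (6), length 1420)
    192.0.2.20.80 > 10.5.0.2.50003: Flags [.], seq 1:1381, ack 301, win 131, length 1380
10:00:40.000100 ip: (tos 0x0, ttl 127, id 10, offset 0, flags [DF], proto TCP (6), length 52)
    10.5.0.2.50004 > 192.0.2.30.80: Flags [S], seq 400, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
"""

HDR = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ip: \(.*proto TCP \(6\), length (\d+)\)")
SEG = re.compile(r"^\s+(\S+) > (\S+): Flags \[([^\]]*)\].*?, length (\d+)")

@dataclass
class Flow:
    mss: int = 0           # MSS the client advertised in its SYN
    synack: bool = False   # server answered the SYN
    client_bytes: int = 0  # TCP payload sent by the client
    server_bytes: int = 0  # TCP payload sent by the server
    first_fin: str = ""    # side that sent the first FIN
    max_ip_len: int = 0    # largest IP datagram seen in either direction

def parse_flows(text):
    """Group TCP packets into flows keyed by (client ip.port, server ip.port)."""
    flows, ip_len = {}, None
    for line in text.splitlines():
        hdr = HDR.match(line)
        if hdr:                                   # first line of a TCP packet
            ip_len = int(hdr.group(1))
            continue
        seg = SEG.match(line) if ip_len is not None else None
        if seg:
            src, dst, flags = seg.group(1, 2, 3)
            payload = int(seg.group(4))
            if flags == "S":                      # bare SYN: sender is the client
                mss = re.search(r"mss (\d+)", line)
                flows.setdefault((src, dst), Flow(mss=int(mss.group(1)) if mss else 0))
            who = "client" if (src, dst) in flows else "server"
            flow = flows.get((src, dst) if who == "client" else (dst, src))
            if flow:                              # packets of unseen flows are skipped
                flow.max_ip_len = max(flow.max_ip_len, ip_len)
                if who == "server" and flags == "S.":
                    flow.synack = True
                if who == "client":
                    flow.client_bytes += payload
                else:
                    flow.server_bytes += payload
                if "F" in flags and not flow.first_fin:
                    flow.first_fin = who
        ip_len = None                             # HTTP dump lines, blanks, non-TCP
    return flows

def verdict(flow):
    """Classify a flow the way the capture is read in the thread."""
    if not flow.synack:
        return "no SYN-ACK seen"
    if flow.server_bytes:
        return "server sent data"
    if not flow.client_bytes:
        return "idle connection, no request sent"
    if flow.first_fin == "server":
        return "server closed without sending data"
    return "request sent, no data yet"

def full_size_segment_seen(flow):
    # A full segment is MSS + 40 bytes (IPv4 + TCP headers, no options assumed).
    # Heuristic: below that size the negotiated MSS is not being exercised.
    return flow.mss > 0 and flow.max_ip_len >= flow.mss + 40

if __name__ == "__main__":
    for key, flow in parse_flows(SAMPLE).items():
        print(key, verdict(flow), "| full-size segment:", full_size_segment_seen(flow))
```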

Yes, it is the same IP (134.19.185.98). However, I found out that the NordVPN app on my PC was connecting to another server all the time, so the fault was at my end.

If I use exactly the same server as on my OpenWrt device (nl956.nordvpn.com), that website is not accessible using the NordVPN app either... After switching to another server (nl828.nordvpn.com; which is also using the Wireguard protocol), I can reach that website perfectly fine.

So, my conclusion is that the problem exists only for some NordLynx/Wireguard servers, but not all. I'm not sure why, but connecting to another server solves my problem. I guess there shouldn't be any difference between them, but there definitely is...

1 Like

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

I will, thanks for all the help!

1 Like
