Some websites are inaccessible

Hi, I'm using an ASUS RT-AX53U with OpenWrt 23.05.03 (previously using 22.03.06 with the same problem). There are some websites that I can't access, namely https://xda-developers.com and https://gamerant.com. My configuration is that the OpenWrt device is acting as both modem (PPPoE through an ISP bridge) and router. Since a fresh install, all I did was set up a password for root and change the default 'wan' interface to PPPoE.
Firefox returns "Secure connection failed" with no other error code:

And when I try to cURL the 2 websites, they return:
curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)

This is likely one of two things:

  1. DNS

or

  2. Issues with the site or your browser, but not OpenWrt.

OpenWrt does not touch the data in any way that would cause a secure connection to fail. The errors you are seeing are related to certificate/encryption issues, which happen at a much higher level than the routing that OpenWrt does. Therefore, the problem cannot be in the routing of OpenWrt, but it could be a DNS problem -- if the DNS resolution isn't working properly (or a redirect for a man-in-the-middle attack), that would cause these types of problems.

Let's take a look at your configuration:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hey, thanks for the reply!
So, the thing is, using the same device on the same browser but on a different network, I can access them just fine (one through WiFi, one through mobile data), which leads me to believe there's something wrong with my configuration.

I'll post my configuration:

  1. ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:4",
	"model": "ASUS RT-AX53U",
	"board_name": "asus,rt-ax53u",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

  2. cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd71:ec74:4901::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'ISP_username'
	option password 'ISP_password'
	option ipv6 'auto'
	option peerdns '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

  3. cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'SSID'
	option encryption 'psk2'
	option key 'PASS'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'SSID'
	option encryption 'psk2'
	option key 'PASS'
	option disabled '1'

  4. cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

  5. cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Looks like a nearly default configuration.

Try doing a DNS lookup from your computer and from OpenWrt on those sites -- see if they match.

nslookup xda-developers.com

When I do the test (and I am able to access the site without any errors), I get 15.197.168.237 -- do you see the same?

Seems the same to me too.
Full response from nslookup:

  1. From PC:
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	xda-developers.com
Address: 15.197.168.237

  2. From OpenWrt router:
Server:		127.0.0.1
Address:	127.0.0.1:53

Non-authoritative answer:
Name:	xda-developers.com
Address: 15.197.168.237

Non-authoritative answer:

What happens if you use a different browser?

Chromium on PC and Chrome on my phone return error code: ERR_HTTP2_PROTOCOL_ERROR

And if you use your phone on cellular, the site loads properly?

Yes, using both Chrome and Firefox on mobile.

Do you happen to have another router you can use? There is a chance there is something happening with your upstream (ISP) connection -- it would be a good thing to rule that out.

That is pretty much my only one. My ISP router/modem unit must be configured by the company if I want to turn it back to a modem. I could try to reset the openwrt router to default firmware but that probs needs to be tomorrow since I need the connection now.

Resetting to defaults may be a good place to start. There really isn't much that OpenWrt can do under normal circumstances that would disrupt https connections.

Given that this is PPPoE, it's a possibility that reducing the MTU of the wan interface by a small amount could help.

Ensure also that all the possible offloads are turned off, then add them bit by bit. The failure mode smells a bit like out-of-order, fragmented or truncated TCP packets to me.

Thanks, I'll give those both a try tmr and tell you guys how it goes.
@greem: are there any pointers in determining these offloads? Or actually MTU in general, because I'm totally new to this concept.

Try 1452, that is the usual PPPoE MTU size.

MSS, perhaps? The PPPoE header is 8 bytes and sits inside the Ethernet payload, for an apparent MTU of 1500-8=1492. The IPv4 TCP maximum segment size then is 1500-8-20-20=1452.

Do you think the OP understands any of that?

Explain traceroute -f -l and have them work it out.

Maybe, maybe not, yet conflating MTU and MSS is not a good idea...

Ok good news. It seems like @greem was correct, the problem was MTU. I followed @LilRedDog's advice and tried 1452 MTU size and all websites worked (afaik). Thanks everyone for your input.

1492 MTU should be possible too, as @moeller0 has indicated. This will lower the overhead and get you very slightly better speeds.

For even lower diminishing returns, some ISPs with PPPoE also support baby jumbo frames, allowing you to use the normal 1500 MTU over PPPoE by setting an MTU of 1508 on your bridged WAN interface.
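The header arithmetic in the MTU/MSS posts above and the baby jumbo frame case, worked through as an added example (this is not code from the thread or from the OpenWrt project). The header sizes are the standard minimum Ethernet/PPPoE/IP/TCP/ICMP lengths with no options; `largest_passing_payload` is a hypothetical helper that does by binary search what a manual `ping -M do -s SIZE` or `traceroute -f -l` session does by hand, and is wired here to a local model of the link rather than a real probe. `clamped_mss` shows the rewrite that OpenWrt's zone option `mtu_fix '1'` (present in the firewall config posted earlier) applies to the MSS option of TCP SYNs crossing the wan zone.

```python
"""Ethernet/PPPoE MTU and TCP MSS budget calculator (added example).

Models the arithmetic from the thread: an 8-byte PPPoE session header
inside a 1500-byte Ethernet payload leaves a 1492-byte IP MTU, so an IPv4
TCP segment carries at most 1492 - 20 - 20 = 1452 bytes of payload.
With RFC 4638 'baby jumbo frames' (Ethernet MTU 1508) the IP MTU is back
to 1500 and the usual 1460-byte IPv4 MSS applies.
"""
from dataclasses import dataclass
from typing import Callable

ETHERNET_PAYLOAD_MTU = 1500  # standard Ethernet maximum payload
PPPOE_SESSION_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol id
IPV4_HEADER = 20             # minimum IPv4 header, no options
IPV6_HEADER = 40             # fixed IPv6 header
TCP_HEADER = 20              # minimum TCP header, no options
ICMP_HEADER = 8              # ICMP/ICMPv6 echo header


@dataclass(frozen=True)
class LinkBudget:
    ip_mtu: int             # largest IP packet the PPPoE session carries
    mss_ipv4: int           # TCP MSS to advertise or clamp to for IPv4
    mss_ipv6: int           # same for IPv6 (40-byte header instead of 20)
    ping_payload_ipv4: int  # largest `ping -M do -s N` that must still pass
    ping_payload_ipv6: int  # same for `ping -6 -M do -s N`


def pppoe_budget(ethernet_mtu: int = ETHERNET_PAYLOAD_MTU) -> LinkBudget:
    """IP MTU and TCP MSS for a PPPoE session over a WAN port whose Ethernet
    MTU is `ethernet_mtu` (1500 normally, 1508 with baby jumbo frames)."""
    ip_mtu = ethernet_mtu - PPPOE_SESSION_OVERHEAD
    return LinkBudget(
        ip_mtu=ip_mtu,
        mss_ipv4=ip_mtu - IPV4_HEADER - TCP_HEADER,
        mss_ipv6=ip_mtu - IPV6_HEADER - TCP_HEADER,
        ping_payload_ipv4=ip_mtu - IPV4_HEADER - ICMP_HEADER,
        ping_payload_ipv6=ip_mtu - IPV6_HEADER - ICMP_HEADER,
    )


def fits(ip_packet_len: int, budget: LinkBudget) -> bool:
    """True if an IP packet of this total length traverses the PPPoE link
    without fragmentation; a DF-marked packet larger than this is dropped."""
    return ip_packet_len <= budget.ip_mtu


def clamped_mss(advertised_mss: int, budget: LinkBudget, ipv6: bool = False) -> int:
    """MSS value an MSS-clamping firewall rewrites into a SYN: the smaller of
    what the host advertised and what the link can actually carry."""
    link_mss = budget.mss_ipv6 if ipv6 else budget.mss_ipv4
    return min(advertised_mss, link_mss)


def largest_passing_payload(probe: Callable[[int], bool], lo: int, hi: int) -> int:
    """Binary search for the largest payload size in [lo, hi] that `probe`
    accepts. `probe` must be monotone (passes below a threshold, fails above);
    in practice it would wrap `ping -M do -s SIZE host` and return whether a
    reply arrived. Returns lo - 1 if even `lo` fails."""
    best = lo - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best = mid
            lo = mid + 1
        else:
            hi = mid - 1
    return best


if __name__ == "__main__":
    for eth_mtu in (ETHERNET_PAYLOAD_MTU, 1508):
        b = pppoe_budget(eth_mtu)
        print(f"Ethernet MTU {eth_mtu}: IP MTU {b.ip_mtu}, "
              f"MSS v4 {b.mss_ipv4}, MSS v6 {b.mss_ipv6}, "
              f"largest DF ping payload v4 {b.ping_payload_ipv4}")
    std = pppoe_budget()
    # A LAN host with MTU 1500 advertises MSS 1460; without clamping its
    # full-size 1500-byte DF segments do not fit the 1492-byte PPPoE link.
    print("1500-byte segment fits plain PPPoE:", fits(1500, std))
    print("MSS after mtu_fix clamping:", clamped_mss(1460, std))
    # Simulated probe: payload + 20 (IPv4) + 8 (ICMP) must fit the link.
    print("largest passing ping payload:",
          largest_passing_payload(lambda n: fits(n + IPV4_HEADER + ICMP_HEADER, std), 0, 1500))
```

The practical reading: a LAN host with a 1500-byte MTU that gets no ICMP "fragmentation needed" back will keep sending 1500-byte segments into a 1492-byte link, which is the truncated/lost-segment failure mode described above; the MSS clamp (or the lower interface MTU the OP set) removes the need for that ICMP feedback in the first place.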