USB Tethering, ping/wireguard work, complex web pages not

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi,

Openwrt 19.07 is installed on a FritzBox 4040. When using a wired WAN connection, everything is fine (Windows notebook connected via Wifi to the 4040).
When connecting my Android 11 phone via USB tethering (according to the manual); LTE is used), I can ping servers and downloading of "simple" html pages work (google search, http://simple-http.com etc.). When opening more complex/modern pages (like bbc.co.uk), it seems like only the html part (and sometimes small pictures or only the first and only partially) are downloaded -- but the page is never shown completely.
When I use wireguard on the Windows machine to connect to a vserver, everything seems to be fine. Also, when enabling a wifi AP on the mobile phone, everything works fine.

I tried to reduce the MTU to 1300 (just to be sure), but it didn't help at all. I also wasn't able to find similar issues in this forum. I didn't find error messages in the System/Kernel log that clearly indicate an issue to me.

Interface configuration:

image
image962×761 49.2 KB

Any idea what I can try to solve this issue? Any hint is appreciated very much!

Kind regards, fl000

2

You configured the WAN MTU correctly and MSS clamping is active for WAN as well (the later is enabled by default, but could be disabled)?

1 Like
3

This is a very good question.
When setting no MTU, I can ping up to a size of 1472 bytes (i.e. 1500 with 28 bytes header):

ping www.heise.de -f -l 1472

Pinging www.heise.de [193.99.144.85] with 1472 bytes of data:
Reply from 193.99.144.85: bytes=1472 time=51ms TTL=239
Reply from 193.99.144.85: bytes=1472 time=41ms TTL=239
Reply from 193.99.144.85: bytes=1472 time=56ms TTL=239

In the internet I've found several (possibly outdated) pages claiming that O2/Telefonica is only able to transfer packets up to 1024 bytes. Setting the MTU to 1024 or 900 did not help for me; also I think at least 1280 bytes should be possible because I can use IPv6 on the smart phone (which was introduced few weeks ago).

In case it helps, this is the content of /etc/config/network (MTU size of 938 was just one experiment):

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdba:fca2:189a::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'usb0'
        option mtu '938'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname 'eth1'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config interface 'Mobilfunk'
        option ifname 'usb0'
        option proto 'dhcp'
        option mtu '938'

And /etc/config/firewall (mtu_fix is set to 1 for wan):

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'Mobilfunk'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'