Wi-Fi devices can access HTTP, but not HTTPS resources

Hi.

I tried to use OpenWrt on the D-Link DAP-2695 Wi-Fi access point.

After a bit of configuration, which was mostly straightforward, the Wi-Fi devices connect successfully to the access point. However, they cannot access HTTPS resources—but they do access HTTP ones. So, essentially, if I try to access http://example.com/, it works, but https://openwrt.org/ doesn't: it would wait a bit, then show a “The connection to openwrt.com is not secure” error, which looks a bit like a blocked port.

I would imagine that it has something to do with the firewall, but I don't see anything in the rules that would look like “allow traffic through port 80, but not port 443.”

What should I check?

This would not normally be a function of OpenWrt, but let's see your config to understand if there is anything going on...

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Ssl visibility box.

was https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap followed ?

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option ipv6 '0'
	option delegate '0'

config interface 'wan'
	option device 'eth1.2'
	option proto 'dhcp'
	option ipv6 '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '3 6t'

config interface 'wan1'
	option proto 'dhcp'
	option device 'eth0.1'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '44'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'FR'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid '<name of Wi-Fi access point redacted>'
	option encryption 'psk2'
	option key '4qKpZ7BIxzcmhaEqnKwyT30kJ'
	option wpa_disable_eapol_key_retries '1'
	option macfilter 'allow'
	list maclist '<redacted>'
	list maclist '<redacted>'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '8'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'FR'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid '<name of Wi-Fi access point redacted>'
	option encryption 'psk2'
	option key '802.11w Management Frame Protection'
	option macfilter 'allow'
	list maclist '<redacted>'
	list maclist '<redacted>'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall

This one is problematic: as soon as I try to read it, SSH blocks and I can't even open new SSH sessions, unless I reboot the access point. I'm trying to cut it first into smaller parts in order to display it piece by piece, but it seems that SSH blocks as soon as I type a bit “too much”—it is yet unclear what exactly is “too much” here, as it seems to be quite random: sometimes it blocks as soon as I try to connect, and sometimes it lets me type a few commands.

Are the two problems linked? Maybe, actually, it's not HTTPS itself that is causing problems, but rather something blocking the traffic (which would make it possible to get a relatively small HTTP response such as http://example.com/, but would block HTTPS negotiation?)

Where can I find this option?

why is there a wan and wan1?
are they used?

not really, judging from your config.

Either you have been hacked or your device is badly broken.
Try to dump rootfs_data in failsafe mode and reset the device

In google search.

Nothing I see in your config should specifically block https here, but I would recommend cleaning a bunch of things up and maybe that will resolve the issue:

Delete this... it doesn't belong:

I recommend removing the macfilter stuff (last 3 lines) as well as the line about wpa_disable_eapol_key_retries:

Don't use channel 8. Instead, use 1, 6, or 11:

Same comment here about the macfilter:

Also, that key line is odd -- you do not want or need 802.11w, so unless that is actually your key, if there is something involving 802.11w, you should remove it.

You must disable the DHCP server on the lan. Edit the lan DHCP server like this:

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

reboot and test again.
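As an added example (not code from this thread or from OpenWrt), here is a small Python linter that parses a pasted UCI dump and flags the points raised in the replies above: a second interface bound to a bridge port (assumed to be the wan1 on eth0.1 that "delete this" refers to), the macfilter and wpa_disable_eapol_key_retries lines, a 2.4 GHz channel other than 1, 6 or 11, a key that looks like a pasted label rather than a passphrase, and a lan DHCP server without ignore '1'. SAMPLE is a constructed subset of the posted config.

```python
# Added example: lint a pasted OpenWrt UCI dump for the issues raised in this thread.
# SAMPLE is a constructed subset of the poster's network/wireless/dhcp dumps.
import re
SAMPLE = """
config device
    list ports 'eth0.1'
config interface 'lan'
config interface 'wan1'
    option device 'eth0.1'
config wifi-device 'radio1'
    option band '2g'
    option channel '8'
config wifi-iface 'default_radio1'
    option macfilter 'allow'
    option key '802.11w Management Frame Protection'
    option wpa_disable_eapol_key_retries '1'
config dhcp 'lan'
    option dhcpv4 'server'
"""
def parse_uci(text):
    """Return (type, name, {key: [values]}) for each 'config' section."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)(?:\s+'([^']*)')?\s*$", line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = re.match(r"\s*(option|list)\s+(\S+)\s+'([^']*)'\s*$", line)
        if m and sections:  # both option and list values are stored as lists
            sections[-1][2].setdefault(m.group(2), []).append(m.group(3))
    return sections
def lint(text):
    """Flag what the replies in this thread ask the poster to change."""
    secs = parse_uci(text)
    bridged = {p for t, _, o in secs if t == 'device' for p in o.get('ports', [])}
    issues = []
    for typ, name, o in secs:
        g = lambda k: o.get(k, [None])[0]  # first value of an option, or None
        if typ == 'interface' and g('device') in bridged:
            issues.append(f"interface '{name}' reuses bridge port {g('device')}: delete it")
        if typ == 'wifi-device' and g('band') == '2g' and g('channel') not in ('1', '6', '11'):
            issues.append(f"{name}: 2.4 GHz channel {g('channel')}, use 1, 6 or 11")
        if typ == 'wifi-iface':
            for key in ('macfilter', 'wpa_disable_eapol_key_retries'):
                if g(key): issues.append(f"{name}: remove {key}")
            if g('key') and '802.11w' in g('key'): issues.append(f"{name}: key is not a passphrase")
        if typ == 'dhcp' and name == 'lan' and g('dhcpv4') == 'server' and g('ignore') != '1':
            issues.append("dhcp 'lan': add option ignore '1' so the bridged AP does not serve DHCP")
    return issues
```

Paste the full dumps in place of SAMPLE to check a real device; the checks are only the ones named in the replies, not a general OpenWrt validator.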

Thanks to everyone for your help. Unfortunately, after two painful days, I still couldn't figure out the issue. With 30 to 50% dropped packets, SSH was unusable, and most documentation (and comments above) were assuming a working SSH connection. Never mind; I'll try OpenWrt once it becomes a bit more mature.

A very nice thing, however, that I wasn't expecting, is that it is very simple to get back to the official firmware; not only that, but I got all the original configuration as well—it appears that it wasn't erased when OpenWrt was installed, which is very convenient. So kudos for that.

Please first diagnose the device programming via failsafe mode.
Flopping on accessing a simple file is either a hardware failure or some sort of rootkit.