"You don't have permission to access http://www.XXXXX.com on this server"

I had an issue the other day with an older router, so I updated to a TP-Link Archer C2600 running LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685), firmware version 4.4.92. I have not monkeyed with the standard firewall settings other than to open a few port forwardings.
Since upgrading to the new router, I have encountered a few sites that are giving me fits (aa.com, spirit.com, staples.com to name a few). Here is the error I get in Chrome on Windows 10 (same issue on other routers and devices as well):
Access Denied
You don't have permission to access "http://www.spirit.com/" on this server.
Reference #18.7641f648.1529177144.f5ec59f

I have tried plugging my laptop directly into the modem and I am able to access the aforementioned sites. I have tried rebooting the modem, router, and reinstalling the lede firmware on the router.

This version of lede is a little quirky (shuts down instead of rebooting) so I wonder if it is the version of the firmware I have installed? I am really stuck and it doesn't help that we are trying to book an airline ticket :wink:

thanks for any advice or suggestions you may have

The reboot issue of the TP-Link Archer C2600 hardware revision v1.1 is a known issue with 17.01.x and has been fixed meanwhile (as in 18.06-snapshot and master snapshots), but that is exclusively an issue with the reboot code - it doesn't affect runtime functionality at all. In general a lot has changed since 17.01.x, especially for newer SOCs like ipq806x, so upgrading makes sense in general (in particular wlan improvements), but I don't really see a reason for your particular problem (unless you've set some overeager adblock settings; adblock isn't installed by default).

As a sidenote, my ipq8065 based nbg6817 running a recent master snapshot seems to open all of your example websites just fine.

thanks for the information. What is the best (easiest?) way for me to upgrade to 18.06? I am hoping to not have to compile, but if that will fix my issues, I'm game.

https://downloads.lede-project.org/releases/18.06-SNAPSHOT/targets/ipq806x/generic/ (includes luci).


I've been here before, but not sure where to go next... never mind... I've downloaded it

Just sysupgrade as normal, keeping settings between 17.01.4 and 18.06~ should be fine.

I was able to upgrade to 18.06 and restore my settings (rebooting is now working properly :slight_smile: ) but I am still having problems with accessing the websites I mentioned.
http://ipv6-test.com says that I don't support ipv6 (none of the IPV6 tests worked.)
My status page shows that IPv6 WAN Status is Not connected (IPv4 is fine)
I wonder if this is my problem?

Possibly, but that's mostly a question if your ISP supports IPv6 (and properly) - OpenWrt does (I have full IPv6 connectivity). Disabling the WAN6 interface for testing might be worth it though, at least big(ger) websites don't require IPv6 yet.

We have Spectrum (used to be Brighthouse). I have tried disabling IPv6 by blanking out Network->Interfaces->IPv6 ULA-Prefix (which I read will disable IPv6). This did not help my original problem, so I put the value back.
The funny thing is that if I connect directly to the modem, I can access the sites(!)

Arrgggh!!! virginatlantic.com and delta.com are also "access denied"

My wan and wan6 are both red (but most sites are accessible)
my uptime on my wan6 is 0hms but the wan uptime is something reasonable.
I have tx and rx packets on both wan and wan6

I tried to ping6 ipv6.google.com and I got:
ping6: sendto: Permission denied
any suggestions?

I don't have a good answer for your issues, but have you tried simply resetting your router to the default OpenWRT configuration? Might be worth a shot -- I wonder if some odd configuration issue is causing the problem.

Resetting to default is a good idea - I'll try it when I can.
I know there was some weirdness with the previous version and I may have corrupted something with the settings backup (I certainly reset the previous version enough times!)
Nope :frowning: I did this:
umount /overlay && jffs2reset && reboot
and tried to access aa.com with the same problem
It's interesting to note that both wan and wan6 are red and only wan has a valid uptime. Both show the same number of packets for tx and rx

The error message in the initial post is from the CDN that the site is using.
I think it's Akamai that generates this error message.

The problem is not your router or your system but rather that your IP is blacklisted.


Considering that you apparently don't have a problem when connecting directly to the modem, I assume that you're connected to a cable modem (with almost persistent IP addresses). Changing the WAN MAC address of your router might encourage your ISP to hand out a different -non-blacklisted- IP address.

Wow! I unplugged the modem overnight, assigned a different MAC address to the WAN port of the router, and presto! Everything is working!!!
I didn't check the before/after address of the WAN, but I'm assuming it has changed.

thanks very much for everyone's help

If your problem is solved, please consider marking this topic as [Solved].

This has reared its ugly head again. Today (nearly a week after powering off my modem and obtaining a new IP address) I am having the same issue again.
I checked with Spamhaus and sure enough, my IP address is blocked:

Outbound Email Policy of Time Warner Cable/Road Runner for this IP range:

It is the policy of Time Warner Cable/Road Runner to share with other entities lists of our dynamic IP address space. While Time Warner Cable/Road Runner does not currently forbid customers from sending out mail directly from such space, it recognizes that others may wish to refuse mail from such space, and so Time Warner Cable/Road Runner makes that space known to others to facilitate their enforcement of their policies. Customers finding their mail refused by others due to a PBL listing should send their outbound mail through the outbound mail server designated for them; see http://help.rr.com/HMSFaqs/e_emailserveraddys.aspx for more information on the servers' names.

(To my knowledge!) I am not running any mail server from my house. I have a few scripts running on a raspberry pi that use Gmail to send (only) me information every 24 hours.
Any suggestions on how to find out if one of my IoT devices has decided to start spamming?
Also, how can I use my router to prevent this from happening?

Install tcpdump and:

tcpdump -i eth0.2 tcp and dst port 25

This will show you traffic destined for a SMTP server.
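An added example, not part of the original thread: a shell helper that reads `tcpdump -nn` text output and ranks LAN hosts by outbound connection attempts (SYNs) to port 25 and by how many distinct servers each one contacted. It assumes the capture is taken on the LAN side before NAT (`br-lan` is assumed here as the default OpenWrt LAN bridge), because on the WAN interface every packet carries the router's own address; the sample lines and the names `sample_capture` and `smtp_talkers` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of what this capture could print (addresses are
# documentation ranges, not real hosts):
#   tcpdump -nn -i br-lan tcp and dst port 25
sample_capture() {
cat <<'EOF'
10:01:02.100000 IP 192.168.1.50.41000 > 198.51.100.10.25: Flags [S], seq 1, win 64240, length 0
10:01:02.200000 IP 198.51.100.10.25 > 192.168.1.50.41000: Flags [S.], seq 9, ack 2, win 65535, length 0
10:01:03.100000 IP 192.168.1.50.41001 > 198.51.100.11.25: Flags [S], seq 1, win 64240, length 0
10:01:04.100000 IP 192.168.1.50.41002 > 203.0.113.5.25: Flags [S], seq 1, win 64240, length 0
10:01:05.100000 IP 192.168.1.50.41003 > 203.0.113.6.25: Flags [S], seq 1, win 64240, length 0
10:01:06.100000 IP 192.168.1.50.41004 > 198.51.100.10.25: Flags [S], seq 1, win 64240, length 0
10:02:00.100000 IP 192.168.1.20.52000 > 203.0.113.5.25: Flags [S], seq 1, win 64240, length 0
10:02:01.100000 IP 192.168.1.20.52001 > 203.0.113.80.443: Flags [S], seq 1, win 64240, length 0
EOF
}

# Reads tcpdump -nn lines on stdin and prints "<SYNs> <distinct servers> <LAN host>",
# busiest host first. Optional argument: destination port (default 25).
# -nn matters: without it tcpdump prints "smtp" instead of 25 and the port test fails.
smtp_talkers() {
    awk -v port="${1:-25}" '
    $2 == "IP" && $4 == ">" && /Flags \[S\]/ {       # bare SYN only, not SYN-ACK
        if (split($3, s, ".") != 5) next              # a.b.c.d.sport
        src = s[1] "." s[2] "." s[3] "." s[4]
        dst = $5; sub(/:$/, "", dst)
        if (split(dst, d, ".") != 5 || d[5] != port) next
        dip = d[1] "." d[2] "." d[3] "." d[4]
        syn[src]++
        if (!((src, dip) in seen)) { seen[src, dip] = 1; dsts[src]++ }
    }
    END { for (h in syn) print syn[h], dsts[h], h }' | sort -rn
}

# Stand-alone run on the constructed sample.
sample_capture | smtp_talkers
```

A host that opens connections to many different mail servers is the one to inspect first; a single configured relay shows up as one distinct server.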

lleachii, thanks for your suggestion. I'm not a networking guy and I'm not familiar with what eth0.2 refers to. I was able to run

tcpdump -i eth0 tcp and dst port 25

I was looking at my "switch" view on LuCI and it shows eth0 and eth1. I was expecting one for each RJ45 connection so I have no idea what they are referring to. Here is my switch layout from LuCI:


After running it on both eth0 and eth1, I see nothing weird going on...

Not much you can do.

You got a new IP address from the ISP's DHCP pool. Probably the previous holder of that IP has used it for suspected spamming (it does not even need to be actual spamming, just something that gets Spamhaus suspicious), and got that address blocked by Spamhaus. Now you have got that IP address, but there is no way for Spamhaus to know that you are a new guy, so the address stays on the blocklist.

You might google the Spamhaus site for advice.

Or you might try staying off a week again, and get a new address from ISP.
