No access to certain sites through the router

[gee]

Hello,

I have a router AC68U, I was on asuswrt, and switched back to merlin's latest today in case but to no avail.

There are a few sites that I'm not able to access anymore, that I used to be able to just 2 weeks ago.
One example is this webradio:
http://radio.bounceme.net:8765/starsystemfm
In chromium I get "ERR_CONNECTION_RESET"
and with mpv "Failed to open http://radio.bounceme.net:8765/starsystemfm."

This should not be a dns issue as I can access the base url http://radio.bounceme.net.

Now the interesting thing is if I remove the router and plug my computer directly into the wall outlet (I'm on fiber so no modem) it works just fine.
I've tried resetting to factory defaults but it doesn't help. I've tried disabling the firewalls but same...
Also on my android phone I can access the websites from LTE but not from my WiFi through the AC68U, so it doesn't seem to be a computer issue.

How should I debug/fix this?

Thank you!

 

[martinr]

Anything at all changed in the last 2 weeks that you can think of?

The other sites you cannot reach - are they of a similar nature? Is there a pattern to the sites you cannot reach?

And, I know you said resetting to factory default settings (RFDS) did not help, but can I just confirm with you that you still had the problem immediately after RFDS and before you altered any settings?

And just for the hell of it, what error message does a different browser eg Firefox give you either on your phone or the computer or both?

Nothing in the router log that would help?

 

[gee]

Anything at all changed in the last 2 weeks that you can think of?

None that I can think of.
To be honest, I was ripping the stream of this webradio and I noticed the following morning that during the night it froze at some point and that's when I could not access it anymore. So nothing on my end should have changed. I thought it was an ISP issue, but since it works without the router I don't see why anymore...

The other sites you cannot reach - are they of a similar nature? Is there a pattern to the sites you cannot reach?

Actually I had one other I couldn't access, but now I can.. it might be related to the reset or not. So let's just say I have the original one that doesn't work.

And, I know you said resetting to factory default settings (RFDS) did not help, but can I just confirm with you that you still had the problem immediately after RFDS and before you altered any settings?

Good question and no, I always did the initial settings first.
It seems I have to go through that initial setup, without it my computer doesn't seem to have access to the internet.

And just for the hell of it, what error message does a different browser eg Firefox give you either on your phone or the computer or both?

With firefox: "The connection was reset. The connection to the server was reset while the page was loading...."
so about the same. Since mpv has about the same issue as chromium, I doubt it's app-related.

Nothing in the router log that would help?

Hmmm, I searched for that website in the general log tab but couldn't find it. I'm not sure what to look for though.

Not sure if related or not but through my router I cannot get IPv6 to work, while plugged directly to the wall it works. Assuming that when my stream ripping died the server switched from v4 to v6 that could explain it, but I doubt it.


Thank you!

 

[RMerlin]

Most common causes are an incorrect MTU, or DNS servers pointing you at the wrong IP (could be DNS-based geolocking).

 

[gee]

The MTU of the router is set to 1500 (I believe it is default). Should I try changing it?

As for DNS, that's also what I thought but not when I could access the base url, although I suppose although as you suggested I might be bounced to another server once I connect to it.

 

[gee]

mplayer is a bit more verbose than mpv.

Not working:

Playing http://radio.bounceme.net:8765/starsystemfm.
Resolving radio.bounceme.net for AF_INET6...

Couldn't resolve name for AF_INET6: radio.bounceme.net
Resolving radio.bounceme.net for AF_INET...
Connecting to server radio.bounceme.net[90.79.103.179]: 8765...

Read failed.
STREAM_ASF, URL: http://radio.bounceme.net:8765/starsystemfm
Resolving radio.bounceme.net for AF_INET6...

Couldn't resolve name for AF_INET6: radio.bounceme.net
Resolving radio.bounceme.net for AF_INET...
Connecting to server radio.bounceme.net[90.79.103.179]: 8765...
read: Connection reset by peer

Failed, exiting.
Resolving radio.bounceme.net for AF_INET6...

Couldn't resolve name for AF_INET6: radio.bounceme.net
Resolving radio.bounceme.net for AF_INET...
Connecting to server radio.bounceme.net[90.79.103.179]: 8765...

Read failed.
No stream found to handle url http://radio.bounceme.net:8765/starsystemfm

Working:

Playing http://radio.bounceme.net:8765/starsystemfm.
Resolving radio.bounceme.net for AF_INET6...

Couldn't resolve name for AF_INET6: radio.bounceme.net
Resolving radio.bounceme.net for AF_INET...
Connecting to server radio.bounceme.net[90.79.103.179]: 8765...

<WORKING_MESSAGE>

so same IP...

I tried using the IP instead of the NS, and it only worked without the router so guessing not a DNS issue.
When I try to trace it, it always dies with too many hops: pmtu 1500, with or without the router.

 

[jegesq]

The problem you are experiencing may be entirely unrelated to your router at all. It could be a problem with the site you are trying to access not using SHA-256 certificates, especially if you're using Chrome as your browser of choice. You can read about the main issue here: https://www.digicert.com/sha-2-faq.htm and here: http://arstechnica.com/information-...rosoft-and-dropping-sha-1-certificates-early/

As noted in the latter article, Microsoft, Google and Chrome are "dropping support for the RC4 encryption algorithm when used with TLS and SSL in January or February 2016. Secure servers that only support this algorithm will be unusable from all three browsers after this support is disabled."

To answer MartinR's question above, ("Anything at all changed in the last 2 weeks that you can think of?"), is what has changed. And it may be why sites that were formerly available aren't any longer, at least not until they switch over to using stronger encryptions such as SHA-2, SHA-256, SHA-384, or SHA-512.

On the other hand, if the sites you're trying to access can be reached using the same computer but bypassing the router (i.e., connecting the computer directly to the modem), then clearly it's not a question of the website's security certificates, but must be a problem with your router's configuration, and if so, well, just disregard my ramblings, since they are irrelevant to your issue.

 

[gee]

Well the URL I'm using is HTTP not HTTPS, so wouldn't that be done without SSL/TLS anyway?
And yes, it works just fine without the router in the middle

 

[RMerlin]

1500 should be fine as MTU for fiber - it's mostly PPPoE/PPTP users who need to adjust it.

You get the same IP resolved in both cases, so that rules out a DNS issue as well.

 

[gee]

Yup, hence I have no clue

 

[RMerlin]

Do you have any of the AiProtection features enabled? Something with that site might be triggering it.

Also, are you testing over Ethernet? Recent RT-AC68U firmwares have issues on the 2.4 GHz band - you might need to revert to an older pre-380 release.

 

[gee]

No it's all off.
As for ethernet, that's what my computer use.
But I've also tried wifi with the phone.. so unlikely to be related.

 

[RMerlin]

No other idea then. You'd probably need to go through wireshark analyzing at this point to determine what's going on.

 

[gee]

Alright, I'll look into that.
Thank you!

 

[john9527]

Last time I remember something like this happeneing, it was an ISP problem (in that case, it also caused the location identification to change!). Inserting the router causes you to get a different wan ip address, and possible different routing through your ISP. You might try cloning your computer mac address to the router and see if it changes things.

 

[gee]

That's an interesting idea I didn't pay attention to my WAN IP at all.

Why would the router cause a different routing? Would it be because the WAN IP is different?

Thank you!

 

[gee]

@john9527 You were right!
I spoofed the mac (and hostname...) to the router and I got through on my computer and my phone!

Thanks so much, I would never have thought of that.
I guess the next step is to talk to my ISP.
What should I ask? They don't seem to be so technical as when I couldn't get IPv6 to work, they were of no help... I'm a bit afraid to be stuck again in this case, though that might be more common.

 

[System Error Message]

I wouldnt talk to the ISP about this, this issue is caused by incorrect forwarding and usually means your ISP is hijacking your traffic but incorrectly doing it.

Do a DNS benchmark as a test. If you see all the server speeds the same than you are being hijacked by your ISP.

 

[gee]

I'm running a test now, but it's pretty slow.
What are my options in both cases?
(I guess I could keep spoofing but I don't know if it's legal..)

 

[gee]

The results are fairly distributed, so I guess it's not that.
Though I did the test spoofed, let me redo it without the spoof.

well it was way quicker with the standard setup (or maybe because it was not the first run?) but the result is the same, so that's not the issue I guess.