Noob Stumped: I can't get to the DMV

noob for life

Sorry to bug you guys with this. But, I've hit my limit. I can't get a browser to load www.dmv.ca.gov and I wonder if the problem is in my ASUS RT-AC68U running Merlin WRT 384.10 2.

I have tried from multiple computers (all Mac) using multiple browsers, wired and on wifi. I can take my laptop elsewhere or put it on my phone's personal hotspot (using the cell phone network) and get through. It is only at home that I have this issue. I can get to other ca.gov subdomains. I can ping www.dmv.ca.gov.

I had once used firewall options to manage my son's internet access: URL filters, keyword filters, network services filters. While those options are still configured, they are turned off.

Chrome delivers the error: ERR_CONNECTION_RESET
Firefox tells me that the connection was reset, too

If need be, I can bum another router from a friend. But, I'm hoping one of you guys has ideas.

Thanks!

Gary
 
Love a good router mystery. The nuclear option is to reset to factory defaults and reconfigure from scratch.

What IP resolves when you nslookup www.dmv.ca.gov? I get 107.162.129.29.
What DNS servers are configured on your router?
What happens if you run this from your router ssh command line?
Code:
curl https://www.dmv.ca.gov
While you’re there, how about the output of
Code:
iptables -S -v
which might show any firewall rules still alive.
Are you using AIProtect? Any hits there?
 
Thanks much. I'm happy to provide a mystery.

I'm hoping not to reset. There would be a lot to reconfigure.

IP Address for www.dmv.ca.gov:
Same as yours, 107.162.129.29

DNS Servers:
The ones for my internet provider, sonic.net: 208.201.224.11 and 208.201.224.33. But, I also tried those associated with OpenDNS. Neither worked.

What happens with curl https://www.dmv.ca.gov
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.dmv.ca.gov:443

Am I using AIProtect? Are there hits?
Yes and yes
Malicious site blocking: About 1500 since October. Most of them look like junk/phishing emails, ads on sites.
Two way IPS: 235 since October. The last was in early Feb.
Infected Device Protection: No incidents

What happens with the iptables command:
A lot
-P INPUT ACCEPT -c 0 0
-P FORWARD DROP -c 0 0
-P OUTPUT ACCEPT -c 1761 419102
-N ACCESS_RESTRICTION
-N DNSFILTER_DOT
-N FUPNP
-N INPUT_ICMP
-N NSFW
-N OVPN
-N PControls
-N PTCSRVLAN
-N PTCSRVWAN
-N SECURITY
-N default_block
-N logaccept
-N logdrop
-N other2wan
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -c 0 0 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -c 1095 98224 -j ACCEPT
-A INPUT -m state --state INVALID -c 6 2378 -j DROP
-A INPUT ! -i br0 -c 2291 155904 -j PTCSRVWAN
-A INPUT -i br0 -c 188 20134 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -c 188 20134 -j ACCEPT
-A INPUT -i lo -m state --state NEW -c 134 27051 -j ACCEPT
-A INPUT -m state --state NEW -c 2157 128853 -j OVPN
-A INPUT -p udp -m udp --sport 67 --dport 68 -c 1 576 -j ACCEPT
-A INPUT -p icmp -c 0 0 -j INPUT_ICMP
-A INPUT -c 2156 128277 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -c 11111 4152799 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -c 0 0 -j other2wan
-A FORWARD -m state --state INVALID -c 0 0 -j DROP
-A FORWARD -i br0 -o br0 -c 0 0 -j ACCEPT
-A FORWARD -c 357 67357 -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -c 0 0 -j ACCEPT
-A FORWARD -m state --state NEW -c 357 67357 -j OVPN
-A FORWARD -i br0 -c 357 67357 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -c 0 0 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -c 0 0 -j RETURN
-A INPUT_ICMP -p icmp -c 0 0 -j ACCEPT
-A PControls -c 0 0 -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -c 0 0 -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -c 0 0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -c 0 0 -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -c 0 0 -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -c 0 0 -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -c 0 0 -j DROP
-A SECURITY -c 0 0 -j RETURN
-A logaccept -m state --state NEW -c 0 0 -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -c 0 0 -j ACCEPT
-A logdrop -m state --state NEW -c 0 0 -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -c 0 0 -j DROP
-A other2wan -i tun+ -c 0 0 -j RETURN
-A other2wan -c 0 0 -j DROP
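
An added example, not part of any post in this thread: a small filter for reading the packet counters in `iptables -S -v` output like the listing above, so that only the discarding rules that have actually matched traffic are shown. The function name `hit_drops` is made up for this example, and `SAMPLE` is a short excerpt of the rules posted above. Note that traffic from LAN clients passes through FORWARD, while INPUT covers packets addressed to the router itself.

```shell
#!/bin/sh
# hit_drops (hypothetical helper): read `iptables -S -v` text on stdin and
# print every rule or chain policy that discards packets AND has a non-zero
# packet counter. Rules with "-c 0 0" have never matched and are skipped.
hit_drops() {
    awk '
    # Chain policy line, e.g. "-P FORWARD DROP -c 0 0"
    $1 == "-P" && $3 == "DROP" && $4 == "-c" && $5 + 0 > 0 {
        printf "%s pkts=%s bytes=%s :: %s\n", $2, $5, $6, $0
    }
    # Appended rule, e.g. "-A INPUT -m state --state INVALID -c 6 2378 -j DROP"
    $1 == "-A" {
        target = ""; pkts = 0; bytes = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-c") { pkts = $(i + 1); bytes = $(i + 2) }
            if ($i == "-j") { target = $(i + 1) }
        }
        # logdrop is the firmware chain in the listing that logs, then drops
        if ((target == "DROP" || target == "REJECT" || target == "logdrop") \
            && pkts + 0 > 0)
            printf "%s pkts=%s bytes=%s :: %s\n", $2, pkts, bytes, $0
    }'
}

# Excerpt of the output posted in this thread, used as sample input.
SAMPLE='-P FORWARD DROP -c 0 0
-A INPUT -m state --state INVALID -c 6 2378 -j DROP
-A INPUT -c 2156 128277 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -c 11111 4152799 -j ACCEPT
-A FORWARD -m state --state INVALID -c 0 0 -j DROP
-A FORWARD -i br0 -c 357 67357 -j ACCEPT
-A other2wan -c 0 0 -j DROP'

# Offline run over the excerpt; on the router itself the equivalent is:
#   iptables -S -v | hit_drops
printf '%s\n' "$SAMPLE" | hit_drops
```

On the excerpt this prints only the two INPUT rules; every FORWARD-path drop rule in the posted listing has a zero counter.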
 
Code:
curl https://www.dmv.ca.gov -v
More details with the -v switch.
 
curl https://www.dmv.ca.gov -v
* Expire in 0 ms for 6 (transfer 0x2a800)
* Trying 107.162.129.29...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x2a800)
* Connected to www.dmv.ca.gov (107.162.129.29) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.dmv.ca.gov:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.dmv.ca.gov:443
 
The issue is broader than I thought. The login portion of the USPS site (https://reg.usps.com/entreg/LoginAc...L=https://cns.usps.com/labelInformation.shtml) is also unavailable to me. When I go to it in Chrome, I get an HTTP error 400. But, if I connect through my phone's personal hotspot or connect directly to my fiber modem, the page loads just fine.

I have updated to 384.11. But, that had no effect. I tried downgrading to a release I know worked. That had no effect.

If anyone has ideas, I would love to hear them. I have had this 68U since 2015 and it is behaving flaky in other ways (like not accepting 5GHz logins). I wonder if it's time for a new router.

Thanks!

Gary
 
It may be time for a new router. But only a full and proper reset (I would recommend the M&M Config in my signature) and then possibly further troubleshooting, if needed, would be the minimum I would do before calling it a day.

There are many RT-AC68U's (and older Asus routers) that are still working for my customers, all upgraded by me and using the M&M Config process.

Verify that the power supply is working properly (probably easiest to do that by just buying a new one to test along with the M&M Config) and that you're also testing with a minimal and manual configuration after a full reset and a WPS NVRAM wipe. Now any remaining glitches will jump out as either a hardware failure or a setup misconfiguration past this good/known state.
 
That did it. I slowly added back features that I really felt I needed. It kept working. I suspect some setting got corrupted, possibly in an upload from my saved settings.

Thank you very much!
 
