Cannot access a website from pc and Android (Chrome) and cannot login to Android app of the website

[thegios]

I have a two nodes XT8 mesh, wher node 1 is connected to the ISP modem and node 2 is connected to node 1 via dedicated wireless backhaul.

On the ISP modem
- wifi is off
- DNS is off
- Firewall is off
- DHCP range is fixed at 192.168.1.2
- DHCP rule to assign 192.168.1.2 to router's MAC address
- Static NAT on IP 192.168.1.2
- IP 192.168.1.2 in DMZ (redundant)

On the XT8
- Firewall is on
- IP LAN is 192.168.50.1
- DHCP range is from 192.168.50.2 to 192.168.50.254
- DNS set to Google's ones

All of a sudden (last time two weeks ago this was working) I am having two related problems:

- From PC (Windows + Chrome, both wired on node 2 or min wifi) and form Android Phone (Chrome, on wifi) I cannot access any longer to the website of my water supplier: https://www.acqualatina.it/

- From Abdroid Phone (wifi) I cannot login any longer to the app of the supplier (it gives me a generic error)

If I try from Android Phone via 4G no problems at all, if I use PC tethering on Android's Phone (so 4G is used) no problem, so it must be a home network issue.

My wife from her iPhgone Phone on office's network, has no problem (I will check later once she'll be home).

Please also note that on phone Google's DNS are set, so also in 4G Google's DNS are used.



Any idea of what the problem may be?

 

[thegios]

Any help here pls?

 

[jzchen]

It sounds like the ISP modem is a gateway? Is there no Bridge Mode or IP Passthrough feature?

I suspect the ISP modem went into router mode without you knowing?...

 

[thegios]

Yes the idea Is to use the ISP modem as a passthrough but it has no real bridge mode so I had to mimic it in the following way:

DNS is off
Firewall is off
DHCP range is fixed at 192.168.1.2
DHCP rule to assign 192.168.1.2 to router's MAC address
Static NAT on IP 192.168.1.2

Nothing has changed

 

[Tech9]

On your ISP Gateway:

DNS - Auto
Firewall - Enabled
DHCP - Enabled with XT8 reserved IP
DMZ - Enabled with XT8 IP

Don't open your ISP gateway to Internet and don't make unnecessary changes.

 

[jzchen]

There was a firmware update released 2024/09/24. Maybe related? (I'm honestly not sure). You can try manually downloading and installing the previous firmware version, (please download the correct one based on HW Ver on label on each XT8).

 

[thegios]

On your ISP Gateway:

DNS - Auto
Firewall - Enabled
DHCP - Enabled with XT8 reserved IP
DMZ - Enabled with XT8 IP

Don't open your ISP gateway to Internet and don't make unnecessary changes.

DNS and Firewall are enabled on XT8, why enable also on ISP modem?
DHCP is enabled but limited to range 192.168.1.2 only reserved for XT8, and DMZ is enabled since 192.168.1.2 is in DMZ

THis has always been like this but only recently I am having problems accessing https://www.acqualatina.it/ and logging in into the mobile app. Even my wife cannot from her iPhone. If I go 4G or on another wifi it works.

 

[thegios]

There was a firmware update released 2024/09/24. Maybe related? (I'm honestly not sure). You can try manually downloading and installing the previous firmware version, (please download the correct one based on HW Ver on label on each XT8).

Mmmmhhhh....
My main node was already on 3.0.0.4.388_24668 but secondary had to be updated manually... Probably this new firmware could be related to my problem.

I also tried playing some official government lottery games from website and this is also not working any longer.

 

[Tech9]

why enable also on ISP modem?

Because it's not a modem only, but a router and someone may be interested to hack it affecting your XT8 network behind it. What is DMZ doing when the Firewall on this Gateway is currently disabled? I'm giving you the common way to set this up. The website is working properly.

 

[thegios]

Because it's not a modem only, but a router and someone may be interested to hack it affecting your XT8 network behind it. What is DMZ doing when the Firewall on this Gateway is currently disabled? I'm giving you the common way to set this up. The website is working properly.

View attachment 62045

Ok understood, yet the problem I am having is unrelated: a few weeks ago the website was working

 

[Tech9]

I don't have Asus routers running at the moment to check this, but AiProtection is known for false positives. Perhaps Enable/Disable to test?

 

[thegios]

I don't have Asus routers running at the moment to check this, but AiProtection is known for false positives. Perhaps Enable/Disable to test?

Already tested, it's not AiProtection

 

[Tech9]

Do NS Lookup for www.acqualatina.it in Network Tools, Network Analysis and see if you get it resolved to IP 109.117.31.86.

The issue may be external, sometimes security protection of specific servers may blacklist your WAN IP. Can you access the site over VPN?

 

[thegios]

Do NS Lookup for www.acqualatina.it in Network Tools, Network Analysis and see if you get it resolved to IP 109.117.31.86.

The issue may be external, sometimes security protection of specific servers may blacklist your WAN IP. Can you access the site over VPN?

Server: 8.8.8.8
Address 1: 8.8.8.8 dns.google

Name: www.acqualatina.it
Address 1: 109.117.31.86
net-109-117-31-86.cust.vodafonedsl.it
---

Ping doesn't work though...

BTW why 109.117.31.86?

 

[Tech9]

This is the IP address of the website. I can access it on non user friendly https://109.117.31.86 instead of https://www.acqualatina.it, the same thing.

 

[thegios]

This is the IP address of the website. I can access it on non user friendly https://109.117.31.86 instead of https://www.acqualatina.it, the same thing.

Aha ok
Well as I wrote it resolves but ping doesn't work.
What's funny is that I cannot even login from the app.

If Google VPN is on it still doesn't work

 

[Tech9]

If you can't open this site even when connected to the ISP gateway with DNS obtained by ISP DHCP - perhaps your WAN IP was blacklisted.

 

[thegios]

If you can't open this site even when connected to the ISP gateway with DNS obtained by ISP DHCP - perhaps your WAN IP was blacklisted.

To test this I should widen the ISP modem from 192.168.1.2 (assigned to XT8 Mac address) to 192.168.1.2 and 192.168.1.3, then attach the laptop to ISP modem that will het 192.168.1.3 and try to reach the website.

 

[Tech9]

You have done things you didn't need to do on this ISP Gateway. Leave everything at Default, disable Wi-Fi, set Port Forwarding or DMZ to your own router and you're good to go. No need to disable Firewall, no need to change DHCP pool, if you have no services open to Internet on your Asus router no need to use Port Forwarding or DMZ either. You're just complicating your life and exposing the ISP Gateway to potential malicious activities.

 

[thegios]

You have done things you didn't need to do on this ISP Gateway. Leave everything at Default, disable Wi-Fi, set Port Forwarding or DMZ to your own router and you're good to go. No need to disable Firewall, no need to change DHCP pool, if you have no services open to Internet on your Asus router no need to use Port Forwarding or DMZ either. You're just complicating your life and exposing the ISP Gateway to potential malicious activities.

I've done what others here suggested me.
Anyhow, again I see your point and may agree, but till a few days ago this website was working and the login from the app was working, so what you are suggesting, although reasonable, are not the problem here.