Solved Strange issue: No access to some websites/servers w/o using a VPN [RT-AX3000]

gonzoforpresident

New Around Here
Edit: I've been using a beta firmware from Asus (9.0.0.4.386_47757) and Quad9's DNS server (9.9.9.9, 149.112.112.112), but those hadn't solved the issue until I changed the DNS Privacy Protocol from [none] to [DNS-over-TLS (DoT)]:

  • GUI>WAN>Internet Connection>DNS Privacy Protocol: [DNS-over-TLS (DoT)]
  • DNS-over-TLS Profile: strict

That immediately solved the issue.

*********


I've been struggling with a strange issue since I got this router.

Router: RT-AX3000 running Asuswrt-Merlin 386.3_2, although the issue exists under stock firmware, as well
Firewall: currently turned off - had been blocking sites like Redfin.com on some browsers, but not others
AiProtection: turned off - never turned on
DNS server: Currently Cloudflare, but the issue exists with others like Google and NordVPN
QoS: turned off - never turned on
IPV6: Does not seem to affect things. Current settings: Native, PPP, DHCP-PD Enabled, Accept Default Route Enabled (settings are correct per Asus website)
ISP: Centurylink DSL: PPPoE connection
Modem: Zyxel C1100Z - Set to Transparent Bridge

The issues: Affect all devices, whether wired or wireless:
  • Cannot log into some websites/servers, unless a VPN is used. This is constant. Examples:
    • Pandora - The website loads, but cannot log in. Returns "incorrect email/username or password" even with correct information. App on phones/tablets cannot stream music.
    • Yahoo.com - the website loads, but cannot log in and check mail. Mail app on cell phones cannot update.
  • Some sites will not load at all.
    • Lowes.com - only loads with a VPN
    • Homedepot.com - only loads with VPN

These have been persistent issues for weeks, but as soon as I started verifying details while typing this up, they are working.

Log file - There's nothing logged when I try to access those websites. I have one phone that repeatedly disassociates, but I have removed that, since it doesn't appear relevant. The parts that might be relevant:

Jan 20 13:33:29 kernel: Init chrdev /dev/idp with major 190
Jan 20 13:33:29 kernel: tdts: tcp_conn_max = 8000
Jan 20 13:33:29 kernel: tdts: tcp_conn_timeout = 300 sec
Jan 20 13:33:33 kernel: SHN Release Version: 2.0.1 c03f6c5
Jan 20 13:33:33 kernel: UDB Core Version: 0.2.20
Jan 20 13:33:33 kernel: Init chrdev /dev/idpfw with major 191
Jan 20 13:33:33 kernel: IDPfw: flush fc
Jan 20 13:33:33 kernel: IDPfw: IDPfw is ready
Jan 20 13:33:33 kernel: sizeof forward pkt param = 192
Jan 20 13:33:33 BWDPI: fun bitmap = 3
Jan 20 13:33:45 BWDPI: force to flush flowcache entries
Jan 20 13:33:45 kernel: IDPfw: Exit IDPfw
Jan 20 13:33:45 kernel: mod epilog takes 0 jiffies
Jan 20 13:33:45 kernel: IDPfw: Exit IDPfw
Jan 20 13:33:45 kernel: Exit chrdev /dev/idpfw with major 191
Jan 20 13:33:45 kernel: Exit chrdev /dev/idp with major 190
Jan 20 13:33:45 BWDPI: rollback fc

Any ideas or suggestions? I don't even know where to go from here or what terms to search to find clues.
 

ColinTaylor

Part of the Furniture
Firewall: currently turned off - had been blocking sites like Redfin.com on some browsers, but not others
Sorry, I don't know the solution to your problem, but don't turn off the router's firewall. The firewall protects the router from unsolicited outside connections. It does not interfere with LAN client connections. It would not have been the cause of your browser problems. So by turning it off all you're doing is exposing your router to potential hacking for no benefit to the LAN clients.
 

eibgrad

Part of the Furniture
Failure to load (or fully load) pages on some sites is often due to MTU issues. The fact you use a VPN and things improve suggests that's causing a change (decrease) in the MTU between the browser and webserver, one that's better suited to the sites you're visiting. At least, that would be my best guess.
 

gonzoforpresident

New Around Here
Sorry, I don't know the solution to your problem, but don't turn off the router's firewall. The firewall protects the router from unsolicited outside connections. It does not interfere with LAN client connections. It would not have been the cause of your browser problems. So by turning it off all you're doing is exposing your router to potential hacking for no benefit to the LAN clients.

Thanks for the good advice.

That may be what it is supposed to do, but without a shadow of a doubt certain website loading issues were directly related to the firewall. I tried turning it off and on several times to access it. Certain websites matched that precisely. Now I have no idea why it's doing that, when it's not supposed to. But it absolutely is.

I am planning on turning it back on, but I'm trying to narrow down the root cause of the other issues. Turning off the firewall eliminates its complicating behaviors. Once I have the baseline working properly, I'll reactivate the firewall and deal with its issues.
 

gonzoforpresident

New Around Here
Failure to load (or fully load) pages on some sites is often due to MTU issues. The fact you use a VPN and things improve suggests that's causing a change (decrease) in the MTU between the browser and webserver, one that's better suited to the sites you're visiting. At least, that would be my best guess.

Thanks! That makes sense. I'm unfamiliar with that level of networking, so I've got some research ahead of me.
 

sfx2000

Part of the Furniture
Sounds like your IPv4 address may be blacklisted on some of those sites.

The fact that it works on VPN suggests this is the case.

Probably not your fault, but could be if you have a bad plugin or malware perhaps.
 

gonzoforpresident

New Around Here
Sounds like your IPv4 address may be blacklisted on some of those sites.

The fact that it works on VPN suggests this is the case.

Probably not your fault, but could be if you have a bad plugin or malware perhaps.

I probably should have noted it, but I do not have this issue when I used the router built into the modem. That should eliminate that possibility, right?
 

follower

Very Senior Member
Contact your ISP.
Can you draw your network topology?
 

gonzoforpresident

New Around Here
Not necessarily. It's very common that your WAN IP address will change if you're changing your ISP gateway from "router mode" to "bridged mode".

You can check your public IP address by going to https://www.whatsmyip.org/

Thanks. I'll do that this weekend.

Contact your ISP.
Can you draw your network topology?

I've never drawn one, so I hope this covers what you are asking for. If it doesn't, let me know what I left out or misunderstood and I'll redo it.

This is the simplified set up I used for diagnosing:

Gonzo simplified for diagnostics.png


This is the way it normally is:

Gonzoforpresident Network map.png
 

ApK

Occasional Visitor
I'm having what seems to be a similar issue on my RT-AC86U running 386.4. Let me describe and please let me know if it's appropriate to tag on to this thread or if I should delete this post and start a new one.

For months I've been unable to reach forum.qnap.com. I could reach it on VPN, and when plugged directly into the cable modem, but not from behind the router. Just now, taking the suggestion above, I changed the router's MAC and forced a new public IP from Comcast. I can now reach the forum site from behind the router, so yay for that, though I'd love to know exactly what happened.

Until today that was the only site I was aware of a problem with, but this morning I couldn't access another site (a small private site of mine from a free hosting provider) which had worked fine just a few days ago, and there have been no infrastructure changes on my end. Again, I could access it off the Comcast network, or from a VPN, but not behind the router. But this site didn't work when directly connected to the cable modem either, and it still does not work after changing the MAC/public IP. So it appears to be a different issue. I have no idea how to begin troubleshooting.
 

coffeeaddict

New Around Here
I'm having the same problem as the OP where all devices on the network that are NOT using VPN cannot access common sites (i.e. passwords.google.com or tweetdeck.twitter.com but twitter.com and googl.com work???). I hadn't changed any settings on any device and it just started happening one day. Enormously frustrating. I'm going to call my ISP tomorrow but not even sure what I can tell them to resolve the issue? Hoping people here are able to help?

Using a RT-AC68u with firmware 3.0.0.4.386_46092
 

gonzoforpresident

New Around Here
Amazing timing. After all this time, I literally fixed this two hours ago. Everything I've tried is working properly.

It's kind of weird, because the setting has reverted in the GUI, but this fixed it for me:

GUI>WAN>Internet Connection>DNS Privacy Protocol: DNS-over-TLS (DoT)

I should note that I'm now using a beta firmware from Asus (9.0.0.4.386_47757) and am using Nord's DNS server (9.9.9.9, 149.112.112.112), but those hadn't solved the issue until I changed the DNS Privacy Protocol.
 

gonzoforpresident

New Around Here
This is Quad9. Nord(VPN?) DNS servers are 103.86.96.100 and 103.86.99.100.

I double checked and you are right. I set it to Nord's DNS server, but didn't really think when I checked the modem before updating after coffeeaddict replied. It has changed to Quad9 for some reason. That is really weird, but the router is working properly now.
 

coffeeaddict

New Around Here
my bad RT-AC86U as mentioned!

It seems to have fixed the issues with Google and nytimes but not with tweetdeck, but this is most definitely more along the right track than anything else I've tried!

I've attached a screenshot of my settings. Is this what it should look like?
 

Attachment: screenshot-192.168.1.1-2022.03.15-21_10_41.png

gonzoforpresident

New Around Here
I set a couple of things different than you. Try:

  • DNS-over-TLS Profile: strict
  • Preset servers: Quad9 (9.9.9.9, 149.112.112.112)

There are several Quad9 options and I'm not sure which one I ended up using. If that doesn't solve the issue, then try Quad9 w/o the DNS-over-TLS, since somehow my settings ended up different than what I input.

I should also note that the current stock firmware gave me all kinds of issues where the GUI did not accurately reflect the settings, DHCP assigned IP addresses, internet access, etc. There may be some carryover with the firmware I'm currently using.
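
An added diagnostic, not part of any post in this thread: it sends the same A-record query to Quad9 (9.9.9.9) over plain UDP/53 and over DNS-over-TLS on port 853 with certificate and hostname verification, so the two resolver paths can be compared from a LAN client for sites named in the thread. The TLS name `dns.quad9.net` and all function names are assumptions not taken from the thread.

```python
import socket, ssl, struct

def build_query(name, qid=0x1234):
    """RFC 1035 query for an A record, recursion desired."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def skip_name(msg, off):  # offset just past a name that may end in a compression pointer
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a(msg):
    """Return (rcode, sorted IPv4 answers) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:            # A record; CNAMEs etc. are skipped
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, sorted(addrs)

def query_plain(name, server, timeout=3):  # unencrypted UDP/53, i.e. protocol "none"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a(s.recvfrom(4096)[0])

def query_dot(name, server, tls_name, timeout=3):
    """TCP/853 lookup; the default context verifies chain and hostname (strict)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, 853), timeout=timeout) as raw, \
         ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
        q = build_query(name)
        tls.sendall(struct.pack("!H", len(q)) + q)   # DoT uses TCP's 2-byte length prefix
        f = tls.makefile("rb")
        return parse_a(f.read(struct.unpack("!H", f.read(2))[0]))

if __name__ == "__main__":
    for host in ("pandora.com", "lowes.com"):        # sites named in the thread
        for label, fn, args in (("plain", query_plain, ()), ("DoT", query_dot, ("dns.quad9.net",))):
            try:
                print(host, label, fn(host, "9.9.9.9", *args))
            except (OSError, struct.error) as e:     # timeout, reset, TLS failure, short read
                print(host, label, "FAILED:", e)
```

Large sites often return different addresses on every query, so differing address lists alone mean little; the useful signal is a timeout, an error rcode or an empty answer on the plain path where the DoT path succeeds.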
 