Don't trust the router (was: Can't reach Internet, but Internet can reach me)

My YunoHost server

Hardware: Raspberry Pi 4 at home
YunoHost version: 11.1.6.2 (stable).
I have access to my server : Through SSH | through the webadmin |
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

I run a Mastodon server on YunoHost. It is reachable from the outside, but some functionality seemed to be failing. I returned today from an extended trip to discover DNS lookups were failing – no servers were reachable. I reconfigured dnsmasq manually and fixed that problem, but that revealed what appears to be a routing issue.

Although my Mastodon server appears to the outside world (I can use it to read and post), no connections that are initiated from my server work. This affects not only Mastodon, but all system functionality. I can’t update packages. I can’t ping outside hosts by address OR domain name.

Pinging my router’s public IP works:

$ ping s.yelvington.com
PING s.yelvington.com (134.22.79.193) 56(84) bytes of data.
64 bytes from 134.22.79.193 (134.22.79.193): icmp_seq=1 ttl=64 time=0.524 ms

Pinging google does not:

 $ ping google.com
PING google.com (172.253.124.113) 56(84) bytes of data.
^C
--- google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3074ms

and …

 $ sudo apt-get update
Err:1 http://deb.debian.org/debian bullseye InRelease                             
  Cannot initiate the connection to debian.map.fastlydns.net:80 (2a04:4e42:45::644). - connect (101: Network is unreachable) Could not connect to debian.map.fastlydns.net:80 (199.232.34.132), connection timed out Cannot initiate the connection to deb.debian.org:80 (2a04:4e42:45::644). - connect (101: Network is unreachable)
Err:2 http://deb.debian.org/debian bullseye-updates InRelease                     

et cetera.

Again, web functionality as presented to the world seems to be working. But my server can’t initiate any connections.

 $ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    202    0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0

$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.155  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::13e9:e353:c6ac:a0b1  prefixlen 64  scopeid 0x20<link>
        ether dc:a6:32:9a:d6:2b  txqueuelen 1000  (Ethernet)
        RX packets 15768  bytes 3168824 (3.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20090  bytes 14028689 (13.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 191766  bytes 63712540 (60.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 191766  bytes 63712540 (60.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Solved. The TP-Link router/access point was at fault. I finally pulled its plug after wasting a couple of hours focusing on the Raspberry Pi. Plugged it back in, and everything started working as designed.


Just out of curiosity, are you using the stock firmware or OpenWrt on the TP-Link router?

It’s the stock firmware.

Upon further investigation it appears that the DDoS defense “feature” was turned on, and it regards my YunoHost server as a troublemaker. The router was actively blocking the server from reaching out.
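Added example, not part of the original thread: the apt-get error in the first post already separates two different failures, because errno 101 is the host's own kernel reporting no route (the IPv6 attempt, on a machine whose ifconfig shows only a link-local address) while a timeout means the IPv4 packet left the host and was never answered. The sketch below parses that error text; the function names and verdict labels are hypothetical.

```python
import ipaddress
import re

# Error text copied from the apt-get output in the first post.
APT_ERROR = (
    "Cannot initiate the connection to debian.map.fastlydns.net:80 "
    "(2a04:4e42:45::644). - connect (101: Network is unreachable) "
    "Could not connect to debian.map.fastlydns.net:80 (199.232.34.132), "
    "connection timed out Cannot initiate the connection to "
    "deb.debian.org:80 (2a04:4e42:45::644). - connect (101: Network is unreachable)"
)

# One failure: "<verb> to host:port (address)" followed by the reason.
FAILURE = re.compile(
    r"(?:Cannot initiate the connection|Could not connect) to "
    r"(?P<host>\S+):(?P<port>\d+) \((?P<addr>[0-9A-Fa-f:.]+)\)[.,]? (?:- )?"
    r"(?P<reason>connect \(\d+: [^)]*\)|connection timed out)"
)

def classify(reason):
    """Map an apt failure reason to the place where the attempt died."""
    if reason.startswith("connect (101:"):
        # ENETUNREACH: normally no usable route on this host, nothing was sent.
        return "local-no-route"
    if reason == "connection timed out":
        # The SYN left the host and no reply ever came back.
        return "dropped-on-path"
    return "other"

def triage(text):
    """Return {ip_version: set of verdicts} for each failure in text."""
    verdicts = {}
    for m in FAILURE.finditer(text):
        version = ipaddress.ip_address(m["addr"]).version
        verdicts.setdefault(version, set()).add(classify(m["reason"]))
    return verdicts

def where_to_look(text):
    """Point at the host or at the upstream device (hypothetical helper)."""
    v4 = triage(text).get(4, set())
    if "dropped-on-path" in v4:
        return "upstream"  # gateway, router filtering, ISP
    if "local-no-route" in v4:
        return "host"      # missing address or default route
    return "unknown"

if __name__ == "__main__":
    print(triage(APT_ERROR), "->", where_to_look(APT_ERROR))
```

On the thread's own error line the IPv4 verdict is "upstream", which matches where the fault turned out to be.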
