Did something change with ipfire.org DNS recently?

hvacguy · 13 August 2024 14:41

I have a similar problem with my cell service. My guess is forum is slow or my cell provider service sucks. Which is a known problem with service in America.
Tried Chrome no difference.
Cell coverage can be spotty.

povoq · 13 August 2024 15:19

Happens on land line and not on mobile data here though.

But it gets stranger and stranger. Now I can connect here on mobile connected to the same network via WiFi, which wasn’t the case before, but it still times out on my desktop PC.

And just to add: every other website I tried works fine.

raffe · 13 August 2024 15:26

On my phone I can connect to the sites with the mobile 5G, if I first connect my phone Openvpn client to my Ipfire Openvpn server

hvacguy · 13 August 2024 15:43

I have noticed in the past similar service improves if I use VPN to my IPfire.
Phone company QoS must not effect The VPN traffic as much.

dark0ipfire · 13 August 2024 17:51

At free WiFi of Amsterdam Airport connect to IP fire.org and subdomains fails, too.

Update: this works now, but slow (maybe due to DNS resolution). Cannot test the failed connections in Airbnb homes in France anymore.

zapata · 15 August 2024 19:40

I still cannot reach (www|community|blog).ipfire.org over IPv6 from multiple locations. Ping works, nmap shows that port 80 and 443 is open, but https is not working. To write this I have to set “network.dns.disableIPv6” to true in Firefox.

jon · 15 August 2024 20:01

At this time (www|community|blog).ipfire.org work fine for me via cellular and IPv6 and Safari on an iPhone SE3. I am in the US.

zapata · 15 August 2024 21:36

I’ve tested some IPv6 enabled VPN tunnel locations, over some I can reach ipfire.org. Other IPv6 sites are available on all tunnels.

And I can open the website on my iPhone, but I have no idea if the page is loaded over IPv4 or IPv6. My mobile network operator supports both.

Anyway, something is broken.

ms · 16 August 2024 12:49

Could you provide me with some more debug information? Are you getting a simple timeout? Can you trace the TLS handshake maybe?

So we are running a load balancer in front of all the web services which is why everything should resolve to the same IP address. Some people have confirmed that everything works for them, our monitoring is not showing any signs of trouble either.

So it might depend on where you are coming from. IPv6 is hosted on our own Autonomous System and we peer with Kyberio and Hurricane Electric. Maybe one of these routes is broken? Maybe there is an MTU problem?

zapata · 16 August 2024 14:42

Most of the time the server is not returning much (SYN, ACK) and later (RST):

    1 0.000000000 myIPv6 → 2001:678:b28:: TCP 94 16208 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1440 WS=64 SACK_PERM TSval=2891581018 TSecr=0
    2 0.053000633 2001:678:b28:: → myIPv6 TCP 94 443 → 16208 [SYN, ACK] Seq=0 Ack=1 Win=21060 Len=0 MSS=1416 SACK_PERM TSval=2372486085 TSecr=2891581018 WS=512
    3 0.053069112 myIPv6 → 2001:678:b28:: TCP 86 16208 → 443 [ACK] Seq=1 Ack=1 Win=66560 Len=0 TSval=2891581071 TSecr=2372486085
    4 0.056221827 myIPv6 → 2001:678:b28:: TLSv1 603 Client Hello (SNI=community.ipfire.org)
    5 0.440324877 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 16208 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=2891581458 TSecr=2372486085
    6 0.996447884 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 16208 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=2891582014 TSecr=2372486085
    7 1.854992354 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 16208 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=2891582873 TSecr=2372486085
    8 3.424199938 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 16208 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=2891584442 TSecr=2372486085
    9 6.309024882 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 16208 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=2891587327 TSecr=2372486085
   10 11.701250092 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 16208 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=2891592719 TSecr=2372486085
   11 22.285207145 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 16208 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=2891603303 TSecr=2372486085
   12 43.260974445 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 16208 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=2891624279 TSecr=2372486085
   13 60.098951930 myIPv6 → 2001:678:b28:: TCP 86 16208 → 443 [ACK] Seq=0 Ack=1 Win=66496 Len=0 TSval=2891641117 TSecr=2372486085
   14 84.980198479 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 16208 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=2891665998 TSecr=2372486085
   15 120.160997263 myIPv6 → 2001:678:b28:: TCP 86 16208 → 443 [ACK] Seq=0 Ack=1 Win=66496 Len=0 TSval=2891701179 TSecr=2372486085
   16 149.088184299 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 16208 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=2891730106 TSecr=2372486085
   17 180.191174204 myIPv6 → 2001:678:b28:: TCP 86 16208 → 443 [ACK] Seq=0 Ack=1 Win=66496 Len=0 TSval=2891761209 TSecr=2372486085
   18 180.213692248 2001:678:b28:: → myIPv6 TCP 74 443 → 16208 [RST] Seq=1 Win=0 Len=0

But occasionally I get:

    1 0.000000000 myIPv6 → 2001:678:b28:: TCP 94 58021 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1440 WS=64 SACK_PERM TSval=3810690634 TSecr=0
    2 0.062639384 2001:678:b28:: → myIPv6 TCP 94 443 → 58021 [SYN, ACK] Seq=0 Ack=1 Win=21060 Len=0 MSS=1416 SACK_PERM TSval=2373176512 TSecr=3810690634 WS=512
    3 0.062710264 myIPv6 → 2001:678:b28:: TCP 86 58021 → 443 [ACK] Seq=1 Ack=1 Win=66560 Len=0 TSval=3810690697 TSecr=2373176512
    4 0.066070298 myIPv6 → 2001:678:b28:: TLSv1 603 Client Hello (SNI=community.ipfire.org)
    5 0.482536541 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 58021 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=3810691117 TSecr=2373176512
    6 1.102520951 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 58021 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=3810691737 TSecr=2373176512
    7 2.108571570 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 58021 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=3810692743 TSecr=2373176512
    8 3.897311990 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 58021 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=3810694532 TSecr=2373176512
    9 7.179522043 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 58021 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=3810697814 TSecr=2373176512
   10 13.720541662 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 58021 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=3810704355 TSecr=2373176512
   11 26.220733339 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 58021 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=3810716855 TSecr=2373176512
   12 51.014530179 myIPv6 → 2001:678:b28:: TCP 603 [TCP Retransmission] 58021 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=517 TSval=3810741649 TSecr=2373176512
   13 60.086079917 2001:678:b28:: → myIPv6 TCP 86 [TCP Previous segment not captured] 443 → 58021 [FIN, ACK] Seq=2495 Ack=518 Win=20992 Len=0 TSval=2373236576 TSecr=3810741649
   14 60.086140637 myIPv6 → 2001:678:b28:: TCP 86 [TCP Dup ACK 3#1] 58021 → 443 [ACK] Seq=518 Ack=1 Win=66560 Len=0 TSval=3810750721 TSecr=2373176512
   15 84.313286679 2001:678:b28:: → myIPv6 TCP 1490 [TCP Retransmission] 443 → 58021 [ACK] Seq=1 Ack=518 Win=20992 Len=1404 TSval=2373260803 TSecr=3810750721
   16 84.313358920 myIPv6 → 2001:678:b28:: TCP 86 58021 → 443 [ACK] Seq=518 Ack=1405 Win=65216 Len=0 TSval=3810774948 TSecr=2373260803
   17 84.335687856 2001:678:b28:: → myIPv6 TCP 1176 [TCP Retransmission] 443 → 58021 [FIN, PSH, ACK] Seq=1405 Ack=518 Win=20992 Len=1090 TSval=2373260825 TSecr=3810774948
   18 84.335768057 myIPv6 → 2001:678:b28:: TCP 86 58021 → 443 [ACK] Seq=518 Ack=2496 Win=65472 Len=0 TSval=3810774970 TSecr=2373260825
   19 84.343987831 myIPv6 → 2001:678:b28:: TLSv1.2 166 Change Cipher Spec, Application Data
   20 84.344544517 myIPv6 → 2001:678:b28:: TLSv1.2 172 Application Data
   21 84.344655799 myIPv6 → 2001:678:b28:: TLSv1.2 152 Application Data
   22 84.344842961 myIPv6 → 2001:678:b28:: TLSv1.2 110 Application Data
   23 84.345021043 myIPv6 → 2001:678:b28:: TCP 86 58021 → 443 [FIN, ACK] Seq=774 Ack=2496 Win=66560 Len=0 TSval=3810774980 TSecr=2373260825
   24 84.366114445 2001:678:b28:: → myIPv6 TCP 74 443 → 58021 [RST] Seq=2496 Win=0 Len=0
   25 84.366619970 2001:678:b28:: → myIPv6 TCP 74 443 → 58021 [RST] Seq=2496 Win=0 Len=0
   26 84.366697771 2001:678:b28:: → myIPv6 TCP 74 443 → 58021 [RST] Seq=2496 Win=0 Len=0
   27 84.366991455 2001:678:b28:: → myIPv6 TCP 74 443 → 58021 [RST] Seq=2496 Win=0 Len=0
   28 84.367111096 2001:678:b28:: → myIPv6 TCP 74 443 → 58021 [RST] Seq=2496 Win=0 Len=0

but curl returns: curl: (16) Error in the HTTP2 framing layer

ms · 16 August 2024 15:42

It is a difficult question whether the packet is never making it to the server, or whether it doesn’t want to reply.

Occasionally is never good.

I have made a change, could you please check again?

zapata · 16 August 2024 15:58

Yes, now it’s working. Thanks.

ms · 16 August 2024 16:08

Then it is the IPS and not IPv6.

povoq · 18 August 2024 17:45

Seems to be working here again now on my home ISP.

Thanks!

raffe · 18 August 2024 19:42

Now working for me also (via mobile phone 5G).

ms · 19 August 2024 10:41

I disabled the IPS for the time being until I have time to investigate what is actually going wrong. I assume it is a bug in Suricata

hvacguy · 20 August 2024 00:46

Could this be related?

ms · 20 August 2024 08:30

Possible, yes.