AXT1800 Blocked by ISP

Hi everyone,

I bought a new router (AXT1800) to replace my Synology router. I have an ethernet ISP where I have to manually set the gateway, the static IP address and the DNS servers, which are all good.

The problem is that the ISP doesn't like routers and usually checks the TTL for that. So I went to the custom firewall settings and added:

iptables -t mangle -I POSTROUTING 1 -j TTL --ttl-set 64

But it didn't work. The Google web page keeps loading forever and sometimes fails with a DNS error. The router LED keeps blinking, and on the GL.iNet dashboard I see the ethernet connection going up and down repeatedly.

For reference, I checked how the Synology router deals with this case. During ethernet WAN configuration, after entering the IP, gateway, DNS, etc., there is a checkbox to activate TTL spoofing for this connection. When you check that box, new rules are added to iptables:

Chain SPOOF_TTL_FORWARD (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
TTL        all  --  anywhere             anywhere             TTL match TTL > 30 TTL match TTL < 254 TTL set to 64
TTL        all  --  anywhere             anywhere             TTL match TTL == 254 TTL set to 255

Then the internet works correctly without any problem.

Another piece of information: I also copied the Synology router's MAC address to the AXT1800 to bypass any MAC filtering, but that didn't help.

Any input will be really helpful.

Thank you everyone.

The problem here is that if the ISP doesn't like third-party routers, they will do everything possible to make the user experience as bad as possible. What I would do is change companies, since it is the user himself who has the right to use the telecommunications equipment he wants.

The Synology router and a $10 TP-Link router both work fine. So I just need to know how to use the same script/logic from those working routers on the AXT1800.

The ISP is not that smart; they are using very simple scripts such as MAC address checks and TTL to force users not to use routers.

Usually the iptables hack should be enough, but I feel there is another routing step before reaching the ISP that decreases the TTL and causes the detection.

Try with the iptables hack, yes. I think that Synology and TP-Link routers use something to hide the TTL from ISPs, I guess.

Update: I upgraded the router firmware and checked the iptables rules again:

iptables -t mangle -I POSTROUTING 1 -j TTL --ttl-set 64
iptables -t mangle -I PREROUTING 1 -j TTL --ttl-set 64
iptables -t mangle -I FORWARD 1 -j TTL --ttl-set 64

I also tried different numbers, 65 and 255; unfortunately nothing is working.

Are you really sure about that? Never heard of that.

What ISP is it?

A private residence with an ethernet network across different apartments. They block routers to prevent resharing, probably. But somehow the Synology with the TTL-spoofing feature is bypassing that.

Could you please check ping and nslookup to ensure the connection is working at all?

Ping and nslookup are both working, but with packet drops. Just by looking at the router dashboard I see the ethernet connection connecting and disconnecting repeatedly.
The same behavior also occurred with my Synology router, but when I activated TTL spoofing the problem went away.
So basically you can connect to the ISP for the first few seconds, then you are automatically disconnected, then you reconnect again and are automatically disconnected again. In the few milliseconds while you are connected you can open the Google page or do a ping or nslookup, but directly after that you are disconnected.

Using a cheap TP-Link router (which has no TTL config) surprisingly works well. So I believe there is some check somewhere (not a MAC address check) that kills the connection.

Someone reported the same issue 9 years ago (https://www.reddit.com/r/HomeNetworking/comments/418j4y/changing_ttl_to_bypass_isp_router_block/?show=original)

Update:

I checked the outgoing packets using tcpdump, filtering on the gateway as destination; they all have TTL 64, which means the iptables setting is working.

Given that, I believe it's more than TTL: some kind of device profiling or DHCP fingerprinting.

Any idea will be really helpful :pray:
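To tie the two earlier pieces together, the Synology SPOOF_TTL_FORWARD chain quoted in the opening post and the tcpdump check from the update above, here is an added example of the same logic as a script for an OpenWrt-based router with iptables. This is not code from the thread, from GL.iNet or from Synology. It assumes the WAN interface is called eth0 (check `ip route show default`) and that the `ttl` match and `TTL` target extensions are installed (on OpenWrt they ship in the ipopt iptables extension package). The two RETURN rules at the top of the Synology listing appear without their match conditions on the page, so they are left out.

```shell
#!/bin/sh
# Added example (not from the thread, GL.iNet or Synology): reproduce the
# Synology SPOOF_TTL_FORWARD chain on an OpenWrt/iptables router.
# Assumptions: WAN interface "eth0", ttl match + TTL target available.

WAN_IF="${WAN_IF:-eth0}"     # assumption: WAN interface name
IPT="${IPT:-iptables}"       # set IPT=echo for a dry run that only prints
CHAIN="SPOOF_TTL_FORWARD"

# Rule bodies (everything after the iptables binary), one per line:
#   TTL in 31..253 -> rewrite to 64  (hides the hop that LAN clients add)
#   TTL == 254     -> rewrite to 255 (hosts whose initial TTL is 255)
# Hooked into mangle POSTROUTING on the WAN side, so forwarded packets and
# the router's own packets both leave with a "first hop" TTL.
ttl_spoof_rules() {
    printf '%s\n' \
        "-t mangle -F $CHAIN" \
        "-t mangle -A $CHAIN -m ttl --ttl-gt 30 -m ttl --ttl-lt 254 -j TTL --ttl-set 64" \
        "-t mangle -A $CHAIN -m ttl --ttl-eq 254 -j TTL --ttl-set 255" \
        "-t mangle -I POSTROUTING 1 -o $WAN_IF -j $CHAIN"
}

apply_ttl_spoof() {
    # Create the chain only if it is missing (-N fails on an existing chain).
    $IPT -t mangle -L "$CHAIN" -n >/dev/null 2>&1 || $IPT -t mangle -N "$CHAIN" || return 1
    # Remove a previous hook so re-running does not stack duplicate jumps.
    $IPT -t mangle -D POSTROUTING -o "$WAN_IF" -j "$CHAIN" 2>/dev/null || true
    ttl_spoof_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into words is intended
        $IPT $rule || exit 1
    done
}

# Verification, the same check the original poster did with tcpdump: after the
# rules are in, every IPv4 packet leaving WAN_IF should show ttl 64 or ttl 255.
show_wan_ttl() {
    tcpdump -ni "$WAN_IF" -v -c "${1:-20}" ip 2>/dev/null \
        | grep -o 'ttl [0-9]*' | sort | uniq -c
}

case "${1:-}" in
    apply) apply_ttl_spoof ;;
    show)  ttl_spoof_rules ;;
    check) show_wan_ttl "${2:-20}" ;;
esac
```

Run `sh ttl-spoof.sh show` to see the rules, `IPT=echo sh ttl-spoof.sh apply` for a dry run, and `sh ttl-spoof.sh apply` as root to install them (for example from the custom firewall rules box, so they survive a reboot); `sh ttl-spoof.sh check` then counts the TTL values actually seen on the WAN port. Note that GL.iNet firmware built on fw4 uses nftables rather than iptables; there the same logic is an nft rule with `ip ttl set 64`, and the match ranges carry over unchanged.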

Tbh I doubt that there is TTL inspection. That is not common.

Can you see the MAC address of the upstream router? Which brand is it?
So we know what we are dealing with.

Router prefix: 002a6a (Cisco)
The DNS and DHCP servers are hosted on a Windows Server machine.

Update:

Using an L2 switch between the AXT1800 and the provider gateway bypasses the check and the router is able to connect. Connecting the router directly still doesn't work.

I still can't figure out what the ISP is checking to detect a router.

I doubt it's a check; it will just be some faulty handling between the 2.5 Gbit WAN port and the Cisco. This happens often.

I can confirm that there is a check (from an insider engineer at the ISP), but I still need help figuring out how to bypass it. The exact same problem occurred a while ago with the Synology router, but after many tests it went through.