Curl not working on 4G repeater but works on Ethernet

Hi

I have a curl command that returns no error and gets executed when it is run from mwan3.user in Beryl AX3000 if the internet connection is via Ethernet, but the exact same command returns the following error:
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.pushover.net:443
if I switch to repeater mode (via an Android device hotspot)

Here is the command:

(/bin/sleep 3;
{
curl -s -v \
  -F "token=xxxxxxxxxxx" \
  -F "user=xxxxxxxxxxxx" \
  -F "device=anydevice" \
  -F "title=FailOver" \
  -F "priority=2" \
  -F "retry=30" \
  -F "expire=45" \
  -F "sound=Persistent" \
  -F "message=Failoverr" \
  https://api.pushover.net/1/messages.json
}
logger -t "Failover" "TestFailover")&

If I connect my Windows laptop via LAN and execute the same command in Command Prompt, no error messages either …

Can anyone help with this?

Does this happen on every run when using the repeater?
I tested, and the repeater works no differently from cable.
Could you tcpdump the traffic for curl port 443?

@hansome

Yes, it happens every time I run this script when the router is in repeater mode via the 4G hotspot.

IMPORTANT … Remember that the error only appears when I run this script from the router itself, if I run this script on a computer wired to the router the script executes without any problems

test 1

09:34:34.764889 IP X.X.X.213.51709 > X.X.X.170.53: 54864+ A? api.pushover.net. (34)
09:34:34.766959 IP X.X.X.213.58784 > X.X.X.170.53: 36637+ AAAA? api.pushover.net. (34)
09:34:34.819481 IP X.X.X.170.53 > X.X.X.213.51709: 54864 3/0/0 A 137.220.59.207, A 45.77.212.87, A 45.63.37.132 (82)
09:34:34.829591 IP X.X.X.170.53 > X.X.X.213.58784: 36637 3/0/0 AAAA 2001:19f0:5c00:13ce::2, AAAA 2001:19f0:8001:1c49::2, AAAA 2001:19f0:8001:1c96::2 (118)
09:34:34.831743 IP X.X.X.213.46674 > api.pushover.net.443: Flags [S], seq 3312694833, win 64240, options [mss 1460,sackOK,TS val 3462937303 ecr 0,nop,wscale 4], length 0
09:34:34.884884 IP api.pushover.net.443 > X.X.X.213.46674: Flags [S.], seq 2026051831, ack 3312694834, win 16384, options [mss 1420,nop,nop,sackOK,nop,wscale 6,nop,nop,TS val 761081047 ecr 3462937303], length 0
09:34:34.885163 IP X.X.X.213.46674 > api.pushover.net.443: Flags [.], ack 1, win 4015, options [nop,nop,TS val 3462937357 ecr 761081047], length 0
09:34:35.239559 IP X.X.X.213.46674 > api.pushover.net.443: Flags [P.], seq 1:518, ack 1, win 4015, options [nop,nop,TS val 3462937711 ecr 761081047], length 517
09:34:35.285766 IP api.pushover.net.443 > X.X.X.213.46674: Flags [F.], seq 1, ack 518, win 65535, length 0
09:34:35.291014 IP X.X.X.213.46674 > api.pushover.net.443: Flags [.], ack 2, win 4015, options [nop,nop,TS val 3462937763 ecr 761081047], length 0
09:34:35.319100 IP api.pushover.net.443 > X.X.X.213.46674: Flags [F.], seq 2, ack 519, win 65535, length 0
09:34:35.319312 IP X.X.X.213.46674 > api.pushover.net.443: Flags [.], ack 2, win 4015, options [nop,nop,TS val 3462937791 ecr 761081047], length 0
09:34:35.325479 IP X.X.X.213.46674 > api.pushover.net.443: Flags [F.], seq 518, ack 2, win 4015, options [nop,nop,TS val 3462937797 ecr 761081047], length 0
09:34:35.358617 IP api.pushover.net.443 > X.X.X.213.46674: Flags [F.], seq 2, ack 520, win 65535, length 0
09:34:35.591004 IP X.X.X.213.46674 > api.pushover.net.443: Flags [F.], seq 518, ack 2, win 4015, options [nop,nop,TS val 3462938063 ecr 761081047], length 0
09:34:35.861001 IP X.X.X.213.46674 > api.pushover.net.443: Flags [F.], seq 518, ack 2, win 4015, options [nop,nop,TS val 3462938333 ecr 761081047], length 0

test 2

09:36:10.069231 IP X.X.X.213.36487 > X.X.X.170.53: 11364+ A? api.pushover.net. (34)
09:36:10.079709 IP X.X.X.213.59718 > X.X.X.170.53: 3873+ AAAA? api.pushover.net. (34)
09:36:10.122805 IP X.X.X.170.53 > X.X.X.213.36487: 11364 3/0/0 A 45.63.37.132, A 45.77.212.87, A 137.220.59.207 (82)
09:36:10.123876 IP X.X.X.170.53 > X.X.X.213.59718: 3873 3/0/0 AAAA 2001:19f0:8001:1c49::2, AAAA 2001:19f0:8001:1c96::2, AAAA 2001:19f0:5c00:13ce::2 (118)
09:36:10.125428 IP X.X.X.213.58398 > api.pushover.net.443: Flags [S], seq 1335929413, win 64240, options [mss 1460,sackOK,TS val 3463032597 ecr 0,nop,wscale 4], length 0
09:36:10.184497 IP api.pushover.net.443 > X.X.X.213.58398: Flags [S.], seq 510163761, ack 1335929414, win 16384, options [mss 1420,nop,nop,sackOK,nop,wscale 6,nop,nop,TS val 2672542240 ecr 3463032597], length 0
09:36:10.184750 IP X.X.X.213.58398 > api.pushover.net.443: Flags [.], ack 1, win 4015, options [nop,nop,TS val 3463032656 ecr 2672542240], length 0
09:36:10.352790 IP X.X.X.213.58398 > api.pushover.net.443: Flags [P.], seq 1:518, ack 1, win 4015, options [nop,nop,TS val 3463032824 ecr 2672542240], length 517
09:36:10.403464 IP api.pushover.net.443 > X.X.X.213.58398: Flags [F.], seq 1, ack 518, win 65535, length 0
09:36:10.411003 IP X.X.X.213.58398 > api.pushover.net.443: Flags [.], ack 2, win 4015, options [nop,nop,TS val 3463032883 ecr 2672542240], length 0
09:36:10.429958 IP X.X.X.213.58398 > api.pushover.net.443: Flags [F.], seq 518, ack 2, win 4015, options [nop,nop,TS val 3463032902 ecr 2672542240], length 0
09:36:10.537702 IP api.pushover.net.443 > X.X.X.213.58398: Flags [F.], seq 2, ack 519, win 65535, length 0

test 3

09:40:23.102328 IP X.X.X.213.44766 > X.X.X.170.53: 28015+ A? api.pushover.net. (34)
09:40:23.104447 IP X.X.X.213.46101 > X.X.X.170.53: 60748+ AAAA? api.pushover.net. (34)
09:40:23.140137 IP X.X.X.170.53 > X.X.X.213.44766: 28015 3/0/0 A 45.63.37.132, A 137.220.59.207, A 45.77.212.87 (82)
09:40:23.148313 IP X.X.X.170.53 > X.X.X.213.46101: 60748 3/0/0 AAAA 2001:19f0:8001:1c96::2, AAAA 2001:19f0:8001:1c49::2, AAAA 2001:19f0:5c00:13ce::2 (118)
09:40:23.150796 IP X.X.X.213.55062 > api.pushover.net.443: Flags [S], seq 1800536923, win 64240, options [mss 1460,sackOK,TS val 3463285622 ecr 0,nop,wscale 4], length 0
09:40:23.203012 IP api.pushover.net.443 > X.X.X.213.55062: Flags [S.], seq 2107558300, ack 1800536924, win 16384, options [mss 1420,nop,nop,sackOK,nop,wscale 6,nop,nop,TS val 1074660532 ecr 3463285622], length 0
09:40:23.203264 IP X.X.X.213.55062 > api.pushover.net.443: Flags [.], ack 1, win 4015, options [nop,nop,TS val 3463285675 ecr 1074660532], length 0
09:40:23.370327 IP X.X.X.213.55062 > api.pushover.net.443: Flags [P.], seq 1:518, ack 1, win 4015, options [nop,nop,TS val 3463285842 ecr 1074660532], length 517
09:40:23.424596 IP api.pushover.net.443 > X.X.X.213.55062: Flags [F.], seq 1, ack 518, win 65535, length 0
09:40:23.431006 IP X.X.X.213.55062 > api.pushover.net.443: Flags [.], ack 2, win 4015, options [nop,nop,TS val 3463285903 ecr 1074660532], length 0
09:40:23.448881 IP X.X.X.213.55062 > api.pushover.net.443: Flags [F.], seq 518, ack 2, win 4015, options [nop,nop,TS val 3463285920 ecr 1074660532], length 0
09:40:23.457844 IP api.pushover.net.443 > X.X.X.213.55062: Flags [F.], seq 2, ack 519, win 65535, length 0

In fact, trying any curl command from the router prompt seems to cause the problem, just tried:

curl https://ui.com -v

and got the same error:

root@GL-AR750S:/etc# curl https://ui.com -v
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ui.com:443

10:02:05.532231 IP X.X.X.213.41116 > server-54-192-51-66.yul62.r.cloudfront.net.443: Flags [S], seq 2034016688, win 64240, options [mss 1460,sackOK,TS val 419945492 ecr 0,nop,wscale 4], length 0
10:02:05.533826 IP X.X.X.213.47254 > 192.168.220.170.53: 55349+ PTR? 66.51.192.54.in-addr.arpa. (43)
10:02:05.584138 IP server-54-192-51-66.yul62.r.cloudfront.net.443 > X.X.X.213.41116: Flags [S.], seq 986314330, ack 2034016689, win 65535, options [mss 1420,sackOK,TS val 1406559468 ecr 419945492,nop,wscale 9], length 0
10:02:05.584423 IP X.X.X.213.41116 > server-54-192-51-66.yul62.r.cloudfront.net.443: Flags [.], ack 1, win 4015, options [nop,nop,TS val 419945544 ecr 1406559468], length 0
10:02:05.648108 IP 52.96.230.98.443 > X.X.X.213.56992: Flags [P.], seq 907508948:907508983, ack 1778201573, win 40960, length 35
10:02:05.648325 IP 52.96.230.98.443 > X.X.X.213.56992: Flags [P.], seq 35:1153, ack 1, win 40960, length 1118
10:02:05.649174 IP X.X.X.213.56992 > 52.96.230.98.443: Flags [.], ack 1153, win 1026, length 0
10:02:05.653865 IP 52.96.230.98.443 > X.X.X.213.56993: Flags [P.], seq 3544677385:3544677420, ack 208234926, win 40960, length 35
10:02:05.662121 IP 52.96.230.98.443 > X.X.X.213.56993: Flags [P.], seq 35:1153, ack 1, win 40960, length 1118
10:02:05.663186 IP X.X.X.213.56993 > 52.96.230.98.443: Flags [.], ack 1153, win 1021, length 0
10:02:05.672742 IP 192.168.220.170.53 > X.X.X.213.47254: 55349 1/0/0 PTR server-54-192-51-66.yul62.r.cloudfront.net. (99)
10:02:05.756455 IP X.X.X.213.41116 > server-54-192-51-66.yul62.r.cloudfront.net.443: Flags [P.], seq 1:518, ack 1, win 4015, options [nop,nop,TS val 419945716 ecr 1406559468], length 517
10:02:05.824159 IP server-54-192-51-66.yul62.r.cloudfront.net.443 > X.X.X.213.41116: Flags [F.], seq 1, ack 518, win 65535, length 0
10:02:05.831001 IP X.X.X.213.41116 > server-54-192-51-66.yul62.r.cloudfront.net.443: Flags [.], ack 2, win 4015, options [nop,nop,TS val 419945791 ecr 1406559468], length 0
10:02:05.848491 IP X.X.X.213.41116 > server-54-192-51-66.yul62.r.cloudfront.net.443: Flags [F.], seq 518, ack 2, win 4015, options [nop,nop,TS val 419945808 ecr 1406559468], length 0
10:02:05.876910 IP server-54-192-51-66.yul62.r.cloudfront.net.443 > X.X.X.213.41116: Flags [F.], seq 2, ack 519, win 65535, length 0
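A reading aid for the captures above, added here as an example and not posted by anyone in the thread: it parses tcpdump text lines and flags flows where the port-443 peer sends FIN or RST after the client's first data segment (the 517-byte Client Hello) without returning a single payload byte, which is the sequence curl reports as SSL_ERROR_SYSCALL. The function name `classify`, the trimmed TCP options and the 192.0.2.10 flow are assumptions made for the example.

```python
import re

# Constructed sample: four TCP lines of "test 2" from the thread (TCP options
# trimmed), plus an invented healthy flow to 192.0.2.10 for contrast.
CAPTURE = """\
09:36:10.125428 IP X.X.X.213.58398 > api.pushover.net.443: Flags [S], seq 1335929413, win 64240, length 0
09:36:10.184497 IP api.pushover.net.443 > X.X.X.213.58398: Flags [S.], seq 510163761, ack 1335929414, win 16384, length 0
09:36:10.352790 IP X.X.X.213.58398 > api.pushover.net.443: Flags [P.], seq 1:518, ack 1, win 4015, length 517
09:36:10.403464 IP api.pushover.net.443 > X.X.X.213.58398: Flags [F.], seq 1, ack 518, win 65535, length 0
09:36:11.000000 IP X.X.X.213.40000 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
09:36:11.050000 IP 192.0.2.10.443 > X.X.X.213.40000: Flags [S.], seq 9, ack 2, win 65535, length 0
09:36:11.200000 IP X.X.X.213.40000 > 192.0.2.10.443: Flags [P.], seq 1:518, ack 1, win 4015, length 517
09:36:11.260000 IP 192.0.2.10.443 > X.X.X.213.40000: Flags [P.], seq 1:1421, ack 518, win 65535, length 1420
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]+)\].*length (\d+)")

def classify(capture, port=443):
    """Map each (client, server) flow on `port` to a handshake verdict."""
    suffix = f".{port}"
    flows = {}
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # DNS and other lines that carry no TCP flags
        src, dst, flags, length = m[1], m[2], m[3], int(m[4])
        if dst.endswith(suffix):
            key, from_server = (src, dst), False
        elif src.endswith(suffix):
            key, from_server = (dst, src), True
        else:
            continue
        f = flows.setdefault(key, {"sent": 0, "rcvd": 0, "closed_empty": False})
        if from_server:
            f["rcvd"] += length
            # FIN or RST from the server side before it sent any payload byte
            if ("F" in flags or "R" in flags) and f["rcvd"] == 0:
                f["closed_empty"] = True
        else:
            f["sent"] += length
    verdicts = {}
    for key, f in flows.items():
        if f["closed_empty"] and f["sent"] > 0:
            verdicts[key] = "closed by peer after client data, no server bytes"
        elif f["rcvd"] > 0:
            verdicts[key] = "server replied"
        else:
            verdicts[key] = "no server payload seen"
    return verdicts
```

The verdict only says which side of the capture point closed the connection; whether that was the origin server or a device on the path cannot be read from these lines alone.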

@hansome

It looks like any connection from the router to the internet is failing when the router is in repeater mode over my hotspot. I installed sendmail and tried sending an SSL encrypted mail and got the following:

Error: turn_on_raw_ssl: SSL connection failed
Socket Error: [0]: No error information
Error: Connection is closed unexpectedly
Could not send mail

I then tried getting a simple mailserver info with: mailsend -v -info -port 587 -smtp X.X.X.X:

Connecting to SMTP server: X.X.X.X at Port: 587
Connection timeout: 5 secs
Will detect IPv4 or IPv6 automatically
> libmsock: using getaddrinfo
> AF_INET IPv4

IPv4 address: 184.107.100.29
> EINPROGRESS=150,EWOULDBLOCK=11
> connect(): socket=3,rc=-1, errno=150
> Try socket 3
> Setting read timeout to: 5 seconds
Socket Error: [150]: Operation in progress
Error: Connection is closed unexpectedly
Error: Could not read greetings

Maybe it is a TTL issue; try changing it.
If that doesn't work, please capture the packets to a file

tcpdump -i apcli0 -s0 -n  port 443 -w /tmp/curl4.pcap

and send it to me by private message or email handongming#gl-inet.com

Thanks @hansome, I found a way to change the TTL to 65 on the repeater interface and that seems to fix the problem.

For anyone looking for the answer, here is what I have done on OpenWRT 22.03:

I created a file /etc/nftables.d/12-mangle-ttl-65.nft and added the following into it (change "eth2" to your actual tethering interface).

chain mangle_postrouting_ttl65 {
    type filter hook postrouting priority 300; policy accept;
    # rewrite the TTL of packets leaving via the tethering interface
    oifname "eth2" counter ip ttl set 65
}

chain mangle_prerouting_ttl65 {
    type filter hook prerouting priority 300; policy accept;
    # rewrite the TTL of packets arriving on the tethering interface
    iifname "eth2" counter ip ttl set 65
}

Found this info: Working Nftables Rule for TTL in 22.03 - #17 by richardhd - Network and Wireless Configuration - OpenWrt Forum
