Undiagnosable lack of ability to connect to some of the InterNet

I think it would show with ip route if it was taken. I still don’t know why it didn’t take though. Unless it is clever enough to know that 192.168.0.1 really isn’t an IPv4 gateway. Though if that is the IPv4 address of your router, I think it should be. Unless maybe you have multiple ethernet lines or something.

29:15 – Reddit is (temporarily) operative again.
00:30 – Reddit is inoperative again.

Nope. Solely one physical connector to a switch that connects to another switch that connects to the router. I’ve tried to connect without the closest switch attached by connecting the cable directly to the port; no difference.

Maybe some firewall rules could be blocking your IPv4 traffic somewhere along the line. That would be my next guess. I guess check the output of iptables --list-rules and/or nft list ruleset (Fedora Linux is transitioning from “iptables” to “nftables” and which you are using might depend on when you last did a “fresh” install).

[BEEDELLROKEJULIANLOCKHART@1656943212 ~]$ iptables --list-rules
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)

[BEEDELLROKEJULIANLOCKHART@1656943212 ~]$ sudo iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
[BEEDELLROKEJULIANLOCKHART@1656943212 ~]$ nft list ruleset
Operation not permitted (you must be root)
[BEEDELLROKEJULIANLOCKHART@1656943212 ~]$ sudo nft list ruleset
table inet firewalld {
        ct helper helper-netbios-ns-udp {
                type "netbios-ns" protocol udp
                l3proto ip
        }

        chain mangle_PREROUTING {
                type filter hook prerouting priority mangle + 10; policy accept;
                jump mangle_PREROUTING_ZONES
        }

        chain mangle_PREROUTING_POLICIES_pre {
                jump mangle_PRE_policy_allow-host-ipv6
        }

        chain mangle_PREROUTING_ZONES {
                iifname "enp5s0" goto mangle_PRE_FedoraWorkstation
                goto mangle_PRE_FedoraWorkstation
        }

        chain mangle_PREROUTING_POLICIES_post {
        }

        chain nat_PREROUTING {
                type nat hook prerouting priority dstnat + 10; policy accept;
                jump nat_PREROUTING_ZONES
        }

        chain nat_PREROUTING_POLICIES_pre {
                jump nat_PRE_policy_allow-host-ipv6
        }

        chain nat_PREROUTING_ZONES {
                iifname "enp5s0" goto nat_PRE_FedoraWorkstation
                goto nat_PRE_FedoraWorkstation
        }

        chain nat_PREROUTING_POLICIES_post {
        }

        chain nat_POSTROUTING {
                type nat hook postrouting priority srcnat + 10; policy accept;
                jump nat_POSTROUTING_ZONES
        }

        chain nat_POSTROUTING_POLICIES_pre {
        }

        chain nat_POSTROUTING_ZONES {
                oifname "enp5s0" goto nat_POST_FedoraWorkstation
                goto nat_POST_FedoraWorkstation
        }

        chain nat_POSTROUTING_POLICIES_post {
        }

        chain filter_PREROUTING {
                type filter hook prerouting priority filter + 10; policy accept;
                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
                meta nfproto ipv6 fib saddr . mark . iif oif missing drop
        }

        chain filter_INPUT {
                type filter hook input priority filter + 10; policy accept;
                ct state { established, related } accept
                ct status dnat accept
                iifname "lo" accept
                jump filter_INPUT_ZONES
                ct state invalid drop
                reject with icmpx admin-prohibited
        }

        chain filter_FORWARD {
                type filter hook forward priority filter + 10; policy accept;
                ct state { established, related } accept
                ct status dnat accept
                iifname "lo" accept
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
                jump filter_FORWARD_ZONES
                ct state invalid drop
                reject with icmpx admin-prohibited
        }

        chain filter_OUTPUT {
                type filter hook output priority filter + 10; policy accept;
                ct state { established, related } accept
                oifname "lo" accept
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
                jump filter_OUTPUT_POLICIES_pre
                jump filter_OUTPUT_POLICIES_post
        }

        chain filter_INPUT_POLICIES_pre {
                jump filter_IN_policy_allow-host-ipv6
        }

        chain filter_INPUT_ZONES {
                iifname "enp5s0" goto filter_IN_FedoraWorkstation
                goto filter_IN_FedoraWorkstation
        }

        chain filter_INPUT_POLICIES_post {
        }

        chain filter_FORWARD_POLICIES_pre {
        }

        chain filter_FORWARD_ZONES {
                iifname "enp5s0" goto filter_FWD_FedoraWorkstation
                goto filter_FWD_FedoraWorkstation
        }

        chain filter_FORWARD_POLICIES_post {
        }

        chain filter_OUTPUT_POLICIES_pre {
        }

        chain filter_OUTPUT_POLICIES_post {
        }

        chain filter_IN_FedoraWorkstation {
                jump filter_INPUT_POLICIES_pre
                jump filter_IN_FedoraWorkstation_pre
                jump filter_IN_FedoraWorkstation_log
                jump filter_IN_FedoraWorkstation_deny
                jump filter_IN_FedoraWorkstation_allow
                jump filter_IN_FedoraWorkstation_post
                jump filter_INPUT_POLICIES_post
                meta l4proto { icmp, ipv6-icmp } accept
                reject with icmpx admin-prohibited
        }

        chain filter_IN_FedoraWorkstation_pre {
        }

        chain filter_IN_FedoraWorkstation_log {
        }

        chain filter_IN_FedoraWorkstation_deny {
        }

        chain filter_IN_FedoraWorkstation_allow {
                ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
                tcp dport 22 ct state { new, untracked } accept
                udp dport 137 ct helper set "helper-netbios-ns-udp"
                udp dport 137 ct state { new, untracked } accept
                udp dport 138 ct state { new, untracked } accept
                ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept
                ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept
                udp dport 1025-65535 ct state { new, untracked } accept
                tcp dport 1025-65535 ct state { new, untracked } accept
        }

        chain filter_IN_FedoraWorkstation_post {
        }

        chain nat_POST_FedoraWorkstation {
                jump nat_POSTROUTING_POLICIES_pre
                jump nat_POST_FedoraWorkstation_pre
                jump nat_POST_FedoraWorkstation_log
                jump nat_POST_FedoraWorkstation_deny
                jump nat_POST_FedoraWorkstation_allow
                jump nat_POST_FedoraWorkstation_post
                jump nat_POSTROUTING_POLICIES_post
        }

        chain nat_POST_FedoraWorkstation_pre {
        }

        chain nat_POST_FedoraWorkstation_log {
        }

        chain nat_POST_FedoraWorkstation_deny {
        }

        chain nat_POST_FedoraWorkstation_allow {
        }

        chain nat_POST_FedoraWorkstation_post {
        }

        chain filter_FWD_FedoraWorkstation {
                jump filter_FORWARD_POLICIES_pre
                jump filter_FWD_FedoraWorkstation_pre
                jump filter_FWD_FedoraWorkstation_log
                jump filter_FWD_FedoraWorkstation_deny
                jump filter_FWD_FedoraWorkstation_allow
                jump filter_FWD_FedoraWorkstation_post
                jump filter_FORWARD_POLICIES_post
                reject with icmpx admin-prohibited
        }

        chain filter_FWD_FedoraWorkstation_pre {
        }

        chain filter_FWD_FedoraWorkstation_log {
        }

        chain filter_FWD_FedoraWorkstation_deny {
        }

        chain filter_FWD_FedoraWorkstation_allow {
        }

        chain filter_FWD_FedoraWorkstation_post {
        }

        chain nat_PRE_FedoraWorkstation {
                jump nat_PREROUTING_POLICIES_pre
                jump nat_PRE_FedoraWorkstation_pre
                jump nat_PRE_FedoraWorkstation_log
                jump nat_PRE_FedoraWorkstation_deny
                jump nat_PRE_FedoraWorkstation_allow
                jump nat_PRE_FedoraWorkstation_post
                jump nat_PREROUTING_POLICIES_post
        }

        chain nat_PRE_FedoraWorkstation_pre {
        }

        chain nat_PRE_FedoraWorkstation_log {
        }

        chain nat_PRE_FedoraWorkstation_deny {
        }

        chain nat_PRE_FedoraWorkstation_allow {
        }

        chain nat_PRE_FedoraWorkstation_post {
        }

        chain mangle_PRE_FedoraWorkstation {
                jump mangle_PREROUTING_POLICIES_pre
                jump mangle_PRE_FedoraWorkstation_pre
                jump mangle_PRE_FedoraWorkstation_log
                jump mangle_PRE_FedoraWorkstation_deny
                jump mangle_PRE_FedoraWorkstation_allow
                jump mangle_PRE_FedoraWorkstation_post
                jump mangle_PREROUTING_POLICIES_post
        }

        chain mangle_PRE_FedoraWorkstation_pre {
        }

        chain mangle_PRE_FedoraWorkstation_log {
        }

        chain mangle_PRE_FedoraWorkstation_deny {
        }

        chain mangle_PRE_FedoraWorkstation_allow {
        }

        chain mangle_PRE_FedoraWorkstation_post {
        }

        chain filter_IN_policy_allow-host-ipv6 {
                jump filter_IN_policy_allow-host-ipv6_pre
                jump filter_IN_policy_allow-host-ipv6_log
                jump filter_IN_policy_allow-host-ipv6_deny
                jump filter_IN_policy_allow-host-ipv6_allow
                jump filter_IN_policy_allow-host-ipv6_post
        }

        chain filter_IN_policy_allow-host-ipv6_pre {
        }

        chain filter_IN_policy_allow-host-ipv6_log {
        }

        chain filter_IN_policy_allow-host-ipv6_deny {
        }

        chain filter_IN_policy_allow-host-ipv6_allow {
                icmpv6 type nd-neighbor-advert accept
                icmpv6 type nd-neighbor-solicit accept
                icmpv6 type nd-router-advert accept
                icmpv6 type nd-redirect accept
        }

        chain filter_IN_policy_allow-host-ipv6_post {
        }

        chain nat_PRE_policy_allow-host-ipv6 {
                jump nat_PRE_policy_allow-host-ipv6_pre
                jump nat_PRE_policy_allow-host-ipv6_log
                jump nat_PRE_policy_allow-host-ipv6_deny
                jump nat_PRE_policy_allow-host-ipv6_allow
                jump nat_PRE_policy_allow-host-ipv6_post
        }

        chain nat_PRE_policy_allow-host-ipv6_pre {
        }

        chain nat_PRE_policy_allow-host-ipv6_log {
        }

        chain nat_PRE_policy_allow-host-ipv6_deny {
        }

        chain nat_PRE_policy_allow-host-ipv6_allow {
        }

        chain nat_PRE_policy_allow-host-ipv6_post {
        }

        chain mangle_PRE_policy_allow-host-ipv6 {
                jump mangle_PRE_policy_allow-host-ipv6_pre
                jump mangle_PRE_policy_allow-host-ipv6_log
                jump mangle_PRE_policy_allow-host-ipv6_deny
                jump mangle_PRE_policy_allow-host-ipv6_allow
                jump mangle_PRE_policy_allow-host-ipv6_post
        }

        chain mangle_PRE_policy_allow-host-ipv6_pre {
        }

        chain mangle_PRE_policy_allow-host-ipv6_log {
        }

        chain mangle_PRE_policy_allow-host-ipv6_deny {
        }

        chain mangle_PRE_policy_allow-host-ipv6_allow {
        }

        chain mangle_PRE_policy_allow-host-ipv6_post {
        }
}
[BEEDELLROKEJULIANLOCKHART@1656943212 ~]$

That’s a lot of output. Apologies.

Want me to disable the firewall?

Well, disabling the firewall isn’t normally a very good idea, but if you are OK with that, then that is a quick way to test if that is the problem. Unfortunately, firewalld makes very complicated rules that I cannot easily read to figure out what is going on. Personally, I stopped using firewalld and switched to writing my own nftables rules directly. 🙂

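Added example, not part of any post in this thread: a small Python walker that follows `jump`/`goto` from a base chain in `nft list ruleset` output and lists the drop/reject rules that can match IPv4, which is the question the firewalld ruleset above was posted to answer. The embedded ruleset is trimmed from the output posted above; the function names and the IPv6-only heuristic are assumptions of this example.

```python
import re
# Trimmed from the ruleset posted in this thread; the ip6 set is shortened.
RULESET = """
table inet firewalld {
  chain filter_INPUT {
    type filter hook input priority filter + 10; policy accept;
    jump filter_INPUT_ZONES
    ct state invalid drop
  }
  chain filter_INPUT_ZONES {
    goto filter_IN_FedoraWorkstation
  }
  chain filter_IN_FedoraWorkstation {
    reject with icmpx admin-prohibited
  }
  chain filter_OUTPUT {
    type filter hook output priority filter + 10; policy accept;
    ip6 daddr { ::/96, 2002::/24 } reject with icmpv6 addr-unreachable
  }
}
"""
V6_ONLY = re.compile(r"\b(ip6|icmpv6)\b|nfproto ipv6")  # heuristic: rule is IPv6-only

def parse_chains(text):
    """Map chain name -> rule lines, from `nft list ruleset` text."""
    chains, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"chain (\S+) \{$", line)
        if m:
            current = chains.setdefault(m.group(1), [])
        elif line == "}":
            current = None  # end of a chain (or of a non-chain block)
        elif current is not None and line:
            current.append(line)
    return chains

def ipv4_blockers(text, hook):
    """(chain, rule) drop/reject rules reachable from `hook` that can match IPv4."""
    chains = parse_chains(text)
    todo = [c for c, rs in chains.items() if any(f"hook {hook} " in r for r in rs)]
    hits = []
    while todo:
        name = todo.pop()
        for rule in chains.pop(name, []):  # pop: each chain is walked only once
            m = re.search(r"\b(?:jump|goto) (\S+)$", rule)
            if m:
                todo.append(m.group(1))
            elif re.search(r"\b(drop|reject)\b", rule) and not V6_ONLY.search(rule):
                hits.append((name, rule))
    return hits
```

On this excerpt the output hook has no drop or reject that can match IPv4 (its only reject is restricted to `ip6` destinations), while the input hook has two.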

You might also need to try again at adding the IPv4 route after disabling the firewall.

Disabled via systemctl stop firewalld. Remain unable to connect via firefox to reddit.com.

sudo ip route add default via 192.168.0.1 dev enp5s0?

Yes. That command again.

[BEEDELLROKEJULIANLOCKHART@1656943212 ~]$ systemctl stop firewalld
[BEEDELLROKEJULIANLOCKHART@1656943212 ~]$ systemctl status firewalld
○ firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Tue 2022-08-09 00:38:13 BST; 11s ago
       Docs: man:firewalld(1)
    Process: 1284 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
   Main PID: 1284 (code=exited, status=0/SUCCESS)
        CPU: 481ms

Aug 08 10:38:45 1656943212 systemd[1]: Starting firewalld.service - firewalld - dynamic firewall daemon...
Aug 08 10:38:45 1656943212 systemd[1]: Started firewalld.service - firewalld - dynamic firewall daemon.
Aug 09 00:38:13 1656943212 systemd[1]: Stopping firewalld.service - firewalld - dynamic firewall daemon...
Aug 09 00:38:13 1656943212 systemd[1]: firewalld.service: Deactivated successfully.
Aug 09 00:38:13 1656943212 systemd[1]: Stopped firewalld.service - firewalld - dynamic firewall daemon.
[BEEDELLROKEJULIANLOCKHART@1656943212 ~]$ sudo ip route add default via 192.168.0.1 dev enp5s0
Error: Nexthop has invalid gateway.
[BEEDELLROKEJULIANLOCKHART@1656943212 ~]$

Identical problem, unfortunately.

Maybe check sudo nft list ruleset again to be sure the firewall rules were flushed.


Flushed.

[BEEDELLROKEJULIANLOCKHART@1656943212 ~]$ sudo nft list ruleset
[BEEDELLROKEJULIANLOCKHART@1656943212 ~]$

Also, is there some way that you can verify that 192.168.0.1 is the correct address for your router? Can you access your router’s configuration page via some other device?

Yes: my smartphone, via Wi-Fi and Ethernet.

Just going from the output of ip -6 route that you posted earlier, I think you might be able to access your router at https://[fe80::a2bd:cdff:fe95:dd9]/ (I’m not sure if that will work, I don’t think I’ve ever tried a direct IPv6 address in a browser, I’m sure it would complain about the cert though, but I think you could just “accept” that).


Nothing occurs if I attempt to connect to that address via firefox, and chromium-browser states:

This site can’t be reached
The web page at https://[fe80::a2bd:cdff:fe95:dd9]/ might be temporarily down or it may have moved permanently to a new web address.
ERR_INVALID_ARGUMENT

(If I attempt to connect to it without the trailing slash, the output is identical.)

Yeah, I wasn’t sure if that would work. You might also try without the square brackets.

My research has demonstrated that the square brackets are necessary to connect to IPv6 addresses. At least, if I attempt to without them, it searches for the address via “google.com”.

Well, I guess the next thing to try would be adding “192.168.0.1” as a default gateway via NetworkManager. Like I said earlier though, I don’t know how to do that. Also, is your system being configured by DHCP?