21 Sep
2023
21 Sep
'23
6:52 a.m.
Thanks, TCP MSS was the answer!
On my router ( Mikrotik ):
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu
passthrough=yes protocol=tcp
tcp-flags=syn
On Sun, Sep 17, 2023 at 4:02 PM Jonathan Lassoff <jof(a)thejof.com> wrote:
That DNS resolution seems ok, 20.201.28.151 is one of
the web frontend
IPs. (Confirmed with their API's /meta endpoint:
https://api.github.com/meta)
However, an operation timing out implies that something along the path
is filtering your TCP connection.
Maybe use `tcptraceroute` to try and tell how far your initial TCP SYN
packet is making it (to try and tell whom is filtering).
The other thought that comes in mind in the context of TCP breaking
while traversing VPNs (where small packets like ICMP pings are
working) is that maybe something along the path is not clamping TCP
MSS? Maybe try adding a `mssfix` option into the OpenVPN config (maybe
sized 1420 bytes).
--j
On Sat, 16 Sept 2023 at 11:19, Henrique Brancher Gravina
<henrique(a)gravina.com.br> wrote:
gnutls-cli cannot connect to the host, it give me a timeout:
$gnutls-cli github.com:443
Processed 137 CA certificate(s).
Resolving 'github.com:443'...
Connecting to '20.201.28.151:443'...
*** Fatal error: The operation timed out
But I cant ping the host:
$ping www.github.com
PING github.com (20.201.28.151) 56(84) bytes of data.
64 bytes from 20.201.28.151 (20.201.28.151): icmp_seq=1 ttl=111
time=22.3 ms
64 bytes from 20.201.28.151 (20.201.28.151):
icmp_seq=2 ttl=111
time=19.5 ms
64 bytes from 20.201.28.151 (20.201.28.151):
icmp_seq=3 ttl=111
time=22.3 ms
64 bytes from 20.201.28.151 (20.201.28.151):
icmp_seq=4 ttl=111
time=19.8 ms
64 bytes from 20.201.28.151 (20.201.28.151):
icmp_seq=5 ttl=111
time=19.7 ms
On Sat, Sep 16, 2023 at 3:33 AM Jonathan Lassoff <jof(a)thejof.com> wrote:
>
> For what it's worth, I am able to successfully do git clones from IPv4
> Github from 44net BGP island space, and even that repo you list.
>
> That error suggests that something happened with GNUTLS while
> establishing a TLS connection. Maybe test just that with GNUTLS and
> run "gnutls-cli github.com:443"?
>
> On Fri, 15 Sept 2023 at 23:08, Henrique Brancher Gravina via 44net
> <44net(a)mailman.ampr.org> wrote:
> >
> > Hello,
> >
> > I am running a 44 network with bgp announces on Vultr ( mikrotik )
and a
VPN to my home ( mikrotik ) . Everything is working fine inbound and
outbound traffic are being routed ok.
> >
> > The problem is that I can use github on the server on my 44 hosts.
> >
> > For example:
> >
> > # git clone https://github.com/Henriquegravina/DxccResolver
> > Cloning into 'DxccResolver'...
> > fatal: unable to access '
https://github.com/Henriquegravina/DxccResolver/'#39;: gnutls_handshake()
failed: Error in the pull function.
> > # root@odc1:/home/henrique/tmp# git
clone
https://github.com/Henriquegravina/DxccResolver
> > Cloning into 'DxccResolver'...
> > fatal: unable to access '
https://github.com/Henriquegravina/DxccResolver/'#39;: gnutls_handshake()
failed: Error in the pull function.
> >
> > Thanks for any help.
> > PU3IKE
> >
> >
> > _______________________________________________
> > 44net mailing list -- 44net(a)mailman.ampr.org
> > To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
21 Sep
21 Sep
7:43 a.m.
New subject: Problems accessing guthub
I’ve been struggling with a similar problem, using a Mikrotik running WireGuard. Same
symptoms. Your commands fixed my problem as well. Thanks!
—
Dave K9DC, K9IP
On Sep 21, 2023, at 07:52, Henrique Brancher Gravina
via 44net <44net(a)mailman.ampr.org> wrote:
Thanks, TCP MSS was the answer!
On my router ( Mikrotik ):
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp
tcp-flags=syn
On Sun, Sep 17, 2023 at 4:02 PM Jonathan Lassoff <jof(a)thejof.com
<mailto:jof@thejof.com>> wrote:
That DNS resolution seems ok, 20.201.28.151 is
one of the web frontend
IPs. (Confirmed with their API's /meta endpoint:
https://api.github.com/meta)
However, an operation timing out implies that something along the path
is filtering your TCP connection.
Maybe use `tcptraceroute` to try and tell how far your initial TCP SYN
packet is making it (to try and tell whom is filtering).
The other thought that comes in mind in the context of TCP breaking
while traversing VPNs (where small packets like ICMP pings are
working) is that maybe something along the path is not clamping TCP
MSS? Maybe try adding a `mssfix` option into the OpenVPN config (maybe
sized 1420 bytes).
--j
On Sat, 16 Sept 2023 at 11:19, Henrique Brancher Gravina
<henrique(a)gravina.com.br <mailto:henrique@gravina.com.br>> wrote:
>
> gnutls-cli cannot connect to the host, it give me a timeout:
>
> $gnutls-cli github.com:443 <http://github.com:443/>
> Processed 137 CA certificate(s).
> Resolving 'github.com:443'...
> Connecting to '20.201.28.151:443'...
> *** Fatal error: The operation timed out
>
>
> But I cant ping the host:
>
> $ping www.github.com <http://www.github.com/>
> PING github.com <http://github.com/> (20.201.28.151) 56(84) bytes of data.
> 64 bytes from 20.201.28.151 (20.201.28.151): icmp_seq=1 ttl=111 time=22.3 ms
> 64 bytes from 20.201.28.151 (20.201.28.151): icmp_seq=2 ttl=111 time=19.5 ms
> 64 bytes from 20.201.28.151 (20.201.28.151): icmp_seq=3 ttl=111 time=22.3 ms
> 64 bytes from 20.201.28.151 (20.201.28.151): icmp_seq=4 ttl=111 time=19.8 ms
> 64 bytes from 20.201.28.151 (20.201.28.151): icmp_seq=5 ttl=111 time=19.7 ms
>
>
>
>
> On Sat, Sep 16, 2023 at 3:33 AM Jonathan Lassoff <jof(a)thejof.com
<mailto:jof@thejof.com>> wrote:
>>
>> For what it's worth, I am able to successfully do git clones from IPv4
>> Github from 44net BGP island space, and even that repo you list.
>>
>> That error suggests that something happened with GNUTLS while
>> establishing a TLS connection. Maybe test just that with GNUTLS and
>> run "gnutls-cli github.com:443 <http://github.com:443/>"?
>>
>> On Fri, 15 Sept 2023 at 23:08, Henrique Brancher Gravina via 44net
>> <44net(a)mailman.ampr.org <mailto:44net@mailman.ampr.org>> wrote:
>> >
>> > Hello,
>> >
>> > I am running a 44 network with bgp announces on Vultr ( mikrotik ) and a
VPN to my home ( mikrotik ) . Everything is working fine inbound and outbound traffic are
being routed ok.
>> >
>> > The problem is that I can use github on the server on my 44 hosts.
>> >
>> > For example:
>> >
>> > # git clone https://github.com/Henriquegravina/DxccResolver
>> > Cloning into 'DxccResolver'...
>> > fatal: unable to access
'https://github.com/Henriquegravina/DxccResolver/': gnutls_handshake() failed:
Error in the pull function.
>> > # root@odc1:/home/henrique/tmp# git clone
https://github.com/Henriquegravina/DxccResolver
>> > Cloning into 'DxccResolver'...
>> > fatal: unable to access
'https://github.com/Henriquegravina/DxccResolver/': gnutls_handshake() failed:
Error in the pull function.
>> >
>> > Thanks for any help.
>> > PU3IKE
>> >
>> >
>> > _______________________________________________
>> > 44net mailing list -- 44net(a)mailman.ampr.org
<mailto:44net@mailman.ampr.org>
>> > To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
<mailto:44net-leave@mailman.ampr.org>
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
7:46 a.m.
New subject: Problems accessing guthub
Glad to hear it!
I am using wireguard too;
On Thu, Sep 21, 2023 at 9:43 AM Dave Gingrich <dave(a)dcg.us> wrote:
I’ve been struggling with a similar problem, using a Mikrotik running
WireGuard. Same symptoms. Your commands fixed my problem as well. Thanks!
—
Dave K9DC, K9IP
On Sep 21, 2023, at 07:52, Henrique Brancher Gravina via 44net <
44net(a)mailman.ampr.org> wrote:
Thanks, TCP MSS was the answer!
On my router ( Mikrotik ):
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp
tcp-flags=syn
On Sun, Sep 17, 2023 at 4:02 PM Jonathan Lassoff <jof(a)thejof.com> wrote:
That DNS resolution seems ok, 20.201.28.151 is
one of the web frontend
IPs. (Confirmed with their API's /meta endpoint:
https://api.github.com/meta)
However, an operation timing out implies that something along the path
is filtering your TCP connection.
Maybe use `tcptraceroute` to try and tell how far your initial TCP SYN
packet is making it (to try and tell whom is filtering).
The other thought that comes in mind in the context of TCP breaking
while traversing VPNs (where small packets like ICMP pings are
working) is that maybe something along the path is not clamping TCP
MSS? Maybe try adding a `mssfix` option into the OpenVPN config (maybe
sized 1420 bytes).
--j
On Sat, 16 Sept 2023 at 11:19, Henrique Brancher Gravina
<henrique(a)gravina.com.br> wrote:
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
gnutls-cli cannot connect to the host, it give me a timeout:
$gnutls-cli github.com:443
Processed 137 CA certificate(s).
Resolving 'github.com:443'...
Connecting to '20.201.28.151:443'...
*** Fatal error: The operation timed out
But I cant ping the host:
$ping www.github.com
PING github.com (20.201.28.151) 56(84) bytes of data.
64 bytes from 20.201.28.151 (20.201.28.151): icmp_seq=1 ttl=111
time=22.3 ms
64 bytes from 20.201.28.151 (20.201.28.151):
icmp_seq=2 ttl=111
time=19.5 ms
64 bytes from 20.201.28.151 (20.201.28.151):
icmp_seq=3 ttl=111
time=22.3 ms
64 bytes from 20.201.28.151 (20.201.28.151):
icmp_seq=4 ttl=111
time=19.8 ms
64 bytes from 20.201.28.151 (20.201.28.151):
icmp_seq=5 ttl=111
time=19.7 ms
On Sat, Sep 16, 2023 at 3:33 AM Jonathan Lassoff <jof(a)thejof.com>
wrote:
>
> For what it's worth, I am able to successfully do git clones from IPv4
> Github from 44net BGP island space, and even that repo you list.
>
> That error suggests that something happened with GNUTLS while
> establishing a TLS connection. Maybe test just that with GNUTLS and
> run "gnutls-cli github.com:443"?
>
> On Fri, 15 Sept 2023 at 23:08, Henrique Brancher Gravina via 44net
> <44net(a)mailman.ampr.org> wrote:
> >
> > Hello,
> >
> > I am running a 44 network with bgp announces on Vultr ( mikrotik )
and a
VPN to my home ( mikrotik ) . Everything is working fine inbound and
outbound traffic are being routed ok.
> >
> > The problem is that I can use github on the server on my 44 hosts.
> >
> > For example:
> >
> > # git clone https://github.com/Henriquegravina/DxccResolver
> > Cloning into 'DxccResolver'...
> > fatal: unable to access '
https://github.com/Henriquegravina/DxccResolver/'#39;: gnutls_handshake()
failed: Error in the pull function.
> > # root@odc1:/home/henrique/tmp# git
clone
https://github.com/Henriquegravina/DxccResolver
> > Cloning into 'DxccResolver'...
> > fatal: unable to access '
https://github.com/Henriquegravina/DxccResolver/'#39;: gnutls_handshake()
failed: Error in the pull function.
> >
> > Thanks for any help.
> > PU3IKE
> >
> >
> > _______________________________________________
> > 44net mailing list -- 44net(a)mailman.ampr.org
> > To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
4:42 p.m.
New subject: Problems accessing guthub
Do you happen to have any idea where that command or parms might go in the RouterOS GUI?
It seems like there ought to be a place to put it, for those that prefer the GUI. Also I
wonder why it is not a default?
—
Dave K9DC, K9IP
On Sep 21, 2023, at 08:46, Henrique Brancher Gravina
via 44net <44net(a)mailman.ampr.org> wrote:
Glad to hear it!
I am using wireguard too;
On Thu, Sep 21, 2023 at 9:43 AM Dave Gingrich <dave(a)dcg.us
<mailto:dave@dcg.us>> wrote:
I’ve been struggling with a similar problem, using a Mikrotik running WireGuard. Same
symptoms. Your commands fixed my problem as well. Thanks!
—
Dave K9DC, K9IP
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org On Sep 21, 2023, at 07:52, Henrique Brancher
Gravina via 44net <44net(a)mailman.ampr.org <mailto:44net@mailman.ampr.org>>
wrote:
Thanks, TCP MSS was the answer!
On my router ( Mikrotik ):
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp
tcp-flags=syn
On Sun, Sep 17, 2023 at 4:02 PM Jonathan Lassoff <jof(a)thejof.com
<mailto:jof@thejof.com>> wrote:
That DNS resolution seems ok, 20.201.28.151 is
one of the web frontend
IPs. (Confirmed with their API's /meta endpoint:
https://api.github.com/meta)
However, an operation timing out implies that something along the path
is filtering your TCP connection.
Maybe use `tcptraceroute` to try and tell how far your initial TCP SYN
packet is making it (to try and tell whom is filtering).
The other thought that comes in mind in the context of TCP breaking
while traversing VPNs (where small packets like ICMP pings are
working) is that maybe something along the path is not clamping TCP
MSS? Maybe try adding a `mssfix` option into the OpenVPN config (maybe
sized 1420 bytes).
--j
On Sat, 16 Sept 2023 at 11:19, Henrique Brancher Gravina
<henrique(a)gravina.com.br <mailto:henrique@gravina.com.br>> wrote:
>
> gnutls-cli cannot connect to the host, it give me a timeout:
>
> $gnutls-cli github.com:443 <http://github.com:443/>
> Processed 137 CA certificate(s).
> Resolving 'github.com:443'...
> Connecting to '20.201.28.151:443'...
> *** Fatal error: The operation timed out
>
>
> But I cant ping the host:
>
> $ping www.github.com <http://www.github.com/>
> PING github.com <http://github.com/> (20.201.28.151) 56(84) bytes of data.
> 64 bytes from 20.201.28.151 (20.201.28.151): icmp_seq=1 ttl=111 time=22.3 ms
> 64 bytes from 20.201.28.151 (20.201.28.151): icmp_seq=2 ttl=111 time=19.5 ms
> 64 bytes from 20.201.28.151 (20.201.28.151): icmp_seq=3 ttl=111 time=22.3 ms
> 64 bytes from 20.201.28.151 (20.201.28.151): icmp_seq=4 ttl=111 time=19.8 ms
> 64 bytes from 20.201.28.151 (20.201.28.151): icmp_seq=5 ttl=111 time=19.7 ms
>
>
>
>
> On Sat, Sep 16, 2023 at 3:33 AM Jonathan Lassoff <jof(a)thejof.com
<mailto:jof@thejof.com>> wrote:
>>
>> For what it's worth, I am able to successfully do git clones from IPv4
>> Github from 44net BGP island space, and even that repo you list.
>>
>> That error suggests that something happened with GNUTLS while
>> establishing a TLS connection. Maybe test just that with GNUTLS and
>> run "gnutls-cli github.com:443 <http://github.com:443/>"?
>>
>> On Fri, 15 Sept 2023 at 23:08, Henrique Brancher Gravina via 44net
>> <44net(a)mailman.ampr.org <mailto:44net@mailman.ampr.org>> wrote:
>> >
>> > Hello,
>> >
>> > I am running a 44 network with bgp announces on Vultr ( mikrotik ) and a
VPN to my home ( mikrotik ) . Everything is working fine inbound and outbound traffic are
being routed ok.
>> >
>> > The problem is that I can use github on the server on my 44 hosts.
>> >
>> > For example:
>> >
>> > # git clone https://github.com/Henriquegravina/DxccResolver
>> > Cloning into 'DxccResolver'...
>> > fatal: unable to access
'https://github.com/Henriquegravina/DxccResolver/': gnutls_handshake() failed:
Error in the pull function.
>> > # root@odc1:/home/henrique/tmp# git clone
https://github.com/Henriquegravina/DxccResolver
>> > Cloning into 'DxccResolver'...
>> > fatal: unable to access
'https://github.com/Henriquegravina/DxccResolver/': gnutls_handshake() failed:
Error in the pull function.
>> >
>> > Thanks for any help.
>> > PU3IKE
>> >
>> >
>> > _______________________________________________
>> > 44net mailing list -- 44net(a)mailman.ampr.org
<mailto:44net@mailman.ampr.org>
>> > To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
<mailto:44net-leave@mailman.ampr.org>
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org <mailto:44net@mailman.ampr.org>
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
<mailto:44net-leave@mailman.ampr.org> 
6:30 p.m.
New subject: Problems accessing guthub
After you put it in via the command line, you can go into the GUI under IP,
Firewall, Mangle tab and click on the rule to see how it looks in the GUI.
On Thu, Sep 21, 2023 at 5:43 PM Dave Gingrich via 44net <
44net(a)mailman.ampr.org> wrote:
Do you happen to have any idea where that command or parms might go in the
RouterOS GUI? It seems like there ought to be a place to put it, for those
that prefer the GUI. Also I wonder why it is not a default?
—
Dave K9DC, K9IP
On Sep 21, 2023, at 08:46, Henrique Brancher Gravina via 44net <
44net(a)mailman.ampr.org> wrote:
Glad to hear it!
I am using wireguard too;
On Thu, Sep 21, 2023 at 9:43 AM Dave Gingrich <dave(a)dcg.us> wrote:
I’ve been struggling with a similar problem, using a Mikrotik running
WireGuard. Same symptoms. Your commands fixed my problem as well. Thanks!
—
Dave K9DC, K9IP
On Sep 21, 2023, at 07:52, Henrique Brancher Gravina via 44net <
44net(a)mailman.ampr.org> wrote:
Thanks, TCP MSS was the answer!
On my router ( Mikrotik ):
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp
tcp-flags=syn
On Sun, Sep 17, 2023 at 4:02 PM Jonathan Lassoff <jof(a)thejof.com> wrote:
44net mailing list --
44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
That DNS resolution seems ok, 20.201.28.151 is
one of the web frontend
IPs. (Confirmed with their API's /meta endpoint:
https://api.github.com/meta)
However, an operation timing out implies that something along the path
is filtering your TCP connection.
Maybe use `tcptraceroute` to try and tell how far your initial TCP SYN
packet is making it (to try and tell whom is filtering).
The other thought that comes in mind in the context of TCP breaking
while traversing VPNs (where small packets like ICMP pings are
working) is that maybe something along the path is not clamping TCP
MSS? Maybe try adding a `mssfix` option into the OpenVPN config (maybe
sized 1420 bytes).
--j
On Sat, 16 Sept 2023 at 11:19, Henrique Brancher Gravina
<henrique(a)gravina.com.br> wrote:
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
_______________________________________________
gnutls-cli cannot connect to the host, it give me a timeout:
$gnutls-cli github.com:443
Processed 137 CA certificate(s).
Resolving 'github.com:443'...
Connecting to '20.201.28.151:443'...
*** Fatal error: The operation timed out
But I cant ping the host:
$ping www.github.com
PING github.com (20.201.28.151) 56(84) bytes of data.
64 bytes from 20.201.28.151 (20.201.28.151): icmp_seq=1 ttl=111
time=22.3 ms
64 bytes from 20.201.28.151 (20.201.28.151):
icmp_seq=2 ttl=111
time=19.5 ms
64 bytes from 20.201.28.151 (20.201.28.151):
icmp_seq=3 ttl=111
time=22.3 ms
64 bytes from 20.201.28.151 (20.201.28.151):
icmp_seq=4 ttl=111
time=19.8 ms
64 bytes from 20.201.28.151 (20.201.28.151):
icmp_seq=5 ttl=111
time=19.7 ms
On Sat, Sep 16, 2023 at 3:33 AM Jonathan Lassoff <jof(a)thejof.com>
wrote:
>
> For what it's worth, I am able to successfully do git clones from IPv4
> Github from 44net BGP island space, and even that repo you list.
>
> That error suggests that something happened with GNUTLS while
> establishing a TLS connection. Maybe test just that with GNUTLS and
> run "gnutls-cli github.com:443"?
>
> On Fri, 15 Sept 2023 at 23:08, Henrique Brancher Gravina via 44net
> <44net(a)mailman.ampr.org> wrote:
> >
> > Hello,
> >
> > I am running a 44 network with bgp announces on Vultr ( mikrotik )
and a
VPN to my home ( mikrotik ) . Everything is working fine inbound and
outbound traffic are being routed ok.
> >
> > The problem is that I can use github on the server on my 44 hosts.
> >
> > For example:
> >
> > # git clone https://github.com/Henriquegravina/DxccResolver
> > Cloning into 'DxccResolver'...
> > fatal: unable to access '
https://github.com/Henriquegravina/DxccResolver/'#39;: gnutls_handshake()
failed: Error in the pull function.
> > # root@odc1:/home/henrique/tmp# git
clone
https://github.com/Henriquegravina/DxccResolver
> > Cloning into 'DxccResolver'...
> > fatal: unable to access '
https://github.com/Henriquegravina/DxccResolver/'#39;: gnutls_handshake()
failed: Error in the pull function.
> >
> > Thanks for any help.
> > PU3IKE
> >
> >
> > _______________________________________________
> > 44net mailing list -- 44net(a)mailman.ampr.org
> > To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
430
days inactive
430
days old
4 comments
3 participants
participants (3)
-
Dave Gingrich -
Henrique Brancher Gravina -
Rich Gopstein