TLS negotiation on HTTPS

The VyOS configuration is as follows:

     firewall {
         all-ping enable
         group {
             network-group private {
                 network 192.168.0.0/24
                 network 192.168.101.0/24
                 network 192.168.1.0/24
                 network 192.168.2.0/24
                 network 192.168.3.0/24
                 network 192.168.4.0/24
             }
         }
         name out-global-rule {
             default-action accept
             rule 1 {
                 action accept
                 protocol all
                 source {
                     group {
                         network-group private
                     }
                 }
             }
         }
     }
     interfaces {
         bridge br1 {
             address 192.168.0.1/24
             aging 300
             description "Private switch"
             firewall {
                 out {
                     name out-global-rule
                 }
             }
             hello-time 2
             ip {
                 enable-arp-accept
             }
             max-age 20
             priority 0
             stp true
         }
         bridge br2 {
             address 192.168.101.1/24
             aging 300
             description "private switch"
             firewall {
                 out {
                     name out-global-rule
                 }
             }
             ip {
                 enable-arp-accept
             }
             max-age 20
             priority 0
             stp true
         }
         bridge br3 {
             address 192.168.2.1/24
             aging 300
             description "private switch"
             firewall {
                 out {
                     name out-global-rule
                 }
             }
             hello-time 2
             ip {
                 enable-arp-accept
             }
             max-age 20
             priority 32768
             stp true
         }
         bridge br4 {
             address 192.168.3.1/24
             aging 300
             description "private switch"
             firewall {
                 out {
                     name out-global-rule
                 }
             }
             hello-time 2
             ip {
                 enable-arp-accept
             }
             max-age 20
             priority 32768
             stp true
         }
         bridge br5 {
             address 192.168.4.1/24
             aging 300
             description "private switch"
             firewall {
                 out {
                     name out-global-rule
                 }
             }
             hello-time 2
             ip {
                 enable-arp-accept
             }
             max-age 20
             priority 32768
             stp true
         }
         bridge br6 {
             address 192.168.1.1/24
             description "Private switch"
             firewall {
                 out {
                     name out-global-rule
                 }
             }
             stp true
         }
         ethernet eth0 {
             bridge-group {
                 bridge br2
             }
             description private
             duplex auto
             hw-id 00:98:2b:f8:3f:11
             smp-affinity auto
             speed auto
         }
         ethernet eth1 {
             description private
             duplex auto
             hw-id 00:98:2b:f8:3f:12
             smp-affinity auto
             speed auto
             vif 1 {
                 bridge-group {
                     bridge br6
                 }
                 description "private VLAN 1"
             }
             vif 2 {
                 bridge-group {
                     bridge br1
                 }
                 description "private VLAN 2"
             }
             vif 1002 {
                 bridge-group {
                     bridge br3
                 }
                 description "private VLAN 1002"
             }
             vif 1003 {
                 bridge-group {
                     bridge br4
                 }
                 description "private VLAN 1003"
             }
             vif 1004 {
                 bridge-group {
                     bridge br5
                 }
                 description "private VLAN 1004"
             }
         }
         ethernet eth2 {
             bridge-group {
                 bridge br2
             }
             description private
             duplex auto
             hw-id 00:98:2b:f8:3f:13
             smp-affinity auto
             speed auto
         }
         ethernet eth3 {
             bridge-group {
                 bridge br2
             }
             description private
             duplex auto
             hw-id 00:98:2b:f8:3f:14
             smp-affinity auto
             speed auto
         }
         ethernet eth4 {
             bridge-group {
                 bridge br2
             }
             description private
             duplex auto
             hw-id 00:98:2b:f8:3f:15
             smp-affinity auto
             speed auto
         }
         ethernet eth5 {
             description public
             duplex auto
             hw-id 00:98:2b:f8:3f:16
             pppoe 0 {
                 default-route auto
                 firewall {
                     out {
                         name out-global-rule
                     }
                 }
                 mtu 1492
                 name-server auto
                 password 27195008
                 user-id fsDSL81150434
             }
             smp-affinity auto
             speed auto
         }
         loopback lo {
             address 127.0.0.1/8
             address ::1/128
             description local
         }
     }
     nat {
         source {
             rule 100 {
                 description "TO PUBLIC"
                 outbound-interface pppoe0
                 protocol all
                 source {
                     address 192.168.0.0/16
                 }
                 translation {
                     address masquerade
                 }
             }
         }
     }
     service {
         dhcp-server {
             shared-network-name lan1 {
                 subnet 192.168.101.0/24 {
                     default-router 192.168.101.1
                     dns-server 192.168.101.1
                     lease 86400
                     range 0 {
                         start 192.168.101.2
                         stop 192.168.101.254
                     }
                 }
             }
         }
         dns {
             forwarding {
                 cache-size 512
                 listen-address 0.0.0.0
                 name-server 114.114.114.114
                 name-server 8.8.8.8
             }
         }
         snmp {
             community v3 {
                 authorization ro
             }
             listen-address 0.0.0.0 {
                 port 161
             }
         }
         ssh {
             port 22
         }
     }
     system {
         console {
             device ttyS0 {
                 speed 9600
             }
         }
         host-name router
         ip {
             arp {
                 table-size 16384
             }
         }
         login {
             user vyos {
                 authentication {
                     encrypted-password $1$rD6QpxYO$NIq4e2xQ2eQ4k8MOMeupP1
                     plaintext-password ""
                 }
                 level admin
             }
         }
         ntp {
             server 0.pool.ntp.org {
             }
             server 1.pool.ntp.org {
             }
             server 2.pool.ntp.org {
             }
         }
         syslog {
             global {
                 facility all {
                     level notice
                 }
                 facility protocols {
                     level debug
                 }
             }
         }
         time-zone Asia/Shanghai
     }

This configuration seems to be normal, but there is a strange phenomenon. For the physical interface eth4, I connect a secondary router. In this case, HTTPS access is normal, but if I connect eth4 directly to the Linux computer, I can’t complete the TLS negotiation. From Https NAT failure - #5 by eiriknb I see a problem that seems similar to mine, because I cannot complete normal access to HTTPS, and HTTP seems normal (curl is normal at least), but HTTPS cannot complete a normal TLS negotiation. I have tried to use the Firefox browser to access HTTPS, and it also cannot access normally. Can you give me some advice to help me solve this problem?

I’m having a little bit of trouble understanding exactly what’s going on. So whenever you try and access anything HTTPS anywhere, it breaks?

Also, though unrelated, I suspect you aren’t really understanding how the firewall rules work. OUT means any traffic originating at the router itself, not going through it.

The bottom line is there are very few reasons generally to use OUT. Though like I said, in this case it is probably unrelated.

You can ignore the firewall configuration, because that’s what I added when I tried. In fact, even without the firewall configuration, I still can’t complete the normal work.

As mentioned, I guess I’m still not fully understanding the problem.

What sites is HTTPS failing on? All sites anywhere?

I can’t initiate HTTPS requests through the physical interface of a direct router. If the router is connected to a secondary router, everything will be fine. I don’t know what exactly happened.

If eth4 is a physical port of the VyOS router and eth5 is PPPoE, then if eth4 is connected to a PC, the PC (Linux operating system) will not be able to initiate HTTPS requests to any website, and even TLS negotiation cannot be completed. If a Huawei router is connected to the WAN port of the secondary router, everything will be normal.

So the firewall configuration can be ignored. It has nothing to do with this problem. It can even be said that the firewall configuration was added temporarily when I made a preliminary attempt. Before I added the firewall, the problem already existed. I wanted to know whether it has something to do with the firewall.

I understand now.

You are probably having MTU problems.

See the TCP MSS Clamping example. It didn’t make it over to the new documentation system, but I’ve migrated it.
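For reference, the MSS clamp the answer above points to, written here as an added example in the same config-file format as the posted configuration (it is not code from the thread). It assumes the VyOS 1.2-era `firewall options` syntax that matches the posted `ethernet eth5 pppoe 0` style, and a 1452-byte MSS derived from the 1492-byte PPPoE MTU in the posted config.

```vyos
/* Added example, not from the thread: clamp TCP MSS on the PPPoE uplink. */
/* Assumed CLI equivalent: set firewall options interface pppoe0 adjust-mss 1452 */
firewall {
    options {
        interface pppoe0 {
            /* 1492 (PPPoE MTU) - 20 (IPv4 header) - 20 (TCP header) = 1452 */
            adjust-mss 1452
        }
    }
}
```

This explains why HTTP worked while HTTPS stalled: a small HTTP reply fits in one segment, but the TLS ServerHello and certificate chain arrive in full-size 1500-byte segments that cannot cross the 1492-byte PPPoE link, and if the ICMP "fragmentation needed" replies never reach the sender the handshake hangs. To confirm the symptom from the Linux PC before and after the change, `ping -M do -s 1472 <public host>` (a 1500-byte packet) should report "Frag needed and DF set (mtu = 1492)", while `-s 1464` (a 1492-byte packet) should get replies.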

Thank you. The problem has been solved. It’s really a TCP MSS problem.
