New on LowEndTalk? Please Register and read our Community Rules.
Is it possible CloudFlare put a ban on VirMach?
Hello all,
First of all, I haven't opened any ticket at VirMach, as I know I will get an answer next week. So I would like first to check with your experience.
From a VirMach VPS I don't get any answer from CloudFlare. It works locally and on other VPSes from other providers. iptables is set to accept, and no fail2ban or things like that are installed. No CloudFlare IPs are in the VPS's blacklist.
My VirMach VPS is on network 104/8.
For sure it may be a user issue, meaning I would not like to affirm it's a provider issue; my investigations so far make me feel it's possible, and I would like to check with you.
Any feedback or help welcome, thanks a lot ^^.
CC @VirMach
Comments
As I understand, you cannot reach any Cloudflare hosted website from the VPS acting as a client.
Please capture traffic traces:
sudo tcpdump -w 1.pcap "tcp port 443"
curl -vL https://www.lowendtalk.com/cdn-cgi/trace
sudo traceroute -T -p 443 www.lowendtalk.com
If you instead want to host a website on the VPS as a server:
sudo tcpdump -w 1.pcap "tcp port 443"
The binary format traffic trace is required.
Text output of tcpdump is mostly useless.
Yeah, mostly this option. I try to reach a Docker image on docker.com; the endpoint I try to reach is behind CloudFlare. So I've pinged / tracerouted cloudflare.com and other websites behind CloudFlare and seen I cannot reach any of them.
Thanks a lot for your help, here is the pcap:
https://transfer.sh/12LKuX/1111121.pcap
I see no obvious problem in the traffic trace.
The destination IP in frame 5 (as shown in Wireshark) belongs to Cloudflare.
My vps5 is on the same router (64:87:88:b0:9a:c1), and I am able to connect to Cloudflare hosted websites such as this forum, as well as the Docker Hub registry.
Thank you @yoursunny, I don't see an obvious problem in the traffic trace either. But in any case I get no route to host. I guess / hope VirMach should be able to update my VPS route; I will open a ticket and cross fingers they are not busy like the last time I've tried.
It could be specific to the site you are connecting to, and not Cloudflare in general.
In that case, you need a traceroute:
Substitute www.example.com with the actual site you are trying to access. Post the result in text format.
I've tried with several CloudFlare IPs and websites behind CloudFlare, even cloudflare.com and even the website that hosts public Docker images.
I've opened a ticket with all the information I was able to provide; I hope I'll get an answer quickly ^^.
Are we sure we're talking about the same thing? That pcap you put there is clearly connecting to one of the Cloudflare servers - it won't result in "No route to host".
Please test the actual broken domain. Are you sure it's not just some shitty DNS resolve? Are you using IPv4? Did you blindly modify your routes for, idk, OpenVPN and now you pay the price?
Thanks for your feedback. I use CloudFlare DNS 1.1.1.1 and 1.0.0.1 (and yeah, I can reach both those IPs from the VPS). I use IPv4 (no IPv6 settings). I've also tried to reach the IP directly, with the same error. I haven't modified the routes. Actually I only host a Python Discord bot and would now like to add a metrics stack using Prometheus. No VPN at all.
Yeah, that pcap result doesn't really show relevant information.
ERROR: error pulling image configuration: Get "https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/6d/6d6859d1a42a2395a8eacc41c718a039210b377f922d19076ebbdd74aa047e89/data?verify=1619014862-%2BBb6W2DrB4uG9l7NC0kH0ph5QSU%3D": dial tcp 104.18.125.25:443: connect: no route to host
MTR screenshot: https://prnt.sc/11t045r
And another pcap file from when I try to get the Prometheus Docker image:
https://transfer.sh/14xgdg/docker.pcap
I'm on the same router as yours, and can reach this site without problems.
It wouldn't be the first time I've seen incorrectly configured iptables rules cause this problem (possibly even default rules in some images).
Worth checking imo.
With mtr / traceroute like he posted above, I would gamble on iptables / routes too.
Can you show ip r s or check your iptables/NAT rules too? To make sure it's working.
Thank you for your feedback. Here are my iptables rules:
Are you sure you got that from DHCP settings?
This should NOT be the whole 104.0.0.0/8 network; it should only be your VPS network, probably /26 or something.
Probably click the "Reconfigure network" button in WHMCS/VirMach Panel and expect server reboot :-)
No, it's static settings:
I run a custom iso: Alpine Linux, so reconfigure network doesn't work on VirMach.
I don't recall where I got this information, but first I probably checked VirMach and found no information on their knowledge base regarding network settings, so I found this information on LET.
Thanks for your feedback, I think you found the issue; I will try to use DHCP instead. I remember it was not working at the beginning (but it was working from PXE boot, since I made a DHCP request to get internet to be able to load netboot.xyz, because in the past the VirMach netboot.xyz image was broken; it's fixed since I reported it to them).
Alright, now it works! Thanks a lot @JabJab, you found the issue.
It would be nice if I had the static configuration information on the @VirMach website; it would help a lot as well.
Whatever, now it works, problem fixed. I'm closing the ticket on their side.
With DHCP the IP was /27, so if anyone finds this post, you are now aware ^^.
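The root cause JabJab pointed at (a static /8 netmask where the VPS subnet is actually a /27) can be reproduced with a small model of the kernel's route lookup. This is an added example, not code from the thread or from VirMach; the VPS address 104.0.0.10 and gateway 104.0.0.1 are constructed placeholders, and only the /8 vs /27 prefix lengths and the destination addresses come from the thread.

```python
import ipaddress

# Constructed route tables in "ip r s" style (placeholder address and gateway,
# not the OP's real ones); only the /8 vs /27 prefix comes from the thread.
BROKEN_TABLE = """default via 104.0.0.1 dev eth0
104.0.0.0/8 dev eth0 scope link src 104.0.0.10"""
FIXED_TABLE = """default via 104.0.0.1 dev eth0
104.0.0.0/27 dev eth0 scope link src 104.0.0.10"""


def parse_routes(ip_route_output):
    """Parse minimal 'ip r s' lines into (network, gateway-or-None) tuples,
    ordered longest prefix first, which is the order the kernel FIB prefers."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        parts = line.split()
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        gateway = None
        if "via" in parts:
            gateway = ipaddress.ip_address(parts[parts.index("via") + 1])
        routes.append((ipaddress.ip_network(prefix, strict=False), gateway))
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)


def next_hop(routes, dst):
    """Longest-prefix match. 'onlink' means the kernel will ARP for dst itself
    on the interface; when no neighbour answers, connect() fails with
    EHOSTUNREACH, which is the 'no route to host' the OP saw."""
    dst = ipaddress.ip_address(dst)
    for network, gateway in routes:
        if dst in network:
            if gateway is None:
                return ("onlink", None)
            return ("gateway", str(gateway))
    return ("unreachable", None)


if __name__ == "__main__":
    # 104.18.125.25 is the Cloudflare address from the docker pull error;
    # 1.1.1.1 is the resolver the OP could still reach.
    for name, table in (("broken /8", BROKEN_TABLE), ("fixed /27", FIXED_TABLE)):
        routes = parse_routes(table)
        for dst in ("104.18.125.25", "1.1.1.1"):
            print(f"{name}: {dst} -> {next_hop(routes, dst)}")
```

With the /8 table, 104.18.125.25 matches the on-link route and the VPS ARPs for a host that is not on its segment, while 1.1.1.1 still goes via the gateway, which is exactly the split the OP observed; with the /27 table both go via the gateway.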