this post was submitted on 01 Dec 2024
9 points (100.0% liked)

techsupport

2496 readers
2 users here now

The Lemmy community will help you with your tech problems and questions about anything here. Do not be shy, we will try to help you.

If something works or if you find a solution to your problem let us know it will be greatly apreciated.

Rules: instance rules + stay on topic

Partnered communities:

You Should Know

Reddit

Software gore

Recommendations

founded 2 years ago
MODERATORS
GatoB@lemmy.world
9
[SOLVED] Firefox Can't Connect to Specific LAN IP (infosec.pub)
submitted 3 weeks ago* (last edited 3 weeks ago) by henfredemars@infosec.pub to c/techsupport@lemmy.world
19 comments fedilink hide all child comments
 

This is a really weird problem that I can't seem to track down further. Perhaps a creative person could suggest some test ideas. Here are the facts:

  • Firefox "Unable to connect" to my LAN server (a router) at 192.168.0.2 port 80.
  • Network error is specifically "NS_CONNECTION_REFUSED".
  • Wireshark on a Raspberry Pi placed between the laptop and server shows no packets exchanged trying to connect. Any packet containing 192.168.0.2, any port.
  • Chrome and Safari work just fine on the same machine. I can see the packets in Wireshark. This validates my test setup works.
  • Curl works, loads the web page. I can see the packets.
  • I have reinstalled, refreshed, removed all extensions, cleared all history and cookies in Firefox and still cannot load the page.
  • Firefox in Safe Mode cannot load the page.
  • Disabled DNS over HTTPS, made sure No Proxy is selected in network settings. Still cannot load the page.
  • Disabled IPv6 in Firefox with about:config setting. Still fails.
  • I have no security software installed of any kind on this Mac. No antivirus or firewall except the default OS one.
  • Turned off Mac built-in Firewall. Still unable to connect.

Why is Firefox apparently refusing to connect to my server? Other LAN IP addresses work fine, even local ones. It specifically hates this one.

top 19 comments
sorted by: hot top controversial new old
[–] Dragomus@lemmy.world 3 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

I once had a similar issue (but not fully the same), alas I forgot how I fixed it.

Some suggestions:

  • Any mention of *.0.2 in your host file? FF might read it differently from other programs
  • if nothing there perhaps you can add a link to *.0.2 in the host file?
  • clear the dns cache etc via ipconfig in a command prompt
  • Firefox proxy settings, set something else, close ff, open it again then revert to no proxy
  • Disable the FF safebrowsing thing (forgot the name and can't currently check)
  • Disable FF secure dns features, don't let firefox choose one nor set a custom one, just put it on isp provided only <- also, use this one in windows tcp/ip settings, not a google one etc.
  • is the subnet mask set correctly? If behind a switch and 2nd network/NAT
  • make a new empty FF profile and try the adress from there

Percussive maintenance? ;-)

Hope you get it resolved.

[–] henfredemars@infosec.pub 4 points 3 weeks ago (2 children)

You are a god. For mysterious reasons, having this IP in my hosts file breaks loading the page. Removing it from hosts restores access. I have no idea why Firefox would care about this because I'm not trying to access the page by name, but by IP address. My best guess is there's some sort of bug relating to handling of hosts file entries.

[–] elmicha 2 points 3 weeks ago

I found this answer, but I still don't understand what's going on and why this network.trr.exclude-etc-hosts might be useful.

[–] Dragomus@lemmy.world 2 points 3 weeks ago

Haha thanks :-)

I vaguely remembered an issue with a host file that firefox blocked instead of rerouted. Never did get to submit a bug report for it I think, hmm.

Glad I could help you resolve it.

[–] NegativeLookBehind@lemmy.world 3 points 3 weeks ago (1 children)

I don’t have any great suggestions, but a few things come to mind:

Did you try it in private browsing mode?

Did you try an older version of Firefox?

Can you set up a proxy and configure Firefox to use it?

Can you find Firefox’s logs on that machine and analyze them?

Can you try it from another machine that has Firefox on it?

Can you run Firefox in a container and see if that works?

[–] henfredemars@infosec.pub 3 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

Private browsing has no effect. Cannot connect, no packets observed in Wireshark. What are these logs that you might suggest viewing? There's a console, but I didn't observe any relevant long messages.

I downloaded an older version from three months ago and it cannot load the page on the test machine. A arbitrarily-tested older version wasn't compatible with my Mac.

I tried Firefox on another machine (Linux) and it can load the page no problems. Sadly, I don't have a second Mac to test if it's a Mac thing, but then why this IP? Seems strange to me.

If I use an SSH tunnel to direct localhost:8000 to 192.168.0.2:80 using a third box as a go-between, it connects just fine. Enter it directly in the address bar and no dice. Cannot connect.

Thank you for the suggestions! I'm stumped. I can work around it, but it's really weird and it would be nice to know why it doesn't like this IP.

[–] NegativeLookBehind@lemmy.world 1 points 3 weeks ago (1 children)

You’re welcome! Can you change the IP of the target host?

[–] henfredemars@infosec.pub 1 points 3 weeks ago* (last edited 3 weeks ago)

Hmm, that's a reasonable thing to test. Sadly, this Linksys router doesn't allow changing the IP in bridge mode. It will be the subnet mask ending in .2. It's really lame to be limited in such a way, but nearly all settings are disabled in bridge mode.

This browser cannot access the router settings. Other browsers and devices can. It's very odd that it seems unable to communicate to this IP.

I can live with this, but it really makes me wonder why.

[–] Boozilla@lemmy.world 2 points 3 weeks ago (1 children)

Proxy settings in about:config?

[–] henfredemars@infosec.pub 2 points 3 weeks ago

The proxy is disabled. No proxy.

[–] SanctimoniousApe@lemmings.world 2 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

The fact you're not seeing any exit packets, along with the ability to connect using anything other than Firefox means it must be an issue with Firefox itself.

Not to insult your intelligence, but do you have any extensions installed on Firefox such as an ad-blocker? Ones that are allowed to operate in private mode as well? I've had random issues with blacklists in my ad-blocker having bad entries in the past.

[–] henfredemars@infosec.pub 2 points 3 weeks ago (1 children)

No insult taken! I reset Firefox and I’m using a new profile. There are no extensions installed.

I’m not sure how I would go about debugging Firefox further to understand why it doesn’t want to attempt connecting to that IP. Currently I agree with you. It seems like there’s some bug with Firefox itself or perhaps an unexpected configuration hidden elsewhere on the system on which it depends but nobody else.

[–] scsi@lemm.ee 2 points 3 weeks ago

You might try a quick shell script to set NSPR_LOG_MODULES and NSPR_LOG_FILE to "all" debug mode to fish for some clues. https://firefox-source-docs.mozilla.org/nspr/reference/nspr_log_modules.html#nspr-log-modules

[–] pack@sh.itjust.works 2 points 3 weeks ago (1 children)

Firefox has an HTTPS-Only mode. Did you double check that? Make sure you can get anywhere on http tcp/80 in the browser.

[–] henfredemars@infosec.pub 1 points 3 weeks ago

Yes that is turned off. Also checked I can visit an unencrypted website, port 80. It also works over LAN using a python script.

[–] CameronDev@programming.dev 1 points 3 weeks ago (1 children)

Does wireshark on the Firefox box show outgoing packets to 192.168.0.2?

[–] henfredemars@infosec.pub 1 points 3 weeks ago

Nope! I just ran this test. No outgoing packets seen on the same machine with firefox trying to visit 192.168.0.2.

[–] InEnduringGrowStrong@sh.itjust.works 1 points 3 weeks ago (1 children)

Start by also running Wireshark on the client device where Firefox is installed.

Might be some weird fringe case that's not handled correctly somewhere like an ipv4 checksum of ffff or something.
This isn't something too plausible, but this seems weird enough that farfetched things might be afoot.
Then again, NS_CONNECTION_REFUSED would mean receiving a reset or something, as opposed to being silently dropped.

Firefox does work for other LAN IPs, right?

[–] henfredemars@infosec.pub 1 points 3 weeks ago

Firefox is able to visit other LAN IPs fine, such as 192.168.0.1 and 192.168.0.203.

Running Wireshark on the same laptop, it doesn't see any outgoing packets for *.2.