Unreachable: https://repo.turris.cz/omnia/lists/base.lua

Fenevadkan was doing some helpful troubleshooting yesterday but fell off the radar. FYI I changed DNS forwarding to Google in FORIS and my DNS connection test went through. Via SSH I can ping the server, see my above post.

Oh, this is interesting. My computer can access repo.turris.cz, and even traceroute through the router works.

2 2001:506:6000:11b:71:156:212:142 3.964 ms 2.157 ms 6.325 ms
3 2001:506:6000:11b:69:235:122:82 5.920 ms 9.085 ms 13.480 ms
4 * * *
5 2001:1890:1fff:41e:192:205:32:222 4.818 ms 29.928 ms 4.546 ms
6 nyk-bb3-v6.telia.net 185.798 ms
nyk-bb4-v6.telia.net 178.710 ms 178.680 ms
7 ldn-bb4-v6.telia.net 177.412 ms
ldn-bb3-v6.telia.net 176.848 ms
ldn-bb4-v6.telia.net 179.884 ms
8 hbg-bb1-v6.telia.net 178.157 ms 179.152 ms 229.939 ms
9 prag-bb1-v6.telia.net 174.097 ms
win-bb2-v6.telia.net 183.860 ms
prag-bb1-v6.telia.net 174.832 ms
10 prag-b3-v6.telia.net 183.476 ms 178.244 ms 180.312 ms
11 cznic-ic-335938-prag-b3.c.telia.net 160.390 ms 164.550 ms 165.213 ms
12 gw-s-01-dnsgw.nic.cz 163.793 ms 165.105 ms 163.312 ms
13 *^C

But it still fails on the router running 3.11.2.

Other IPv6 hosts work, e.g.,

root@turris:~# ping6 www.google.com
PING www.google.com (2607:f8b0:4005:808::2004): 56 data bytes
64 bytes from 2607:f8b0:4005:808::2004: seq=0 ttl=56 time=3.305 ms
64 bytes from 2607:f8b0:4005:808::2004: seq=1 ttl=56 time=3.277 ms
64 bytes from 2607:f8b0:4005:808::2004: seq=2 ttl=56 time=3.194 ms
^C
--- www.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3.194/3.258/3.305 ms
root@turris:~#

So I think I’ll just try rspoerri’s solution and hope it’s fixed soon.

Ah-hah. I have determined the root cause, in my situation. It’s that AT&T sucks, and there’s nothing the CZ.NIC people can do about it except implement Happy Eyeballs. When I use the -I option to use one of the delegated prefixes for ping6, then my router successfully reaches repo.turris.cz.

They’re apparently doing source address filtering for whatever reason, so the routers can’t access Europe. Most people don’t notice because they’re using ISP-supplied routers that only access American services. AT&T made it very difficult to use this third-party router on this Internet connection, so I think this is not a supported configuration.

I’d ask the ISP. So far I can’t see why the breakage should be intentional. It might just have been undetected (most of the affected people don’t know how to triage these). I’ve seen some (unintentional) IPv6 routing issues recently.

When I try traceroute to your address, it seems to die here in Europe already:

10  2a01:5e0::3:41 (2a01:5e0::3:41)  7.413 ms !N * *

and it’s completely stuck when I try it from yet another Czech ISP, but AFAIK these might be completely independent of the route between you and cz.nic.

Still not finding a solution for this issue…can the folks from Turris fix this or can someone post a guide on how to fix this with a modification to the hosts file?

Hey Brian,

I think you didn’t see my post. The issue you are experiencing is most probably on the ISP side. On the forum, together with support, there are 3 people who have this issue, and I don’t think this is something on our side.

May I know if you tried to enable or disable DNS Forwarding in the DNS tab when you’re logged in to the administration interface Foris? Did you try to change the DNS servers (maybe to the ones which support DNS over TLS) to some preferred ones which are listed in Foris? If you do and it still doesn’t work, I suggest you send us diagnostics following the Error reporting article in our documentation to get at least some basic details which can help us, and if it still doesn’t work, we also have an article on Debugging DNS problems, which can give us a further view of what’s happening and why.

Anyway, the forum is not meant to be for bug reporting.

Pepe,

Thank you for addressing. I have toggled DNS Forwarding from OFF to ON (Google) (no solution) and then on to Cloudflare, which finally seems to have fixed the issue.

So the ISP is likely intercepting DNS packets not directed at them when only encryption helps? Well, if these at least returned answers that are correct and work fine…

It seems to be resolved for me. Updating works again.

I have two Omnia routers with different connections but the same ISP from Spain.

Both of them
cat /etc/turris-version
3.11.2

Two weeks ago, more or less, both of them started continuously sending messages with an update error.
Updater selhal:

unreachable: https://repo.turris.cz/omnia/lists/base.lua: Operation timed out after 30000 milliseconds with 0 out of 0 bytes received

I checked all combinations, with DNS forwarding or without forwarding, but no solution.

What can I do?

I had exactly the same problem as you and adding the record to /etc/hosts resolved the issue for me as well. Were you able to figure out the root cause?

The root cause seems to be some provider in between you and Turris making an error or changing how IPv6 is routed.
After some time it worked again for me without any modifications.

Switching off IPv6 temporarily worked for me.

Why do I have this problem with Turris address only and only from the router?

I am looking for a permanent non-workaround solution.

JFYI, in France the provider named “Free” is going all IPv6 soon. So maybe handling this can be good for some French users.

No, this is not a Turris problem. This is an ISP problem. As long as Free.fr and all the transit providers between them and Turris.cz are working properly, going all IPv6 will not be an issue.

In my case, it’s because the AT&T DHCPv6 server distributes an address to the router (IA_NA) from a different address pool than the delegated prefix (IA_PD) for the local network (2001:506:6000::/35 vs 2600:1700::/28). The packets from the IA_NA address are able to reach American servers, but they’re filtered out at AT&T’s interfaces to the rest of the world.
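
An added example, not part of any post in this thread: a Python script that sorts a router's global IPv6 addresses into the two pools named above and builds one `ping6 -I` probe per source address, so reachability can be compared between the IA_NA and IA_PD sources. The `ip` output is a constructed sample with made-up addresses, and the function names are hypothetical.

```python
import ipaddress

# Pools quoted in the post above (AT&T-specific; adjust for another ISP).
IA_NA_POOL = ipaddress.ip_network("2001:506:6000::/35")  # router's own WAN address
IA_PD_POOL = ipaddress.ip_network("2600:1700::/28")      # delegated LAN prefixes

# Constructed sample of `ip -6 -o addr show scope global` output; the
# interface names and addresses are made up for illustration.
SAMPLE = r"""
2: eth1    inet6 2001:506:6000:abc::10/128 scope global dynamic \       valid_lft 3000sec preferred_lft 3000sec
7: br-lan    inet6 2600:1700:abc:de0::1/60 scope global dynamic \       valid_lft 3000sec preferred_lft 3000sec
7: br-lan    inet6 fd12:3456:789a::1/60 scope global \       valid_lft forever preferred_lft forever
"""

def parse_addrs(text):
    """Return [(ifname, IPv6Address)] from one-line `ip -6 -o addr` output."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if "inet6" not in fields:
            continue
        cidr = fields[fields.index("inet6") + 1]
        found.append((fields[1], ipaddress.ip_interface(cidr).ip))
    return found

def classify(addr):
    """Name the pool an address belongs to: IA_NA, IA_PD or other."""
    if addr in IA_NA_POOL:
        return "IA_NA"
    if addr in IA_PD_POOL:
        return "IA_PD"
    return "other"

def pick_source(addrs):
    """First address from the delegated pool, or None if there is none."""
    for _, addr in addrs:
        if classify(addr) == "IA_PD":
            return addr
    return None

def probe_commands(host, addrs):
    """One ping6 per ISP-assigned source, so the two pools can be compared."""
    return [f"ping6 -c 3 -I {addr} {host}  # {ifname}, {classify(addr)}"
            for ifname, addr in addrs if classify(addr) != "other"]

if __name__ == "__main__":
    for cmd in probe_commands("repo.turris.cz", parse_addrs(SAMPLE)):
        print(cmd)
```

If the IA_NA probe times out while the IA_PD probe succeeds, the behaviour matches the source-address filtering described in the post.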

When I was experiencing this issue back in April, I fixed it by changing my DNS provider in Turris, however the same problem has come back again. I am on AT&T (Los Angeles, CA) and have tried all 5 DNS forwarding options and the updater fails on all 5 options. Tried disabling DNS forwarding and DNSSEC and the updater still fails. Not sure what I can do at this point?

I am at a loss on how to fix this now.

Had the same issue here in France with the Free ISP.