
#1 2026-02-19 05:28:33

mikro
Member
Registered: 2011-01-10
Posts: 13

Is there a firewall for certain IP addresses?

Hi,

I hope this is the right place to ask. I have a weird issue. A few months ago I moved to Australia. I shipped my computer gear with me, so I have literally the same setup as I had back in Europe. And I have noticed that suddenly, none of the AUR-based updates work. At first I thought it was just random downtime (usually it's night time in Europe when I use the computer) but when it kept occurring, I started to smell some trouble.

Basically, I'm unable to connect to servers in the 209.126.35.x range from NBN (fibre optic) internet. This includes archlinux.org, aur.archlinux.org, and wiki.archlinux.org. When I switch to the same provider's *mobile* network, it works. From my work's network, all good. Just when I get home and want to use the fast internet, I'm stuck.

I'm trying to win a hopeless battle with My Optus (the internet/mobile provider) to send someone to take a look. They swear they checked it internally and the access worked for them (I can't verify this claim or provide further technical details).

So I have been wondering... is there any chance that my IP address (better said, my provider's IP address) is somehow blocked for the *.archlinux.org domain?

Symptoms:

HTTPS connections time out completely
Ping shows >90% packet loss
Latency when packets do arrive: ~340ms
Other destinations (e.g., google.com) work normally
The same sites work fine from other networks/ISPs
Tracepath shows packets reach My Optus network (61.88.33.x hops) but never exit to the destination.

========================================
DIAGNOSTIC OUTPUT 1: Git clone timeout
========================================

[mikro@pc Trash]$ GIT_CURL_VERBOSE=1 git clone https://aur.archlinux.org/openssl-1.1.git/
Cloning into 'openssl-1.1'...
20:12:39.887868 http.c:890 == Info: Could not find host aur.archlinux.org in the .netrc file; using defaults
20:12:39.903973 http.c:890 == Info: Host aur.archlinux.org:443 was resolved.
20:12:39.903981 http.c:890 == Info: IPv6: 2604:cac0:a104:d::2
20:12:39.903986 http.c:890 == Info: IPv4: 209.126.35.78
20:12:39.904005 http.c:890 == Info: Trying [2604:cac0:a104:d::2]:443...
20:12:39.904039 http.c:890 == Info: Immediate connect fail for 2604:cac0:a104:d::2: Network is unreachable
20:12:39.904056 http.c:890 == Info: Trying 209.126.35.78:443...
20:14:53.816825 http.c:890 == Info: connect to 209.126.35.78 port 443 from 192.168.0.8 port 51682 failed: Connection timed out
20:14:53.816855 http.c:890 == Info: Failed to connect to aur.archlinux.org port 443 after 133930 ms: Could not connect to server
20:14:53.816865 http.c:890 == Info: closing connection #0
fatal: unable to access 'https://aur.archlinux.org/openssl-1.1.git/': Failed to connect to aur.archlinux.org port 443 after 133930 ms: Could not connect to server

========================================
DIAGNOSTIC OUTPUT 2: Ping with packet loss
========================================

[mikro@pc Trash]$ ping wiki.archlinux.org
PING wiki.archlinux.org (209.126.35.81) 56(84) bytes of data.
64 bytes from 209.126.35.81: icmp_seq=22 ttl=48 time=346 ms
64 bytes from 209.126.35.81: icmp_seq=32 ttl=48 time=344 ms
64 bytes from 209.126.35.81: icmp_seq=43 ttl=48 time=338 ms

(Only 3 responses out of 43+ packets sent — over 90% packet loss)

========================================
DIAGNOSTIC OUTPUT 3: Tracepath showing route failure
========================================

[mikro@pc Trash]$ tracepath -n 209.126.35.78
1?: [LOCALHOST] pmtu 1500
1: 192.168.0.1 0.945ms
1: 192.168.0.1 0.554ms
2: no reply
3: no reply
4: no reply
5: no reply
6: 61.88.33.47 25.998ms
7: 61.88.33.48 24.997ms
8: 61.88.33.47 27.012ms asymm 6
9: 61.88.33.1 27.512ms
10: no reply
11: 61.88.33.48 31.077ms asymm 7
12: no reply
13: no reply
14: no reply
15: no reply
16: no reply
17: no reply
18: no reply
19: no reply
20: no reply
21: no reply
22: no reply
23: no reply
24: no reply
25: no reply
26: no reply
27: no reply
28: no reply
29: no reply
30: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500

Offline

#2 2026-02-19 10:26:34

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 14,801

Re: Is there a firewall for certain IP addresses?

archlinux.org is hosted by Hetzner in Germany. Can you reach https://www.hetzner.com/ ?

Moderator note

This includes archlinux.org, aur.archlinux.org, and wiki.archlinux.org

Moving to Networking, Server, and Protection


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#3 2026-02-19 10:49:04

mikro
Member
Registered: 2011-01-10
Posts: 13

Re: Is there a firewall for certain IP addresses?

Lone_Wolf wrote:

archlinux.org is hosted by Hetzner in Germany. Can you reach https://www.hetzner.com/ ?

I can but it shows a different IP:

ping www.hetzner.com
PING www.hetzner.com (213.133.116.44) 56(84) bytes of data.
64 bytes from static.213-133-116-44.clients.your-server.de (213.133.116.44): icmp_seq=1 ttl=44 time=431 ms
64 bytes from static.213-133-116-44.clients.your-server.de (213.133.116.44): icmp_seq=2 ttl=44 time=430 ms
64 bytes from static.213-133-116-44.clients.your-server.de (213.133.116.44): icmp_seq=3 ttl=44 time=429 ms
64 bytes from static.213-133-116-44.clients.your-server.de (213.133.116.44): icmp_seq=4 ttl=44 time=428 ms
64 bytes from static.213-133-116-44.clients.your-server.de (213.133.116.44): icmp_seq=5 ttl=44 time=430 ms
64 bytes from static.213-133-116-44.clients.your-server.de (213.133.116.44): icmp_seq=6 ttl=44 time=429 ms

while the "problematic" seems to be 209.126.35.xx.

To me it almost looks like there is some kind of blacklist on the (arch) server side but of course that's just a guess.

Offline

#4 2026-02-19 10:49:40

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 73,365

Re: Is there a firewall for certain IP addresses?

The bbs works?
209.126.35.81 is HAProxy Technologies, likely more of https://bbs.archlinux.org/viewtopic.php?id=311669
Check the curl behavior

Offline

#5 2026-02-19 12:24:02

mikro
Member
Registered: 2011-01-10
Posts: 13

Re: Is there a firewall for certain IP addresses?

Hmm, the other posters claimed that ping works for them and are seeing mostly TLS / EOF errors. I can't even ping aur.archlinux.org. wiki.archlinux.org sometimes returns a couple of packets but for example right now it's as dead as aur.

For example, I tried "openssl s_client aur.archlinux.org:443" and it took ages to get at least:

openssl s_client aur.archlinux.org:443
Connecting to 209.126.35.78
CONNECTED(00000003)

(and then nothing)

I tried also:

curl -v https://aur.archlinux.org
* Host aur.archlinux.org:443 was resolved.
* IPv6: 2604:cac0:a104:d::2
* IPv4: 209.126.35.78
*   Trying [2604:cac0:a104:d::2]:443...
* Immediate connect fail for 2604:cac0:a104:d::2: Network is unreachable
*   Trying 209.126.35.78:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
*   CAfile: /etc/ssl/certs/ca-certificates.crt

(took again ages to show up, and then nothing)

So it would seem that my issue occurs even before reaching what others are seeing in the other thread. My IP is 110.32.253.143.

Oh and yes, bbs seems to be unaffected.

Last edited by mikro (2026-02-19 12:24:25)

Offline

#6 2026-02-19 13:23:26

xerxes_
Member
Registered: 2018-04-29
Posts: 1,019

Re: Is there a firewall for certain IP addresses?

How about this: 'traceroute -I aur.archlinux.org' ?
Do you use ISP DNS? What about different DNSes? Or DNS over HTTPS (you may try in browser like Firefox first) ?

Offline

#7 2026-02-19 15:02:03

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 73,365

Re: Is there a firewall for certain IP addresses?

My IP is 110.32.*.*

You don't want to publish that.

Fwiw, tracepath never reaches HAProxy Technologies here either (but there's no problem pinging the IPs or domains)
Do you have a trace from the mobile connection, though?
Same WAN segment (110.32.*.*)?

Offline

#8 2026-02-19 15:34:03

cryptearth
Member
Registered: 2024-02-03
Posts: 1,981

Re: Is there a firewall for certain IP addresses?

@seth
nothing to worry about - residential ISP
https://ipinfo.io/AS4804/110.32.0.0/15

Offline

#9 2026-02-19 18:14:46

xerxes_
Member
Registered: 2018-04-29
Posts: 1,019

Re: Is there a firewall for certain IP addresses?

mikro wrote:

I'm trying to win a hopeless battle with My Optus (the internet/mobile provider) to send someone to take a look. They swear they checked it internally and the access worked for them

You have to tell them that the access should work not only for them, but also for you.

Offline

#10 2026-02-19 20:29:19

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 73,365

Re: Is there a firewall for certain IP addresses?

If you're booting some random live distro like grml.org, do you run into the same situation?
If so, it's on your ISP. If not there might be some really weird, local, broken netfilter rule at play.

Offline

#11 2026-02-20 11:25:45

mikro
Member
Registered: 2011-01-10
Posts: 13

Re: Is there a firewall for certain IP addresses?

The same I can observe in Windows 11, so I'd say that is random enough. :)

Current tracepath from wired internet:

[mikro@pc ~]$ tracepath -n 209.126.35.78
1?: [LOCALHOST]                      pmtu 1500
1:  192.168.0.1                                           0.605ms
1:  192.168.0.1                                           0.351ms
2:  no reply
3:  no reply
4:  no reply
5:  no reply
6:  no reply
7:  59.154.57.180                                        25.005ms
8:  no reply
9:  203.208.150.189                                     261.738ms asymm 11
10:  203.208.151.94                                      258.021ms asymm 11
11:  no reply
12:  no reply
13:  no reply
14:  no reply
15:  no reply
16:  no reply
17:  no reply
18:  no reply
19:  no reply
20:  no reply
21:  no reply
22:  no reply
23:  no reply
24:  no reply
25:  no reply
26:  no reply
27:  no reply
28:  no reply
29:  no reply
30:  no reply
     Too many hops: pmtu 1500
     Resume: pmtu 1500


And mobile internet:

[mikro@pc ~]$ tracepath -n 209.126.35.78
1?: [LOCALHOST]                      pmtu 1500
1:  10.119.138.122                                        6.421ms
1:  10.119.138.122                                        6.240ms
2:  10.111.65.189                                        78.454ms
3:  10.194.221.67                                        53.696ms
4:  10.194.221.56                                        30.551ms
5:  no reply
6:  no reply
7:  no reply
8:  61.88.33.47                                         114.938ms
9:  203.208.150.173                                     387.702ms asymm 12
10:  203.208.147.113                                     399.859ms asymm 11
11:  203.208.166.61                                      400.282ms asymm 14
12:  203.208.178.229                                     319.331ms asymm 13
13:  129.250.2.238                                       354.728ms asymm 16
14:  no reply
15:  no reply
16:  no reply
17:  no reply
18:  no reply
19:  no reply
20:  no reply
21:  no reply
22:  no reply
23:  no reply
24:  no reply
25:  no reply
26:  no reply
27:  no reply
28:  no reply
29:  no reply
30:  no reply
     Too many hops: pmtu 1500
     Resume: pmtu 1500

IP address is different: 110.32.253.143 (wired) vs. 211.30.163.35 (mobile).

Offline

#12 2026-02-20 14:39:41

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 73,365

Re: Is there a firewall for certain IP addresses?

Mobile and landline use different segments belonging to Optus, both route you through Singtel (looks like Optus is their subsidiary?) and the mobile connection then goes to NTT America.
Can you ping 129.250.2.238 from the landline?

Offline
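
Added example, not part of any post in this thread: a small Python helper that makes the comparison of the two `tracepath -n` runs from post #11 mechanical, reporting the last public hop that answered on each path and the hops that only the working path shows. The function names and the /24 grouping are choices made for this example; the trace text is copied from the post with most "no reply" lines trimmed.

```python
import ipaddress
import re

# One answered IPv4 hop in `tracepath -n` output: "<ttl>:  <address>  <rtt>ms ..."
HOP = re.compile(r"^\s*(\d+):\s+(\d+\.\d+\.\d+\.\d+)\s+[\d.]+ms")

# Traces copied from post #11 above, with most "no reply" lines trimmed.
WIRED = """\
 1?: [LOCALHOST]                      pmtu 1500
 1:  192.168.0.1                                           0.605ms
 7:  59.154.57.180                                        25.005ms
 8:  no reply
 9:  203.208.150.189                                     261.738ms asymm 11
10:  203.208.151.94                                      258.021ms asymm 11
11:  no reply
"""
MOBILE = """\
 1:  10.119.138.122                                        6.421ms
 8:  61.88.33.47                                         114.938ms
 9:  203.208.150.173                                     387.702ms asymm 12
10:  203.208.147.113                                     399.859ms asymm 11
11:  203.208.166.61                                      400.282ms asymm 14
12:  203.208.178.229                                     319.331ms asymm 13
13:  129.250.2.238                                       354.728ms asymm 16
14:  no reply
"""

def public_hops(text):
    """Map TTL -> first public address that answered at that TTL."""
    hops = {}
    for line in text.splitlines():
        m = HOP.match(line)
        if m and not ipaddress.ip_address(m.group(2)).is_private:
            hops.setdefault(int(m.group(1)), m.group(2))
    return hops

def net24(addr):
    # Group IPv4 hops by /24 so neighbouring router interfaces compare equal.
    return str(ipaddress.ip_network(addr + "/24", strict=False))

def compare(failing, working):
    f, w = public_hops(failing), public_hops(working)
    seen = {net24(a) for a in f.values()}
    return {
        "failing_last": f[max(f)],
        "working_last": w[max(w)],
        "shared_nets": sorted(seen & {net24(a) for a in w.values()}),
        "only_working": [a for _, a in sorted(w.items()) if net24(a) not in seen],
    }
```

A trailing run of "no reply" lines is not by itself evidence of a block: as noted in post #7, tracepath does not reach the destination even from a network where the sites work, so the useful signal is where the two paths stop agreeing.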

#13 2026-02-20 14:46:36

mikro
Member
Registered: 2011-01-10
Posts: 13

Re: Is there a firewall for certain IP addresses?

Yup, ping 129.250.2.238 works OK.

Offline

#14 2026-02-20 15:27:44

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 73,365

Re: Is there a firewall for certain IP addresses?

Then it's probably the routing inside singtel/optus
Have you tried to get a new IP by rebooting the modem?

Offline

#15 2026-02-20 15:43:18

mikro
Member
Registered: 2011-01-10
Posts: 13

Re: Is there a firewall for certain IP addresses?

Not for this specific reason but yes, the Optus support representative made me even factory-reset it. :)

Offline

#16 2026-02-20 16:03:26

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 73,365

Re: Is there a firewall for certain IP addresses?

Contact accountsupport@archlinux.org w/ this data - HAProxy might not like SingTel but might like NTT and that hop "saves" you.
They might also be discriminating the two Optus ranges, but none of that really fits w/ the weak behavior and w/ ping it also can't be package fragmentation (MTU related)

Offline
