
I have a Raspberry Pi 3 B+ with Raspbian Buster (10) and I am trying to build a router. I have set up the following programs:

  • bind9 for local dns resolution
  • hostapd for wifi hotspot
  • bridge-utils to bridge several USB RJ45 network adapters
  • isc-dhcp-server for DHCP

Everything works except that some sites, like https://www.blizzard.com/ and https://elinux.org/RPi_VerifiedPeripherals, do not work on the LAN computer; they do work with wget on the Raspberry Pi terminal.

dig elinux.org

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> elinux.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13532
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 83ac21300a7256c9547d18865dac8a7c05e503c74f8a2539 (good)
;; QUESTION SECTION:
;elinux.org.                    IN      A

;; ANSWER SECTION:
elinux.org.             288     IN      A       140.211.9.40

;; Query time: 5 msec
;; SERVER: 193.231.252.1#53(193.231.252.1)
;; WHEN: Sun Oct 20 17:25:32 BST 2019
;; MSG SIZE  rcvd: 83
ping elinux.org
PING elinux.org (140.211.9.40) 56(84) bytes of data.
64 bytes from web3.osuosl.org (140.211.9.40): icmp_seq=1 ttl=46 time=204 ms
64 bytes from web3.osuosl.org (140.211.9.40): icmp_seq=2 ttl=46 time=234 ms
64 bytes from web3.osuosl.org (140.211.9.40): icmp_seq=3 ttl=46 time=203 ms
64 bytes from web3.osuosl.org (140.211.9.40): icmp_seq=4 ttl=46 time=203 ms
^C
--- elinux.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 6ms
rtt min/avg/max/mdev = 203.260/211.043/234.063/13.298 ms
root@raspberrypi ~ # traceroute elinux.org
traceroute to elinux.org (140.211.9.40), 30 hops max, 60 byte packets
 1  10.0.0.1 (10.0.0.1)  1.565 ms  1.224 ms  1.262 ms
 2  10.225.82.129 (10.225.82.129)  1.930 ms  1.918 ms  1.963 ms
 3  static-10-220-142-133.rdsnet.ro (10.220.142.133)  5.718 ms static-10-220-142-135.rdsnet.ro (10.220.142.135)  5.515 ms static-10-220-142-131.rdsnet.ro (10.220.142.131)  5.406 ms
 4  buca-b1-link.telia.net (62.115.165.184)  48.952 ms  48.961 ms  48.858 ms
 5  win-bb2-link.telia.net (62.115.119.116)  39.329 ms  38.954 ms  39.079 ms
 6  prag-b3-link.telia.net (62.115.137.41)  39.599 ms prag-b3-link.telia.net (62.115.136.219)  43.260 ms prag-b3-link.telia.net (62.115.137.41)  39.919 ms
 7  be1299.ccr21.prg01.atlas.cogentco.com (130.117.14.217)  36.927 ms  37.006 ms  40.529 ms
 8  be3029.ccr42.ham01.atlas.cogentco.com (154.54.59.61)  44.963 ms be3027.ccr41.ham01.atlas.cogentco.com (130.117.1.205)  48.916 ms  44.906 ms
 9  be2816.ccr42.ams03.atlas.cogentco.com (154.54.38.209)  49.500 ms  49.530 ms be2815.ccr41.ams03.atlas.cogentco.com (154.54.38.205)  46.480 ms
10  be2183.ccr22.lpl01.atlas.cogentco.com (154.54.58.69)  150.451 ms be2182.ccr21.lpl01.atlas.cogentco.com (154.54.77.246)  145.172 ms  141.699 ms
11  be3042.ccr21.ymq01.atlas.cogentco.com (154.54.44.162)  201.322 ms be3043.ccr22.ymq01.atlas.cogentco.com (154.54.44.166)  143.314 ms  140.090 ms
12  be2088.ccr21.alb02.atlas.cogentco.com (154.54.43.18)  149.432 ms  149.643 ms be3260.ccr32.yyz02.atlas.cogentco.com (154.54.42.89)  144.251 ms
13  be2878.ccr21.cle04.atlas.cogentco.com (154.54.26.129)  141.580 ms be2994.ccr22.cle04.atlas.cogentco.com (154.54.31.233)  149.237 ms be2879.ccr22.cle04.atlas.cogentco.com (154.54.29.173)  143.909 ms
14  be2717.ccr41.ord01.atlas.cogentco.com (154.54.6.221)  144.485 ms be2718.ccr42.ord01.atlas.cogentco.com (154.54.7.129)  140.289 ms  141.324 ms
15  be2832.ccr22.mci01.atlas.cogentco.com (154.54.44.169)  168.942 ms be2831.ccr21.mci01.atlas.cogentco.com (154.54.42.165)  161.018 ms be2832.ccr22.mci01.atlas.cogentco.com (154.54.44.169)  160.662 ms
16  be3035.ccr21.den01.atlas.cogentco.com (154.54.5.89)  177.900 ms  175.603 ms  177.563 ms
17  be3037.ccr21.slc01.atlas.cogentco.com (154.54.41.145)  200.108 ms be3038.ccr32.slc01.atlas.cogentco.com (154.54.42.97)  187.487 ms  192.694 ms
18  be2029.ccr22.sea02.atlas.cogentco.com (154.54.86.110)  193.006 ms 154.54.89.101 (154.54.89.101)  196.937 ms  195.776 ms
19  be2670.ccr21.pdx01.atlas.cogentco.com (154.54.42.150)  198.230 ms be2671.ccr21.pdx01.atlas.cogentco.com (154.54.31.78)  200.333 ms be2670.ccr21.pdx01.atlas.cogentco.com (154.54.42.150)  198.074 ms
20  cogent-pdx.nero.net (38.142.108.50)  199.346 ms  202.199 ms  202.046 ms
21  ptck-p2-gw.nero.net (207.98.64.170)  194.704 ms ptck-p1-gw.nero.net (207.98.64.168)  191.265 ms ptck-p2-gw.nero.net (207.98.64.170)  194.576 ms
22  corv-p1-gw.nero.net (207.98.64.25)  199.337 ms corv-p2-gw.nero.net (207.98.64.27)  198.806 ms  201.314 ms
23  corv-car1-gw.nero.net (207.98.64.17)  205.363 ms corv-car1-gw.nero.net (207.98.64.19)  211.461 ms  202.935 ms
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Windows 10:

C:\Users\xx>ping elinux.org

Pinging elinux.org [140.211.9.40] with 32 bytes of data:
Reply from 140.211.9.40: bytes=32 time=203ms TTL=45
Reply from 140.211.9.40: bytes=32 time=203ms TTL=45
Reply from 140.211.9.40: bytes=32 time=203ms TTL=45
Reply from 140.211.9.40: bytes=32 time=203ms TTL=45

C:\Users\IcyTeck>tracert elinux.org

Tracing route to elinux.org [140.211.9.40]
over a maximum of 30 hops:

  1     1 ms    <1 ms     1 ms  192.168.1.1
  2     1 ms     1 ms     1 ms  10.0.0.1
  3     2 ms     2 ms     2 ms  10.225.82.129
  4    49 ms    72 ms    55 ms  10.220.142.133
  5    40 ms    40 ms    40 ms  buca-b1-link.telia.net [62.115.165.184]
  6    37 ms    36 ms    36 ms  prag-bb1-link.telia.net [62.115.119.122]
  7    42 ms    42 ms    42 ms  prag-b3-link.telia.net [62.115.136.219]
  8    39 ms    37 ms    37 ms  be1299.ccr21.prg01.atlas.cogentco.com [130.117.14.217]
  9    45 ms    45 ms    45 ms  be3029.ccr42.ham01.atlas.cogentco.com [154.54.59.61]
 10    46 ms    46 ms    46 ms  be2816.ccr42.ams03.atlas.cogentco.com [154.54.38.209]
 11   147 ms   147 ms   147 ms  be2183.ccr22.lpl01.atlas.cogentco.com [154.54.58.69]
 12   147 ms   144 ms   142 ms  be3043.ccr22.ymq01.atlas.cogentco.com [154.54.44.166]
 13   141 ms   141 ms   142 ms  be3260.ccr32.yyz02.atlas.cogentco.com [154.54.42.89]
 14   146 ms   146 ms   146 ms  be2994.ccr22.cle04.atlas.cogentco.com [154.54.31.233]
 15   146 ms   146 ms   146 ms  be2718.ccr42.ord01.atlas.cogentco.com [154.54.7.129]
 16   172 ms   166 ms   166 ms  be2832.ccr22.mci01.atlas.cogentco.com [154.54.44.169]
 17   186 ms   180 ms   179 ms  be3036.ccr22.den01.atlas.cogentco.com [154.54.31.89]
 18   194 ms   194 ms   194 ms  be3038.ccr32.slc01.atlas.cogentco.com [154.54.42.97]
 19   194 ms   194 ms   194 ms  154.54.89.101
 20   197 ms   197 ms   197 ms  be2671.ccr21.pdx01.atlas.cogentco.com [154.54.31.78]
 21   199 ms   199 ms   199 ms  cogent-pdx.nero.net [38.142.108.50]
 22   192 ms   193 ms   193 ms  ptck-p1-gw.nero.net [207.98.64.168]
 23   209 ms   204 ms   209 ms  corv-p1-gw.nero.net [207.98.64.25]
 24   213 ms   209 ms   209 ms  corv-car1-gw.nero.net [207.98.64.19]
 25   203 ms   203 ms   203 ms  web3.osuosl.org [140.211.9.40]

Any idea?

Thank you so much in advance and have a great weekend!

PS: this is my firewall script

#!/bin/bash
echo "Setting sysctl ..."
# Enable routing between interfaces (IPv4 and IPv6)
/sbin/sysctl net.ipv4.ip_forward=1
/sbin/sysctl net.ipv6.conf.default.forwarding=1
/sbin/sysctl net.ipv6.conf.all.forwarding=1
/sbin/sysctl -p
echo "Cleaning ..."
# Flush all tables and delete user-defined chains
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
echo "Creating ..."
# Replies to connections the router itself opened, plus loopback
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# NOTE: this accepts all unsolicited inbound traffic arriving on the WAN (ppp0) link
iptables -A INPUT -i ppp0 -j ACCEPT
# Source addresses masked by the author
iptables -A INPUT -s 8x.1x.x.248 -j ACCEPT
iptables -A INPUT -s 8x.1x.x.0 -j ACCEPT
iptables -A INPUT -s 8x.1x.x.6 -j ACCEPT
iptables -A INPUT -s 8x.1x.x.21 -j ACCEPT
iptables -A INPUT -s 8x.1x.x.36 -j ACCEPT
# Let the router ping out and receive the replies; forward replies for the LAN
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT

# NAT traffic leaving towards the internet
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Accept anything from the LAN ranges; forward and send everything
iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.0.255 -j ACCEPT
iptables -A INPUT -m iprange --src-range 192.168.1.0-192.168.1.255 -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT
# "nat" is a table, not a chain, so "iptables -A nat ..." is rejected by iptables;
# a rule in the nat table needs "-t nat -A <chain>" (kept disabled here)
#iptables -t nat -A POSTROUTING -j ACCEPT

# Log whatever reaches the end of each chain (FORWARD and OUTPUT never get
# here because of the unconditional ACCEPT rules above)
iptables -A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 4
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" --log-level 4
iptables -A FORWARD -j LOG --log-prefix "FORWARD:DROP:" --log-level 4
#iptables -t nat -A POSTROUTING -j LOG --log-prefix "nat:DROP:" --log-level 4

# Default deny for everything else addressed to the router itself
iptables -A INPUT -j DROP
echo "Dropping ...:"
#iptables -I INPUT -s 95.90.x.x -j DROP

echo "Sysctl rules:"
/sbin/sysctl -p
echo "Iptables rules:"
iptables -v -L -n
x5qubits
  • Why are you masquerading eth1? – davidgo Oct 20 '19 at 18:30
  • So PPPoE connects on eth1. I am sure it is not needed, but I tried without it and got the same... The firewall rules are the result of my desperate attempts to fix the issue. – x5qubits Oct 20 '19 at 18:33
  • Ah - The nat line for eth1 is not needed. Am I correct that the symptoms are that no error is returned but the site either never loads or takes a very long time to load? – davidgo Oct 20 '19 at 18:39
  • Yes, that's the weird behaviour, and I can't identify the problem or which daemon is causing this. – x5qubits Oct 20 '19 at 18:43

1 Answer

This sounds like an MTU issue. Because you are using PPP over Ethernet the maximum packet size is reduced - this can cause issues with large packets not being forwarded. Packets sent directly from the router are smaller because they use the smaller MTU of the PPP interface.

One way of solving this problem for TCP traffic is MTU clamping - try adding

  iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ppp0 -j TCPMSS --clamp-mss-to-pmtu

to your iptables config and see if that fixes things.

davidgo
  • So is eth0 the LAN or the WLAN interface in your example? Because here it is the LAN (the one connected to my computer). – x5qubits Oct 20 '19 at 18:49
  • Whoops. Sorry, I copy-pasted. That should be ppp0 – davidgo Oct 20 '19 at 18:52
  • That worked, thank you so much. Can I do the same for UDP? – x5qubits Oct 20 '19 at 18:54
  • Don't think so. UDP is usually small packets so it's not as much of an issue (or the protocol sitting on UDP handles this). You could instead decrease the MTU of other devices on your network so they never send packets too large (you would need to play around for the highest value, normally by subtracting a multiple of 8 from 1500) – davidgo Oct 20 '19 at 19:11
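To make concrete what the TCPMSS clamp rule in the answer does, here is an added example (not code from the question, the answer, or iptables): it parses the TCP options of a SYN, reads the advertised MSS, and rewrites it to the largest value that fits the PPPoE link, the same rewrite `--clamp-mss-to-pmtu` performs on forwarded SYNs. The sample option bytes and the PPPoE/IP/TCP header sizes are constructed from the usual defaults, not taken from the post.

```python
"""Model of what the TCPMSS --clamp-mss-to-pmtu rule does to a SYN.

Added example, not code from the question or the answer. PPPoE costs 8
bytes, so a 1500-byte Ethernet link gives a 1492-byte ppp0 MTU and a
maximum IPv4 MSS of 1452, while LAN hosts advertise 1460 by default.
"""
import struct

PPPOE_OVERHEAD = 8  # PPPoE (6) + PPP (2) header bytes on the Ethernet link
IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2

# Constructed sample: options of a typical Linux SYN (MSS 1460, SACK-OK, timestamps, NOP, wscale 7)
SAMPLE_SYN_OPTIONS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07"

def max_mss(link_mtu, ipv6=False, pppoe=True):
    """Largest TCP MSS that fits one packet on the given link."""
    mtu = link_mtu - PPPOE_OVERHEAD if pppoe else link_mtu
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR

def _walk(options):
    """Yield (offset, kind, length) for each TCP option, validating lengths."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad TCP option length")
        yield i, kind, length
        i += length

def advertised_mss(options):
    """MSS carried in the options, or None when there is no MSS option."""
    for off, kind, length in _walk(options):
        if kind == OPT_MSS and length == 4:
            return struct.unpack_from("!H", options, off + 2)[0]
    return None

def clamp_mss_option(options, pmtu_mss):
    """Return the options with an over-sized MSS lowered to pmtu_mss."""
    out = bytearray(options)
    for off, kind, length in _walk(out):
        if kind == OPT_MSS and length == 4:
            if struct.unpack_from("!H", out, off + 2)[0] > pmtu_mss:
                struct.pack_into("!H", out, off + 2, pmtu_mss)
    return bytes(out)
```

Running `clamp_mss_option(SAMPLE_SYN_OPTIONS, max_mss(1500))` lowers the MSS from 1460 to 1452 and leaves every other option untouched, which is why the clamped connections then fit the ppp0 link without relying on ICMP "fragmentation needed" messages reaching the LAN host.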