Might Not Be Firewalla's Problem
After mucking about a bit, I dropped a line to Firewalla's support and laid out the things from the last few days. Then I put the old router back and tried the same things.
It looks like the old router can't ping or curl things on the Internet, either! Well, some things work, on both routers.
Because it's resilient and easy to use, 1.1.1.1 comes into play a lot. It hosts DNS, responds to ping, and delivers web pages. A great bit of help when trying to figure out what's up. Shout out to Cloudflare for the assist!
Using a browser to hit https://1.1.1.1/help will give a nice screen letting you know whether your system or browser is using DoH (DNS over HTTPS), DoT (DNS over TLS), or their plain public DNS. Hitting that URL with curl gives a quick redirect to https://one.one.one.one/help instead of the same splash of data.
On both routers, when I started poking around, 1.1.1.1 didn't respond to anything, but after a while it did. Frustrating when errors aren't consistent!
There are other things to test. Hitting https://ipconfig.me/ will echo back your Internet IP. Visiting it in a browser gives a lot more information. It's generally quick, and from curl responds with just the IPv4 address. I haven't tested it on IPv6. That didn't work on either router, but does work from the servers on the subnet the routers route, as well as from nodes on the NAT LAN on the WiFi router.
I also tested some of the things that were failing on the Firewalla, like its attempts to hit https://check.firewalla.com/, which in a browser redirects to https://diag.firewalla.com/, which gives some details about the network. I didn't test from a node on the network with the old edge router in place, but I did check on both routers, and it doesn't work.
I also got only intermittent responses when pinging my ISP's DNS from either router. Sometimes the ping worked, sometimes it didn't.
Both routers consistently resolve names, though, whether as part of the curl commands or when tested directly with nslookup. DNS usually goes over UDP (it can use TCP too; many people think it is UDP only, but that's "usually", not "only"), so working name resolution alongside failing curl might be a good indicator that something is blocking TCP from my routers through the ISP's network.
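The lookups that worked would have gone over UDP, so the cleanest way to test the "TCP is blocked" hypothesis is to send the same DNS query to the same resolver over both transports and see which one comes back. The script below is an added example, not code from the original post or from Firewalla; it assumes a resolver that answers on both UDP and TCP port 53 (1.1.1.1, as used throughout the post, is the default) and looks up example.com. The function names are my own. If the UDP query succeeds and the TCP query times out or is refused, the problem is on the TCP path, not DNS.

```python
"""Probe a resolver over UDP and over TCP with the same DNS query.

Added example, not from the original post. Assumes the resolver answers
on both transports on port 53; RESOLVER and the name looked up are arbitrary.
"""
import random
import socket
import struct

RESOLVER = "1.1.1.1"      # assumption: Cloudflare's public resolver, as in the post
TIMEOUT = 3.0             # seconds to wait for each transport


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A query (one question, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes, txid: int) -> list:
    """Return the IPv4 addresses in the answer section; check txid and RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def query_udp(name: str, resolver: str = RESOLVER, txid: int = 0x1234) -> list:
    """Classic DNS: one datagram out, one datagram back."""
    q = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(TIMEOUT)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def query_tcp(name: str, resolver: str = RESOLVER, txid: int = 0x1234) -> list:
    """DNS over TCP: same message, but framed with a 2-byte big-endian length."""
    q = build_query(name, txid)
    with socket.create_connection((resolver, 53), timeout=TIMEOUT) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_a_records(data, txid)


def diagnose(udp_ok: bool, tcp_ok: bool) -> str:
    """Turn the two outcomes into the conclusion a network engineer would draw."""
    if udp_ok and not tcp_ok:
        return "UDP reaches the resolver but TCP does not: TCP is being blocked upstream"
    if tcp_ok and not udp_ok:
        return "TCP works but UDP does not: UDP/53 is being filtered"
    if not udp_ok and not tcp_ok:
        return "neither transport works: the resolver is unreachable or down"
    return "both transports work: DNS transport is not the problem"


if __name__ == "__main__":
    txid = random.getrandbits(16)        # unpredictable id, as a real stub resolver uses
    results = {}
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[label] = fn("example.com", txid=txid)
            print("%s: %s" % (label, results[label]))
        except (OSError, ValueError) as exc:      # timeouts, resets, bad replies
            results[label] = None
            print("%s: FAILED (%s)" % (label, exc))
    print(diagnose(results["udp"] is not None, results["tcp"] is not None))
```

Run it from the router's LAN and then from a host the routers route for; if the LAN host gets both answers and the router only the UDP one, that matches the pattern of resolved names and failed curls described above. A resolver that answers the TCP query but with a different address than over UDP, or with an unexpected transaction id, is also worth noting, since it points at something answering on the ISP's behalf.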
I dropped a line to my ISP to see if they can see something.