[tor-relays] bridge relay marked as down but I can manually connect to it

Hi,

I don’t know why but my bridge relay is marked as down but I can connect to it with my Tor browser. Nyx successfully detected my traffic, and two others joined after my traffic (but at other times it’s just ~700B/s w/o connection). And every time I restart the tor service, it will be up for some hours. There is no error or warning in the log.

More context: I set up my first relay yesterday (>18hrs ago) on Ubuntu 24, Tor 0.4.8.18, following the guide. It’s on a KVM/QEMU VPS with some of my other services.

The status is right here: https://bridges.torproject.org/status?id=A69AD85C2E175BD0F753E1CCBE5D4BA371149685 and https://metrics.torproject.org/rs.html#details/A69AD85C2E175BD0F753E1CCBE5D4BA371149685.

Do I need to allow some extra ports? Right now I only accept the ORPort and block any others. Or might it be related to my VPS ISP?

> I don't know why but my bridge relay marked as down but I can connect to it
> with my Tor browser.[...]
>
> the status is right here: <https://bridges.torproject.org/status?id=A69AD85C2E175BD0F753E1CCBE5D4BA371149685>
> and <https://metrics.torproject.org/rs.html#details/A69AD85C2E175BD0F753E1CCBE5D4BA371149685>.

For me the bridge status page says

"Bridge A69AD85C2E175BD0F753E1CCBE5D4BA371149685 advertises:

* obfs4 IPv6: dysfunctional
  Error: timed out waiting for bridge descriptor
  Last tested: 2025-10-01 15:12:26.831787229 +0000 UTC (1h58m7.473805368s ago)

* obfs4 IPv4: dysfunctional
  Error: timed out waiting for bridge descriptor
  Last tested: 2025-10-01 15:12:26.831787229 +0000 UTC (1h58m7.473813933s ago)"

> Do I need to allow some extra ports? right now I only accept the ORPort and
> block any others.

Yes: you are running an obfs4 bridge, so you need to allow incoming
connections to your obfs4 port too.

(In the future we would like to make it easier for you to firewall
connections to your ORPort, since clients don't normally use it directly,
but we're not quite there yet. There are some hacky workarounds, but
for simplicity you should keep allowing connections to your ORPort too,
so your bridge will pass its self-reachability tests.)

Thanks for running a bridge!

--Roger

On Tue, Sep 30, 2025 at 01:25:27PM -0500, Eritque arcus via tor-relays wrote:

_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org
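
The point of the reply above, that an obfs4 bridge needs both its ORPort and its obfs4 listener accepted inbound, as an added example (not part of the thread and not Tor Project tooling). The torrc contents, the port numbers and the function names `required_ports` and `blocked_listeners` are constructed for illustration, and it assumes one transport name per `ServerTransportPlugin` line.

```shell
#!/bin/sh
# Constructed sample torrc for an obfs4 bridge (ports are made-up values).
SAMPLE_TORRC='BridgeRelay 1
ORPort 9001
ORPort [::]:9001
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:8443   # fixed obfs4 port
ExtORPort auto'

# Read torrc text on stdin and print "name port" for every listener that
# must accept inbound TCP. A transport with no ServerTransportListenAddr
# gets a port chosen for it, so it is reported as "unpinned": there is
# nothing stable to put in a firewall rule.
required_ports() {
    awk '
        { sub(/#.*/, "") }                         # strip comments
        tolower($1) == "orport" {
            n = split($2, a, ":"); print "ORPort", a[n]
        }
        tolower($1) == "servertransportplugin"     { pt[$2] = 1 }
        tolower($1) == "servertransportlistenaddr" {
            n = split($3, a, ":"); addr[$2] = a[n]
        }
        END {
            for (t in pt)
                print t, ((t in addr) ? addr[t] : "unpinned")
        }
    ' | LC_ALL=C sort -u
}

# $1 is the space-separated list of TCP ports the firewall accepts inbound.
# Prints every required listener that this list does not cover.
blocked_listeners() {
    allowed=" $1 "
    required_ports | while read -r name port; do
        case "$allowed" in
            *" $port "*) ;;                        # port is allowed
            *) echo "$name $port" ;;
        esac
    done
}

# The situation from the first message: only the ORPort is allowed.
printf '%s\n' "$SAMPLE_TORRC" | blocked_listeners "9001"   # prints: obfs4 8443
```

To check a real bridge, pipe the actual torrc into `blocked_listeners` together with the ports the firewall currently accepts.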


> I am actually experiencing the same problem, but with an
> OBFS4 bridge I've set up over a year ago on FreeBSD.
>
> The bridge keeps getting marked as down for a few hours
> and I am receiving Tor weather down mail each time, even
> though it is always online and reachable (ORPort + OBFS4).

Hi! Thanks for running a bridge.

I think your situation is different than the other person's issue. Your
bridge gets a *lot* of use, presumably because many people have learned
about it and use it as their bridge.

So it makes sense that it continues to get use even when it's marked as
down by rdsys and bridgestrap -- the users keep using it independent of
whether it is marked down or given out to further users at that moment.

One possible explanation is that it is overloaded to the point that it
is inconsistent at receiving new incoming connections. That is, most
of the time bridgestrap can successfully connect to it, but sometimes
bridgestrap fails because you are out of some resource (file descriptors,
socket accept queue, bandwidth, etc) at that moment.

Another possible explanation is that some bug in the anti-censorship
team toolchain (rdsys, bridgestrap, maybe the metrics side) is making
it be marked down when it shouldn't be.

> Status:
> https://bridges.torproject.org/status?id=159DAE6BC567CAE6F87281077518B6593C49E131

Some days ago I tried this url and it said your bridge is working. But
I just tried going there this moment and it says

* obfs4 IPv4: dysfunctional
  Error: timed out waiting for bridge descriptor
  Last tested: 2025-10-04 18:15:42.513154413 +0000 UTC (2h47m17.286882518s ago)

* obfs4 IPv6: dysfunctional
  Error: timed out waiting for bridge descriptor
  Last tested: 2025-10-04 18:15:42.513154413 +0000 UTC (2h47m17.286890098s ago)

Yet I can still connect when I tried just now (albeit almost 3 hours
after bridgestrap tried and failed so that doesn't say that much).

So my guess is more toward 'inconsistently unreachable, perhaps because
overloaded' rather than some toolchain bug.

--Roger


On Wed, Oct 01, 2025 at 10:47:56AM +0000, zwiebelrouter via tor-relays wrote:
