I noticed the network (NYGC computer room) on one switch could not do www (port 80) when I blocked more than port range 4000-65535;
and the same network (NYGC public PCs) on another switch couldn't do www when I blocked more than port range 4000-45000.
The port ranges given above are rounded to 1000, since I didn't test every port - that's crazy.
This is a mystery to me. I would like to think it's a bug in the router system - DD-WRT.