cannot access https websites

Hello,

I’ve a MikroTik RB2011UiAS-2HnD. Since yesterday I cannot access HTTPS websites anymore.
All other things still work, like VPN, incoming HTTPS traffic (port forwarding), and HTTP traffic over VPN tunnels.
I can access all HTTP sites, but when they get redirected to HTTPS it stops working.

I’ve looked at all firewall rules and also added an allow-any-any rule, but it won’t work.

Does somebody have suggestions?

Maybe you have forwarded the HTTPS port 443 from WAN to an internal LAN device?
This would be just one possible cause.

I have the same problem on some of my routers. Not all.
HTTPS sites like https://wellsfargo.com cannot be rendered. Other sites like https://crucial.com are very slow to render.

I do not have a router workaround. The problem is exacerbated by some third-party routers at the client location, like a Netgear. The DNS proxy does not seem to get information from my MikroTik main router and pass it on to the client PC. I can ping the domain but cannot pass the https:// site to the client.

My only solution has been to replace the client router (ex: netgear) with a mikrotik. I have 600 customers and cannot replace all their routers.

Is there a known issue with MikroTik ROS passing HTTPS data on to third-party routers?

Do you have a drop-invalid-packets rule on the firewall?

If you do, how much data does it say it’s processed?

Any chance that you have a PPP or EoIP interface in a bridge?
Every time that I have seen this issue, it has been an MTU problem.
When you add an interface into a bridge, the bridge will automatically lower the MTU of the bridge to the lowest MTU of all of the interfaces. This almost always breaks HTTPS.

Thank you for that insight about EoIP. I believe that may be the smoking gun in my case.
I have used EoIP for various access situations and the scenario fits with my problems with HTTPS.

Much appreciated.

Rick

Glad to have helped. It took me several days of looking at every little thing to figure that out.

I just wanted to say thank you, because I was looking into this same issue for days… Of course it was EoIP tunnel related. Btw, it was so difficult to even realize there was an issue, because some websites work normally and some don’t (seemingly randomly). Anyway, thank you once again, your post was a life saver :)

Thank you very much, I had the same problem and it was driving me crazy.
I had created an EoIP tunnel and this was the problem.
But the most curious thing is that it was disabled, and even then I had problems with https browsing.
I had to eliminate the tunnel, and now everything works perfectly.
Thank you very much and greetings.

I just faced the same issue. The problem, as you mentioned, was related to the EoIP tunnel MTU (1408), but in my case I fixed it only by setting the value to 1500 in the MTU field of the bridge. Before, it was empty and, as mentioned, it takes the lowest MTU of the LAN (“Actual MTU 1408”, which was the EoIP interface’s 1408). Now EoIP and TLS websites are working in parallel and currently “Actual MTU 1500”.

Thanks for the great tip. I also created an EoIP interface in my bridge and it changed my MTU and caused multiple problems.
After changing the MTU on the EoIP interface, the problem was solved.


Regards,

Sparo90

Thank you! Thank you! Thank you!

This has been driving me nuts for several days! I use EoIP links to bring customers’ networks to my desk so I can work on things that require wire-type access, and I never noticed the change it was making to the bridge MTU.

I had two sites where for whatever reason this was really screwing up general internet access.

Note also to check any VLAN interfaces hanging off the bridge. They don’t seem to update their MTU in line with the bridge until toggled.

Just wanted to share this…

I had another site with really patchy internet and HTTPS. It also had the issue with an EoIP interface dropping the MTU, which I fixed and expected everything to work again, but it didn’t, which has had me scratching my head.

I exported the config verbose and went through it line by line and found that the router’s IP was on ether2 and not the bridge, which I hadn’t noticed. Moved it to the bridge and all working normally!

Great. It’s the first time I’ve seen an example of an actual issue caused by attaching the IP configuration to a member port of a bridge rather than to the cpu-facing virtual port of that bridge.

Yes, I’ve found routers set up with the IP on a member port before and it’s not really seemed to cause a problem, although in all cases if I spot it I move it to the bridge.

That was my issue! It worked with a Cisco router but not MikroTik! Thanks!!!
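The two root causes the thread converges on (a bridge silently inheriting a low MTU from an EoIP member, and a router address bound to a bridge member port instead of the bridge) are both visible in a plain `/export`, so they can be checked offline before anyone starts toggling interfaces. The script below is an added example and is not code from this thread or from MikroTik: it parses the `add key=value` and `set [ find ... ] key=value` lines of an export into sections, then flags the two conditions. The export text it runs on is a constructed sample, `DEFAULT_MTU` is an assumption for any interface line that carries no `mtu=`, and the parser ignores backslash line continuations, so a large verbose export may need those joined first.

```python
"""Offline audit of a RouterOS '/export' for the two bridge misconfigurations
discussed in this thread: a bridge whose MTU is pulled down by a low-MTU member
(typically an EoIP tunnel), and a router IP address bound to a bridge member
port instead of the bridge itself. Constructed example; the parser understands
plain 'add key=value ...' and 'set [ find ... ] key=value' export lines only
(no backslash line continuations)."""
import shlex
from collections import defaultdict

DEFAULT_MTU = 1500  # assumed for any interface whose export line carries no mtu=

# Constructed sample export (not a real router's configuration).
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether2 ] name=ether2
/interface eoip
add name=eoip-site-a mtu=1408 remote-address=203.0.113.10 tunnel-id=1
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=eoip-site-a
/ip address
add address=192.168.88.1/24 interface=ether2
"""


def parse_export(text):
    """Return {section path: [dict of key=value tokens per add/set line]}."""
    sections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header, e.g. '/interface bridge port'
            section = line
            continue
        if section is None or line.split()[0] not in ("add", "set"):
            continue
        entry = {}
        for tok in shlex.split(line)[1:]:  # shlex keeps quoted values like comment="a b"
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[section].append(entry)
    return sections


def audit_export(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    cfg = parse_export(text)

    # Declared MTU of every interface, plus which bridge each VLAN interface rides on.
    mtu, vlan_parent = {}, {}
    for section, entries in cfg.items():
        if not section.startswith("/interface"):
            continue
        for e in entries:
            if "name" in e:
                mtu[e["name"]] = int(e.get("mtu", DEFAULT_MTU))
                if section == "/interface vlan":
                    vlan_parent[e["name"]] = e.get("interface")

    explicit_bridge_mtu = {e["name"]: e.get("mtu")
                           for e in cfg.get("/interface bridge", []) if "name" in e}
    members = defaultdict(list)
    for e in cfg.get("/interface bridge port", []):
        if "bridge" in e and "interface" in e:
            members[e["bridge"]].append(e["interface"])

    findings = []
    # 1. A bridge with no explicit MTU inherits the lowest member MTU (the thread's EoIP case).
    for bridge, ports in members.items():
        lowest = min(ports, key=lambda p: mtu.get(p, DEFAULT_MTU))
        low_mtu = mtu.get(lowest, DEFAULT_MTU)
        if explicit_bridge_mtu.get(bridge) is None and low_mtu < DEFAULT_MTU:
            findings.append(f"{bridge}: inherits MTU {low_mtu} from member {lowest}; "
                            f"set mtu=1500 on the bridge or take {lowest} out of it")
            for vlan, parent in vlan_parent.items():
                if parent == bridge:
                    findings.append(f"{vlan}: VLAN on {bridge}; re-check its MTU after "
                                    f"the bridge MTU changes (it may not update until toggled)")
    # 2. An IP address on a member port instead of the bridge interface.
    port_to_bridge = {p: b for b, ports in members.items() for p in ports}
    for e in cfg.get("/ip address", []):
        iface = e.get("interface")
        if iface in port_to_bridge:
            findings.append(f"{e.get('address')}: bound to member port {iface}; "
                            f"move it to {port_to_bridge[iface]}")
    return findings


if __name__ == "__main__":
    for line in audit_export(SAMPLE_EXPORT):
        print(line)
```

Run it against the text of `/export verbose` saved from the router; on the sample it reports the inherited MTU of 1408 on bridge1, the VLAN that should be re-checked afterwards, and the address sitting on ether2. Giving the bridge an explicit `mtu=1500` (or removing the EoIP member) and moving the address to the bridge clears all three, which matches the two fixes described in the posts above.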

Hi,

I faced the issue recently with SOME websites not opening via HTTPS protocol correctly. The behavior was:

$ curl -i -v https://web.site
*   Trying 185.xx.xx.xx:443...
* Connected to web.site (185.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

it was for SOME websites only and only in SOME locations - the same device was passing traffic correctly in one network but was failing in the other network (ISP INEA). Configuration was fairly simple - just basic routing with masquerade.

It was narrowed down to an MTU issue and removing the EoIP tunnel from the bridge was the solution. I haven’t tried to force the MTU at the bridge level as suggested earlier.

Leaving this post here as it was the second time I was struggling with such an issue within the last 3 years, so I have a reference in the future.

Ser@fin