Cannot browse all websites

Hi guys, I have this problem with my new RB751. I’m using it on a static IP base, I have set all basic settings and everything works fine. All computers have IPs, my VoIP phones are connected and are able to make calls, and I can visit some Internet pages, but some not. For example, www.google.com works perfectly, but as soon as I click on mail (gmail.com) then it goes to the right domain, which I can see in the address field, but after about a minute it stops with no result. Same on hotmail.com.

Also, another small problem is a too strong Wi-Fi signal. I can receive it very far, like even 50-60 meters on the street. I get 100% signal strength but no internet connection. I assume it’s one way: my iPhone can see it but cannot make use of it because it is not as strong as the router. So how can I put the Wi-Fi settings to normal, so that it has a normal signal in place of full?


any help / advice is appreciated.

thanks in advance.

I hope somebody can help me with this soon.

thanks in advance.

That might be a DNS problem, have you tried other DNS servers? Also what are your firewall rules, please provide “/ip firewall export”, you might be blocking something you don’t intend to.

As far as Wi-Fi TX power, go to the wlan interface menu, turn on advanced mode and go to the Tx power tab. Change the Tx Power Mode to card rates, and lower the Tx power a few dBm at a time until it is where you would like it to be. If I remember correctly a decrease of 3 dBm = 50% reduction in power.

Hi, thanks for helping. I have checked the dynamic DNS IP, and that one is right. I even used Google’s free DNS servers with 8.8.8.8 and others for testing, still the same problem.
It’s not DNS because it opens some sites, but others not. I have also tested with opening sites through IP, but the sites which are not available through domain names also are not available through IP, so it means it’s not a DNS issue.

Hereby the info from my firewall rules. I did not mention that this router was set up from a full reset, so I made a hardware reset with a pencil, then I set only basics like DHCP and Wi-Fi. Further, I set the firewall for the Exchange server ports etc… but did not change any other stuff.

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=no dst-port=143 protocol=tcp to-addresses=192.168.1.5 to-ports=143
add action=dst-nat chain=dstnat disabled=no dst-port=110 protocol=tcp to-addresses=192.168.1.5 to-ports=110
add action=dst-nat chain=dstnat disabled=no dst-port=987 protocol=tcp to-addresses=192.168.1.5 to-ports=987
add action=dst-nat chain=dstnat disabled=no dst-port=443 protocol=tcp to-addresses=192.168.1.5 to-ports=443
add action=dst-nat chain=dstnat disabled=no dst-port=993 protocol=tcp to-addresses=192.168.1.5 to-ports=993
add action=dst-nat chain=dstnat disabled=no dst-port=25 protocol=tcp to-addresses=192.168.1.5 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-port=22 protocol=tcp to-addresses=192.168.1.157 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.45 to-ports=80
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
[admin@mikrotik] >

Please help ASAP.

thanks in advance.

Well, now it is almost 1 o’clock in the night. After hours of playing with this board, no success. As soon as I change
the Tx power settings the router becomes crazy, not connecting, etc… After many resets and tryouts,
suddenly the router started working in a normal way. Now I can access gmail.com and all other websites.
This gives me a very scary feeling that I’m not in control and I don’t know what’s happening. Why does it behave this way?

Chances are, your NAT rules are what is actually causing your issues. What are you trying to accomplish with them? You are redirecting things like HTTPS to a local machine apparently, and the rule has not been narrowed down to exclude other interfaces/subnets, so that means you are redirecting ALL HTTPS traffic among others. This is not something you typically want to do. I would look at that and narrow down your rules so it only matches what you want, or specifically state what you are trying to accomplish here so that others can tell you what needs to happen.

Yes, that could be the issue, because I’m new to this. Basically what I wanted to do is to open the mail ports and some other ports for the servers that I have on my network, but as you say it works for all interfaces, so I guess all HTTPS traffic then goes back to my local servers?

Yes, that is what is happening. Specify an in-interface for those rules (your WAN if you want them accessible from the outside) and it should take off and work normally. It is also a better thing to set up what is known as a DMZ for any servers you have on your network. You basically place the servers on a different routed interface, with a different IP range. You can then firewall off the networks from each other to provide better protection for both sets of servers, and it makes forwarding to them much easier.
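Added example, not part of the thread and not MikroTik tooling: a small audit of `/ip firewall export` output that flags the problem diagnosed above, namely dst-nat rules with no interface or destination-address matcher, which therefore also capture LAN clients' outbound traffic to the same port. The function names and the sample text are hypothetical, and it assumes one rule per line with no backslash continuations.

```python
import shlex

# Constructed sample: rules in the shape of the export posted in this thread.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=no dst-port=443 protocol=tcp to-addresses=192.168.1.5 to-ports=443
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.45 to-ports=80
/ip firewall filter
add action=drop chain=input in-interface=ether1-gateway
"""

# Matchers that limit a dst-nat rule to traffic arriving for the router's WAN side.
SCOPING_KEYS = {"in-interface", "in-interface-list", "dst-address", "dst-address-type"}

def parse_rule(line):
    """Split 'add key=value ...' into a dict; shlex keeps quoted comments whole."""
    return dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)

def unscoped_dstnat(export_text):
    """Return enabled dst-nat rules under '/ip firewall nat' that match on every interface."""
    findings, section = [], None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line  # remember which menu the following 'add' lines belong to
        elif section == "/ip firewall nat" and line.startswith("add "):
            rule = parse_rule(line)
            if (rule.get("action") == "dst-nat" and rule.get("disabled") != "yes"
                    and not SCOPING_KEYS & rule.keys()):
                findings.append(rule)
    return findings

def suggest_fix(rule, wan="ether1-gateway"):
    """Rebuild the rule with in-interface set to the WAN port (name is an assumption)."""
    fixed = dict(rule, **{"in-interface": wan})
    return "add " + " ".join(f"{k}={v}" for k, v in sorted(fixed.items()))

if __name__ == "__main__":
    for r in unscoped_dstnat(SAMPLE_EXPORT):
        print("unscoped:", r["protocol"], r["dst-port"], "->", r["to-addresses"])
        print("  fix:", suggest_fix(r))
```

On the sample it reports only the port 443 rule, the one that sent Gmail's HTTPS to the internal mail server; the port 80 rule already carries `in-interface=ether1-gateway` and passes.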

This router is so much more than the normal ones that I mostly use. Is there a place where I can find the how-tos to make this work?

http://wiki.mikrotik.com/wiki/Main_Page

First of all, thanks for helping me so far.

Now I’m able to do much more. Indeed the problem was in the setting of the firewall/NAT. I had some ports forwarded, but did not set the interface which to ignore the forwardings,
so all traffic with same traffic as in the forwarding was sent to internal servers :) and because Gmail uses HTTPS, as soon as I clicked Gmail it went to my internal mail server, which also used HTTPS.

Thanks again. I’m now on the way to learn how to shape / limit and prioritize traffic based on ports or services, hopefully I’ll find the way.

Hi,

Have you made sure you’re using the correct MTU and have turned on MSS clamping on your upstream connection?

What you are describing sounds like a classic case of too big packets being sent down the wire to your router without being correctly fragmented.

If you have a pptp/pppoe connection:

/interface pptp-client print
 0  R name="internet_connection_to_isp" max-mtu=1440 max-mru=1440  connect-to=127.0.0.1 user="my_username"  
      password="mypassword" profile=default-encryption add-default-route=yes dial-on-demand=no allow=pap

Note the MTU values specifically.

Check your firewall mangle rules:

/ip firewall mangle print

and it should have 2 rules (at least) with an action of “Change MSS”.

Hope this helps - karma is free

It was all default when I started; I made a hard reset. But now everything works fine. I’ve got VPN working, and also the remote management via www, ssh and winbox, all working fine.