Hi all,
I have a very weird problem: I can’t access bitbucket.org through my MikroTik router. Everything works well except this one site. Any idea?
curl -IL https://bitbucket.org -vvvv
* processing: https://bitbucket.org
* Trying 104.192.141.1:443...
* Connected to bitbucket.org (104.192.141.1) port 443
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: jurisdictionC=US; jurisdictionST=Delaware; businessCategory=Private Organization; serialNumber=3928449; C=US; ST=California; L=San Francisco; O=Atlassian US, Inc.; CN=bitbucket.org
* start date: Apr 28 00:00:00 2023 GMT
* expire date: Apr 19 23:59:59 2024 GMT
* subjectAltName: host "bitbucket.org" matched cert's "bitbucket.org"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
* SSL certificate verify ok.
* using HTTP/2
* h2 [:method: HEAD]
* h2 [:scheme: https]
* h2 [:authority: bitbucket.org]
* h2 [:path: /]
* h2 [user-agent: curl/8.2.1]
* h2 [accept: */*]
* Using Stream ID: 1
> HEAD / HTTP/2
> Host: bitbucket.org
> User-Agent: curl/8.2.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* HTTP/2 stream 1 was not closed cleanly: STREAM_CLOSED (err 5)
* Connection #0 to host bitbucket.org left intact
curl: (92) HTTP/2 stream 1 was not closed cleanly: STREAM_CLOSED (err 5)
Router config:
# 2023-10-02 12:36:32 by RouterOS 7.11.2
# software id = 6GH8-7J3B
#
# model = RB4011iGS+
# serial number = AAAF0A39FF87
/interface bridge add name=LAN-BRIDGE
/interface ethernet set [ find default-name=ether1 ] disabled=yes name=ISP1
/interface ethernet set [ find default-name=ether2 ] name=ISP2
/interface ethernet set [ find default-name=ether3 ] name=LAN2
/interface ethernet set [ find default-name=ether4 ] name=LAN3
/interface ethernet set [ find default-name=ether5 ] name=LAN4
/interface ethernet set [ find default-name=ether6 ] name=LAN5
/interface ethernet set [ find default-name=ether7 ] name=LAN6
/interface ethernet set [ find default-name=ether8 ] name=LAN7
/interface ethernet set [ find default-name=ether9 ] name=LAN8
/interface ethernet set [ find default-name=ether10 ] name=LAN9
/interface ethernet set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface pppoe-client add add-default-route=yes default-route-distance=2 disabled=no interface=ISP2 keepalive-timeout=60 name=ISP2-PPPoE user=*****
/interface list add name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip pool add name=dhcp-pool ranges=10.0.90.1-10.0.99.100
/ip dhcp-server add address-pool=dhcp-pool interface=LAN-BRIDGE lease-time=521w3d name=dhcp-server
/port set 0 name=serial0
/port set 1 name=serial1
/interface bridge port add bridge=LAN-BRIDGE interface=LAN2
/interface bridge port add bridge=LAN-BRIDGE interface=LAN3
/interface bridge port add bridge=LAN-BRIDGE interface=LAN4
/interface bridge port add bridge=LAN-BRIDGE interface=LAN5
/interface bridge port add bridge=LAN-BRIDGE interface=LAN6
/interface bridge port add bridge=LAN-BRIDGE interface=LAN7
/interface bridge port add bridge=LAN-BRIDGE interface=LAN8
/interface bridge port add bridge=LAN-BRIDGE interface=LAN9
/interface list member add interface=LAN-BRIDGE list=LAN
/ip address add address=10.0.0.1/16 interface=LAN-BRIDGE network=10.0.0.0
/ip dhcp-server network add address=10.0.0.0/16 gateway=10.0.0.1 netmask=16
/ip dns set servers=8.8.8.8,8.8.4.4
/ip firewall nat add action=masquerade chain=srcnat comment=ISP2 out-interface=ISP2-PPPoE
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www address=10.0.0.0/16
/ip service set ssh disabled=yes
/ip service set api-ssl disabled=yes
/system clock set time-zone-name=Europe/Budapest
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN