Can't open government websites

Hi,

Well, this is strange because the only sites I can't open/resolve are government websites from my country, e.g. gov.si. I have tested two paths: ISP's modem > laptop = the websites open and resolve…
ISP's modem > MikroTik router > laptop = they do not.
At first I thought it was a Pi-hole problem, so I whitelisted the domain and everything else I could think of, but Pi-hole resolves the domain correctly (dnsmasq log below):

Jan 22 22:43:36 dnsmasq[32208]: query[A] gov.si from 10.6.0.4
Jan 22 22:43:36 dnsmasq[32208]: forwarded gov.si to 127.0.0.1
Jan 22 22:43:36 dnsmasq[32208]: reply gov.si is 84.39.211.243
Jan 22 22:43:37 dnsmasq[32208]: query[A] gov.si from 10.6.0.4
Jan 22 22:43:37 dnsmasq[32208]: cached gov.si is 84.39.211.243
Jan 22 22:43:37 dnsmasq[32208]: query[AAAA] gov.si from 10.6.0.4
Jan 22 22:43:37 dnsmasq[32208]: forwarded gov.si to 127.0.0.1
Jan 22 22:43:37 dnsmasq[32208]: reply gov.si is 2a00:d440:7777:7777::5427:d3f3

So now I am investigating on the router side, which is where the problem seems to lie, but I can't think of a solution…
Traceroute from the router to the IP that gov.si resolves to (84.39.211.243):

[admin@Dan'sTik] > /tool traceroute 
address: 84.39.211.243
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST
 1 188.230.128.1                      0%    2   3.3ms     3.5     3.3     3.6
 2 84.255.209.161                     0%    2   3.7ms     3.5     3.2     3.7
 3 84.255.211.82                      0%    2   2.2ms     2.1       2     2.2
 4 91.220.194.102                     0%    2   3.2ms     3.3     3.2     3.3
 5 88.200.2.183                       0%    2   8.5ms     6.1     3.7     8.5
 6                                  100%    2 timeout
 7                                  100%    1 timeout
 8                                  100%    1 timeout
 9                                  100%    1 timeout
10                                  100%    1 timeout

And here is the router's config export, in case it helps…

# jan/22/2022 23:31:33 by RouterOS 6.49.2
# software id = RY13-W6WU
#
# model = RBD52G-5HacD2HnD
# serial number = D7160CB65217
# --- Layer 2: one LAN bridge plus the two built-in radios ------------------
/interface bridge
# Default-config bridge. STP is off (protocol-mode=none); with a single bridge
# and no redundant links that is acceptable.
add name=bridge comment=defconf protocol-mode=none auto-mac=no \
    admin-mac=48:8F:5A:CC:E7:E4
/interface wireless
# 2.4 GHz radio, AP mode bridged onto "bridge", regulatory domain Slovenia.
set [ find default-name=wlan1 ] mode=ap-bridge ssid=DE2Ghz \
    band=2ghz-b/g/n channel-width=20/40mhz-XX frequency=auto \
    country=slovenia installation=indoor distance=indoors \
    wireless-protocol=802.11 disabled=no
# 5 GHz radio, same role.
set [ find default-name=wlan2 ] mode=ap-bridge ssid=DE5GHz \
    band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX frequency=auto \
    country=slovenia installation=indoor distance=indoors \
    wireless-protocol=802.11 disabled=no
/interface vlan
# Tagged VLAN 10 on ether5 carries the Raspberry Pi segment (10.0.10.0/24).
add name=vlan10 vlan-id=10 interface=ether5 comment="RaspberryPi VLAN"
/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf
# Extra list; in this export it only scopes MAC-WinBox (/tool mac-server).
add name=Manage
/interface wireless security-profiles
# Both SSIDs use the default profile: WPA2-PSK with dynamic keys. The PSK
# itself is not part of a non-sensitive export.
set [ find default=yes ] mode=dynamic-keys authentication-types=wpa2-psk \
    supplicant-identity=MikroTik
/ip pool
# Main LAN DHCP pool (bridge, 10.0.1.0/24); .1-.9 are left for static hosts.
add name=dhcp ranges=10.0.1.10-10.0.1.254
# VLAN 10 pool (Pi segment).
add name=pool10 ranges=10.0.10.2-10.0.10.254
# OpenVPN client pool, used by vpn_profile.
add name=vpn_pool ranges=192.168.2.192-192.168.2.250
# Pool of the built-in default PPP profile.
# NOTE(review): the range ends at .255. PPP links are point-to-point so it is
# usable, but ending at .254 avoids handing out the /24 broadcast address.
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add name=defconf interface=bridge address-pool=dhcp disabled=no
add name=vlan10 interface=vlan10 address-pool=pool10 disabled=no
/ppp profile
# Profile for the OpenVPN secret "daniel".
add name=vpn_profile local-address=192.168.2.1 remote-address=vpn_pool
# Built-in default profile (*FFFFFFFE) used by the other PPP servers; PPP
# clients are given the router itself (10.0.1.1) as DNS, which works because
# /ip dns has allow-remote-requests=yes.
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn \
    dns-server=10.0.1.1
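/interface bridge port
# All LAN-side ports and both radios are untagged members of "bridge".
# ether5 is also the parent of vlan10, so tagged VLAN-10 frames are consumed
# by vlan10 while the port is an untagged bridge member at the same time.
# It works, but bridge VLAN filtering would make the tagging explicit.
add bridge=bridge interface=ether2 comment=defconf
add bridge=bridge interface=ether3 comment=defconf
add bridge=bridge interface=ether4 comment=defconf
add bridge=bridge interface=ether5 comment=defconf
add bridge=bridge interface=wlan1 comment=defconf
add bridge=bridge interface=wlan2 comment=defconf
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
# Enabled with IPsec, but the input chain has no accept for UDP 500/4500/1701
# or ESP from WAN (the l2tp rule is disabled), so it is reachable from the
# LAN side only.
set enabled=yes use-ipsec=yes
/interface list member
add list=LAN interface=bridge comment=defconf
add list=WAN interface=ether1 comment=defconf
# vlan10 is in LAN (so it passes the input chain's !LAN drop) and in Manage
# (MAC-WinBox scope).
add list=Manage interface=vlan10
add list=LAN interface=vlan10
/interface ovpn-server server
# The only VPN server that is opened in the input chain. Client certificates
# are mandatory. RouterOS 6 only offers md5/sha1 for the OpenVPN HMAC, so
# sha1 is the strongest option on this version.
set enabled=yes certificate=Server require-client-certificate=yes \
    cipher=aes256 auth=sha1
/interface pptp-server server
# Changed: PPTP (MS-CHAPv2 / MPPE) is cryptographically broken. It was
# enabled, but its input rule is disabled so nothing on the WAN side could
# reach it; disabled here so it is not left as an accidental LAN-side
# service either.
set enabled=no
/interface sstp-server server
# Enabled but, like L2TP, not opened in the input chain from WAN.
set default-profile=default-encryption enabled=yes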
/ip address
add interface=bridge address=10.0.1.1/24 network=10.0.1.0 comment=defconf
# NOTE(review): a static public address with a /16 mask sits on ether1 in
# addition to the DHCP client below, and /ip route adds a static default via
# 89.212.0.1. The traceroute's first hop is 188.230.128.1, i.e. not that
# gateway, so this static entry looks stale. Two WAN addresses and two
# default routes on one port make it unclear which source address
# masqueraded traffic leaves with; remove the static pair once confirmed
# unused.
add interface=ether1 address=89.212.52.216/16 network=89.212.0.0
add interface=vlan10 address=10.0.10.1/24 network=10.0.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1 comment=defconf
/ip dhcp-server network
# Both segments are told to use the Pi-hole (10.0.10.5) as resolver; the
# router's own resolver (10.0.1.1) is handed out only to PPP clients.
add address=10.0.1.0/24 gateway=10.0.1.1 netmask=24 dns-server=10.0.10.5 \
    comment=defconf
add address=10.0.10.0/24 gateway=10.0.10.1 netmask=24 dns-server=10.0.10.5
/ip dns
# Router resolver: upstream is DoH to NextDNS with certificate verification;
# the plain server 10.0.10.5 is what resolves the DoH hostname itself.
# allow-remote-requests=yes is safe only because the input chain drops
# everything not arriving from the LAN list; without that rule this would be
# an open resolver.
set servers=10.0.10.5 allow-remote-requests=yes \
    use-doh-server=https://dns.nextdns.io/f4efa2 verify-doh-cert=yes
/ip dns static
add name=router.lan address=10.0.1.1 comment=defconf
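/ip firewall address-list
# Hosts allowed to open management connections to the router (input chain).
# Only this list and not_in_internet are referenced by filter rules.
add list=allowed_to_router address=10.0.1.10
# Bogon / non-routable space (RFC 6890 and friends): anything arriving on
# ether1 with one of these as source cannot legitimately come from the
# Internet and is dropped in the forward chain.
add list=not_in_internet address=0.0.0.0/8 comment=RFC6890
add list=not_in_internet address=10.0.0.0/8 comment=RFC6890
add list=not_in_internet address=100.64.0.0/10 comment=RFC6890
add list=not_in_internet address=127.0.0.0/8 comment=RFC6890
add list=not_in_internet address=169.254.0.0/16 comment=RFC6890
add list=not_in_internet address=172.16.0.0/12 comment=RFC6890
add list=not_in_internet address=192.0.0.0/24 comment=RFC6890
add list=not_in_internet address=192.0.2.0/24 comment=RFC6890
add list=not_in_internet address=192.88.99.0/24 \
    comment="6to4 relay Anycast [RFC 3068]"
add list=not_in_internet address=192.168.0.0/16 comment=RFC6890
add list=not_in_internet address=198.18.0.0/15 comment=RFC6890
add list=not_in_internet address=198.51.100.0/24 comment=RFC6890
add list=not_in_internet address=203.0.113.0/24 comment=RFC6890
add list=not_in_internet address=224.0.0.0/4 comment=Multicast
add list=not_in_internet address=240.0.0.0/4 comment=RFC6890
# The three lists below are defined but not referenced by any filter rule in
# this export. They are harmless, but either wire them into rules or drop
# them so the intent is clear.
add list=allowed_to_16bit.mk address=10.0.1.5-10.0.1.254
# Fixed: the range was written "192.168.89.2-192.168.89-254" (a dash where
# the last dot belongs), which is not a valid address range.
add list=allowed_vpn_to_router address=192.168.89.2-192.168.89.254
add list=allowed_to_router_from_vpn address=10.0.10.5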
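/ip firewall filter
# ---- input: traffic addressed to the router itself -----------------------
add chain=input action=accept comment=\
    "defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add chain=input action=accept comment="defconf: accept ICMP" protocol=icmp
# Redundant with the final !LAN drop, and hard-codes a public address that
# may no longer be the DHCP-assigned one; left unchanged.
add chain=input action=drop comment="disallow public ip for router use" \
    protocol=tcp dst-address=89.212.52.216 dst-port=8080
# Fixed: the original also matched connection-state=established,related,
# which the first rule has already accepted, so this rule could never match
# a new connection from the admin host. It now does what its comment says.
add chain=input action=accept comment="admin allowed to router" \
    src-address-list=allowed_to_router
# Fixed: the rule was protocol=udp, but RouterOS 6 serves OpenVPN over TCP
# only (UDP transport arrived in v7), so it could not match a client.
add chain=input action=accept comment="allow openvpn" protocol=tcp \
    dst-port=1194
# L2TP/IPsec, PPTP and SSTP are not opened from WAN (rules disabled). If
# L2TP is ever enabled it also needs UDP 500/4500 and ipsec-esp accepted.
add chain=input action=accept comment="allow l2tp" disabled=yes \
    protocol=udp dst-port=1701
add chain=input action=accept comment="allow pptp" disabled=yes \
    protocol=tcp dst-port=1723
add chain=input action=accept comment="allow sstp" disabled=yes \
    protocol=tcp dst-port=443
add chain=input action=drop comment="defconf: drop invalid" \
    connection-state=invalid
# Everything else from non-LAN interfaces is dropped; traffic from the LAN
# list (bridge + vlan10) falls through to the chain's implicit accept.
add chain=input action=drop comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# ---- forward: traffic routed through the router ---------------------------
# Accepts Tor relay traffic sourced from vlan10 before fasttrack. Redundant,
# since LAN->WAN is implicitly accepted anyway, but harmless.
add chain=forward action=accept in-interface=vlan10 out-interface=ether1 \
    protocol=tcp src-port=9090
add chain=forward action=fasttrack-connection comment="defconf: fasttrack" \
    connection-state=established,related
add chain=forward action=accept comment=\
    "defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
# Anti-spoofing for the main LAN only; vlan10 has no equivalent rule.
add chain=forward action=drop comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge \
    src-address=!10.0.1.0/24 log=yes log-prefix=LAN_!LAN
add chain=forward action=drop comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    src-address-list=not_in_internet log=yes log-prefix=!public
add chain=forward action=drop comment=\
    "defconf: drop all from WAN not DSTNATed" in-interface-list=WAN \
    connection-state=new connection-nat-state=!dstnat
add chain=forward action=drop comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=invalid
# NOTE(review): nothing restricts vlan10 -> bridge. The Pi segment hosts the
# Internet-exposed services (80/443, Tor, WireGuard, Zabbix), so a
# compromised Pi can open connections into 10.0.1.0/24 freely. Consider
# `add chain=forward action=drop in-interface=vlan10 out-interface=bridge
#  connection-state=new` once the Zabbix proxy's polling targets are known.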
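/ip firewall nat
add chain=srcnat action=masquerade comment="defconf: masquerade" \
    out-interface-list=WAN ipsec-policy=out,none
# ---- port forwards from ether1 into the Pi VLAN --------------------------
# Order matters in dstnat: the first matching rule wins.
add chain=dstnat action=dst-nat comment="Malina2 HTTP" in-interface=ether1 \
    protocol=tcp dst-port=80 to-addresses=10.0.10.6 to-ports=80
add chain=dstnat action=dst-nat comment="Malina2 HTTPS" in-interface=ether1 \
    protocol=tcp dst-port=443 to-addresses=10.0.10.6 to-ports=443
# Changed: these two also matched dst-port 80/443 and were fully shadowed by
# the Malina2 rules above, so they never fired. Disabled rather than deleted
# so the intended target (10.0.10.5 vs 10.0.10.6) can be decided explicitly.
add chain=dstnat action=dst-nat comment="Malina HTTP" disabled=yes \
    in-interface=ether1 protocol=tcp dst-port=80 to-addresses=10.0.10.5 \
    to-ports=80
add chain=dstnat action=dst-nat comment="Malina HTTPS" disabled=yes \
    in-interface=ether1 protocol=tcp dst-port=443 to-addresses=10.0.10.5 \
    to-ports=443
# Tor relay on the Pi: DirPort and ORPort.
add chain=dstnat action=dst-nat comment="Malina TorDir" in-interface=ether1 \
    protocol=tcp dst-port=9030 to-addresses=10.0.10.5 to-ports=9030
add chain=dstnat action=dst-nat comment="Malina Tor Relay " \
    in-interface=ether1 protocol=tcp dst-port=9090 to-addresses=10.0.10.5 \
    to-ports=9090
# Zabbix proxy. NOTE(review): these forwards are open to the whole Internet;
# add src-address=<your Zabbix server> so only it can reach the proxy.
add chain=dstnat action=dst-nat comment="Zabbix Proxy" in-interface=ether1 \
    protocol=tcp dst-port=10050 to-addresses=10.0.10.6 to-ports=10050
# Fixed: TCP 10051 was forwarded to 10050, unlike its UDP counterpart which
# maps 10051->10051; treated as a typo (10051 is the proxy/server port).
add chain=dstnat action=dst-nat comment="Zabbix Proxy" in-interface=ether1 \
    protocol=tcp dst-port=10051 to-addresses=10.0.10.6 to-ports=10051
# Zabbix agent/proxy traffic is TCP, so the UDP forwards are very likely
# unused and only widen the exposed surface.
add chain=dstnat action=dst-nat comment="Zabbix Proxy" in-interface=ether1 \
    protocol=udp dst-port=10050 to-addresses=10.0.10.6 to-ports=10050
add chain=dstnat action=dst-nat comment="Zabbix Proxy" in-interface=ether1 \
    protocol=udp dst-port=10051 to-addresses=10.0.10.6 to-ports=10051
# WireGuard on the Pi (UDP only by design).
add chain=dstnat action=dst-nat comment="WireGuard VPN" in-interface=ether1 \
    protocol=udp dst-port=51820 to-addresses=10.0.10.5 to-ports=51820
# Changed: WireGuard never speaks TCP, so this forward only exposed a TCP
# port on the Pi for nothing; disabled.
add chain=dstnat action=dst-nat comment="WireGuard VPN" disabled=yes \
    in-interface=ether1 protocol=tcp dst-port=51820 to-addresses=10.0.10.5 \
    to-ports=51820
# Source NAT for PPP clients from the default profile's pool.
add chain=srcnat action=masquerade comment="masq. vpn traffic" \
    src-address=192.168.89.0/24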
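/ip firewall service-port
set ftp disabled=yes
/ip route
# NOTE(review): static default route alongside the DHCP client on ether1,
# which installs its own default route. The traceroute leaves via
# 188.230.128.1, not 89.212.0.1, so this entry appears unused; it pairs with
# the static 89.212.52.216/16 address in /ip address.
add gateway=89.212.0.1 distance=1
/ip service
set telnet disabled=yes
set ftp disabled=yes
# Changed: plain-HTTP management listened on every address. The input chain
# already blocks WAN, but the restriction is now explicit and matches winbox.
set www port=8080 address=10.0.1.0/24,192.168.89.0/24,10.0.10.5/32
set ssh disabled=yes port=2222
# Changed: was address=0.0.0.0/0. The service is not explicitly enabled in
# this export, but if it is switched on it should only answer the management
# networks, like winbox.
set www-ssl address=10.0.1.0/24,192.168.89.0/24,10.0.10.5/32
set api disabled=yes
set winbox address=10.0.1.0/24,192.168.89.0/24,10.0.10.5/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
# Passwords are omitted from a non-sensitive export, so their presence cannot
# be judged here. "vpn" has no service or profile restriction (defaults to
# any / default profile).
add name=daniel service=ovpn profile=vpn_profile local-address=10.0.1.1 \
    remote-address=192.168.2.192
add name=vpn
/snmp
# NOTE(review): SNMP is enabled (LAN-only thanks to the input chain) with a
# personal e-mail and a street address as contact/location, and the export
# header carries the serial number and software id. Redact these before
# posting a config publicly, and check that the community is not the default
# "public".
set enabled=yes contact=nikoloskid@protonmail.com location="Vojkova cesta 30"
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name="Dan'sTik"
/system package update
set channel=long-term
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
# MAC-telnet is reachable from every LAN interface, while MAC-WinBox below
# is limited to Manage (vlan10). Consider aligning both to the same list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=Manage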

Since the traceroute gets through several hops (your ISP's routers, replies coming back to your router) before timing out, outbound routing and the return path to your router are working; this points away from your configuration and toward the government network's side. It is not absolute proof, but a fault on your router would normally show up at hop 1, not after hop 5.

Details in Slovenian … they’re not really of general interest …

Kot kaže, MJU izvaja velike spremembe v svojem omrežju, pri tem seveda delajo napake in deli omrežja niso dostopni … in to je celo odvisno od tega, pri katerem ponudniku interneta si. Pred tedni je bila podobna težava, takrat eden od DNS strežnikov ni bil dostopen iz Telekomovega omrežja, iz T-2 omrežja pa je bil. Pri tem je traceroute v obeh primerih šel preko nekaterih skupnih usmerjevalnikov v MJU omrežju. Pa razumi če moreš.
Saj bo … :wink:

mkx, hvala za odgovor …
Upam da bojo zrihtali …