Certain sites won't load behind a very basic NAT setup.

Hi guys, I have a Mikrotik router acting as a NAT device for a site.

Network goes like this: Edge router → bridged wireless network → Mikrotik (NAT) → Wireless AP (bridged) → Wireless client bridge → Router (NAT) → Client network

The sites we were having problems with were gov.bc.ca sites, also intel.com and Health Canada websites. They resolve DNS fine but would not load more than the first site image. Bypassing the customer's network revealed the same issue.

So I changed the max MTU size via a mangle rule to 1360. That got almost all of the sites working. We found that the Health Canada website still won't load though, so I disabled the MTU resize rule and instead put in place a Clear DF bit rule. The gov.bc.ca sites still work. The Health Canada site will still not load: http://www.hc-sc.gc.ca/

The only other rules I have are 1-1 NAT rules for their public IPs. We have 6 DST-NAT rules and 3 SRC-NAT rules. 3 devices are just wireless bridges, so I didn't bother with SRC-NATs for them; the other 3 are running servers, so I have SRC-NATs for them.

NAT rules and mangle rules:

Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 chain=srcnat action=src-nat to-addresses=
src-address=10.0.0.95

2 ;;; NIB OFFICE CPE SRC
chain=srcnat action=src-nat to-addresses=
src-address=10.0.0.84

3 ;;; NEC OFFICE CPE SRC
chain=srcnat action=src-nat to-addresses=
src-address=10.0.0.83

4 ;;; NEC COMP LAB CPE SRC
chain=srcnat action=src-nat to-addresses=
src-address=10.0.0.86

5 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=10.0.0.0/22

6 ;;; NIB OFFICE SU
chain=dstnat action=dst-nat to-addresses=10.0.0.81
dst-address=

7 ;;; NIB OFFICE AP
chain=dstnat action=dst-nat to-addresses=10.0.0.80
dst-address=

8 ;;; NEC OFFICE
chain=dstnat action=dst-nat to-addresses=10.0.0.82
dst-address=

9 ;;; NEC OFFICE CPE
chain=dstnat action=dst-nat to-addresses=10.0.0.83
dst-address=

10 ;;; NIB NEC COMP LAB CPE
chain=dstnat action=dst-nat to-addresses=10.0.0.86
dst-address=

11 ;;; NIB OFFICE CPE
chain=dstnat action=dst-nat to-addresses=10.0.0.84
dst-address=

12 ;;; test nat
chain=dstnat action=dst-nat to-addresses=10.0.0.95
dst-address=


Flags: X - disabled, I - invalid, D - dynamic
0 X chain=forward action=change-mss new-mss=1360 tcp-flags=syn protocol=tcp
fragment=no

1 chain=forward action=clear-df passthrough=yes tcp-flags=syn protocol=tcp

What do you guys think?
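The MSS clamp in mangle rule 0 above, modelled in Python as an added example (not code from the thread or from RouterOS): it rewrites the MSS option of a constructed client SYN the way change-mss does, and checks whether a full segment then fits a path MTU. The option bytes and the 1400-byte path MTU are constructed values, not figures from the post.

```python
import struct

IPV4_HEADER = 20
TCP_HEADER = 20
MSS_KIND = 2        # TCP option kind for Maximum Segment Size
DEFAULT_MSS = 536   # assumed by the peer when a SYN carries no MSS option

# Constructed TCP option bytes from a typical client SYN:
# MSS=1460, NOP, window scale 7, SACK permitted, NOP, NOP (padding)
SAMPLE_SYN_OPTIONS = b"\x02\x04\x05\xb4\x01\x03\x03\x07\x04\x02\x01\x01"
PATH_MTU = 1400     # constructed: smallest MTU somewhere on the wireless path


def clamp_mss(options: bytes, new_mss: int) -> tuple[bytes, int]:
    """Rewrite the MSS option in a SYN's TCP options the way a
    change-mss mangle rule does. Returns (rewritten options, MSS the
    peer will see). An MSS at or below the clamp is left alone; a SYN
    without an MSS option is not touched and the default applies."""
    buf = bytearray(options)
    i = 0
    while i < len(buf):
        kind = buf[i]
        if kind == 0:                 # End of option list
            break
        if kind == 1:                 # NOP has no length byte
            i += 1
            continue
        length = buf[i + 1]
        if kind == MSS_KIND and length == 4:
            old = struct.unpack_from("!H", buf, i + 2)[0]
            if old > new_mss:
                # Same option length; a real router recomputes the TCP checksum too
                struct.pack_into("!H", buf, i + 2, new_mss)
                return bytes(buf), new_mss
            return bytes(buf), old
        i += length
    return bytes(buf), DEFAULT_MSS


def fits_path(mss: int, path_mtu: int) -> bool:
    """A full segment (MSS payload + TCP + IP headers) must fit the smallest
    MTU on the path. If it does not and DF is set, the packet is dropped, and
    when the ICMP "fragmentation needed" reply never reaches the sender the
    connection stalls after the first small responses: the symptom above."""
    return mss + TCP_HEADER + IPV4_HEADER <= path_mtu


if __name__ == "__main__":
    _, mss = clamp_mss(SAMPLE_SYN_OPTIONS, 1460)   # clamp not below the MSS: unchanged
    print("unclamped MSS", mss, "fits path:", fits_path(mss, PATH_MTU))
    _, mss = clamp_mss(SAMPLE_SYN_OPTIONS, 1360)   # rule 0 above: new-mss=1360
    print("clamped MSS", mss, "fits path:", fits_path(mss, PATH_MTU))
```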

bump

I had VPN'd to the Mikrotik and could not reproduce the problem. Perhaps this is a time to live problem?

Upped the TTL to 63. Still no luck.

Any ideas?

Upped TTL to 200 with no effect.

I'm going to assume there is an issue with the wireless AP or bridge behind it, since I can VPN to the MT and not reproduce the problem.

TTL means hop count: how many routers a packet can traverse on its path. It is unfortunately named but has nothing to do with actual time frames.

OK, so I finally got a guy onsite there. As it turns out, the sites would load properly, no problem, if I disabled wireless security on the Ubiquiti AP. With WEP or WPA encryption on, the sites would fail to load. No security = no problem.