Help: IPv4 NAT - some https websites won't load

I have installed a CCR1016 as a router/firewall for student dormitories about a week ago, and I got a lot of complaints about certain websites not working. Investigation yielded that some IPv4 TLS connections are affected. Opening a TCP connection via IPv4 works fine. Websites only reachable via IPv4 and HTTPS do not load beyond "establishing a secure connection".

Trying to get an affected website via wget stalls after successfully opening the TCP connection on port 443.

Topology:

  • CCR is connected to Upstream via Fiber (sfp1), advertising a /28 IPv4 and /48 IPv6.
  • Dorm clients each have a vlan with a natted /27 IPv4 and /64 IPv6. Connected via fiber to sfp5.

The

/ip firewall nat
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm1 to-addresses=x.y.z.1
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm2 to-addresses=x.y.z.2
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm3 to-addresses=x.y.z.3
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm4 to-addresses=x.y.z.4
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm5 to-addresses=x.y.z.5
add action=src-nat chain=srcnat comment="Default NAT" log-prefix=nat-def- out-interface=sfp1_uplink src-address-list=nat-private to-addresses=x.y.z.6

x.y.z.[1-6] are the public IPs advertised via bgp.

/ip firewall filter
add action=accept chain=input comment="Anti-lockout rule from mgmt network" in-interface=sfp12_wh-pf-mgmt log-prefix=mgmt-in
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Accept established, related" connection-state=established,related
add action=accept chain=input comment="Accept established, related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid log-prefix=drop-invalid
add action=accept chain=input comment="BGP" dst-address=x.y.z.10 dst-port=179 log=yes log-prefix=bgp- protocol=tcp src-address=x.y.z.11
add action=accept chain=input comment=basic protocol=icmp
add action=drop chain=input comment="Drop everything not established, related or permitted from upstream (internet)" connection-state=!established,related in-interface=sfp1_upstream log-prefix=drop-in-unsolicited
add action=accept chain=input comment="Allow broadcast for dhcp" dst-address-type=broadcast in-interface=!sfp1_upstream
add action=accept chain=forward comment="Allow unicast to dhcp servers" dst-address-list=dhcp-servers port=67,68 protocol=udp
add action=accept chain=forward dst-address-list=dhcp-servers protocol=icmp
add action=accept chain=forward comment="Allow APs to controllers" dst-address-list=wlan-controller in-interface=wh-pf-ap/1 log-prefix=allow-aps
add action=accept chain=forward comment="SNMP Traps" dst-address-list=snmp-monitoring dst-port=612 in-interface=wh-pf-ap/1 protocol=udp
add action=accept chain=forward comment="SNMP requests from Monitoring" dst-port=161 protocol=udp src-address-list=snmp-monitoring
add action=accept chain=forward comment="forward from mgmgt" src-address-list=wh-mgmt
add action=accept chain=forward in-interface=sfp12_wh-pf-mgmt src-address-list=wh-stuwe-mgmt
add action=reject chain=forward comment="Disallow residents to mgmt" dst-address-list=wh-mgmt log=yes log-prefix=drop-to-mgmt reject-with=icmp-network-unreachable
add action=reject chain=forward port=25,135,137,138,139,445 protocol=tcp reject-with=icmp-admin-prohibited
add action=reject chain=forward port=135,137,138,139,445 protocol=udp reject-with=icmp-admin-prohibited
add action=reject chain=input port=135,137,138,139,445 protocol=udp reject-with=icmp-admin-prohibited
add action=reject chain=input port=135,137,138,139,445 protocol=tcp reject-with=icmp-admin-prohibited
add action=accept chain=forward dst-address=x.y.z.0/28 in-interface=sfp1_upstream
add action=drop chain=input connection-state=invalid in-interface=sfp1_upstream
add action=accept chain=input src-address=172.19.3.0/26 src-address-list=wh-stuwe-mgmt
add action=accept chain=input src-address=172.19.2.3
add action=drop chain=forward comment="Drop eduroam to internal nets" disabled=yes dst-address-list=private in-interface=wh-pf-eduroam log=yes
add action=reject chain=forward comment="Drop from Bogons" log-prefix=drop-from-bogon reject-with=icmp-net-prohibited src-address-list=BOGONS
add action=reject chain=forward comment="Drop to Bogons" dst-address-list=BOGONS log-prefix=drop-to-bogon reject-with=icmp-net-prohibited
add action=drop chain=input comment=basic log-prefix=default-drop src-address-list=v4_wh
add action=accept chain=forward log=yes log-prefix="mgmt fwd in" src-address-list=wh-stuwe-mgmt

In the connection list I see around 30 active connections with traffic over https/IPv4 of around 2500 connections.

Does anyone have any idea what could be happening here?

Hello there, have you resolved it?
If you haven't, have you tried enabling the SSL service in: ip > services > www-ssl ?

If you have resolved it, can you tell us?

Hi guys,
have you resolved this problem at all? I'm in a similar situation. Sometimes users cannot load HTTPS sites. Then after reloading the homepage it works.

Not being able to load HTTPS sites is usually an MTU issue due to larger packets. Make sure you’re clamping TCP MSS if you have a non-standard MTU and aren’t blocking ICMP.

I second this. Although TCP MSS clamping isn’t strictly required if MTU and path MTU discovery (largely an ICMP process) is functioning. Blocking ICMP carte blanche is a very dated security posture.
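The two replies above describe the mechanism (an oversized TCP segment with DF set disappears when the "fragmentation needed" ICMP message is filtered, so the small handshake packets pass but the large TLS certificate segment never arrives) and the usual fix (clamp the MSS announced in the SYN). The following is an added example, not code from this thread or from RouterOS: it builds a constructed IPv4/TCP SYN, rewrites its MSS option to fit a chosen outgoing MTU the way an MSS-clamping rule does, recomputes the TCP checksum, and shows the "black hole" test that a defender can apply to a given MSS/path-MTU pair. Addresses, ports and the 1492-byte MTU are constructed sample values.

```python
import ipaddress
import struct

IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header without options


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, tcp_segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp_segment))
    return checksum(pseudo + tcp_segment)


def build_syn(mss: int, src="192.0.2.10", dst="198.51.100.20") -> bytes:
    """Constructed sample packet: IPv4/TCP SYN to port 443 carrying an MSS option."""
    s = ipaddress.IPv4Address(src).packed
    d = ipaddress.IPv4Address(dst).packed
    # MSS option (kind 2, length 4) followed by four NOPs so the header stays 4-byte aligned
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x01\x01"
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_offset << 4, 0x02, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(s, d, tcp)) + tcp[18:]
    total_len = 20 + len(tcp)
    # flags 0x4000 = DF set, which is what makes an oversized segment drop instead of fragment
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def clamp_mss(packet: bytes, out_mtu: int):
    """Rewrite the MSS option of a TCP SYN so the peer never sends a segment larger
    than out_mtu. Returns (packet, old_mss, new_mss); the MSS fields are None when
    the packet is not a TCP SYN carrying an MSS option (packet is then unchanged)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:  # not TCP
        return packet, None, None
    src, dst = packet[12:16], packet[16:20]
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & 0x02:  # MSS is only carried on SYN / SYN-ACK
        return packet, None, None
    doff = (tcp[12] >> 4) * 4
    ceiling = out_mtu - IPV4_TCP_OVERHEAD
    old = new = None
    i = 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:  # malformed option, stop rather than loop forever
            break
        if kind == 2 and length == 4:
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            new = min(old, ceiling)
            struct.pack_into("!H", tcp, i + 2, new)
            break
        i += length
    if old is None:
        return packet, None, None
    tcp[16:18] = b"\x00\x00"  # zero the checksum field before recomputing it
    struct.pack_into("!H", tcp, 16, tcp_checksum(src, dst, bytes(tcp)))
    return packet[:ihl] + bytes(tcp), old, new


def verify_tcp_checksum(packet: bytes) -> bool:
    """A valid segment sums to zero when the stored checksum is included."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def blackholed(mss: int, path_mtu: int) -> bool:
    """True when a full-sized segment for this MSS exceeds the path MTU: with DF set
    and the ICMP "fragmentation needed" reply filtered, such segments are silently lost."""
    return mss + IPV4_TCP_OVERHEAD > path_mtu


if __name__ == "__main__":
    syn = build_syn(1460)                      # a client on a 1500-byte LAN
    fixed, before, after = clamp_mss(syn, 1492)  # uplink with a 1492-byte MTU
    print("MSS %d -> %d, checksum ok: %s" % (before, after, verify_tcp_checksum(fixed)))
    print("unclamped black-holed:", blackholed(before, 1492), "clamped:", blackholed(after, 1492))
```

The 40-byte ceiling is the IPv4 case; IPv6 needs 60. On RouterOS the equivalent of `clamp_mss` is a mangle rule in the forward chain matching `protocol=tcp tcp-flags=syn` with `action=change-mss new-mss=clamp-to-pmtu`, applied to the uplink interface. A quick check from a client that the path is not black-holing is a ping with DF set and a payload just under the expected MTU (for example `ping -M do -s 1464 <host>` on Linux for a 1492-byte path); if that fails while a smaller size works, the symptoms in the thread are expected until the MSS is clamped or the ICMP reply is allowed through.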