Help with 1 website, can't access

dragonauta · February 6, 2018, 1:09am

Hi, I have an RB2011 (routeros 6.41) with two ISP: 1 is Cable (primary, 25MB always running) and another is pppoe but managed by ISP modem (secondary 3MB, using it just as backup) *
I have a problem with only 1 website: http://186.153.139.115/siat/gde/AdministrarAuthClaveTramite.do?method=inicializar
It’s a town site for taxes and such.
I can ping and traceroute (second and third hops are failing)
I can’t access, I get ERR_CONNECTION_TIMED_OUT on Chrome

I’ve tried mss shaping:
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1361-65535 action=change-mss new-mss=1360 disabled=no

I’ve tried static route (before drop rules):
/ip firewall filter add chain=forward src-address=186.153.139.115 action=accept

I’ve tried clearing DNS cache.
Tried changing MTU on ethernet port (ether1)

/tool traceroute 186.153.139.115
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST
 1 190.7.24.1                         0%  742  10.7ms    17.2       7   354.1
 2 10.6.48.97                       14..  742  23.8ms      16     5.7   304.4
 3 192.168.240.37                   99..  742 timeout      21    17.2    24.4
 4 192.168.254.182                    0%  741  24.5ms    20.3    12.1   431.9
 5 200.63.150.181                   0.4%  741  20.2ms    22.7    13.2     482
 6 200.3.34.1                       0.7%  741    24ms    24.3    15.3   325.5
 7 200.117.126.18                   0.7%  741  40.5ms    27.9    17.5     335
 8 186.108.59.130                   0.4%  741  26.2ms    28.3    19.6   339.6
 9 186.153.139.115                  0.3%  741  28.1ms    27.3    19.4   355.9

Any hint would be appretiated. Thanks in advance

EDIT:

secondary ISP provides modem, and I just can get a 192.168.1.0/24 IP for my ether2 port, so my gateway for ether2 is 192.168.1.1

AlainCasault · February 6, 2018, 1:20am

Hello,

Why do you think it’s your fault IF it’s only this one web site?

It’s normal that certain hops on a traceroute don’t respond. Not all ISPs reply to that.

As for your filter, taken out of context, it doesn’t tell us anything. But if your fw is properly built, you shouldn’t need it. You normally accept return forward traffic that’s "established"or “related”.

Have you tried from another network to see if the site responds?

Regards,

Sent from Tapatalk

dragonauta · February 6, 2018, 2:19am

Thanks Alain.
This site is part of town government. All citizen can access through main site: http://www.parana1.com.ar/afim/ (under SIAT, opens a new tab)
Oddly I can access from same ISP (different service 8MB) and other ISP. I can access from my home. Any time. So, that IP is online always.

I’ll post firewall rules(I’m not there right now), but they’re ok… I think.

I have three guesses:

I misconfigured router
ISP is blocking traffic to Target IP
Target IP is blocking access from my IP

p3rad0x · February 6, 2018, 7:57am

Its most probably your IP being blacklisted by them.

If it was more then one site we could say maybe MTU related issue.

dragonauta · February 6, 2018, 11:32am

Here are original fw rules (I XXX the forwarded ports), I disabled changes for mtu and mss:

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1-wan1
add action=drop chain=input comment="drop all from WAN2" in-interface=ether2-wan2
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward disabled=yes src-address=186.153.139.115
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-wan1
add action=drop chain=forward comment="drop all from WAN2not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether2-wan2
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1361-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1-wan1
add action=masquerade chain=srcnat out-interface=ether2-wan2
add action=dst-nat chain=dstnat dst-port=XXXXX log=yes protocol=tcp to-addresses=10.0.0.23 to-ports=XXXXX
add action=dst-nat chain=dstnat dst-port=XXXXX protocol=tcp to-addresses=10.0.0.22 to-ports=XXXX

Today I’m calling to helpdesk on target site for this issue.

dragonauta · February 6, 2018, 3:30pm

Something really, really, REALLY ODD is happening.
Connected to Wifi, from my Android phone using Chrome App I CAN ACCESS this f***ing site.
But I can’t access from any laptop Linux/Chromium; Linux/Firefox; Windows/Chrome; Windows/Firefox; Windows/Edge; Windows/IExplorer; neither from a wired server.

Grickos · February 6, 2018, 3:38pm

Upgrade Ros to 6.41.1.
6.41 has bugs with pppoe mss connection.
*) ppp - fixed change-mss functionality in some specific traffic (introduced in v6.41);

dragonauta · February 7, 2018, 12:08am

Just upgraded to 6.41.1.
No changes… still can’t access website.

Making a last test, I used an anonymous proxy: https://us.hidester.com
Bingo! I can access the website.

Obviously there is a problem with my IP (or our ISP) and the website.
I first thought that was my fault, as I’m not an expert with ROS.

Thanks to all.

CZFan · February 7, 2018, 12:08pm

But earlier you said you could access the website from your phone on wifi?
Might have to dig a bit deeper in your config before throwing the problem to ISP

dragonauta · February 7, 2018, 5:00pm

@CZFan Yeah… but I can access ONLY from my phone (a Xiaomi Redmi Note 4).
Can’t access from any other device (laptops, PC or phones of any brand)

I have a very basic config on a really simple network (10.0.0.0/24 with 54 devices), no vlans, posted firewall rules.
The website started to fail in january, coincidentally after I upgraded firmware to 6.41.

But If everything works as expected except THAT website and apparently the culprit is THAT website
I just could “fix it” using an anonymous proxy extension for browser.
You see, it’s just one person in whole company that access that website and once per month.

I think it’s not worth it if I can solve it in another way.
If I start to register any other issue, then yes, it would dig deeper or maybe make a fresh config.

frantoloto · March 16, 2018, 9:13am

Hello,

I would suggest you to use a web proxy it works for me as suggested above. Example : https://anonymster.com/proxy