HTTPS does not work

marklodge · November 7, 2011, 5:37pm

I cannot access any secure https sites such as: Yahoo Mail
It opens up and the following address shows in the address bar and it just hangs.
https://login.yahoo.com/config/login_verify2?.intl=us&.src=ym

Here are the details that fewi requests.

[admin@UBNTMik] >  /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=10.0.0.48/24 network=10.0.0.0 broadcast=10.0.0.255 
     interface=ether1 actual-interface=ether1 

 1   address=192.168.2.1/32 network=192.168.2.1 broadcast=192.168.2.1 
     interface=Night actual-interface=Night 

 2   address=192.168.3.1/32 network=192.168.3.1 broadcast=192.168.3.1 
     interface=Day actual-interface=Day 

 3 X address=192.168.7.10/24 network=192.168.7.0 broadcast=192.168.7.255 
     interface=ether1 actual-interface=ether1 

 4   address=10.0.11.49/24 network=10.0.11.0 broadcast=10.0.11.255 
     interface=ether3 actual-interface=ether3 

 5   address=10.0.12.1/24 network=10.0.12.0 broadcast=10.0.12.255 
     interface=ether1 actual-interface=ether1 

 6 X address=10.0.0.29/24 network=10.0.0.0 broadcast=10.0.0.255 
     interface=ether2 actual-interface=ether2 

16 D address=10.5.60.14/32 network=192.168.17.248 broadcast=0.0.0.0 
     interface=<pppoe-zak@test> actual-interface=<pppoe-zak@test> 




[admin@UBNTMik] > 
[admin@UBNTMik] > /ip route print detail /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  ;;; 2 WAN route
        dst-address=0.0.0.0/0 gateway=10.0.12.27,10.0.11.22 
        gateway-status=10.0.12.27 reachable ether1,10.0.11.22 reachable ether3 
        check-gateway=ping distance=1 scope=30 target-scope=10 

 1 ADC  dst-address=10.0.0.0/24 pref-src=10.0.0.48 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10 

 2 ADC  dst-address=10.0.11.0/24 pref-src=10.0.11.49 gateway=ether3 
        gateway-status=ether3 reachable distance=0 scope=10 

 3 ADC  dst-address=10.0.12.0/24 pref-src=10.0.12.1 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10 

 4 ADC  dst-address=192.168.2.1/32 pref-src=192.168.2.1 gateway=Night 
        gateway-status=Night reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.3.1/32 pref-src=192.168.3.1 gateway=Day 
        gateway-status=Day reachable distance=0 scope=10 

 6 ADC  dst-address=192.168.17.243/32 pref-src=10.5.60.14 
        gateway=<pppoe-zak@test> gateway-status=<pppoe-zak@test> reachable 
        distance=0 scope=10 

[admin@UBNTMik] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="ether1" type="ether" mtu=1500 l2mtu=1526 

 1  R  name="ether2" type="ether" mtu=1500 l2mtu=1522 

 2  R  name="ether3" type="ether" mtu=1500 l2mtu=1522 

 3  R  ;;; Day PPPOE Radius
       name="Day" type="bridge" mtu=1500 l2mtu=65535 

 4  R  ;;; Night PPPOE Radius
       name="Night" type="bridge" mtu=1500 l2mtu=65535 

14 DR  name="<pppoe-zak@test>" type="pppoe-in" mtu=1480 




[admin@UBNTMik] > /ip firewall export
# nov/07/2011 19:23:32 by RouterOS 4.17
# software id = 6S61-VQPK
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
    "Unthrottle all local downloads and uploads" disabled=no dst-address=\
    10.0.0.0/24 new-packet-mark=up passthrough=yes
add action=mark-packet chain=postrouting comment=\
    "Unthrottle all local downloads and uploads" disabled=no new-packet-mark=\
    down passthrough=yes src-address=10.0.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    ether1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    ether3
add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=\
    tcp to-ports=3129
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@UBNTMik] >

network diagram.png

jandafields · November 7, 2011, 7:45pm

It looks like port 80 gets natted and goes through a web proxy, but you forgot about 443 and it doesn’t get natted.

marklodge · November 7, 2011, 8:31pm

i forgot to mention that not ALL https does not work. there are 3 that i know dose not work,

gumtree.co.za (cannot sign in to : https://secure.gumtree.co.za/capetown-westerncape/s-SignIn?rup=DefaultPage&ruq=redirect%3Dwww )
yahoo mail
paypal

and GMAIL works
https://mail.google.com works and i can login with no problems