IU1LCU
September 22, 2022, 8:56pm
1
Hello everybody, it's my first time on this forum. I was looking for some articles about HTTPS web pages timing out in the browser.
There are some HTTPS web pages that say timeout and I don't know why.
Before, I had a FRITZ!Box 7530 and everything worked. After I put in a hAP ac to get more experience with MikroTik (I already use it but I want to learn more), from when I put in my hAP ac I started having problems with some HTTPS websites (not every HTTPS one); in my case they are verti.it, speedtest.net, test.eolo.it.
The tests I've made:
I tried to disable some or all firewall rules and NAT, but nothing.
Tried to reset and reconfigure the router, nothing.
I started to reset and put in a very poor configuration, adding a piece every day; it looked like it was working. At the end I had the same configuration as when I got the problems, but this time without problems...
Now I put in a hAP ac3, exported the old config from the ac and put it into the ac3: VPN, firewall, NAT, everything works, but I again have problems with these HTTPS pages (with Ethernet or Wi-Fi, but if I use OpenVPN on my phone I can open them).
It is not a problem from the ISP or DNS (I have my own Pi-hole DNS and it has worked since I had the 7530, but I already tried with Google DNS without resolving it).
Does anybody have the same experience? I'm getting very confused about it and I can't find what it could be.
Hi, it would be better if you put a /export on the forum, replacing the sensitive data with *** (don't delete anything), so I can take a look,
as other members could when they see the export.
When you ask for help, always remember to specify the RouterOS version and the exact device model (both are in the export).
IU5
IU1LCU
September 23, 2022, 11:04am
3
CONFIGURATION
I exported the config and replaced some private data with ***.
The config just has an IP WAN (not PPPoE), some firewall rules for VPN, some NAT rules (most of them disabled), Wi-Fi, DHCP, L2TP, OpenVPN.
# sep/23/2022 12:51:44 by RouterOS 7.5
# model = RBD53iG-5HacD2HnD
/interface bridge
add arp=proxy-arp name=LAN
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=PC
set [ find default-name=ether3 ] comment=SWITCH
set [ find default-name=ether4 ] comment=NAS
/interface eoip
add allow-fast-path=no mac-address=02:57:90:89:8B:B6 name=eoip-tunnel1 \
remote-address=192.168.10.5 tunnel-id=2929
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
name=profile1 supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
comment=2.4 disabled=no frequency=2457 installation=indoor mode=ap-bridge \
security-profile=profile1 ssid=DAVID-2G
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-eeCe \
comment=5 disabled=no frequency=5220 mode=ap-bridge security-profile=\
profile1 ssid=DAVID-5G
/interface wireless manual-tx-power-table
set wlan1 comment=2.4
set wlan2 comment=5
/interface wireless nstreme
set wlan1 comment=2.4
set wlan2 comment=5
/ip pool
add name=dhcp_pool1 ranges=192.168.10.100-192.168.10.150
add name=pool-vpn ranges=192.168.10.6-192.168.10.10
/ip dhcp-server
add address-pool=dhcp_pool1 interface=LAN lease-time=1d name=dhcp1
/ppp profile
add bridge=LAN local-address=192.168.10.254 name=l2tp only-one=yes \
remote-address=192.168.10.5
add bridge=LAN local-address=192.168.10.254 name=l2tp2 only-one=no \
remote-address=pool-vpn
add local-address=192.168.10.254 name=ovpn remote-address=pool-vpn
/interface bridge port
add bridge=LAN ingress-filtering=no interface=ether3
add bridge=LAN ingress-filtering=no interface=ether4
add bridge=LAN ingress-filtering=no interface=wlan1
add bridge=LAN ingress-filtering=no interface=ether2
add bridge=LAN ingress-filtering=no interface=wlan2
add bridge=LAN ingress-filtering=no interface=eoip-tunnel1
add bridge=LAN ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=default enabled=yes \
use-ipsec=yes
/interface ovpn-server server
set auth=sha1 certificate=SERVER cipher=aes256 enabled=yes port=1094 \
require-client-certificate=yes
/ip address
add address=192.168.10.254/24 interface=LAN network=192.168.10.0
add address=192.168.2.253/24 interface=ether1 network=192.168.2.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.254 \
netmask=24
/ip dns
set servers=192.168.10.1
/ip firewall filter
add action=accept chain=input src-address=192.168.10.0/24
add action=accept chain=input src-address=192.168.2.0/24
add action=accept chain=input comment=ovpn port=1094 protocol=tcp
add action=accept chain=input comment="x vnp l2tp" port=1701,500,4500 \
protocol=udp
add action=accept chain=input comment="vpn l2tp" protocol=ipsec-esp
add action=accept chain=input comment="eoip tunnel" protocol=gre
add action=drop chain=input connection-state=new src-address=0.0.0.0/0
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1300 out-interface=\
ether1 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=dst-nat chain=dstnat comment=pc-win4icom disabled=yes dst-address=\
192.168.2.253 dst-port=5001 protocol=tcp to-addresses=192.168.10.99 \
to-ports=5001
add action=dst-nat chain=dstnat comment=pc-win4icom disabled=yes dst-address=\
192.168.2.253 dst-port=5001 protocol=udp to-addresses=192.168.10.99 \
to-ports=5001
add action=dst-nat chain=dstnat comment=telefono disabled=yes dst-address=\
192.168.2.253 dst-port=5060 protocol=udp to-addresses=192.168.10.115 \
to-ports=5060
add action=dst-nat chain=dstnat comment=pc-win4icom disabled=yes dst-address=\
192.168.2.253 dst-port=50002 protocol=tcp to-addresses=192.168.10.99 \
to-ports=50002
add action=dst-nat chain=dstnat comment=pc-win4icom disabled=yes dst-address=\
192.168.2.253 dst-port=50002 protocol=udp to-addresses=192.168.10.99 \
to-ports=50002
add action=dst-nat chain=dstnat comment=server-FTP dst-address=192.168.2.253 \
dst-port=9921 protocol=tcp to-addresses=192.168.10.1 to-ports=9921
add action=dst-nat chain=dstnat comment=server-openvpn dst-address=\
192.168.2.253 dst-port=1194 protocol=udp to-addresses=192.168.10.1 \
to-ports=1194
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.254
/ip service
set telnet address=192.168.10.0/24 disabled=yes port=7123
set ftp address=192.168.10.0/24 disabled=yes port=7121
set www address=192.168.10.0/24
set ssh address=192.168.10.0/24 port=7021
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/ppp secret
add name=*** profile=l2tp service=l2tp
add name=*** profile=l2tp2 service=l2tp
add name=*** profile=ovpn service=ovpn
add name=*** profile=ovpn service=ovpn
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=IU1LCU-QTH
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system scheduler
add interval=30m name=APRS on-event=" /system script run aprs" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=sep/04/2022 start-time=00:00:00
/system script
add dont-require-permissions=yes name=aprs owner=iu1lcu policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
!rsc\r\
\n# RouterOS script: aprs\r\
\n\r\
\n# --- Begin customization ---\r\
\n:local aprsCall \"IU1LCU\";\r\
\n:local aprsSsid \"RB\";\r\
\n:local aprsPass \"***\";\r\
\n:local aprsLat \"***\";\r\
\n:local aprsLon \"***\";\r\
\n:local aprsComment \"Mikrotik\"\r\
\n:local aprsSymbol \"I\";\r\
\n# --- End customization ---\r\
\n\r\
\n# HTTP Post to APRS-IS\r\
\n# Note: Requires line feed at beginning of http-data\r\
\n\r\
\n/tool fetch keep-result=no http-method=post http-header-field=\"accept-t\
ype: text/plain,content-type: application/octet-stream,content-length: 93\
\" port=8080 url=http://srvr.aprs-is.net/ http-data=(\"\r\
\nuser \$aprsCall pass \$aprsPass vers mikrotik\r\
\n\$aprsCall\".\"-\".\"\$aprsSsid\".\">APRS,TCPIP*:=\$aprsLat\".\"/\$aprsL\
on\".\"\$aprsSymbol \$aprsComment\")"
I do not see anything strange except "b" for 2.4 GHz and old WPA active.
To fix it, paste this in the terminal:
{
/interface wireless security-profiles
set profile1 authentication-types=wpa2-psk eap-methods=passthrough supplicant-identity="MikroTik"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n
}
But for problems on that sites, I do not see anything strange…
IU1LCU
September 23, 2022, 6:11pm
5
A friend of mine told me about something in IP > Firewall, in the top "Connections" tab where the timeout limits are, but he didn't remember which parameter it is. I also see some similar problems on the forum where they talk about MTU (I don't know what it is).
It does not matter.
Your firewall timing is right.
The problem can be your ISP or the device you use, if "touched" like a RouterBOARD...
I hope this is still disabled…
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1300 out-interface=\
ether1 passthrough=yes protocol=tcp tcp-flags=syn
IU1LCU
September 23, 2022, 6:26pm
7
I found this command in another forum post:
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
I honestly don't know what it is (I'm not a MikroTik expert) but now it is working.
I hope this can be helpful for other people.
Thank you very much rextended, 73
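As an added example (not from the thread, nor MikroTik's own tooling): the clamp-to-pmtu rule above works because an intermediate hop cannot carry full 1500-byte TCP segments and the ICMP "fragmentation needed" replies never reach the client, so large TLS handshake packets are silently dropped. This script, run from a LAN client, measures the real path MTU with DF-bit pings and derives the MSS a clamp rule should impose. It assumes Linux iputils ping (-M do sets DF); the probe target and the 1492/1500 values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: measure the path MTU from a LAN client
# with DF-bit pings, then derive the TCP MSS a clamp rule should impose.
# Assumes Linux iputils ping (-M do sets DF, -s sets the ICMP payload size).

# mss_for_mtu MTU -> TCP MSS that fits an IPv4 packet of that MTU
# (MTU minus 20-byte IPv4 header minus 20-byte TCP header).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# needs_clamp MSS PMTU -> exit 0 if a peer advertising MSS would send
# segments that cannot cross a path with MTU PMTU without fragmentation.
needs_clamp() {
    [ "$1" -gt "$(mss_for_mtu "$2")" ]
}

# probe HOST PAYLOAD -> exit 0 if one DF ping with PAYLOAD bytes is answered.
probe() {
    ping -M do -s "$2" -c 1 -W 1 "$1" >/dev/null 2>&1
}

# find_pmtu HOST -> prints the largest DF packet size (payload + 28 bytes of
# IP and ICMP headers) that is answered, found by binary search; 1472 is the
# largest payload that fits a 1500-byte Ethernet MTU.
find_pmtu() {
    host=$1
    if probe "$host" 1472; then
        echo 1500
        return 0
    fi
    lo=0       # largest payload known to pass (a 28-byte packet always fits)
    hi=1472    # smallest payload known to fail
    while [ $(( hi - lo )) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$host" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo $(( lo + 28 ))
}

# Usage from a LAN client behind the router (target address is a placeholder):
#   pmtu=$(find_pmtu 203.0.113.1)
#   echo "path MTU $pmtu, clamp MSS to $(mss_for_mtu "$pmtu")"
```

The same probe can be run on the router itself with RouterOS's `/ping` using its `size=` and `do-not-fragment` options; if the measured path MTU is below 1500, an advertised MSS of 1460 will be silently dropped on that path, which is exactly what clamp-to-pmtu corrects.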