I have MikroTik 2.9.4
and I have a problem: messenger and email don't connect.
Help me…
What Efren wanted to say (his English is a little worse than mine — LOL):
We have a 2.9.4 MT box, our setup is very simple, one Public interface, one local interface, a simple ip pool, a dhcp server, and a hotspot with nat.
The issue is:
Hotspot users log in as usual and browse the internet without a problem, except when they reach an HTTPS site like the email services from hotmail.com or yahoo.com; also, MSN Messenger does not connect, and POP3 and SMTP do not work. It seems like it is being firewalled.
In the firewall there are NO defined rules except for the dynamic ones made by the hotspot itself.
Web-proxy is not enabled in the box.
Any ideas? What are we doing wrong?
Best
Jorge Boardman
What is the MTU of the public interface? Is it possible that ICMP is blocked somewhere?
MTU = 1500
http://forum.mikrotik.com/t/msn-blocked/1675/1
I had this with MSN, don't know about other things.
The final end of this discussion was: the hotspot did not correctly (or not at all, I don't remember) create the masquerade srcnat rule in the firewall; that was the problem.
Thanks for all the help.
Hi guys, I'm a newbie on this matter.
I've tried to put a mangle, and I've received the following error message:
/ip firewall mangle
/.. add chain=prerouting protocol=tcp tcp_flags=syn action=change_mss NEW TCP MSS= 1360
and received an error like this:
tcp mss clamping is not possibly on prerouting and input chains
What am I doing wrong?
Could you help me, please?
Make sure you define the FORWARD chain for this rule. It won’t work in the pre-routing chain on 2.9.x
Try this:
/ ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1360 comment="" disabled=no
willbill, we are better, thanks for the comment. By now the error message is different: the contact list is not available.
I believe that the problem is in another part of my config.
[fvazquez@MikroTik] ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Dropear Conexiones Inválidas
chain=input connection-state=invalid action=drop
1 ;;; Permitir Conexiones Establecidas
chain=input connection-state=established action=accept
2 ;;; Permitir UDP
chain=input protocol=udp action=accept
3 ;;; Permitir ICMP
chain=input protocol=icmp action=accept
4 ;;; Direcciones de Acceso Remoto
chain=input src-address=192.168.0.0/24 action=accept
5 chain=input src-address=192.168.1.0/24 action=accept
6 chain=input src-address=10.1.0.0/24 action=accept
7 chain=input src-address=201.216.201.177 action=accept
8 ;;; Negar todo otro acceso al Equipo
chain=input action=drop
9 ;;; Drop Invalid Conections
10 ;;; Allow Already Established Connections
chain=forward connection-state=established action=accept
11 ;;; Permitir FTP
chain=forward protocol=tcp src-port=20-21 action=accept
12 chain=forward protocol=tcp dst-port=20-21 action=accept
13 ;;; Allow Related Connections
chain=forward connection-state=related action=accept
14 ;;; Block IP Address called "BOGONS"
chain=forward src-address=0.0.0.0/8 action=drop
15 chain=forward dst-address=0.0.0.0/8 action=drop
16 chain=forward src-address=127.0.0.0/8 action=drop
17 chain=forward dst-address=127.0.0.0/8 action=drop
18 chain=forward src-address=224.0.0.0/3 action=drop
19 chain=forward dst-address=224.0.0.0/3 action=drop
20 ;;; Make Jumps to new chains
chain=forward protocol=tcp action=jump jump-target=tcp
21 chain=forward protocol=udp action=jump jump-target=udp
22 chain=forward protocol=icmp action=jump jump-target=icmp
23 ;;; Deny TFTP
chain=udp protocol=udp dst-port=69 action=drop
24 ;;; Deny RPC Portmapper
chain=tcp protocol=tcp dst-port=111 action=drop
25 chain=tcp protocol=tcp dst-port=135 action=drop
26 ;;; Deny NBT
chain=tcp protocol=tcp dst-port=137-139 action=drop
27 ;;; Deny CIFS
chain=tcp protocol=tcp dst-port=445 action=drop
28 ;;; Deny NFS
chain=tcp protocol=tcp dst-port=2049 action=drop
29 ;;; Deny Netbus
chain=tcp protocol=tcp dst-port=12345-12346 action=drop
30 chain=tcp protocol=tcp dst-port=20034 action=drop
31 ;;; Deny Back Orffice
chain=tcp protocol=tcp dst-port=3133 action=drop
32 ;;; Deny DHCP
chain=tcp protocol=tcp dst-port=67-68 action=drop
33 ;;; Deny RPC Portmapper
chain=udp protocol=udp dst-port=111 action=drop
34 chain=udp protocol=udp dst-port=135 action=drop
35 ;;; Deny NBT
chain=udp protocol=udp dst-port=137-139 action=drop
36 ;;; Deny NFS
chain=udp protocol=udp dst-port=2049 action=drop
37 ;;; Deny Back Orffice
chain=udp protocol=udp dst-port=3133 action=drop
38 ;;; Drop Invalid Connections
chain=icmp protocol=icmp icmp-options=0:0 action=drop
39 ;;; Allow Established Connections
chain=icmp protocol=icmp icmp-options=3:0 action=accept
40 ;;; Allow echo Request
chain=icmp protocol=icmp icmp-options=8:0 action=accept
41 ;;; Allow Time Exceed
chain=icmp protocol=icmp icmp-options=11:0 action=accept
42 ;;; Allow parameter bad
chain=icmp protocol=icmp icmp-options=12:0 action=accept
43 ;;; Allow Source Quench
chain=icmp protocol=icmp icmp-options=4:0 action=accept
Nat Rules:
[fvazquez@MikroTik] ip firewall nat> pri
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat src-address=10.1.0.0/24 action=masquerade
1 chain=srcnat src-address=192.168.0.0/24 action=masquerade
2 ;;; Redireccionamiento de Proxy
chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
===============================================
Some rare work:
Messenger: does not connect
FTP Client: connects but does not receive the content of the directories
Web Surfing Port 80 - Works Fine
Web Surfing Port 443 - Does not receive active pages like Home Banking
===============================================
I know that all of these situations are stupid for a trained person, but for me they are very difficult to resolve, and all help will be highly appreciated.
Thanks a lot for your help.
Rgs,
Fernando
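Added example, not part of the original posts: a small first-match evaluator that walks constructed TCP packets through the forward-chain rules exactly as printed in the post above, to check which listed rule (if any) decides each packet. Rule 9 (no match line in the printout) and the udp/icmp chains are left out, and the accept at the end of the forward chain is an assumption, since the printout shows no final drop rule there; `verdict`, `new_tcp` and the sample addresses are hypothetical names and values.

```python
import ipaddress

# TCP path of the forward chain, transcribed from the printout above.
# Rule 9 has no match line in the post and is left out; udp/icmp chains omitted.
N, A = ipaddress.ip_network, ipaddress.ip_address
def P(lo, hi=None): return range(lo, (hi or lo) + 1)   # inclusive port range
RULES = [  # (number, chain, match conditions, action)
    (10, "forward", {"state": "established"}, "accept"),
    (11, "forward", {"proto": "tcp", "sport": P(20, 21)}, "accept"),
    (12, "forward", {"proto": "tcp", "dport": P(20, 21)}, "accept"),
    (13, "forward", {"state": "related"}, "accept"),
    (14, "forward", {"src": N("0.0.0.0/8")}, "drop"),
    (15, "forward", {"dst": N("0.0.0.0/8")}, "drop"),
    (16, "forward", {"src": N("127.0.0.0/8")}, "drop"),
    (17, "forward", {"dst": N("127.0.0.0/8")}, "drop"),
    (18, "forward", {"src": N("224.0.0.0/3")}, "drop"),
    (19, "forward", {"dst": N("224.0.0.0/3")}, "drop"),
    (20, "forward", {"proto": "tcp"}, "jump:tcp"),
    (24, "tcp", {"proto": "tcp", "dport": P(111)}, "drop"),
    (25, "tcp", {"proto": "tcp", "dport": P(135)}, "drop"),
    (26, "tcp", {"proto": "tcp", "dport": P(137, 139)}, "drop"),
    (27, "tcp", {"proto": "tcp", "dport": P(445)}, "drop"),
    (28, "tcp", {"proto": "tcp", "dport": P(2049)}, "drop"),
    (29, "tcp", {"proto": "tcp", "dport": P(12345, 12346)}, "drop"),
    (30, "tcp", {"proto": "tcp", "dport": P(20034)}, "drop"),
    (31, "tcp", {"proto": "tcp", "dport": P(3133)}, "drop"),
    (32, "tcp", {"proto": "tcp", "dport": P(67, 68)}, "drop"),
]

def matches(cond, pkt):
    # Strings compare for equality; port ranges and networks test membership.
    return all(pkt[k] == w if isinstance(w, str) else pkt[k] in w
               for k, w in cond.items())

def verdict(pkt, chain="forward"):
    """First match wins; a jumped-to chain with no match returns to its caller."""
    for num, ch, cond, action in RULES:
        if ch == chain and matches(cond, pkt):
            if not action.startswith("jump:"):
                return action, num
            hit = verdict(pkt, action[5:])
            if hit:
                return hit
    # Assumption: a packet that matches nothing in forward is accepted.
    return ("accept", None) if chain == "forward" else None

def new_tcp(dport, state="new"):  # constructed sample packet from a LAN client
    return {"state": state, "proto": "tcp", "sport": 40000, "dport": dport,
            "src": A("10.1.0.50"), "dst": A("203.0.113.10")}
```

`verdict(new_tcp(443))` and `verdict(new_tcp(1863))` (HTTPS and the MSN Messenger port) both return `('accept', None)`, meaning none of the listed forward rules drops them, while `verdict(new_tcp(445))` returns `('drop', 27)`.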