Hi everyone
I've encountered a strange issue on a Comcast internet connection and I can't find where the problem is:
First setup: Comcast was giving a private IP 10.1.10.x, the MikroTik was using 10.1.10.20, and the internal subnet was 192.168.9.0/24 - double NAT.
All traffic works except HTTP/HTTPS - some pages work and some do not:
www.yahoo.com - works
www.microsoft.com - times out after a while.
It is not a DNS-related issue; all addresses were resolved correctly.
Tracert worked to all destinations.
Second setup: Comcast provided a public ip which was configured on the mikrotik.
Same issue as before: some websites work and some do not.
Important to mention: when using PBR to route traffic through a VPN with a different provider, the pages worked correctly.
3rd setup: Configured a cheap old Linksys router, with the MikroTik behind it acting as a bridge for EoIP tunnels; the gateway for the computers is the Linksys router.
All websites work flawlessly.
If someone could shed some light on this, I would appreciate it.
thank you
Config:
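# Bridge that holds every LAN-facing port; its members are added under
# /interface bridge port further down.
/interface bridge
add name=Lan
# WAN port, renamed for clarity. The quoted name is referenced by the
# address, firewall and NAT sections below, so it must match exactly.
# The forum rendered the quotes as curly characters; they are restored to
# plain double quotes here so the export imports cleanly.
# sfp1 is unused and disabled.
/interface ethernet
set [ find default-name=ether10 ] name="ether10 - Static"
set [ find default-name=sfp1 ] disabled=yes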
# DHCP pool handed out on the LAN bridge. The router's own address
# (192.168.9.1, see /ip address) sits just below the range.
/ip pool
add name=dhcp_pool1 ranges=192.168.9.2-192.168.9.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=Lan lease-time=4h name=dhcp1
# ether1-ether9 and wlan1 are all members of the Lan bridge; ether10 (the
# WAN port) is the only Ethernet port left out.
/interface bridge port
add bridge=Lan interface=ether2
add bridge=Lan interface=ether3
add bridge=Lan interface=ether4
add bridge=Lan interface=ether5
add bridge=Lan interface=ether6
add bridge=Lan interface=ether7
add bridge=Lan interface=ether8
add bridge=Lan interface=wlan1
add bridge=Lan interface=ether1
add bridge=Lan interface=ether9
/interface bridge settings
# With this on, frames bridged between LAN ports are also run through
# /ip firewall, so the filter rules below see LAN-to-LAN traffic too, not
# only routed traffic. Worth keeping in mind when debugging.
set use-ip-firewall=yes
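/ip address
# Router's own LAN address; dhcp_pool1 starts at .2, so .1 is never leased.
add address=192.168.9.1/24 interface=Lan network=192.168.9.0
# Public /30 from the ISP on the WAN port (octets masked in the post).
# Quotes restored to plain double quotes (the forum rendered them curly).
add address=96.84.x.x/30 interface="ether10 - Static" network=96.84.x.x
/ip dhcp-server network
# NOTE(review): clients are told to use 192.168.9.2 as gateway, not this
# router's 192.168.9.1. That matches the "3rd setup" in the post, where the
# Linksys is the default gateway, but 192.168.9.2 also lies inside
# dhcp_pool1 (192.168.9.2-192.168.9.254), so it could be handed to a
# client unless a static lease exists - confirm which device owns .2.
# The first DNS server is an internal host; 8.8.8.8 is the fallback.
add address=192.168.9.0/24 dns-server=192.168.9.11,8.8.8.8 gateway=192.168.9.2
/ip dns
# Upstream resolvers used by the router itself (ISP resolvers, then Google).
set servers=75.75.75.75,75.75.76.76,8.8.8.8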
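# Input/forward filter. Rule order matters: RouterOS evaluates top to bottom
# and accepts whatever reaches the end of a chain without a matching drop.
# Curly quotes from the forum are restored to plain double quotes throughout.
/ip firewall filter
# --- Port-scan detection on the WAN port. These rules only tag the source
# into the "port scanners" list (2-week timeout); the drop follows below.
# Note the first rule's original comment carries a trailing space.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " in-interface="ether10 - Static" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" in-interface="ether10 - Static" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" in-interface="ether10 - Static" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" in-interface="ether10 - Static" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" in-interface="ether10 - Static" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" in-interface="ether10 - Static" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" in-interface="ether10 - Static" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Drop anything from a tagged scanner, on any interface.
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
# ICMP to the router from the WAN side, rate-limited to 5 packets/s.
add chain=input comment=ICMP in-interface="ether10 - Static" limit=5,0:packet protocol=icmp
# PPTP control channel (TCP/1723) accepted from the WAN. The GRE data channel
# is not listed; presumably it is matched as "related" by the pptp
# connection-tracking helper, which is not disabled under
# /ip firewall service-port. PPTP's authentication (MS-CHAPv2) is considered
# broken; if this VPN is still in use, a modern protocol is preferable.
add chain=input comment=PPTP dst-port=1723 in-interface="ether10 - Static" protocol=tcp
# Established traffic is only explicitly accepted for TCP here; non-TCP
# established flows still get through because the catch-all drop below
# matches connection-state=new only.
add chain=input comment="Allow packets belonging to existing connections" connection-state=established in-interface="ether10 - Static" protocol=tcp
add chain=forward comment="Allow packets belonging to existing connections" connection-state=established in-interface="ether10 - Static" protocol=tcp
add chain=input comment="Allow packets related to existing connections" connection-state=related in-interface="ether10 - Static"
add chain=forward comment="Allow packets related to existing connections" connection-state=related in-interface="ether10 - Static"
# --- WinBox (TCP/8291) access.
# Sources in the "safe" list are accepted outright; blacklisted sources are
# dropped; then a three-stage counter blacklists any source that opens
# three new connections within about a minute (1w3d timeout).
add chain=input comment="Allow WinBox safe hosts" connection-state=new dst-port=8291 protocol=tcp src-address-list=safe
add action=drop chain=input comment="Drop WinBox brute forcers" dst-port=8291 protocol=tcp src-address-list=wb_blacklist
add action=add-src-to-address-list address-list=wb_blacklist address-list-timeout=1w3d chain=input comment="WinBox brute forcers blacklisting" connection-state=new dst-port=8291 protocol=tcp src-address-list=wb_stage3
add action=add-src-to-address-list address-list=wb_stage3 address-list-timeout=1m chain=input comment="WinBox brute forcers the third stage" connection-state=new dst-port=8291 protocol=tcp src-address-list=wb_stage2
add action=add-src-to-address-list address-list=wb_stage2 address-list-timeout=1m chain=input comment="WinBox brute forcers the second stage" connection-state=new dst-port=8291 protocol=tcp src-address-list=wb_stage1
add action=add-src-to-address-list address-list=wb_stage1 address-list-timeout=1m chain=input comment="WinBox brute forcers the first stage" connection-state=new dst-port=8291 protocol=tcp
# NOTE(review): this accept has no in-interface or source restriction and
# sits above the "Drop everything else" rule, so WinBox is reachable from
# the public side with only the rate-limiter above as protection. If
# management is only needed from the LAN or the "safe" list, add
# in-interface=!"ether10 - Static" (or src-address-list=safe) here.
add chain=input comment="Allow WinBox" connection-state=new dst-port=8291 protocol=tcp
# Catch-all for new connections arriving on the WAN port. Everything not
# accepted above is dropped; there is no equivalent final drop in the
# forward chain, so forwarding is accepted by default.
add action=drop chain=input comment="Drop everything else" connection-state=new in-interface="ether10 - Static"
# --- FTP rules, all disabled. Note they sit below the catch-all drop, so
# even if re-enabled, new FTP connections from the WAN would already have
# been dropped by the rule above.
add chain=input comment="Allow FTP" connection-state=new disabled=yes dst-port=20-21 protocol=tcp
add action=drop chain=input comment="Drop FTP brute forcers" disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output comment="Allow only 10 FTP login incorrect answers per minute" content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp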
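/ip firewall nat
# Source NAT for everything leaving through the WAN port. There are no
# dst-nat rules in this export, so nothing is published inbound.
# Quotes restored to plain double quotes (the forum rendered them curly).
# NOTE(review): the symptom in the post (some HTTPS sites hang while
# others load, and ICMP/tracert is fine) is the usual signature of a path
# MTU / MSS problem rather than a filtering one. This export contains no
# /ip firewall mangle rule with action=change-mss, so that is worth
# checking (e.g. new-mss=clamp-to-pmtu on TCP SYN in the forward chain).
add action=masquerade chain=srcnat out-interface="ether10 - Static"
/ip firewall service-port
# Connection-tracking helpers (ALGs) switched off. pptp is not listed, so
# it is presumably still at its default (enabled) - the PPTP input rule in
# the filter chain depends on that.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes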
/ip route
# Default route via the ISP gateway (no dst-address given, so 0.0.0.0/0;
# gateway octets masked in the post).
add distance=1 gateway=96.x.x.x
/system clock
set time-zone-name=America/New_York
/system ntp client
# Two external NTP servers by IP; accurate time keeps log timestamps usable
# when correlating the firewall's address-list hits.
set enabled=yes primary-ntp=108.59.2.24 secondary-ntp=198.211.106.151
/system routerboard settings
# Bootloader protection is off. Enabling protected-routerboot blocks
# reset-button / netinstall recovery, a hardening option to weigh against
# the risk of locking yourself out - leave as is unless physical access is
# a concern.
set protected-routerboot=disabled