MikroTik on Comcast cable modem issues

Hi everyone,

I have a weird situation at one of my clients on a Comcast business cable modem in Chicago.
I have a MikroTik 2011 behind the modem (I have to double NAT unfortunately, since on my ether1 I have 10.1.10.x and the local network has 192.168.9.0/24).

HTTP/HTTPS traffic is not working; all web pages are timing out except for google.com.
DNS resolution works
traceroute works
Ping works
GRE works
PPTP works
I have the latest ROS 3.4.2 on that router.
Also tried with the firewall disabled.
I have no web proxy enabled.
The only thing enabled is a simple source NAT.

On that MikroTik I have a VPN set up with their main office. If I mark all traffic to go through the VPN tunnel, HTTP and HTTPS work; they can browse any page.
At this point i am forced to route all their web traffic through the VPN from their main site.

The ISP insists it is a problem with the MikroTik and they have no issue on their network.
Haven’t tested it, but I am pretty sure that if I connect a PC to the modem it works.
I thought it might be an MTU issue or something, but the ISP said that there is no need to lower the MTU.


I am out of ideas.

I would really appreciate if someone could give me an idea.
I am shipping another MikroTik there today, but I’m 99.99% sure it will not solve the issue.

If the modem has NAT, why not use the 2011 in bridge/switch mode?
I set up my modem in bridge mode and use my own router (3011), but with another provider and on another continent :smiley:

You could verify whether things are getting past the Mikrotik properly by doing a quick sniffer check on the Mikrotik…
capture the WAN interface and set the capture to save to a file.
Start capture, try a web page or two, and then stop the capture.

Download and open in Wireshark, checking whether you see the SYN requests going out, and checking that the source IP address is properly translated.

If you’re using ether1 as the wan interface, then the simple nat rule should be:
chain=srcnat action=masquerade out-interface=ether1

Also - double check that there aren’t any dstnat rules in the configuration. If you’re also trying to map NAT pinholes for 80 and 443, make sure those dstnat rules aren’t matching outbound connections - in general, dstnat pinhole rules should use in-interface=ether1 as part of their setup.

If you also want to allow hairpin NAT, then instead of using in-interface=ether1, try using dst-address=your.wan.ip (since Comcast business lets you go static IP just fine…)
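The sniffer check and the NAT rule checklist from the reply above, written out as RouterOS CLI commands. This is an added example, not configuration from the thread or from MikroTik; ether1 as the WAN interface, 203.0.113.10 as the static Comcast address and 192.168.9.10 as an internal web server are assumed placeholders.

```routeros
# Added example (not from the thread). Assumed: ether1 = WAN interface.

# --- 1. Capture WAN-side traffic to a file for Wireshark -------------------
# Only TCP to/from 80 and 443 is kept so the file stays small on a 2011.
/tool sniffer set filter-interface=ether1 filter-ip-protocol=tcp \
    filter-port=80,443 file-name=wan-capture.pcap file-limit=10000KiB
/tool sniffer start
# ... from a LAN host, load a web page or two ...
/tool sniffer stop
# Quick look without leaving the router:
/tool sniffer packet print
# Download wan-capture.pcap from /file (WinBox, WebFig or FTP), open it in
# Wireshark and filter on  tcp.flags.syn==1 && tcp.flags.ack==0  : each SYN
# must carry the WAN address as source, never a 192.168.9.x address.

# --- 2. The simple source NAT rule for traffic leaving ether1 --------------
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# --- 3. Correct shape of a dstnat pinhole --------------------------------
# Restricted to traffic arriving on the WAN interface, so it cannot catch
# outbound browsing from the LAN. 192.168.9.10 is an assumed internal server.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp \
    dst-port=80,443 action=dst-nat to-addresses=192.168.9.10

# --- 4. Hairpin variant ---------------------------------------------------
# Match on the public address instead of the interface (203.0.113.10 is a
# placeholder for the static Comcast IP) and masquerade the redirected
# LAN-to-LAN flow so replies return through the router.
/ip firewall nat add chain=dstnat dst-address=203.0.113.10 protocol=tcp \
    dst-port=80,443 action=dst-nat to-addresses=192.168.9.10
/ip firewall nat add chain=srcnat src-address=192.168.9.0/24 \
    dst-address=192.168.9.10 protocol=tcp dst-port=80,443 action=masquerade

# --- The shape to avoid --------------------------------------------------
# A pinhole with neither in-interface nor dst-address matches the LAN's own
# outbound requests to port 80/443 and redirects them to the internal server,
# which produces exactly the "everything times out" symptom:
# /ip firewall nat add chain=dstnat protocol=tcp dst-port=80,443 \
#     action=dst-nat to-addresses=192.168.9.10
```

Rules in the nat chains are evaluated top to bottom, so check the order with `/ip firewall nat print` after adding them; a too-broad dstnat rule placed above the restricted one still wins.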

Thank you for your answer.

I do not have hairpin NAT configured and no DNAT rules are in place.

The SNAT rule is configured as below, just with ether10 as the connection:
chain=srcnat action=masquerade out-interface=ether10

Call Comcast and ask them to put the modem in “virtual bridge” mode (I don’t think you can do it yourself).

I don’t think they can do that with Comcast business - the last time I interacted with them was to get a public IP for our ASA at a site, and they had to just put a /29 on their ethernet interface. Apparently, it’s a branded Cisco IOS router with a DOCSIS interface, and either the device doesn’t support bridging, or Comcast won’t use that mode for whatever reason if it does exist.


Fair enough. If the rules are simple and everything else works (FTP, SSH, Remote Desktop, etc) then it’s time to figure out exactly where in the process lies the issue… do the browsers have any proxy settings configured? Does the LAN have anything in DNS/DHCP which would trigger the auto-discovery of a proxy? Are the browsers actually sending packets out on the wire? Are they being correctly forwarded by the 2011? Do you see these same requests on the wire? On the WAN side?

Do you see the connection attempts in the connection tracking table of the 2011’s firewall? (this would be the easiest first place to look w/o breaking out Wireshark) Make sure the reply-src and reply-dst columns are also shown so that you can verify that NAT is being done correctly.
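The connection-tracking check suggested above, plus the other on-router checks that answer "are the packets forwarded and translated?" before opening Wireshark. Added example, not from the thread; 192.168.9.20 is an assumed LAN client, and ether10 is the WAN interface as the original poster described it.

```routeros
# Added example (not from the thread). Assumed: ether10 = WAN interface,
# 192.168.9.20 = a LAN client that has just tried to open a web page.

# --- 1. Connection tracking ----------------------------------------------
# List the client's outbound TCP connections to 80/443 with all columns.
# For a correctly masqueraded flow:
#   src-address        192.168.9.20:<port>    dst-address        <server>:443
#   reply-src-address  <server>:443           reply-dst-address  10.1.10.x:<port>
# If reply-dst-address still shows 192.168.9.20, srcnat is not being applied.
/ip firewall connection print detail where protocol=tcp \
    src-address~"^192.168.9.20:" dst-address~":(80|443)\$"

# --- 2. NAT rule counters -------------------------------------------------
# Zero the counters, attempt a page load, then print: the masquerade rule's
# packets/bytes must rise. A dstnat rule whose counters rise on plain
# outbound browsing is matching traffic it should not.
/ip firewall nat reset-counters-all
/ip firewall nat print stats

# --- 3. Interface counters ------------------------------------------------
# Packets must leave ether10 and replies must come back in.
/interface monitor-traffic ether10 once

# --- 4. Same request from the router itself --------------------------------
# This bypasses the LAN, the client and srcnat entirely; if it also hangs,
# the fault lies between the 2011 and the ISP, not in the NAT rules.
/tool fetch url="http://example.com/" mode=http keep-result=no
```

Reading the four checks together localizes the failure: a missing conntrack entry means the client never reached the router, a present entry with an untranslated reply-dst-address means the srcnat rule is not matching, and a translated entry with no response bytes on ether10 points at the modem or ISP side.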

They did it with me :stuck_out_tongue:
Or at least they said they did.
Also, I’m assuming the OP has a static IP.