Hello all,
I have a 2011UAS Mikrotik router with firmware 3.14. I am trying to access http://e107.org and it keeps timing out. I know the site is up as I can access the site through my cell phone, work and if I connect my pc directly to the modem. Only when I am going through the Mikrotik router do I run into problems.
I have checked that there is no entry in the Layer7 Protocols in the Firewall and no entries in the Mangle section. I have even tried setting the DNS servers to google’s dns (8.8.8.8 and 8.8.4.4) and still no luck.
I am not sure what other information might be needed, ask and I will gladly provide any info. Any help would be appreciated.
Kevin
First of all, I think 3.14 is the BIOS version, not the RouterOS version; install 6.13 and see if that solves it.
Second, post the “/export compact” result on the forum.
Thank you for the reply.
I have upgraded from 6.12 to 6.13 and I am still not able to access http://e107.org .
I am posting the results of /export compact (I have commented out the public ip and domain in the results).
# jan/01/1970 18:02:03 by RouterOS 6.13
# software id = 0LXY-H9N2
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no l2mtu=1598 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=1Gbps
set [ find default-name=ether2 ] name=ether2-Lan speed=1Gbps
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local
set [ find default-name=sfp1 ] name=sfp1-gateway speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=192.168.15.220-192.168.15.250
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2-Lan
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
/ip address
add address=192.168.15.1/24 comment="default configuration" interface=ether2-Lan network=192.168.15.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=sfp1-gateway
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.15.239 client-id=1:38:aa:3c:90:6f:38 mac-address=38:AA:3C:90:6F:38 server=default
add address=192.168.15.247 client-id=1:0:d:fe:58:92:91 mac-address=00:0D:FE:58:92:91 server=default
/ip dhcp-server network
add address=192.168.15.0/24 comment="default configuration" dns-server=192.168.15.1 gateway=192.168.15.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=192.168.15.0/24 list=support
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add chain=input comment="Accept to established connections" connection-state=established
add chain=input comment="Accept to related connections" connection-state=related
add chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=drop chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add action=drop chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=drop chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=drop chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=drop chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.235 dst-port=80 protocol=tcp to-addresses=192.168.15.10 to-ports=80
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.235 dst-port=22 protocol=tcp to-addresses=192.168.15.10 to-ports=22
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.235 dst-port=21 protocol=tcp to-addresses=192.168.15.10 to-ports=21
add action=dst-nat chain=dstnat disabled=yes dst-address=xx.xx.xx.235 dst-port=64391 protocol=tcp to-addresses=192.168.15.10 to-ports=64391
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.235 dst-port=587 protocol=tcp to-addresses=192.168.15.10 to-ports=587
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.235 dst-port=443 protocol=tcp to-addresses=192.168.15.5 to-ports=443
add action=dst-nat chain=dstnat connection-limit=0,32 dst-address=xx.xx.xx.67 dst-port=119 limit=0,5 protocol=tcp to-addresses=192.168.15.40 to-ports=119
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.235 dst-port=25 protocol=tcp to-addresses=192.168.15.10 to-ports=25
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.67 dst-port=995 protocol=tcp to-addresses=192.168.15.5 to-ports=995
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.67 dst-port=993 protocol=tcp to-addresses=192.168.15.5 to-ports=993
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.67 dst-port=8085 protocol=tcp to-addresses=192.168.15.40 to-ports=8085
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.235 dst-port=8080 protocol=tcp to-addresses=192.168.15.10 to-ports=8080
add action=dst-nat chain=dstnat dst-address=192.168.15.232 dst-port=9080 protocol=tcp to-addresses=192.168.15.205 to-ports=9080
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.15.232 dst-port=9085 protocol=tcp to-addresses=192.168.15.205 to-ports=9085
add action=dst-nat chain=dstnat comment=uTorrent dst-address=xx.xx.xx.67 dst-port=31706 protocol=tcp to-addresses=192.168.15.40 to-ports=31706
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.67 dst-port=7760 protocol=tcp to-addresses=192.168.15.205 to-ports=7760
add action=netmap chain=dstnat dst-address=xx.xx.xx.0/24 to-addresses=192.168.15.0/24
add action=netmap chain=srcnat src-address=xx.xx.xx.0/24 to-addresses=192.168.15.0/24
add action=masquerade chain=srcnat src-address=192.168.15.0/24 to-addresses=0.0.0.0
add action=dst-nat chain=dstnat disabled=yes dst-address=xx.xx.xx.67 dst-port=563 protocol=tcp to-addresses=192.168.15.40 to-ports=563
add action=dst-nat chain=dstnat disabled=yes dst-port=563 protocol=tcp to-addresses=192.168.15.40 to-ports=563
/ip proxy
set max-cache-size=none parent-proxy=0.0.0.0
/ip service
set telnet disabled=yes
set www address=xx.xx.xx.0/22 disabled=yes port=6969
set api disabled=yes
/ip traffic-flow
set cache-entries=4k enabled=yes interfaces=ether1-gateway
/ip upnp
set allow-disable-external-interface=no
/lcd
set time-interval=hour
/lcd interface
set sfp1-gateway interface=sfp1-gateway
set ether1-gateway interface=ether1-gateway
set ether2-Lan interface=ether2-Lan
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6-master-local interface=ether6-master-local
set ether7-slave-local interface=ether7-slave-local
set ether8-slave-local interface=ether8-slave-local
set ether9-slave-local interface=ether9-slave-local
set ether10-slave-local interface=ether10-slave-local
/system clock
set time-zone-name=America/Winnipeg
/system clock manual
set time-zone=-05:00
/system identity
set name=xxxxxxxxx.ca
/system ntp client
set enabled=yes mode=unicast primary-ntp=66.163.71.33 secondary-ntp=66.163.71.34
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-Lan
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-Lan
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
/tool traffic-monitor
add interface=ether1-gateway name=tmon1 threshold=0 traffic=received
add interface=ether2-Lan name=tmon2 threshold=0
add interface=ether1-gateway name=traf1
Check if the router is resolving that domain. From a command line in the router
:put [:resolve e107.org]
Through the command line I entered :put [:resolve e107.org] and the result was 64.235.55.242, which is the IP address for e107.org. So the router is resolving the DNS for it but I’m not able to get through. I must admit, this one has me stumped… which means it will probably be something really simple in the end.
That is the same ip I get here. That website is using virtual hosting. If you try that ip, you get a webpage from the virtual host. Then try nslookup from a command line on the computer if it has that capability. Maybe the computer is not getting the resolution on that domain.
Is the request to that domain failing from more than one device?
When I try the 64.235.55.242 ip on the pc’s behind the router I don’t even get the virtual hosting page. I only get “Web Page is not Available”. When I use the laptop connected directly to the modem the ip brings me to the virtual hosting page and I am also able to access e107.org.
The nslookup shows (with the dns on the pc set to the Mikrotik router):
C:\Users\kevin>nslookup e107.org
Server: UnKnown
Address: 192.168.15.1
Non-authoritative answer:
Name: e107.org
Address: 64.235.55.242
When I set the DNS on the pc to Google:
Non-authoritative answer:
Name: e107.org
Address: 64.235.55.242
Have you tried to ping the ip from the router ??
/ping 64.235.55.242
I have had a similar problem before, with not reaching one specific ip.
My hair was on the floor. lol
It was my own netmask on the wan ip.
I can’t even ping e107.org or by the ip from anything behind the Mikrotik router. Once I bypass the router I can access the site and receive good ping/ traceroute results.
You use nat.
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
Do you see any traffic in the NAT?
/ip firewall connection print where tcp-state="established"
/ip firewall connection print
I ran the following code:
/ip firewall nat add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
and then ran the following:
/ip firewall connection print where tcp-state="established"
Flags: S - seen reply, A - assured
PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT
0 SA tcp 192.168.15.227:57263 192.168.15.1:8291 established 3m55s
1 SA tcp 192.168.15.227:57280 24.244.4.104:443 established 23h58m19s
2 SA tcp 192.168.15.45:57867 77.234.41.52:80 established 23h54m56s
3 SA tcp 192.168.15.227:57124 173.194.79.125:5222 established 23h58m34s
4 SA tcp 192.168.15.227:57278 74.125.129.95:443 established 23h58m37s
5 SA tcp 192.168.15.227:54180 173.194.79.125:5222 established 23h58m36s
6 SA tcp 192.168.15.227:54267 77.234.42.64:80 established 23h54m52s
7 SA tcp 192.168.15.227:54186 108.160.167.166:80 established 23h58m13s
8 SA tcp 192.168.15.227:57282 24.244.4.16:443 established 23h58m34s
9 SA tcp 192.168.15.227:57266 173.194.40.248:443 established 23h58m50s
10 SA tcp 192.168.15.45:58344 173.194.79.125:5222 established 23h58m37s
11 SA tcp 192.168.15.227:57265 24.244.4.94:443 established 23h58m14s
12 SA tcp 192.168.15.227:57262 98.139.199.205:80 established 23h58m35s
13 SA tcp 192.168.15.227:57101 74.125.20.188:5228 established 23h58m55s
14 SA tcp 192.168.15.227:57281 24.244.4.88:443 established 23h58m32s
[admin@bucketshots.ca] > /ip firewall connection print
Flags: S - seen reply, A - assured
PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT
0 SA tcp 192.168.15.227:57263 192.168.15.1:8291 established 3m54s
1 SA tcp 192.168.15.227:57280 24.244.4.104:443 established 23h58m18s
2 SA tcp 192.168.15.45:57867 77.234.41.52:80 established 23h54m55s
3 SA tcp 192.168.15.227:57124 173.194.79.125:5222 established 23h58m33s
4 SA tcp 192.168.15.227:57278 74.125.129.95:443 established 23h58m36s
5 SA tcp 192.168.15.227:54180 173.194.79.125:5222 established 23h58m35s
6 SA tcp 192.168.15.227:54267 77.234.42.64:80 established 23h54m51s
7 SA tcp 192.168.15.227:54186 108.160.167.166:80 established 23h58m12s
8 SA tcp 192.168.15.227:57282 24.244.4.16:443 established 23h58m33s
9 SA tcp 192.168.15.227:57266 173.194.40.248:443 established 23h58m49s
10 SA tcp 192.168.15.45:58344 173.194.79.125:5222 established 23h58m36s
11 SA tcp 192.168.15.227:57265 24.244.4.94:443 established 23h58m13s
12 SA tcp 192.168.15.227:57262 98.139.199.205:80 established 23h58m34s
13 SA tcp 192.168.15.227:57101 74.125.20.188:5228 established 23h58m54s
14 SA tcp 192.168.15.227:57281 24.244.4.88:443 established 23h58m31s
15 udp 50.72.17.235:123 66.163.71.33:123 1s
16 tcp 192.168.15.227:57288 64.235.55.242:80 syn-sent 2s
17 tcp 192.168.15.227:57289 64.235.55.242:80 syn-sent 2s
18 tcp 192.168.15.227:57290 64.235.55.242:80 syn-sent 2s
Even though the router is showing an attempt to connect, I am still not able to access the page.
I want to thank everyone for their assistance. The issue has been resolved with the kind assistance of an e107 member.
And how have you solved the problem?
Sorry, forgot to include that bit of info. It wasn’t actually me or anything on the Mikrotik router. The person from the e107 site that helped indicated that he would get my ip address unblocked. And now everything is working.
I have to say that between the e107 forums and the Mikrotik forums these are the best and most helpful people. The replies to my initial problems/ queries were prompt and relevant. Thank you to everyone.
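The connection-tracking output posted in the thread already separates a local fault from a remote block: the rows for 64.235.55.242:80 sit in syn-sent with no S (seen reply) flag, so the router forwarded the SYNs and nothing came back. The following Python sketch is an added example, not part of any post in the thread; it automates that reading, and its function names and the abbreviated sample are chosen here for illustration.

```python
from collections import defaultdict

# Abbreviated copy of the "/ip firewall connection print" output posted in the thread.
SAMPLE = """\
Flags: S - seen reply, A - assured
 0 SA tcp 192.168.15.227:57263 192.168.15.1:8291 established 3m54s
 2 SA tcp 192.168.15.45:57867 77.234.41.52:80 established 23h54m55s
15 udp 50.72.17.235:123 66.163.71.33:123 1s
16 tcp 192.168.15.227:57288 64.235.55.242:80 syn-sent 2s
17 tcp 192.168.15.227:57289 64.235.55.242:80 syn-sent 2s
18 tcp 192.168.15.227:57290 64.235.55.242:80 syn-sent 2s
"""

def parse_connections(text):
    """Yield one dict per connection row; header and legend lines are skipped."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or not tok[0].isdigit():
            continue
        # The flags column is optional: present only if it is made of S/A letters.
        flags = tok[1] if set(tok[1]) <= {"S", "A"} else ""
        rest = tok[2:] if flags else tok[1:]
        proto, src, dst = rest[0], rest[1], rest[2]
        # TCP rows carry a state before the timeout; UDP rows have only the timeout.
        state = rest[3] if len(rest) >= 5 else None
        yield {"flags": flags, "proto": proto, "src": src, "dst": dst, "state": state}

def stalled_destinations(text):
    """Return [(dst, count)] for destinations whose TCP attempts never saw a reply."""
    unanswered = defaultdict(int)
    answered = set()
    for c in parse_connections(text):
        if c["proto"] != "tcp":
            continue
        if "S" in c["flags"]:
            answered.add(c["dst"])
        elif c["state"] == "syn-sent":
            unanswered[c["dst"]] += 1
    return sorted((d, n) for d, n in unanswered.items() if d not in answered)

if __name__ == "__main__":
    for dst, n in stalled_destinations(SAMPLE):
        print(f"{dst}: {n} SYN(s) forwarded, no reply seen")
```

A destination listed here while every other destination shows SA rows points at the return path or the remote end (as with the IP block that resolved this thread) rather than at DNS or the router's own NAT rules.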