problem with opening web site please help

Hi All
I have a problem when I try to open a specific web site via MikroTik.
If I try to open it via a normal router, it opens.
This site is www.arabseed.com
The main site opens, but if you try to open any of its links, for example
http://www.arabseed.com/refresh-21886
it gives me a blank page in Internet Explorer. Please, MikroTik team, help me get rid of this error.

I am using MikroTik 4.15 on a PC with hotspot, enabling cache.

This is a general problem, not just in my MikroTik; it is in all MikroTik routers. You can test it on your routers.

Please help
Thanks

Works perfectly fine for me here in the office behind a MikroTik. A router does not care what web site you are going to or what DNS name you have (barring configuring it to care with filtering traffic to certain IP addresses or using the proxy); it routes packets and doesn’t care where they are headed. We will need your configuration to see if there are any problems with that.

Please post the results of the following commands in a code bracket.

/ip firewall export
/ip route print detail
/ip proxy export
/ip hotspot export

Thanks for the reply.
Here is the settings export you asked for. Kindly find it attached.

/ip firewall export
# dec/15/2010 17:56:25 by RouterOS 4.15
# software id = W5EY-LHT9
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=5s tcp-close-timeout=5s \
    tcp-close-wait-timeout=5s tcp-established-timeout=10m \
    tcp-fin-wait-timeout=5s tcp-last-ack-timeout=5s tcp-syn-received-timeout=\
    5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=5s \
    udp-stream-timeout=3m udp-timeout=5s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=return chain=forward comment="Ping Replay Rule" disabled=no \
    protocol=icmp
add action=accept chain=forward comment="Yoville Game" disabled=no dst-port=\
    843 protocol=tcp
add action=accept chain=forward comment="" disabled=no dst-port=9339 \
    protocol=tcp
add action=drop chain=forward comment="Block P2P Traffic" disabled=no p2p=\
    all-p2p
add action=add-src-to-address-list address-list="ARP Users" \
    address-list-timeout=0s chain=forward comment=\
    "Add to Net Cut Address list" disabled=yes dst-address-type=unicast \
    dst-port=137 protocol=udp src-address=10.10.10.0/24
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Ping Rule" disabled=no \
    new-packet-mark=Ping passthrough=yes protocol=icmp
add action=mark-packet chain=output comment="Cache Packets Rule" disabled=no \
    dscp=4 new-packet-mark=Cache_Packets out-interface=LAN passthrough=no
/ip firewall nat
add action=accept chain=dstnat comment="Arab seed" disabled=no \
    dst-address-list=Arabseed dst-port=80 protocol=tcp
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no src-address=10.10.10.0/23
add action=redirect chain=dstnat comment="Transparent Web Proxy Forward" \
    disabled=no dst-port=80 protocol=tcp to-ports=8080
add action=dst-nat chain=dstnat comment="Samir RDP" disabled=no dst-address=\
    10.0.0.1 dst-port=3389 protocol=tcp to-addresses=10.10.10.240
add action=netmap chain=srcnat comment="VPN Rule" disabled=no src-address=\
    10.10.10.0/23 to-addresses=10.0.0.1
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=yes
set sip disabled=no ports=5060,5061
set pptp disabled=yes
[Admin@MikroTik Maadi Server] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=10.0.0.138 
        gateway-status=10.0.0.138 reachable WAN distance=1 scope=255 
        target-scope=10 

 1 ADC  dst-address=10.0.0.0/24 pref-src=10.0.0.1 gateway=WAN 
        gateway-status=WAN reachable distance=0 scope=10 

 2 ADC  dst-address=10.10.10.0/23 pref-src=10.10.10.250 gateway=LAN 
        gateway-status=LAN reachable distance=0 scope=10 
[Admin@MikroTik Maadi Server] > /ip proxy export
# dec/15/2010 17:56:26 by RouterOS 4.15
# software id = W5EY-LHT9
#
/ip proxy
set always-from-cache=yes cache-administrator="" cache-hit-dscp=4 \
    cache-on-disk=yes enabled=yes max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=1w max-server-connections=5000 \
    parent-proxy=95.211.133.181 parent-proxy-port=80 port=8080 \
    serialize-connections=no src-address=0.0.0.0
/ip proxy access
add action=deny comment="block telnet & spam e-mail relaying" disabled=no \
    dst-port=23-25
add action=deny comment="Deny access from WAN to Web Proxy " disabled=no \
    src-address=!10.10.10.0/23
add action=deny comment="Block All Banners" disabled=no dst-host=\
    *yieldmanager* redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*googlesyndication.com* \
    redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*doubleclick.net* \
    redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*megaclick.com* redirect-to=\
    img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*loading321.com* redirect-to=\
    img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*fe.brandreachsys.com* \
    redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*.advertising.com* \
    redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*at.atwola.com* redirect-to=\
    img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=\
    *adserving.cpxinteractive.com* redirect-to=\
    img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*server.cpmstar.com* \
    redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*adserver.adtech.de* \
    redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*www.linkonlineworld.com* \
    redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*clk.atdmt.com* redirect-to=\
    img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=ads.*.com* redirect-to=\
    img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=ad.*.com* redirect-to=\
    img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=ads.*.net* redirect-to=\
    img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=ad.*.net* redirect-to=\
    img31.imageshack.us/img31/4692/88153829.jpg
/ip proxy cache
add action=deny comment="" disabled=no path=*.zip
add action=deny comment="" disabled=no path=*.rar
add action=deny comment="" disabled=yes path=*.mp3
add action=deny comment="" disabled=yes path=*.pdf
add action=deny comment="" disabled=no path=*.wav
add action=deny comment="" disabled=yes path=*.flv
add action=deny comment="" disabled=no path=*.iso
/ip proxy direct
add action=allow comment="" disabled=no dst-address=10.10.10.0/23
add action=allow comment="" disabled=no dst-host=*student.guc.edu.eg*
add action=allow comment="" disabled=no dst-host=www.google.com
add action=allow comment="" disabled=no dst-host=*www.yahoo.com*
add action=allow comment="" disabled=no dst-host=www.msn.com
[Admin@MikroTik Maadi Server] > /ip hotspot export
# dec/15/2010 17:56:29 by RouterOS 4.15
# software id = W5EY-LHT9
#
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
    http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
    name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
    use-radius=no
add dns-name=www.wi-fi-internet.com hotspot-address=10.10.10.250 \
    html-directory=hotspot http-proxy=0.0.0.0:0 login-by=http-chap name=\
    Hotspot_Profile rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
    use-radius=no
/ip hotspot
add address-pool=Hotspot_Pool addresses-per-mac=1 disabled=no idle-timeout=5m \
    interface=LAN keepalive-timeout=none name=hotspot1 profile=\
    Hotspot_Profile
/ip hotspot user profile
set default advertise=no idle-timeout=none keepalive-timeout=1m name=default \
    open-status-page=http-login rate-limit=\
    "128K/416K 2M/4M 128K/416K \t120/120" shared-users=1 status-autorefresh=\
    10m transparent-proxy=yes
/ip hotspot service-port
set ftp disabled=no ports=21

/ip hotspot walled-garden
add action=allow comment="" disabled=no dst-host=www.tvquran.com
add action=allow comment="" disabled=no dst-host=www.islamway.com
add action=allow comment="" disabled=no dst-host=www.way2allah.com
add action=allow comment="" disabled=no dst-host=www.mazameer.com
add action=allow comment="" disabled=no dst-host=www.alheweny.org
add action=allow comment="" disabled=no dst-host=www.quranflash.com
add action=allow comment="" disabled=no dst-host=www.dorar.net
add action=allow comment="" disabled=yes dst-host=ia331410.us.archive.org
add action=allow comment="" disabled=no dst-host=www.archive.org
add action=allow comment="" disabled=yes dst-host=ia331411.us.archive.org
add action=allow comment="" disabled=no dst-host=*.us.archive.org
[Admin@MikroTik Maadi Server] >

Sorry about the misunderstanding.

Well you have two things in your proxy rule that won’t do anything there, they are better placed in the firewall filter:

add action=deny comment="block telnet & spam e-mail relaying" disabled=no \
    dst-port=23-25
add action=deny comment="Deny access from WAN to Web Proxy " disabled=no \
    src-address=!10.10.10.0/23

The proxy only works for HTTP, not telnet or SMTP, so having those rules there is meaningless. Also, I believe it will take fewer resources to block proxy requests from addresses you don’t want in the firewall filter than in the proxy itself.

As for why you cannot access that website, I didn’t see anything in your firewall to prevent it, so I’m guessing it’s tied to the proxy itself. Try setting always-from-cache=yes to no, and test. If that doesn’t work, disable the transparent proxy rule, and disable it in the hotspot profile and sign back in and see what happens. If it works then, re-enable the proxy and disable all of the deny rules, try again, if it works, enable the rules one by one until you run across the one causing your problem.
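The firewall-filter placement suggested in the reply above, written out as an added example that is not part of the original thread. The 10.10.10.0/23 network, proxy port 8080 and ports 23-25 come from the posted export; the choice of chains and the rule order are assumptions about this setup.

```routeros
# Added example, not from the thread. Addresses and ports are taken from
# the export posted above; chain choice is an assumption.
/ip firewall filter

# The web proxy listens on the router itself (port=8080). Both redirected
# port-80 traffic and direct connections to the proxy port are delivered
# to the router, so the match belongs in the input chain.
# Dropping everything that is not from the hotspot network keeps the
# proxy from being usable as an open relay from the WAN side.
add chain=input action=drop protocol=tcp dst-port=8080 \
    src-address=!10.10.10.0/23 \
    comment="Deny access from WAN to Web Proxy"

# Telnet and SMTP from hotspot clients are routed through the router,
# not handled by the HTTP proxy, so they are matched in the forward chain.
add chain=forward action=drop protocol=tcp dst-port=23-25 \
    src-address=10.10.10.0/23 \
    comment="block telnet & spam e-mail relaying"

# Rule order matters: these drops must sit above any accept rule that
# would match the same traffic first.
```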

This may be the problem.

/ip firewall nat
(snip)
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no src-address=10.10.10.0/23

Add this rule:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

If ether1 is not your wan interface, then change that.
Then remove the masquerade with the src-address.
It will masquerade your localnet, but when you go through the proxy, it is not masquerading the proxy server (127.0.0.1). At least that is what I have discovered.

Thank you both for your replies.

As for this error, I fixed it, but nothing changed; it is the same.


I discovered that when I disable the proxy entirely, the site works normally (I discovered this after I tried working with the proxy but with all rules and the cache disabled, which also did not work). Please, Feklar, try to open these links with the proxy enabled in MikroTik; you will find that it won’t work, as I did.

Now I need to know why MikroTik does not open this site when the proxy is enabled.

As for a solution, I did find one (by putting the site's IP addresses before the proxy rule in the NAT section and accepting them), but it is not logical to do this for every site that does not work.

Is the parent proxy working? Have you tried it without the parent proxy?

/ip proxy
set always-from-cache=yes cache-administrator="" cache-hit-dscp=4 \
    cache-on-disk=yes enabled=yes max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=1w max-server-connections=5000 \
    parent-proxy=95.211.133.181 parent-proxy-port=80 port=8080 \
    serialize-connections=no src-address=0.0.0.0

Yes, I did (I tried with pure proxy settings (default, also without cache)).

Also, a strange thing happens with the parent proxy. The parent proxy cannot retrieve this link for me either (it gives me an error from the Apache proxy server). It may be a problem with the site, but I think the MikroTik router needs to solve this problem for such sites in the web proxy.

If the parent proxy cannot open the page, neither will the proxy in RouterOS. Check if anything else is working properly; also note that the RouterOS proxy works with HTTP and does NOT work with HTTPS.

There are challenges with the webpages also. This is the only code returned by http://www.arabseed.com/refresh-21886

The php code has challenges also. There are and tags in the document body. ??

This means that the MikroTik proxy does not support this kind of page?

Not only mikrotik. Most proxy servers face similar issues with such pages.

I don’t use meta refresh to redirect because it is a bit unreliable. But I use this when I do:

<html>
<head>
<meta http-equiv='refresh' content='0; url=http://forum.arabseed.com/showthread.php?p=857400'>
</head>
</html>

Last I checked, the proxy won’t cache dynamic pages. And that dynamic page is loaded with warnings and a couple errors, according to my Firefox error console.

Then is what I did a good solution, or is there a better one?

How many sites don’t work besides the one you listed in your original post? How about http://www.yahoo.com? Or http://www.google.com? Do they work? They are both dynamic pages.

ADD: Have you tried going to the forum webpage direct without the meta refresh?
http://forum.arabseed.com/showthread.php?p=857400

I agree with you, no doubt that MikroTik is a very high performance server.

But if the two sites are dynamic pages, why didn’t MikroTik open the one we have a problem with? (Sorry if I have weak knowledge for understanding the previous posts.)

Try going direct to the forum site. Does it work without the meta refresh page?
http://forum.arabseed.com/showthread.php?p=857400

No, it did not work, the same.
I tried the same link you gave me
http://forum.arabseed.com/showthread.php?p=857400

but the main site works

http://www.arabseed.com/

Try this:

/ip proxy direct
add action=allow dst-host=forum.arabseed.com

And you are certain you are not blocking anything on that page with the proxy, by either domain name or file type? I noticed a Flash Player app running on that page.

You might try a simple php page in that same server.

<html><body>Test Page</body></html>

Save as “test.php” on forum.arabseed.com website.
http://forum.arabseed.com/test.php
If it says “Test Page”, then it must be something on your showthread.php page causing the fail.