Sites not showing up (SYN sent)

Good morning,
how is it that some sites are not accessible, with the connection stuck in SYN sent?
When I test on a router other than my MKT it works fine.
Do you have an idea?
THANKS

MKT system: RouterOS 6.49.7

Without seeing pretty much the complete setup of the Mikrotik router (which blocks some sites) it's impossible to say what the reason might be. Also, write which sites in particular you have trouble connecting to and which protocol/service it is.

Hi,
http://www.vflit.fr
https://dsnval.net-entreprises.fr/dsnval/autocontrole-dsn-val_2022.exe
(attachment: mkt.png)

# apr/11/2023 10:41:38 by RouterOS 6.49.7
# software id = L35K-T8TG
# model = RB962UiGS-5HacT2HnT
# serial number = BEC60B5E56A0

/ip firewall filter
add action=drop chain=input comment=winboxwan dst-port=8058 in-interface=ether1 in-interface-list=WAN log=yes log-prefix="drop winbowlan" protocol=tcp
add action=drop chain=input comment=winboxwan dst-port=8056 in-interface=ether1 in-interface-list=WAN log=yes log-prefix="drop webinterface" protocol=tcp src-address-list=""
add action=accept chain=input comment="sstp mkt" dst-port=42444 log=yes log-prefix="sstp mkt" protocol=tcp
add action=accept chain=input comment="liste access interfcace web authoriser" dst-port=8056 protocol=tcp src-address-list=Acces-routeur
add action=accept chain=input comment="accept WINBOX adresse liste winboxok" dst-port=8058 log-prefix="winboox acces valide" protocol=tcp src-address-list=Acces-routeur
add action=drop chain=input comment="Winbox black list final" dst-port=8058 limit=1,5:packet protocol=tcp src-address-list="winbox blacklist " time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="winbox blacklist " address-list-timeout=1w3d5h1m chain=input comment="Winbox black list 2" dst-port=8058 limit=1,5:packet protocol=tcp src-address-list="winbox blacklist 4"
add action=add-src-to-address-list address-list="winbox blacklist 4" address-list-timeout=1m chain=input comment="Winbox black list 2" dst-port=8058 limit=1,5:packet protocol=tcp src-address-list="winbox blacklist 3"
add action=add-src-to-address-list address-list="winbox blacklist 3" address-list-timeout=1m chain=input comment="Winbox black list 2" dst-port=8058 limit=1,5:packet protocol=tcp src-address-list="winbox blacklist 2"
add action=add-src-to-address-list address-list="winbox blacklist 2" address-list-timeout=1m chain=input comment="Winbox black list 2" dst-port=8058 limit=1,5:packet protocol=tcp src-address-list="winbox blacklist 1"
add action=add-src-to-address-list address-list="winbox blacklist 1" address-list-timeout=1m chain=input comment="Winbox black list" dst-port=8058 limit=1,5:packet protocol=tcp
add action=drop chain=input comment="brute force webinterfcace final" dst-limit=1,5,dst-address/1m40s dst-port=8056 limit=1,5:packet protocol=tcp src-address-list=Web-acces time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list=Web-acces address-list-timeout=1w3d chain=input comment="brute force webinterfcace 5" connection-state=new dst-port=8056 protocol=tcp src-address-list=Web-acces4
add action=add-src-to-address-list address-list=Web-acces4 address-list-timeout=1m chain=input comment="brute force webinterfcace 4" connection-state=new dst-port=8056 protocol=tcp src-address-list=Web-acces3
add action=add-src-to-address-list address-list=Web-acces3 address-list-timeout=1m chain=input comment="brute force webinterfcace 3" connection-state=new dst-port=8056 protocol=tcp src-address-list=Web-acces2
add action=add-src-to-address-list address-list=Web-acces2 address-list-timeout=1m chain=input comment="brute force webinterfcace 2" connection-state=new dst-port=8056 protocol=tcp src-address-list=Web-acces1
add action=add-src-to-address-list address-list=Web-acces1 address-list-timeout=1m chain=input comment="brute force webinterfcace 1" connection-state=new dst-port=8056 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix="drop invalide"
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN log-prefix="not lan"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related,new
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Wireshark capture (attachment: wire.png)

Two things:

  1. I was asking for the complete config, not only the firewall filter config.
    Having had a look at the firewall filter rules and the screenshot of the Wireshark capture, I'm suspecting wrong or missing SRC NAT rules, but, again, without seeing everything it's impossible to tell. So post the complete configuration (with sensitive data, such as the public IP address, obfuscated but not erased).
  2. You were messing with the default firewall rules. This one is weird:

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related,new

The highlighted part (,new) is definitely not "defconf" ... and is very probably messing things up. Perhaps it's not the reason for what you reported in the initial post, but it can mess things up.
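Added example, not part of the original post or of the poster's configuration: the RouterOS 6 default (defconf) fasttrack rule placed next to the one visible in the export above, with the commands to correct it in place and to verify the result. Fasttracked connections skip the rest of the filter, mangle and queue processing, which is why the default only fasttracks connections the firewall has already admitted as established or related, never connection-state=new. The export also shows the defconf "drop all not coming from LAN" input rule with disabled=yes, so the per-port winbox/web drop rules above it are all that protects the input chain.

```routeros
# Added example (not from the original thread). RouterOS 6 syntax.
# Fasttracked connections bypass the remaining filter/mangle/queue rules,
# so the default rule only fasttracks traffic the firewall has already
# accepted (established,related). Adding "new" extends that bypass to
# connections the forward chain has not yet judged.

/ip firewall filter
# Posted rule (the one the reply above calls weird):
#   add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
#       connection-state=established,related,new
#
# Default rule as shipped by defconf:
#   add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
#       connection-state=established,related
#   (followed by the "accept established,related,untracked" rule that is
#    already present in the posted export; fasttrack-connection itself does
#    not accept the packet)

# Fix the existing rule in place rather than adding a duplicate:
set [find comment="defconf: fasttrack"] connection-state=established,related

# Verify: the rule should now list only established,related and its
# counters should keep moving for normal LAN-to-WAN traffic.
print stats where comment~"fasttrack"

# While troubleshooting, disable fasttrack so every packet walks the full
# forward chain and all rule counters (and any log rules) are meaningful;
# re-enable it afterwards.
disable [find comment="defconf: fasttrack"]
# enable [find comment="defconf: fasttrack"]
```

The set/print/disable commands operate on the rule by its comment, so they work regardless of the rule's position in the list; re-enable fasttrack once testing is over, since on an RB962 it carries most of the forwarding throughput.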

Hi,

I have only NAT:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Hi,

my public IP doesn't ping my local address; you can see that in the Wireshark capture.

For my tests I disabled the firewall rules and it didn't change anything:
the sites are not accessible.

THANKS

If you have a Linux LAN host, what does

tcptraceroute dsnval.net-entreprises.fr 443

show? If it stops (and it should, because you can see the appropriate ICMP packet going in the opposite direction in Wireshark), where does it stop? Does it stop at your router or some hops further?

I'm done with guesswork here since you don't want to provide the full config even though I kindly asked for it already twice (this is the third time). It's a waste of my time.
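Added example, not part of the original thread: the router-side counterpart to the tcptraceroute suggested above, run from the RouterOS 6 terminal, to see whether the SYN for the site leaves the WAN interface with the public address as source and whether anything comes back. The hostname and port are the ones from the thread and ether1 is the WAN interface from the posted filter rules; the LAN client address 192.168.88.10 is a placeholder to be replaced with the PC that shows the stuck connection.

```routeros
# Added example (not from the original thread). RouterOS 6 syntax.
# Assumptions: ether1 is the WAN interface (as in the posted filter rules),
# 192.168.88.10 is a placeholder for the LAN client that cannot reach the site.

# 1. TCP traceroute from the router itself to the site on port 443:
#    if it stops at the first WAN hop the problem is upstream of the LAN.
/tool traceroute address=dsnval.net-entreprises.fr protocol=tcp port=443 count=3

# 2. While the LAN client retries, inspect the tracked connection.
#    tcp-state=syn-sent and a reply-dst-address that is NOT the router's
#    WAN address means the masquerade rule did not apply to this flow.
/ip firewall connection print detail where src-address~"192.168.88.10" and dst-address~":443"

# 3. Confirm the srcnat rule is matching at all (packet counter must rise).
/ip firewall nat print stats where comment~"masquerade"

# 4. Log this client's packets at the top of the forward chain, ahead of the
#    fasttrack rule, so they cannot bypass the logger. Remove it afterwards.
/ip firewall filter add chain=forward action=log log-prefix="dsnval" place-before=0 \
    protocol=tcp src-address=192.168.88.10 dst-port=443
/log print where message~"dsnval"
/ip firewall filter remove [find log-prefix="dsnval"]

# 5. Capture the same flow on the WAN side: the SYN should leave with the
#    public address as source, followed by a SYN-ACK or an ICMP error.
/tool sniffer quick interface=ether1 port=443
```

Steps 2 and 5 together answer the question asked above: a connection stuck in syn-sent whose packets do leave ether1 with the public source address points past the router, while packets leaving with the private source address or never appearing on ether1 point at the router's NAT or routing.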