[Solved] Problem, not open, Gmail, youtube, Facebook

wallnas · January 15, 2012, 3:23pm

Good morning,

i have an RB 493G, but is slow to redirect to Gmail, Facebook, youtube and sometime pages can no open.

The version of routeros is 5.11

What error there is in my configuration ?

Configuration Filter:

add action=accept chain=forward comment="allow established connections" connection-state=established disabled=no
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="Permette HTTP" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=8080 protocol=tcp
add action=accept chain=forward comment=HTTPS disabled=no dst-port=443 protocol=tcp
add action=accept chain=input comment="per far accedere WebFig su porta 801" disabled=no dst-port=801 protocol=tcp
add action=accept chain=forward comment="Permette SMTP" disabled=no dst-port=25 protocol=tcp
add action=accept chain=forward comment="Permette POP3" disabled=no dst-port=110 protocol=tcp
add action=accept chain=input comment="Accetta accesso x WINBOX" disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accetta richieste dai PC della rete  al Server DNS" disabled=no dst-port=53 protocol=udp

Tanks for your help

rodolfo · January 15, 2012, 4:40pm

the script is correct and it does not limit sites you specified
there are only unnecessary accept (in forward and input) because you do not have a defult drop (but this is unrelated to your problem)

tjc · January 15, 2012, 5:36pm

My first guess would be DNS. How is DNS configured for the router and machines behind it? Are you using the router as your local DNS server? Are you having any resolution problems with the upstream DNS servers?

The next thing would be to look at packet loss within your LAN. A relatively small % of loss can cause big performance problems. I just cleaned up some very annoying issues on my LAN, by tracking down and replacing a flaky unmanaged switch. Ping testing showed that it was “only” losing <5% of the packets, but that number went up with packet size (by 1500 bytes it was closer to 20%). If you see a packet loss problem with wireless connections check for noise and interference on the frequencies that you’re using.

wallnas · January 15, 2012, 7:00pm

sorry

the last instruction is

add action=drop chain=input comment=\
    "------------------  B L O C C A     T U T T O ---------------" disabled=\
    no

tanks

rodolfo · January 15, 2012, 7:25pm

ok, but this rule blocks only in input to the router, you need a similar rule in forward chain

wallnas · January 15, 2012, 7:31pm

i have correct the filter in:

add action=accept chain=forward comment="allow established connections" connection-state=established disabled=no
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="Permette HTTP" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=8080 protocol=tcp
add action=accept chain=forward comment=HTTPS disabled=no dst-port=443 protocol=tcp
add action=accept chain=input comment="per far accedere WebFig su porta 801" disabled=no dst-port=801 protocol=tcp
add action=accept chain=forward comment="Permette SMTP" disabled=no dst-port=25 protocol=tcp
add action=accept chain=forward comment="Permette POP3" disabled=no dst-port=110 protocol=tcp
add action=accept chain=input comment="Accetta accesso x WINBOX" disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accetta richieste dai PC della rete  al Server DNS" disabled=no dst-port=53 protocol=udp
add action=drop chain=input comment="------------------  B L O C C A     T U T T O ---------------" disabled=no
add action=drop chain=forward disabled=no

I have same problems, slow and sometime pages can no open

Tanks

tjc · January 15, 2012, 8:40pm

Firewall rules would generally block something completely. There would be no “slow” or “sometimes”. As a result it seems like you should be looking elsewhere for the problem.

cbrown · January 15, 2012, 10:18pm

Check your mtu on the wan port.

wallnas · January 17, 2012, 6:56pm

ping -s 1472 www.facebook.it
PING www.facebook.com (66.220.149.66) 1472(1500) bytes of data.

ping -s 1472 www.facebook.it
PING www.facebook.com (66.220.149.66) 1472(1500) bytes of data.

This is the date

wallnas · January 21, 2012, 6:48pm

If i reboot the router all ok for 1/2 hour

wallnas · January 21, 2012, 7:13pm

I check the ip filter because if i disable:

add action=drop chain=input comment="------------------  B L O C C A     T U T T O ---------------" disabled=no
add action=drop chain=forward disabled=no

is all ok.

tjc · January 21, 2012, 10:13pm

After cleaning up and reorganizing your firewall rules a couple things jumped out at me. Comments in-line below.

/ip firewall filter
add chain=input action=accept connection-state=established
add chain=input action=accept connection-state=related
#
# What about dropping invalid connections on the input chain?
#
add chain=input action=accept dst-port=8080 protocol=tcp comment="Web Proxy"
add chain=input action=accept dst-port=801 protocol=tcp comment="WebFig"
add chain=input action=accept dst-port=8291 protocol=tcp comment="WINBOX"
add chain=input action=accept dst-port=53 protocol=udp comment="DNS"
#
# What about allowing ICMP status responses? This could be part of your problem...
# Something like...
# add chain=input action=accept protocol=icmp comment="Allow ping and the like" disabled=no
#
add chain=input action=drop comment="Drop everything else"

add chain=forward action=accept connection-state=established comment="allow established connections"
add chain=forward action=accept connection-state=related comment="allow related connections"
add chain=forward action=drop   connection-state=invalid comment="drop invalid connections"
add chain=forward action=accept dst-port=80 protocol=tcp comment="HTTP"
add chain=forward action=accept dst-port=443 protocol=tcp comment="HTTPS"
add chain=forward action=accept dst-port=25 protocol=tcp comment="SMTP"
add chain=forward action=accept dst-port=110 protocol=tcp comment="POP3"
#
# This is a very, very constrained set of ports, and doesn't differentiate between inbound and outbound traffic.
# It also allows outside machines to get in as well as letting inside machines get out... Which can be a problem.
#
add chain=forward action=drop comment="Drop everything else"

For us to get the full story I’d recommend that you do an /ip firewall export and post the complete output. Based on the information you’ve given us so far, the ICMP issue or something wonky with your connection tracking or the proxy setup are my best guesses.

wallnas · January 22, 2012, 9:20am

Tanks tjc

My complete output of /ip firewall

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="allow established connections" \
    connection-state=established disabled=no
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" \
    connection-state=related disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid disabled=no
add action=accept chain=forward comment="Permette HTTP" disabled=no dst-port=80 \
    protocol=tcp
add action=accept chain=input disabled=no dst-port=8080 protocol=tcp
add action=accept chain=forward comment=HTTPS disabled=no dst-port=443 protocol=\
    tcp
add action=accept chain=forward comment="Permette SMTP" disabled=no dst-port=25 \
    protocol=tcp
add action=accept chain=forward comment="Permette POP3" disabled=no dst-port=110 \
    protocol=tcp
add action=accept chain=forward comment="Permette Posta PEC - POP3S" disabled=no \
    dst-port=995 protocol=tcp
add action=accept chain=forward comment="Permette Posta PEC - SMTPS" disabled=no \
    dst-port=465 protocol=tcp
add action=accept chain=input comment="Accetta accesso x WINBOX" disabled=no \
    dst-port=8291 protocol=tcp
add action=accept chain=input comment="per far accedere WebFig su porta 801" \
    disabled=no dst-port=801 protocol=tcp
add action=accept chain=input comment=\
    "Accetta richieste dai PC della rete  al Server DNS" disabled=no dst-port=53 \
    protocol=udp
add action=accept chain=input comment="SSH for secure shell" disabled=yes \
    dst-port=22 protocol=tcp
add action=accept chain=forward comment="allow TCP" disabled=no protocol=tcp
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp
add action=accept chain=forward comment="allow  - - ALL - -  ping" disabled=no \
    protocol=icmp
add action=accept chain=input comment=\
    "Allow limited  - -  limit=50/5s,2 - -   pings  " disabled=yes limit=50/5s,2 \
    protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=yes protocol=\
    icmp
add action=drop chain=input comment="------------------  B L O C C A     T U T T \
    O      I L    R E S T O  ---------------" disabled=no
add action=drop chain=forward disabled=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Lan eth2 - Produzione" disabled=no \
    src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="Lan eth3 - Test" disabled=no \
    src-address=192.168.98.0/24
add action=masquerade chain=srcnat comment="Lan Vlan1 - Wireless" disabled=no \
    src-address=192.168.97.0/24
add action=redirect chain=dstnat comment="Webproxy - redirect porta 80 a 8080" \
    disabled=no dst-port=80 protocol=tcp to-ports=8080
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

/ip proxy

set always-from-cache=yes cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=yes enabled=yes max-cache-size=none \
    max-client-connections=600 max-fresh-time=1d max-server-connections=\
    600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 \
    serialize-connections=no src-address=0.0.0.0
/ip proxy access
add action=allow disabled=no dst-host=*facebook* dst-port=""

tjc · January 22, 2012, 3:38pm

Just a quick note for now, If email continues to work and the web has problems after half an hour then your proxy server is the place to look.

wallnas · January 22, 2012, 5:16pm

I have check the proxy, it is correct

tjc · January 22, 2012, 6:50pm

Is something holding open connections and hitting the limit of 600?

wallnas · January 24, 2012, 6:08pm

I have solved the problem:

I have insert this filter

add action=accept chain=input comment=\
    "Accetta richieste dai PC della rete  al Server DNS" disabled=no \
    dst-port=53 protocol=udp
add action=accept chain=input disabled=no dst-port=53 protocol=tcp

Tanks for your help