Some http pages not loading (ACK, RST) w/ bridged modem

Situation
I’m trying to set up something fairly simple, I think. I am using a Technicolor cable modem to connect to the internet. I had to call my ISP to get it into bridge mode, but that’s working fine now. The DHCP client on ether1 is getting a public IP now and I can access the internet. The thing is that some websites are not reachable through http(s), which indicates, I think, that something is wrong with my NAT/firewall rules.

WAN <==> [Bridged technicolor cable modem] <==DHCP==> Mikrotik RB2011 <========> 192.168.0.1/24 & 10.0.0.1/24 (VLAN100)

Things I tried

  • Setting the MTU to a lower value (1400), didn’t work
  • Adding MSS mangle rules, didn’t work

Debugging
Wireshark does show (RST, ACK) flags being sent, so at least I can see that something is wrong. It can’t be a DNS issue, as I can ping all websites; it is just http communication. These are the relevant parts of the config (I think). I really do hope someone can help me.

DHCP Client

/ip dhcp-client
add dhcp-options=clientid,hostname disabled=no interface=ether1 use-peer-ntp=no

Firewall

/ip firewall filter
add action=accept chain=input comment="accept established connection packets" \
    connection-state=established
add action=accept chain=input comment="accept related connection packets" \
    connection-state=related
add action=accept chain=input comment="Accept established related" \
    connection-state=established,related
add action=accept chain=input comment="Allow LAN access to router and Internet" \
    in-interface=bridge-LAN
add action=accept chain=input comment="Allow ping ICMP from anywhere" protocol=\
    icmp
add action=accept chain=forward comment="Accept established related" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Allow LAN access to router and Internet" connection-state=new \
    in-interface=bridge-LAN
add action=accept chain=forward comment="Accept Port forwards" \
    connection-nat-state=dstnat in-interface=ether1
add action=drop chain=input comment="Drop all other input" log-prefix=input
add action=drop chain=forward comment="Drop all other forward" log-prefix=fwd
/ip firewall mangle
add action=change-mss chain=forward new-mss=1360 protocol=tcp tcp-flags=syn \
    tcp-mss=1361-65535
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment=rpi dst-port=22 protocol=tcp \
    to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat comment="rpi admin" dst-port=2222 protocol=tcp \
    to-addresses=192.168.0.10 to-ports=22222
add action=masquerade chain=srcnat comment="TEMP " disabled=yes src-address=\
    10.0.0.0/24

Edit: Could it have something to do with ARP perhaps?

Ok, solved. I feel quite stupid, but maybe someone has the same problem. Thanks to turalo: http://forum.mikrotik.com/t/cannot-browse-all-websites/59967/1

Now I’m able to do much more. Indeed the problem was in the firewall/NAT settings: I had some ports forwarded but did not set the interface for which to ignore the forwardings,
so all traffic with the same ports as in the forwards was sent to the internal servers :slight_smile: and because Gmail uses https, as soon as I clicked Gmail it went to my internal mail server, which also used https.


:wink:
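The cause described above is that a `dstnat` rule matching only `protocol` and `dst-port` applies to every packet entering the router, including LAN clients connecting outward to any Internet host on that port. The following is an added example (not the original poster's config, and not from the linked thread) showing the two forwards from the post rewritten so they only match traffic arriving on the WAN interface; the same form applies to any other forwarded port, such as the HTTPS one the poster mentions. It assumes the names and addresses used in the post (`ether1` as WAN, `192.168.0.10` as the Raspberry Pi).

```routeros
/ip firewall nat
# Restrict each forward to packets that actually arrive on the WAN side.
# Without in-interface (or a dst-address match) a dstnat rule also catches
# LAN clients connecting to any Internet host on that port and rewrites the
# destination to the internal server, which is what broke HTTPS here.
add action=dst-nat chain=dstnat comment="rpi ssh (WAN only)" \
    in-interface=ether1 protocol=tcp dst-port=22 \
    to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat comment="rpi admin (WAN only)" \
    in-interface=ether1 protocol=tcp dst-port=2222 \
    to-addresses=192.168.0.10 to-ports=22222

# Equivalent alternative when the WAN address is dynamic (DHCP client): match
# only packets addressed to one of the router's own IPs instead of naming the
# interface. Use one style or the other, not both rules for the same port.
add action=dst-nat chain=dstnat comment="rpi ssh (router IPs only)" \
    dst-address-type=local protocol=tcp dst-port=22 \
    to-addresses=192.168.0.10 to-ports=22
```

After applying the change, `/ip firewall nat print stats` shows whether the forward's packet counters still climb when a LAN client browses to an external site on the same port; with the `in-interface` or `dst-address-type=local` match in place they should only move for connections coming from the WAN. The existing `forward` rule `connection-nat-state=dstnat in-interface=ether1` already restricts accepted port forwards to WAN-originated traffic, so the NAT rule and the filter rule now agree on which packets a forward is for.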