Troubles with Google Play - apps not downloading

I’m trying to configure a specific setup: two WAN interfaces (one dynamic [eth1], one static [eth10]); all the rest are bridged into the LAN.
All outgoing traffic is routed to eth1, eth10 accepts only incoming OpenVPN, and I also allow multicast IPTV on the dynamic one.

Everything works as expected, I have web access on the LAN; the only problem is with Google Play. It works as expected, lists available apps and data about them, but when I try to download an app, the download simply times out. The MK config somehow blocks Google Play and I can’t figure out which packets are being dropped, to allow them.
Any help appreciated,
B.

The firewall is configured like this:
add action=drop chain=input comment="default configuration/drop invalid/ state = invalid"
!connection-bytes !connection-limit !connection-mark
!connection-nat-state !connection-rate connection-state=invalid
!connection-type !content disabled=no !dscp !dst-address
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment
!hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface
!in-interface-list !ingress-priority !ipsec-policy !ipv4-options
!layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port
!out-bridge-port-list !out-interface !out-interface-list !packet-mark
!packet-size !per-connection-classifier !port !priority !protocol !psd
!random !routing-mark !routing-table !src-address !src-address-list
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time
!ttl
add action=accept chain=input comment="default configuration/allow established, related" !connection-bytes
!connection-limit !connection-mark !connection-nat-state !connection-rate
connection-state=established,related !connection-type !content disabled=
no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit
!dst-port !fragment !hotspot !icmp-options !in-bridge-port
!in-bridge-port-list !in-interface !in-interface-list !ingress-priority
!ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix=""
!nth !out-bridge-port !out-bridge-port-list !out-interface
!out-interface-list !packet-mark !packet-size !per-connection-classifier
!port !priority !protocol !psd !random !routing-mark !routing-table
!src-address !src-address-list !src-address-type !src-mac-address
!src-port !tcp-flags !tcp-mss !time !ttl
add action=accept chain=input comment="allow input from local bridge" !connection-bytes
!connection-limit !connection-mark !connection-nat-state !connection-rate
!connection-state !connection-type !content disabled=no !dscp
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port
!fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list
in-interface=LAN-bridge !in-interface-list !ingress-priority
!ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix=""
!nth !out-bridge-port !out-bridge-port-list !out-interface
!out-interface-list !packet-mark !packet-size !per-connection-classifier
!port !priority !protocol !psd !random !routing-mark !routing-table
!src-address !src-address-list !src-address-type !src-mac-address
!src-port !tcp-flags !tcp-mss !time !ttl
add action=accept chain=input comment="T2-iptv: Allow Broadcast Traffic for iptv"
!connection-bytes !connection-limit !connection-mark
!connection-nat-state !connection-rate !connection-state !connection-type
!content disabled=no !dscp !dst-address !dst-address-list
dst-address-type=broadcast !dst-limit !dst-port !fragment !hotspot
!icmp-options !in-bridge-port !in-bridge-port-list in-interface=
ether1-WAN-dyn !in-interface-list !ingress-priority !ipsec-policy
!ipv4-options !layer7-protocol !limit log=yes log-prefix="T2-iptv-allow broadcast traffic" !nth !out-bridge-port
!out-bridge-port-list !out-interface !out-interface-list !packet-mark
!packet-size !per-connection-classifier !port !priority !protocol !psd
!random !routing-mark !routing-table !src-address !src-address-list
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time
!ttl
add action=accept chain=input comment="T2-iptv: Allow IGMP" !connection-bytes
!connection-limit !connection-mark !connection-nat-state !connection-rate
!connection-state !connection-type !content disabled=no !dscp
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port
!fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list
in-interface=ether1-WAN-dyn !in-interface-list !ingress-priority
!ipsec-policy !ipv4-options !layer7-protocol !limit log=yes log-prefix="T2-iptv- allow IGMP" !nth !out-bridge-port !out-bridge-port-list
!out-interface !out-interface-list !packet-mark !packet-size
!per-connection-classifier !port !priority protocol=igmp !psd !random
!routing-mark !routing-table !src-address !src-address-list
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time
!ttl
add action=accept chain=input comment="T2-Iptv: Allow T-2 IPtv"
!connection-bytes !connection-limit !connection-mark
!connection-nat-state !connection-rate !connection-state !connection-type
!content disabled=no !dscp !dst-address !dst-address-list
!dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options
!in-bridge-port !in-bridge-port-list in-interface=ether1-WAN-dyn
!in-interface-list !ingress-priority !ipsec-policy !ipv4-options
!layer7-protocol !limit log=yes log-prefix=iptv-t2 !nth !out-bridge-port
!out-bridge-port-list !out-interface !out-interface-list !packet-mark
!packet-size !per-connection-classifier !port !priority protocol=udp !psd
!random !routing-mark !routing-table src-address=172.16.0.0/12
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags
!tcp-mss !time !ttl
add action=accept chain=input comment="OpenVPN"
!connection-bytes !connection-limit !connection-mark
!connection-nat-state !connection-rate !connection-state !connection-type
!content disabled=no !dscp !dst-address !dst-address-list
!dst-address-type !dst-limit dst-port=1194 !fragment !hotspot
!icmp-options !in-bridge-port !in-bridge-port-list in-interface=
ether10-WAN-stat !in-interface-list !ingress-priority !ipsec-policy
!ipv4-options !layer7-protocol !limit log=yes log-prefix="vpn povezave"
!nth !out-bridge-port !out-bridge-port-list !out-interface
!out-interface-list !packet-mark !packet-size !per-connection-classifier
!port !priority protocol=tcp !psd !random !routing-mark !routing-table
!src-address !src-address-list !src-address-type !src-mac-address
!src-port !tcp-flags !tcp-mss !time !ttl
add action=drop chain=input comment="drop all other input"
!connection-bytes !connection-limit !connection-mark
!connection-nat-state !connection-rate !connection-state !connection-type
!content disabled=no !dscp !dst-address !dst-address-list
!dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options
!in-bridge-port !in-bridge-port-list !in-interface !in-interface-list
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit
log=yes log-prefix="doped input" !nth !out-bridge-port
!out-bridge-port-list !out-interface !out-interface-list !packet-mark
!packet-size !per-connection-classifier !port !priority !protocol !psd
!random !routing-mark !routing-table !src-address !src-address-list
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time
!ttl
add action=fasttrack-connection chain=forward comment="established in fastrack"
!connection-bytes !connection-limit !connection-mark
!connection-nat-state !connection-rate connection-state=
established,related !connection-type !content disabled=no !dscp
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port
!fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list
!in-interface !in-interface-list !ingress-priority !ipsec-policy
!ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth
!out-bridge-port !out-bridge-port-list !out-interface !out-interface-list
!packet-mark !packet-size !per-connection-classifier !port !priority
!protocol !psd !random !routing-mark !routing-table !src-address
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags
!tcp-mss !time !ttl
add action=accept chain=forward comment="accept Established, Related"
connection-state=established,related
add action=drop chain=forward comment="drop invalid"
!connection-bytes !connection-limit !connection-mark
!connection-nat-state !connection-rate connection-state=invalid
!connection-type !content disabled=no !dscp !dst-address
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment
!hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface
!in-interface-list !ingress-priority !ipsec-policy !ipv4-options
!layer7-protocol !limit log=yes log-prefix=invalid !nth !out-bridge-port
!out-bridge-port-list !out-interface !out-interface-list !packet-mark
!packet-size !per-connection-classifier !port !priority !protocol !psd
!random !routing-mark !routing-table !src-address !src-address-list
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time
!ttl
add action=drop chain=forward comment="drop not nated or marked as iptv"
!connection-bytes !connection-limit !connection-mark
connection-nat-state=!dstnat !connection-rate connection-state=new
!connection-type !content disabled=no !dscp !dst-address
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment
!hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=
ether1-WAN-dyn !in-interface-list !ingress-priority !ipsec-policy
!ipv4-options !layer7-protocol !limit log=yes log-prefix=!NAT !nth
!out-bridge-port !out-bridge-port-list !out-interface !out-interface-list
packet-mark=!iptv !packet-size !per-connection-classifier !port !priority
!protocol !psd !random !routing-mark !routing-table !src-address
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags
!tcp-mss !time !ttl
add action=drop chain=forward comment="drop all not nated on static WAN"
!connection-bytes !connection-limit !connection-mark
connection-nat-state=!dstnat !connection-rate connection-state=new
!connection-type !content disabled=no !dscp !dst-address
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment
!hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=
ether10-WAN-stat in-interface-list=all !ingress-priority !ipsec-policy
!ipv4-options !layer7-protocol !limit log=yes log-prefix=!NAT !nth
!out-bridge-port !out-bridge-port-list !out-interface !out-interface-list
!packet-mark !packet-size !per-connection-classifier !port !priority
!protocol !psd !random !routing-mark !routing-table !src-address
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags
!tcp-mss !time !ttl
add action=drop chain=forward comment="drop form local ip on WAN"
!connection-bytes !connection-limit !connection-mark
!connection-nat-state !connection-rate !connection-state !connection-type
!content disabled=no !dscp !dst-address !dst-address-list
!dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options
!in-bridge-port !in-bridge-port-list in-interface=ether1-WAN-dyn
!in-interface-list !ingress-priority !ipsec-policy !ipv4-options
!layer7-protocol !limit log=yes log-prefix=!public !nth !out-bridge-port
!out-bridge-port-list !out-interface !out-interface-list packet-mark=
!iptv !packet-size !per-connection-classifier !port !priority !protocol
!psd !random !routing-mark !routing-table !src-address src-address-list=
not_in_internet !src-address-type !src-mac-address !src-port !tcp-flags
!tcp-mss !time !ttl
add action=drop chain=forward comment="drop from WAN wihout public IP"
!connection-bytes !connection-limit !connection-mark
!connection-nat-state !connection-rate !connection-state !connection-type
!content disabled=no !dscp !dst-address !dst-address-list
!dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options
!in-bridge-port !in-bridge-port-list in-interface=ether10-WAN-stat
!in-interface-list !ingress-priority !ipsec-policy !ipv4-options
!layer7-protocol !limit log=yes log-prefix=!public !nth !out-bridge-port
!out-bridge-port-list !out-interface !out-interface-list !packet-mark
!packet-size !per-connection-classifier !port !priority !protocol !psd
!random !routing-mark !routing-table !src-address src-address-list=
not_in_internet !src-address-type !src-mac-address !src-port !tcp-flags
!tcp-mss !time !ttl
add action=drop chain=forward comment="drop all from lAN without private address"
in-interface=LAN-bridge log=yes log-prefix="LAN ki ni LAN" src-address=
!10.10.10.0/24
/ip firewall mangle
add action=mark-packet chain=prerouting !connection-bytes !connection-limit
!connection-mark !connection-nat-state !connection-rate !connection-state
!connection-type !content disabled=no !dscp !dst-address
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment
!hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=
ether1-WAN-dyn !in-interface-list !ingress-priority !ipsec-policy
!ipv4-options !layer7-protocol !limit log=yes log-prefix=markiram
new-packet-mark=iptv !nth !out-bridge-port !out-bridge-port-list
!out-interface !out-interface-list !packet-mark !packet-size passthrough=
yes !per-connection-classifier !port !priority protocol=udp !psd !random
!routing-mark !routing-table src-address=172.16.0.0/12 !src-address-list
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time
!ttl
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
!connection-bytes !connection-limit !connection-mark !connection-rate
!connection-type !content disabled=no !dscp !dst-address
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment
!hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface
!in-interface-list !ingress-priority !ipsec-policy !ipv4-options
!layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port
!out-bridge-port-list out-interface=ether1-WAN-dyn !out-interface-list
!packet-mark !packet-size !per-connection-classifier !port !priority
!protocol !psd !random !routing-mark !routing-table !src-address
!src-address-list !src-address-type !src-mac-address !src-port !tcp-mss
!time !to-addresses !to-ports !ttl

Hello omarino,

I would recommend opening firewall filter rules in winbox and watching for which rule is increasing its bytes when you are trying to download from google play.

If you can’t isolate which rule is the problem, can you try reposting your rules here with “export compact” so we can read them? (Your rules are really hard to read with all those !'s all over the place.)

Thanks for your suggestions. I’ve checked the counters and nothing on the various drop rules changed while the download kept timing out.
My rules, condensed, look like this:
/ip firewall filter
add action=drop chain=input comment="default configuration dropping invalid" connection-state=invalid log=yes log-prefix="ukinjam invalid -1rule"
add action=accept chain=input comment="default configuration/ accept established, related / state = established, related" connection-state=established,related
add action=accept chain=input comment="allow input form local network" in-interface=LAN-bridge
add action=accept chain=input comment="T2-iptv: Allow Broadcast Traffic" dst-address-type=broadcast in-interface=ether1-WAN-dyn log=yes log-prefix="T2-iptv-allow broadcast traffiv"
add action=accept chain=input comment="T2-iptv: Allow IGMP" in-interface=ether1-WAN-dyn log=yes log-prefix="T2-iptv- allow IGMP" protocol=igmp
add action=accept chain=input comment="T2-Iptv: Allow T-2 IPtv" in-interface=ether1-WAN-dyn log=yes log-prefix=iptv-t2 protocol=udp src-address=172.16.0.0/12
add action=accept chain=input comment="OpenVPN" dst-port=1194 in-interface=ether10-WAN-stat log=yes log-prefix="vpn povezave" protocol=tcp
add action=drop chain=input comment="drop all the rest" log=yes log-prefix="xxx"
add action=fasttrack-connection chain=forward comment="forward - fastrack established connection" connection-state=established,related
add action=accept chain=forward comment="forward Established, Related" connection-state=established,related
add action=drop chain=forward comment="forward -drop invalid" connection-state=invalid log=yes log-prefix=""
add action=drop chain=forward comment="drop everything not nated and not marked as iptv" connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN-dyn log=yes log-prefix="!NAT mecem, kar ni oznaceno kot iptv" packet-mark=!iptv
add action=drop chain=forward comment="forward pomecemo vse iz staticnega neta, nar ni \"natted\"" connection-nat-state=!dstnat connection-state=new in-interface=ether10-WAN-stat in-interface-list=all log=yes log-prefix="mecem, kar ni nated"
add action=drop chain=forward comment="forward - pomecemo pakete iz dinamicnega neta, ki nimajo javnega ip-ja ali z manglom markirano kot \"iptv\"" in-interface=ether1-WAN-dyn log=yes log-prefix="mecem, kar ni lokalnp" packet-mark=!iptv src-address-list=not_in_internet
add action=drop chain=forward comment="forward - pomecemo pakete iz staticnega neta, ki nimajo javnega ip-ja" in-interface=ether10-WAN-stat log=yes log-prefix="!public mecem, kar ni javno" src-address-list=not_in_internet
add action=drop chain=forward comment="forward - pomecemo pakete iz LANa, ki nimajo lokalnega naslova" in-interface=LAN-bridge log=yes log-prefix="LAN ki ni LAN" src-address=!10.10.10.0/24
/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=ether1-WAN-dyn log-prefix=markiram new-packet-mark=iptv passthrough=yes protocol=udp src-address=172.16.0.0/12
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1-WAN-dyn
Even with the drop rules disabled the downloads keep timing out, but Play normally retrieves images, app details and everything else. I’m really baffled …

Can you try adding these two rules to the end of your forward chain and see if it’s fixed?

add action=accept chain=forward comment="Accept new packets from LAN" connection-state=new in-interface=LAN-bridge
add action=drop chain=forward comment="Drop the rest"

Thank you for the suggestion, I tried it, sadly it does not change the situation … The weird thing is, all the rest of GP’s communications work, I get notifications about app updates and stuff, just the download is somehow blocked? Any other ideas?

When I have a weird problem I will add some logging rules around to try to narrow down the problem.
Maybe start with something like this to try to see if traffic is happening when you try to download apps.

/ip firewall raw
add action=log chain=prerouting dst-address=192.168.0.2

Change dst-address=192.168.0.2 to the local IP that's having the problem.

It looks like my phone connects to port 443 when downloading apps, try adding this rule to see if you get any hits…

add action=log chain=forward port=443 protocol=tcp src-address=192.168.0.2

Hopefully this will help you narrow down what is happening.

Thanks again, it’s weird … I get no data on either of the added rules,
I get logged data if I monitor the src address of my client, e.g.

/ip firewall raw
add action=log chain=prerouting src-address=10.10.10.100

but not with the client as the dst address.
The second rule

add action=log chain=forward port=443 protocol=tcp src-address=10.10.10.100

gives nothing …
I’m really lost

I’m only guessing, but maybe since you have 2 WANs your client is trying to route its traffic through the wrong interface? Can you run a traceroute on your client and/or maybe try messing with the RouterOS packet sniffer or torch? If someone else has any suggestions feel free to post them.

I believe you’ve pointed me in the right direction … if I disable the WAN2 interface, downloads start, but I’m afraid I can’t figure out the exact problem by myself.
Why would the app download all the images and data, but not the app file itself …

My 2 WANs are set as follows:
WAN 1 (dynamic, which is the default internet gateway) is set via DHCP; it auto-adds the default route.
WAN 2 (static) has no special route added; it is used for incoming OpenVPN connections.

/ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          93.103.0.1                1
 1 ADC  10.10.10.0/24      10.10.10.1      LAN-bridge                0
 2 ADC  89.212.0.0/16      89.212.110.44    ether10-WAN-stat          0
 3 ADC  93.103.0.0/16      93.103.244.151  ether1-WAN-dyn            0



/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1-WAN-dyn log=no 
      log-prefix=""

I really can’t figure out why everything else works. I’m currently working around the problem simply by periodically disabling the ether10-WAN-stat interface for the Android clients to install/update their software, but I sure would like to know what causes the problem …

I’ve finally figured it out. My provider uses Google cache servers in the same range as my static address. Configuring the static address adds a default route for the address's /16 range, so the requests were routed via the static WAN, while all other traffic went via the dynamic one. Changing the static address range to /24 forced the Google cache requests via the dynamic WAN and now everything works as it should.
Thanks again, easynice, for pointing me in the right direction,
O.
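To make the root cause from the last post concrete, here is an added example (not part of the original thread) that replays longest-prefix route selection over the route table printed above, before and after the static address was narrowed to a /24, and checks whether the chosen egress interface is one the thread's masquerade rule covers. The cache server address 89.212.57.10 is constructed for illustration; the thread does not give the real one.

```python
import ipaddress

# Route table as printed in the thread (/ip route print), before the fix.
# The static WAN address was configured with a /16 mask, which installs a
# connected route for the whole 89.212.0.0/16 block via ether10-WAN-stat.
ROUTES_BEFORE = [
    ("0.0.0.0/0",     "93.103.0.1", "ether1-WAN-dyn"),    # default via dynamic WAN
    ("10.10.10.0/24", None,         "LAN-bridge"),
    ("89.212.0.0/16", None,         "ether10-WAN-stat"),  # connected route from the /16 address
    ("93.103.0.0/16", None,         "ether1-WAN-dyn"),
]

# Same table after the fix: the static address narrowed to a /24
# (89.212.110.44/24 -> connected route 89.212.110.0/24).
ROUTES_AFTER = [
    ("0.0.0.0/0",       "93.103.0.1", "ether1-WAN-dyn"),
    ("10.10.10.0/24",   None,         "LAN-bridge"),
    ("89.212.110.0/24", None,         "ether10-WAN-stat"),
    ("93.103.0.0/16",   None,         "ether1-WAN-dyn"),
]

# Interfaces with a srcnat masquerade rule (/ip firewall nat in the thread).
MASQUERADE_IFACES = {"ether1-WAN-dyn"}


def select_route(routes, dst):
    """Longest-prefix match, as the forwarding path does. All routes in the
    thread's table are active with equal distance, so prefix length alone
    decides which one wins; the default route matches everything."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def egress_check(routes, dst):
    """Return (outgoing interface, whether the LAN source is masqueraded).
    A flow leaving through an interface with no srcnat keeps its private
    10.10.10.x source address, so replies never return and the transfer
    times out, while flows to every other destination still work."""
    _net, _gateway, iface = select_route(routes, dst)
    return iface, iface in MASQUERADE_IFACES


if __name__ == "__main__":
    cache = "89.212.57.10"  # constructed: a cache server inside the provider's /16
    for label, table in (("before (/16)", ROUTES_BEFORE), ("after (/24)", ROUTES_AFTER)):
        iface, natted = egress_check(table, cache)
        print(f"{label:13} -> {iface:16} masqueraded={natted}")
```

The same check against any ordinary internet address (say 8.8.8.8) picks the default route in both tables, which is why everything except the downloads kept working.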