restuhanggara
just joined
Topic Author
Posts: 12
Joined: Wed Jul 26, 2017 9:54 am

[ASK]Can't access some website "this site can't be reached"

Fri Oct 12, 2018 11:38 am

Hello, I am a newbie.
First, sorry for my English.

I have a problem with my MikroTik routers. Some websites can't be accessed, but I can ping them. The error is "this site can't be reached".
What's the problem? Is it my firewall?

My config:
[Codebox file=Untitled.txt]
/ip firewall filter
add action=accept chain=forward comment="allow all internet access to clients" dst-address=ip_gateway in-interface=pppoe-out out-interface=bridge1
add action=accept chain=input comment="Allow remote Winbox from public" dst-port=8291 in-interface=pppoe-out protocol=tcp
add action=accept chain=input comment="Allow NTP traffic" in-interface=pppoe-out protocol=udp src-port=123
add action=accept chain=input comment="Allow DNS Traffic" in-interface=pppoe-out protocol=udp src-port=53
add action=accept chain=input comment="Allow ping traceroute traffic" in-interface=pppoe-out protocol=icmp
add action=add-src-to-address-list address-list=spam address-list-timeout=30m chain=input comment="Log rejected IPs" connection-state=new in-interface=pppoe-out
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=forward dst-port=1883 protocol=tcp
add action=accept chain=input dst-port=3000 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward comment=HTB-18SEP17 in-interface=bridge1 new-connection-mark=conn-new passthrough=yes
add action=mark-packet chain=forward connection-mark=conn-new new-packet-mark=packet-new passthrough=no
add action=mark-connection chain=prerouting comment=PING-TIME new-connection-mark=pingtime-conn passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=pingtime-conn new-packet-mark=Ping-Paket passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out
add action=masquerade chain=srcnat comment="NAT L2TP" out-interface=pppoe-out src-address=192.168.11.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.90.0/24
add action=dst-nat chain=dstnat dst-address=182.253.31.154 in-interface=pppoe-out protocol=tcp to-addresses=192.168.11.71 to-ports=80
add action=dst-nat chain=dstnat dst-port=3000 protocol=tcp to-addresses=192.168.11.60 to-ports=3000
[/Codebox]

Please help me and give me the best answer.
Thanks.
 
vasilaos
Frequent Visitor
Posts: 91
Joined: Tue Aug 04, 2009 9:50 am

Re: [ASK]Can't access some website "this site can't be reached"

Fri Oct 12, 2018 12:02 pm

To me it looks like you are running into MTU issues. Depending on the encapsulation of your internet connection, you may add a rule to clamp to PMTU via mangle.
 
restuhanggara
just joined
Topic Author
Posts: 12
Joined: Wed Jul 26, 2017 9:54 am

Re: [ASK]Can't access some website "this site can't be reached"

Mon Oct 15, 2018 11:30 am

Can you give me an example of the rule?
Sorry, hehe.
 
nichky
Long time Member
Posts: 546
Joined: Tue Jun 23, 2015 2:35 pm

Re: [ASK]Can't access some website "this site can't be reached"

Mon Oct 15, 2018 1:27 pm

How does your DNS look?
Nikola Suminoski
MikroTik Consultant
MTCRE l MTCWE

!) Safe Mode is your friend;
 
restuhanggara
just joined
Topic Author
Posts: 12
Joined: Wed Jul 26, 2017 9:54 am

Re: [ASK]Can't access some website "this site can't be reached"

Mon Oct 15, 2018 1:41 pm

nichky wrote:
> How does your DNS look?

My DNS conf is like this: "/ip dns set allow-remote-requests=yes cache-max-ttl=1d cache-size=5000KiB max-udp-packet-size=512"
I set DNS from the ISP, like dynamic DNS.
 
vasilaos
Frequent Visitor
Posts: 91
Joined: Tue Aug 04, 2009 9:50 am

Re: [ASK]Can't access some website "this site can't be reached"

Mon Oct 15, 2018 6:55 pm

Make max UDP packet size 4096.
 
nichky
Long time Member
Posts: 546
Joined: Tue Jun 23, 2015 2:35 pm

Re: [ASK]Can't access some website "this site can't be reached"

Mon Oct 15, 2018 9:35 pm

Set up DNS; as I can see, your DNS looks like it is blank.
 
thasser
Frequent Visitor
Posts: 60
Joined: Mon Sep 23, 2013 8:28 pm

Re: [ASK]Can't access some website "this site can't be reached"

Mon Oct 15, 2018 9:54 pm

Please send a screenshot, picture, or more detailed information about the error you are receiving:

For Example:

System Hardware
System OS
Browser Type
MT Router Type

Thanks and good luck, we are here to try and help!
 
victorsoares
Member Candidate
Posts: 107
Joined: Thu Feb 15, 2018 6:29 pm
Location: Ubatuba, São Paulo - Brazil

Re: [ASK]Can't access some website "this site can't be reached"

Mon Oct 15, 2018 10:20 pm

It looks like you get your internet through PPPoE. In that case MTU varies between 1480 and 1492 normally. Also, try clamping your MSS with your PMTU with a simple rule like this:
[Codebox]
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface="WAN" passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=1361-65535
add action=change-mss chain=forward in-interface="WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=1361-65535
[/Codebox]
Also - and this is just a recommendation - give your firewall some love. I saw a bunch of accept rules but no drop rules for the rest of the chain. This is basically the same thing as having no firewall at all.
MTCNA MTCRE
 
restuhanggara
just joined
Topic Author
Posts: 12
Joined: Wed Jul 26, 2017 9:54 am

Re: [ASK]Can't access some website "this site can't be reached"

Tue Oct 16, 2018 6:22 am

vasilaos wrote:
> Make max UDP packet size 4096.

I have changed it, but there is no effect. Do you have any solution?
 
restuhanggara
just joined
Topic Author
Posts: 12
Joined: Wed Jul 26, 2017 9:54 am

Re: [ASK]Can't access some website "this site can't be reached"

Tue Oct 16, 2018 6:24 am

nichky wrote:
> Set up DNS; as I can see, your DNS looks like it is blank.

I have changed it and filled the blank with Google DNS 8.8.8.8, 8.8.4.4, but there is no effect. Do you have any solution?
 
restuhanggara
just joined
Topic Author
Posts: 12
Joined: Wed Jul 26, 2017 9:54 am

Re: [ASK]Can't access some website "this site can't be reached"

Tue Oct 16, 2018 7:07 am

victorsoares wrote:
> It looks like you get your internet through PPPoE. In that case MTU varies between 1480 and 1492 normally. Also, try clamping your MSS with your PMTU with a simple rule like this:
> /ip firewall mangle
> add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface="WAN" passthrough=yes protocol=tcp \
>     tcp-flags=syn tcp-mss=1361-65535
> add action=change-mss chain=forward in-interface="WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp \
>     tcp-flags=syn tcp-mss=1361-65535
> Also - and this is just a recommendation - give your firewall some love. I saw a bunch of accept rules but no drop rules for the rest of the chain. This is basically the same thing as having no firewall at all.

I tried to add these rules, but there was no effect either. As for my drop rules, I disabled them because they can drop UDP packets or port 39752 for requests to the IP Cloud server, and then I can't use IP Cloud because it was dropped.
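
The firewall point from the exchange above (accept rules with no closing drop, and drop rules disabled because IP Cloud traffic was lost), as an added example that is not from any poster in this thread: an input and forward chain that accepts established/related traffic first, so replies to requests the router itself sends are never hit by the final drop. Interface names, ports and protocols are taken from the config in the first post; the address list name `mgmt` and the address 192.0.2.10 are placeholders.

```routeros
# Added example; not the poster's configuration or MikroTik's default.
# From the thread: pppoe-out (WAN), the VPN protocols/ports, Winbox port 8291,
# the dst-nat forwards. Assumed: list name "mgmt" and 192.0.2.10 (placeholders).

/ip firewall address-list
add list=mgmt address=192.0.2.10 comment="placeholder admin address"

/ip firewall filter
# --- input: packets addressed to the router itself ---
# Replies to connections the router opened (DNS, NTP, IP Cloud) match
# "established", so no src-port=53 / src-port=123 accept rules are needed.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
# Winbox from the internet only for listed sources, instead of from anyone.
add chain=input action=accept in-interface=pppoe-out protocol=tcp dst-port=8291 src-address-list=mgmt
# VPN server endpoints, as in the original rules.
add chain=input action=accept protocol=udp dst-port=500,1701,4500
add chain=input action=accept protocol=ipsec-esp
add chain=input action=accept protocol=ipsec-ah
add chain=input action=accept protocol=tcp dst-port=1723
add chain=input action=accept protocol=gre
# Everything else arriving from the internet is dropped. With
# allow-remote-requests=yes this is also what keeps the DNS cache from
# answering queries that arrive on the WAN side.
add chain=input action=drop in-interface=pppoe-out

# --- forward: packets routed through the router ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# New connections from the internet pass only if a dst-nat rule matched them
# (the port 80 and port 3000 forwards); LAN and VPN clients are unaffected.
add chain=forward action=drop in-interface=pppoe-out connection-state=new connection-nat-state=!dstnat
```

Rule order matters: the accept rules have to sit above the drop rules in each chain. Applying a change like this in Safe Mode avoids a lockout if the Winbox rule does not match the address you are connecting from.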
 
restuhanggara
just joined
Topic Author
Posts: 12
Joined: Wed Jul 26, 2017 9:54 am

Re: [ASK]Can't access some website "this site can't be reached"

Tue Oct 16, 2018 7:19 am

thasser wrote:
> Please send a screenshot, picture, or more detailed information about the error you are receiving:
>
> For Example:
>
> System Hardware
> System OS
> Browser Type
> MT Router Type
>
> Thanks and good luck, we are here to try and help!

OS: Windows 10
Browser: Chrome
MT router: RB2011 LS
I can't access one or any website. The response takes too long. The site keeps loading and then this error code appears: "this site can't be reached".
 
restuhanggara
just joined
Topic Author
Posts: 12
Joined: Wed Jul 26, 2017 9:54 am

Re: [ASK]Can't access some website "this site can't be reached"

Wed Oct 17, 2018 5:47 am

Sorry guys, I want to tell you about this problem. I created a VPN server on the RouterBOARD, and if I turn on the VPN connection, all websites open and load normally. But if I turn off the VPN, they don't open and load again.
Maybe this problem is solved, but I am not satisfied. I want to access the sites normally without the VPN connection.
Thanks, and I hope to get a solution again.
 
restuhanggara
just joined
Topic Author
Posts: 12
Joined: Wed Jul 26, 2017 9:54 am

Re: [ASK]Can't access some website "this site can't be reached"

Tue Nov 06, 2018 4:00 am

Can anyone help me? Please, I need help.
