jacksjk
just joined
Topic Author
Posts: 3
Joined: Mon Apr 15, 2019 6:08 pm

One website blocked

Mon Apr 15, 2019 6:58 pm

Hello everyone, I have a problem accessing one website.
It is https://mysmarthome.eaton.com
It is the only one that I cannot reach.

When I ping the website I get the following IP, 192.104.67.65, but no reply; also when I try this from the router there is no reply.
The local network is 172.16.0.250 Netmask 255.255.255.0/24
DHCP 172.16.0.100 - 240
NAT is enabled

The internet side (isp) is 192.168.2.2 Netmask 255.0.0.0/8 Gateway 192.168.2.254

Most firewall rules are basic rules, plus some NAT rules to allow traffic from outside.
All other https sites are working perfectly and also http sites.

I tried to monitor what is happening with the website traffic but I did not really succeed.
How can I see why this website is unreachable?
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: One website blocked

Tue Apr 16, 2019 4:19 pm

First of all, you are right - they don't respond to a ping. However that proves absolutely nothing since some network admins drop pings as some people consider it a security hole.

If it really is on your end, please post your config, so we can see what you have.

In order to export your config, follow these instructions that forum user anav posted to another thread.
To get a copy of the config you simply go to the left hand menu 'new terminal' icon in winbox and type in
/export hide-sensitive file=yourconfig (any name you wish)
Then go to the left-hand menu 'files' icon and you will see the file there saved.
Right click and download to your desktop.
I use notepad ++ to open up config files.

Then simply copy and paste into the thread here. The only thing you should do is ensure that your ISP WAN address and ISP gateway address are not being shown.
Check ISP client setting and perhaps IP route settings for that.

To make the code appear elegant use the text bar above where bold is and highlight the code and then apply the icon that is a black square with white square brackets inside it.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
jacksjk
just joined
Topic Author
Posts: 3
Joined: Mon Apr 15, 2019 6:08 pm

Re: One website blocked

Tue Apr 16, 2019 5:53 pm

As requested, below is my config.
Thanks for helping.
# apr/16/2019 16:37:52 by RouterOS 6.44.2
# software id = U7MU-3YII
#
# model = RouterBOARD 750G r3
# serial number = 6F380861DF5C
/interface bridge
add name=bridge-internet
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] name=ether2-internet
set [ find default-name=ether3 ] name=ether3-internet speed=100Mbps
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
add enc-algorithm=aes-256,aes-192,aes-128,3des name=profile_1
/ip ipsec peer
# This entry is unreachable
add name=peer2 passive=yes profile=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,3des pfs-group=none
/ip pool
add name=dhcp ranges=172.16.0.100-172.16.0.240
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-internet name=los
/ppp profile
add change-tcp-mss=yes dns-server=172.16.0.250 local-address=172.16.0.250 name=\
    client-VPN remote-address=vpn use-compression=no use-encryption=required \
    use-mpls=yes
/interface bridge port
add bridge=bridge-internet interface=ether2-internet
add bridge=bridge-internet interface=ether3-internet
/ip firewall connection tracking
set tcp-established-timeout=1h30m
/interface l2tp-server server
set authentication=mschap2 default-profile=client-VPN enabled=yes max-mru=1460 \
    max-mtu=1460 use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge-internet list=LAN
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=172.16.0.250/24 interface=ether2-internet network=172.16.0.0
add address=192.168.2.2/8 interface=ether1 network=192.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=172.16.0.2,172.16.0.250,172.16.0.9 \
    gateway=172.16.0.250
/ip dns
set allow-remote-requests=yes servers=172.16.0.2,8.8.8.8
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need \
    this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" list=\
    Bogons
/ip firewall filter
add action=drop chain=forward disabled=yes log=yes src-address=192.111.139.146
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=inv-
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=fw-
add action=drop chain=forward comment=\
    "Drop voip calls niet komend van Redworks" disabled=yes dst-port=5060 log=\
    yes protocol=udp src-address=!185.158.144.0/22 src-mac-address=\
    7C:39:53:C1:66:8A
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    Bogons log=yes log-prefix=bogon-
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" connection-state=new \
    dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface=ether1 log=yes log-prefix=sstp-
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Webserver Ceresys" dst-address=\
    192.168.2.2 dst-port=80 log=yes log-prefix=http- protocol=tcp to-addresses=\
    172.16.0.11 to-ports=80
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="RDP mgmt pc" dst-address=192.168.2.2 \
    dst-port=7000 log=yes log-prefix=rdp:: protocol=tcp src-address=\
    5.132.101.54 to-addresses=172.16.0.2 to-ports=7000
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=7000 log=yes \
    log-prefix=rdp:: protocol=tcp src-address=90.145.228.242 to-addresses=\
    172.16.0.2 to-ports=7000
add action=dst-nat chain=dstnat comment="Redworks Telefonie" dst-address=\
    192.168.2.2 dst-port=5059-5062 log=yes log-prefix=tel1- protocol=udp \
    to-addresses=172.16.0.30-172.16.0.40 to-ports=5059-5062
add action=dst-nat chain=dstnat comment="Redworks Telefonie" dst-address=\
    192.168.2.2 dst-port=10000-39999 log=yes log-prefix=tel2- protocol=udp \
    to-addresses=172.16.0.30-172.16.0.40 to-ports=10000-39999
add action=dst-nat chain=dstnat comment=RedBeeMedia dst-address=192.168.2.2 \
    dst-port=40000-40200 log=yes log-prefix=rbm- protocol=udp to-addresses=\
    172.16.0.106 to-ports=40000-40200
add action=dst-nat chain=dstnat comment="Luci 1" dst-address=192.168.2.2 \
    dst-port=5004 log=yes protocol=udp to-addresses=172.16.0.104 to-ports=5004
add action=dst-nat chain=dstnat comment="Luci 2" dst-address=192.168.2.2 \
    dst-port=5005 log=yes protocol=udp to-addresses=172.16.0.104 to-ports=5005
add action=dst-nat chain=dstnat comment=Alarm dst-address=192.168.2.2 dst-port=\
    10001-10006 protocol=tcp to-addresses=172.16.0.3 to-ports=10001-10006
add action=dst-nat chain=dstnat comment=FTP dst-address=192.168.2.2 dst-port=\
    2054 log=yes log-prefix=ftp- protocol=tcp to-addresses=172.16.0.2 to-ports=\
    2054
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=8080 log=yes \
    log-prefix=8080- protocol=tcp to-addresses=172.16.0.2 to-ports=8080
add action=dst-nat chain=dstnat comment=wordpress dst-address=192.168.2.2 \
    dst-port=404 protocol=tcp to-addresses=172.16.0.2 to-ports=404
/ip ipsec identity
add generate-policy=port-override peer=peer2 remote-id=ignore
/ip route
add distance=1 gateway=192.168.2.254
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=Studionet
/system ntp client
set enabled=yes primary-ntp=194.109.22.18 secondary-ntp=194.109.20.18
/system resource irq rps
set ether1 disabled=no
set ether2-internet disabled=no
set ether3-internet disabled=no
 
Sob
Forum Guru
Posts: 4657
Joined: Mon Apr 20, 2009 9:11 pm

Re: One website blocked

Tue Apr 16, 2019 6:39 pm

The internet side (isp) is 192.168.2.2 Netmask 255.0.0.0/8 Gateway 192.168.2.254
Netmask is wrong. With /8, 192.104.67.65 is part of the local subnet, which it definitely isn't. The correct mask is most likely /24.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
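To make Sob's point concrete, here is an added example (not code from the thread or from MikroTik) that parses the `/ip address` and `/ip route` sections of a RouterOS export, mimics the forwarding decision for the destination 192.104.67.65, and flags any connected subnet that spills beyond RFC 1918 space. The export text embedded below is a constructed sample built from the two lines that matter in the posted config; the function names and the RFC 1918 list are the example's own assumptions. Run as posted, the router treats the destination as on-link on ether1 (so it ARPs locally and gets nothing); after the /24 fix the packet goes to the gateway.

```python
import ipaddress
import re

# Constructed sample: the /ip address and /ip route lines as posted in the
# thread, with the /8 mask that was identified as the fault.
EXPORT_AS_POSTED = """\
/ip address
add address=172.16.0.250/24 interface=ether2-internet network=172.16.0.0
add address=192.168.2.2/8 interface=ether1 network=192.0.0.0
/ip route
add distance=1 gateway=192.168.2.254
"""

# Constructed sample: the same export after the suggested fix (/24 on ether1).
EXPORT_FIXED = EXPORT_AS_POSTED.replace("192.168.2.2/8", "192.168.2.2/24")

# Assumption of this example: a WAN/LAN address on a home or office router is
# expected to sit inside RFC 1918 space; anything wider is worth a warning.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_export(text):
    """Parse the two sections this check needs from a RouterOS export.

    Returns (connected, gateway): connected is a list of (interface, IPv4Interface),
    gateway is the default route's next hop (or None). Only single-line
    key=value entries are handled, which is all these two sections contain.
    """
    connected, gateway, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            fields = dict(re.findall(r"(\S+?)=(\S+)", line))
            if section == "/ip address":
                connected.append((fields["interface"], ipaddress.ip_interface(fields["address"])))
            elif section == "/ip route" and "gateway" in fields and "dst-address" not in fields:
                gateway = fields["gateway"]  # no dst-address means 0.0.0.0/0
    return connected, gateway


def next_hop(destination, connected, gateway):
    """Mimic the forwarding decision: the longest matching connected subnet wins,
    otherwise the default gateway. Returns ('connected', iface) or ('gateway', ip)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for iface, addr in connected:
        if dst in addr.network and (best is None or addr.network.prefixlen > best[1].network.prefixlen):
            best = (iface, addr)
    return ("connected", best[0]) if best else ("gateway", gateway)


def audit_connected(connected):
    """Flag connected subnets that reach beyond RFC 1918 space: every host in
    that range is ARPed for locally and never reaches the gateway."""
    findings = []
    for iface, addr in connected:
        net = addr.network
        if not any(net.subnet_of(private) for private in RFC1918):
            findings.append(f"{iface}: {net} covers public address space ({net.num_addresses} addresses)")
    return findings


def diagnose(text, destination="192.104.67.65"):
    """Combine both checks for one export and one destination."""
    connected, gateway = parse_export(text)
    return {"next_hop": next_hop(destination, connected, gateway), "findings": audit_connected(connected)}


if __name__ == "__main__":
    for label, text in (("as posted", EXPORT_AS_POSTED), ("fixed", EXPORT_FIXED)):
        print(label, diagnose(text))
```

The audit deliberately uses subnet membership rather than a per-address "is private" test, so a mask that is merely too wide is caught even when the configured address itself is private, which is exactly the shape of the mistake in this thread.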
 
jacksjk
just joined
Topic Author
Posts: 3
Joined: Mon Apr 15, 2019 6:08 pm

Re: One website blocked

Wed Apr 17, 2019 3:33 pm

Changed the Netmask to /24 and that fixed the problem.
Thanks for the help.
