Gabbel
just joined
Topic Author
Posts: 6
Joined: Thu Nov 28, 2013 11:27 am

Cannot open websites

Thu Nov 28, 2013 11:37 am

Since yesterday I cannot open websites any more on my laptop, PC, smartphone, etc. After a lot of searching I put my MikroTik RB2011UiAS-2HnD back to factory settings. After the reset, I configured everything and I was able to open websites again. Today I cannot open websites again. If I ping www.google.nl from the command prompt, I get an IP address back.

Can anyone help me so I can open websites again?

This is my firewall export:

/ip firewall filter
add chain=input in-interface=pppoe protocol=icmp
add chain=input connection-state=related
add chain=input connection-state=established
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=drop chain=input comment="DROP EXTERNAL DNS" dst-port=53 \
in-interface=ether1-gateway protocol=udp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2d chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2d chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2d chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2d chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2d chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2d chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2d chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
src-address-list="port scanners"
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add chain=input comment="ICMP PINGS ALLOWED" protocol=icmp
add chain=input comment="Accept established connections" connection-state=\
established
add chain=input comment="Accept related connections" connection-state=related
add chain=input comment=UDP protocol=udp
add chain=input comment="SSH for secure shell" dst-port=55122 protocol=tcp
add chain=input comment=winbox dst-port=8291 protocol=tcp
add chain=input comment=web dst-port=80 protocol=tcp
add action=drop chain=input comment="Drop everything else"
add chain=forward comment="allow established connections" connection-state=\
established
add chain=forward comment="allow related connections" connection-state=\
related
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 \
protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 \
protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=\
tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 \
protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 \
protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=\
tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=\
tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=\
tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=\
65506 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=\
virus
add chain=forward comment="Allow HTTP" dst-port=80,443,10000 protocol=tcp
add chain=forward comment="allow TCP" protocol=tcp
add chain=forward comment="allow ping" protocol=icmp
add chain=forward comment="allow udp" protocol=udp
add action=drop chain=forward comment="drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe src-address=\
192.168.0.0/16 to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp to-addresses=\
192.168.xx.xx to-ports=3389
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\
192.168.xx.xx to-ports=80
add action=dst-nat chain=dstnat dst-port=21 protocol=tcp to-addresses=\
192.168.xx.xx to-ports=21
 
bingo220
Member Candidate
Posts: 124
Joined: Sun Sep 22, 2013 9:30 pm
Location: Ukraine

Re: Cannot open websites

Thu Nov 28, 2013 12:05 pm

Try making the rule simpler:
add action=masquerade chain=srcnat out-interface=pppoe src-address=192.168.0.0/16 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=pppoe
 
Gabbel
just joined
Topic Author
Posts: 6
Joined: Thu Nov 28, 2013 11:27 am

Re: Cannot open websites

Thu Nov 28, 2013 12:09 pm

I changed it, but too bad, it's not working.
 
bingo220
Member Candidate
Posts: 124
Joined: Sun Sep 22, 2013 9:30 pm
Location: Ukraine

Re: Cannot open websites

Thu Nov 28, 2013 1:26 pm

I would suggest starting with a simple configuration and complicating it gradually, step by step.
/ip firewall address-list
add list=lan-ip address=192.168.XXX.XXX-192.168.XXX.XXX comment="All IP of my LAN"

/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop input invalid connection packets"
add chain=forward connection-state=invalid action=drop comment="Drop forward invalid connection packets"
add chain=input connection-state=established action=accept comment="Allow input established connections"
add chain=forward connection-state=established action=accept comment="Allow forward established connections"
add chain=input connection-state=related action=accept comment="Allow input related connections"
add chain=forward connection-state=related action=accept comment="Allow forward related connections"
add chain=input src-address-list=lan-ip action=accept comment="Allow all input for local net"
add chain=forward src-address-list=lan-ip action=accept comment="Allow all forward for local net"
add chain=input action=accept protocol=icmp comment="Allow input Ping"
add chain=forward action=accept protocol=icmp comment="Allow forward Ping"
add chain=input action=drop comment="All other inputs drop"
add chain=forward action=drop comment="All other forwards drop"

/ip firewall nat
add chain=srcnat out-interface=pppoe action=masquerade

/ip dns
set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes
 
Gabbel
just joined
Topic Author
Posts: 6
Joined: Thu Nov 28, 2013 11:27 am

Re: Cannot open websites

Thu Nov 28, 2013 1:43 pm

I changed my firewall rules, rebooted the router and tried again to open a website. No luck :-( What is going on?? I ping www.google.com and I get a response. If I enter something in the search box of Google Chrome I get results, but if I type something like www.google.nl or www.mikrotik.com I get no website, only an error, something like "no page to display".
 
bingo220
Member Candidate
Posts: 124
Joined: Sun Sep 22, 2013 9:30 pm
Location: Ukraine

Re: Cannot open websites

Thu Nov 28, 2013 2:09 pm

It's really strange.
Try connecting the computer directly to the ISP: open a PPPoE session on the computer without the RB.
Maybe the ISP has a problem.
 
Gabbel
just joined
Topic Author
Posts: 6
Joined: Thu Nov 28, 2013 11:27 am

Re: Cannot open websites

Thu Nov 28, 2013 2:37 pm

If I connect the official router from my ISP to my internet connection, then I can connect to all of the websites.
 
bingo220
Member Candidate
Posts: 124
Joined: Sun Sep 22, 2013 9:30 pm
Location: Ukraine

Re: Cannot open websites

Thu Nov 28, 2013 4:44 pm

OK. I think we need to do the following:

1. Download firmware here http://download2.mikrotik.com/routeros/ ... be-6.6.npk

2. Restore the RB to factory settings:
WinBox-System-Reset Configuration
- Keep User Configuration
+ No Default Configuration
+ Do Not Backup
Reset Configuration, Yes.

3. Connect WinBox to the RB via MAC address (login: "admin", password: empty)

4. Copy the firmware to WinBox-Files

5. System-Reboot-Yes.

6. Again restore the RB to factory settings:
WinBox-System-Reset Configuration
- Keep User Configuration
+ No Default Configuration
+ Do Not Backup
Reset Configuration, Yes.

7. WinBox-New Terminal
Paste this code:
/interface
set 0 name="eth1-wan" disabled=no
set 1 name="eth2-lan" disabled=no
/ip address
add address=192.168.1.1/24 interface=eth2-lan
/ip pool
add name="dhcp-pool-local" ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add name="dhcp-local" interface=eth2-lan address-pool=dhcp-pool-local disabled=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
/ip dns
set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes
Here you have to change "LOGIN" & "PASSWORD":
/interface pppoe-client
add name="pppoe" interface=eth1-wan user="LOGIN" password="PASSWORD" max-mtu=1492 max-mru=1492 add-default-route=yes use-peer-dns=yes disabled=no
/ip firewall address-list
add list=lan-ip address=192.168.1.1-192.168.1.254 comment="All IP of my LAN"
/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop input invalid connection packets"
add chain=forward connection-state=invalid action=drop comment="Drop forward invalid connection packets"
add chain=input connection-state=established action=accept comment="Allow input established connections"
add chain=forward connection-state=established action=accept comment="Allow forward established connections"
add chain=input connection-state=related action=accept comment="Allow input related connections"
add chain=forward connection-state=related action=accept comment="Allow forward related connections"
add chain=input src-address-list=lan-ip action=accept comment="Allow all input for local net"
add chain=forward src-address-list=lan-ip action=accept comment="Allow all forward for local net"
add chain=input action=accept protocol=icmp comment="Allow input Ping"
add chain=forward action=accept protocol=icmp comment="Allow forward Ping"
add chain=input action=drop comment="All other inputs drop"
add chain=forward action=drop comment="All other forwards drop"
/ip firewall nat
add chain=srcnat out-interface=pppoe action=masquerade
8. Connect the ISP cable to port 1.
9. Change the computer's IP settings to obtain IP/DNS/etc. automatically.
10. Connect the computer to port 2 (directly, don't use any hub).
 
Gabbel
just joined
Topic Author
Posts: 6
Joined: Thu Nov 28, 2013 11:27 am

Re: Cannot open websites

Fri Nov 29, 2013 10:54 pm

I FOUND THE PROBLEM!!!

In my firewall I made a dst-nat rule:

chain=dstnat action=dst-nat to-addresses=192.168.xxxx to-ports=80 protocol=tcp dst-port=80

If I enable this rule I cannot access websites any more. If I disable it I can browse to websites. I have a webserver at home; must I edit the rule so I can connect at port 80 to my webserver?
 
bingo220
Member Candidate
Posts: 124
Joined: Sun Sep 22, 2013 9:30 pm
Location: Ukraine

Re: Cannot open websites

Sat Nov 30, 2013 2:30 pm

chain=dstnat action=dst-nat to-addresses=192.168.xxxx to-ports=80 protocol=tcp dst-port=80
Try adding "in-interface=pppoe" to this rule.
P.S. And do the same for all "dst-nat" rules.
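A worked version of that fix, added here as an example and not part of the thread's own export. The rule as posted has no in-interface, so it matches every TCP/80 packet the router sees in prerouting, including the LAN clients' own outgoing requests to any web server on the Internet, and rewrites their destination to the home server: that is exactly the "no page to display" symptom above. Restricting each dst-nat rule to traffic that arrives on the PPPoE interface leaves outbound browsing untouched. The interface name "pppoe", the placeholder address 192.168.xx.xx and the alternative dst-address-type=local matcher are assumptions taken from or added to the thread, not something it states as verified.

```routeros
# Added example, not the thread's own configuration.
# Assumes the PPPoE client is named "pppoe" and the home server sits at
# 192.168.xx.xx (placeholder, as in the thread).
/ip firewall nat

# BEFORE (breaks browsing): matches all TCP/80 in prerouting, LAN-originated
# traffic included, and redirects it to the home server.
# add action=dst-nat chain=dstnat dst-port=80 protocol=tcp \
#     to-addresses=192.168.xx.xx to-ports=80

# AFTER: only packets that enter the router from the Internet side are forwarded.
add action=dst-nat chain=dstnat in-interface=pppoe dst-port=80 protocol=tcp \
    to-addresses=192.168.xx.xx to-ports=80 comment="web server, WAN only"
add action=dst-nat chain=dstnat in-interface=pppoe dst-port=21 protocol=tcp \
    to-addresses=192.168.xx.xx to-ports=21 comment="ftp server, WAN only"
# RDP is a frequent brute-force target; limiting the rule to known source
# addresses (an address-list you maintain yourself) keeps the exposure small.
add action=dst-nat chain=dstnat in-interface=pppoe dst-port=3389 protocol=tcp \
    src-address-list=rdp-allowed to-addresses=192.168.xx.xx to-ports=3389 \
    comment="rdp, WAN only, trusted sources only"

# Alternative matcher (assumption, equally valid): dst-address-type=local only
# matches packets addressed to one of the router's own IPs, i.e. the public
# PPPoE address, so browsing to Internet hosts never hits the rule.
# add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 \
#     protocol=tcp to-addresses=192.168.xx.xx to-ports=80

# Check: browse from a LAN PC, then confirm the dst-nat counters only grow when
# a connection really comes in from the Internet.
/ip firewall nat print stats where chain=dstnat
```

If the counters on the dst-nat rules keep climbing while a LAN client browses external sites, the rule is still matching outbound traffic and the in-interface (or dst-address-type) restriction has not taken effect.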
 
madboy007
just joined
Posts: 4
Joined: Wed Nov 27, 2013 10:29 am

Re: Cannot open websites

Mon Dec 02, 2013 8:55 am

I've met the same problem too. Nice post.
 
Gabbel
just joined
Topic Author
Posts: 6
Joined: Thu Nov 28, 2013 11:27 am

Re: Cannot open websites

Mon Dec 02, 2013 9:58 am

Problem solved for me thank you for all your help!

This topic can be closed.
