aresmt
Frequent Visitor
Topic Author
Posts: 68
Joined: Fri Mar 28, 2014 12:10 am

port 80 blocked issue - RB2011UiAS-2HnD-IN

Sat Aug 02, 2014 6:28 pm

Hi,

I have 2 RB2011UiAS-2HnD-IN routers.

One of them is in a remote location to which I don't have easy physical access, only a remote connection.

This one has a strange behavior, or maybe I don't know how to use it.

From time to time it starts to block port 80 when I try to connect from its LAN to the internet. HTTPS and other ports and protocols are OK, but not 80.

If I reset it to the default configuration and restore the last backup config, it starts to work, but only for a while. (Just a restart doesn't fix the problem.)
It has a basic routing config and 3 port forward rules.

The second one I use in my apartment; it never had this issue.

I recently upgraded it to the latest version, 6.17.

Any advice? Ideas? Suggestions?

Thanks in advance,
 
marizo
newbie
Posts: 34
Joined: Sun May 04, 2014 8:41 pm

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sat Aug 02, 2014 6:43 pm

Maybe UPnP is on and some local service is trying to use it?
 
aresmt
Frequent Visitor
Topic Author
Posts: 68
Joined: Fri Mar 28, 2014 12:10 am

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sat Aug 02, 2014 6:46 pm

Maybe UPnP is on and some local service is trying to use it?
Just checked, UPnP is not enabled.
 
plisken
Forum Guru
Posts: 2509
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sat Aug 02, 2014 8:30 pm

What RouterOS?
Have you added firewall rules?
 
ParsagachkarDev
just joined
Posts: 4
Joined: Wed Jul 16, 2014 10:17 pm

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sat Aug 02, 2014 11:05 pm

Please provide more info!

Do you mean blocked input 80, forward 80, or both? (Access to the router on port 80, access through the router on that port, or both.)

Are you using firewall rules?
/ip firewall filter print
/ip firewall nat print
 
aresmt
Frequent Visitor
Topic Author
Posts: 68
Joined: Fri Mar 28, 2014 12:10 am

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sun Aug 03, 2014 12:38 am

What RouterOS?
Have you added firewall rules?

3.18
No rules other than the default rules that come with the default config.

thanks
 
aresmt
Frequent Visitor
Topic Author
Posts: 68
Joined: Fri Mar 28, 2014 12:10 am

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sun Aug 03, 2014 12:45 am

What RouterOS?
Have you added firewall rules?

3.18
No rules other than the default rules that come with the default config.

thanks

Sorry, it was 6.17, as specified in my first post.

Just upgraded to 6.18 now.
 
plisken
Forum Guru
Posts: 2509
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sun Aug 03, 2014 12:49 am

Post your export file in this forum, then we can look at what's wrong, if you can log in.
 
aresmt
Frequent Visitor
Topic Author
Posts: 68
Joined: Fri Mar 28, 2014 12:10 am

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sun Aug 03, 2014 12:56 am

Even with 6.18 it is the same:
 root ~: ping forum.mikrotik.com
PING forum.mikrotik.com (159.148.147.201) 56(84) bytes of data.
64 bytes from tuncis.mt.lv (159.148.147.201): icmp_seq=1 ttl=57 time=71.8 ms
64 bytes from tuncis.mt.lv (159.148.147.201): icmp_seq=2 ttl=57 time=71.0 ms
64 bytes from tuncis.mt.lv (159.148.147.201): icmp_seq=3 ttl=57 time=71.4 ms
^C
--- forum.mikrotik.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2251ms
rtt min/avg/max/mdev = 71.069/71.463/71.899/0.459 ms
 root ~: telnet  forum.mikrotik.com 80
Trying 159.148.147.201...
^C
 root ~: telnet gmail.com 443
Trying 173.194.44.22...
Connected to gmail.com.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
 root ~: nslookup forum.mikrotik.com
Server:         192.168.10.110
Address:        192.168.10.110#53

Non-authoritative answer:
Name:   forum.mikrotik.com
Address: 159.148.147.201
 root ~: telnet 8.8.8.8 53
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.
Connection closed by foreign host.
 
aresmt
Frequent Visitor
Topic Author
Posts: 68
Joined: Fri Mar 28, 2014 12:10 am

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sun Aug 03, 2014 1:55 pm

Post your export file in this forum, then we can look at what's wrong, if you can log in.
Doesn't that file contain users, passwords, and other sensitive info?
 
plisken
Forum Guru
Posts: 2509
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sun Aug 03, 2014 2:14 pm

Sensitive data can't be read.
 
aresmt
Frequent Visitor
Topic Author
Posts: 68
Joined: Fri Mar 28, 2014 12:10 am

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sun Aug 03, 2014 3:19 pm

Sensitive data can't be read.

Sorry, can't do that. I don't know who decided what is sensitive or not for a specific user.

I can post specific outputs if you give me the commands.

Thanks,
 
plisken
Forum Guru
Posts: 2509
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Mon Aug 04, 2014 10:18 am

Go to terminal.

Type: "export"

That's it
 
aresmt
Frequent Visitor
Topic Author
Posts: 68
Joined: Fri Mar 28, 2014 12:10 am

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Wed Aug 06, 2014 9:25 pm

Go to terminal.

Type: "export"

That's it
Another issue that I have is that when I try to access xyz.mydomain.com from INSIDE the LAN it doesn't work; it only works from outside my network. Can you also take a look at the firewall rules with the port forward for 80?

Here is the output:

# aug/06/2014 21:02:50 by RouterOS 6.18
# software id = AJNU-VQUA
#
/interface bridge
add admin-mac=MAC:MAC:MAC:MAC:MAC auto-mac=no l2mtu=1598 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] mac-address=MAC:MAC:MAC:MAC:MAC name=ether1-gateway
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local
set [ find default-name=sfp1 ] name=sfp1-gateway
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors l2mtu=2290 mode=ap-bridge ssid=MySID wireless-protocol=802.11
/ip neighbor discovery
set ether1-gateway discover=no
set sfp1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=MySID-pass wpa2-pre-shared-key=MySID-pass
/ip pool
add name=dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=10m name=default
/port
set 0 name=serial0
/interface ovpn-client
add add-default-route=no auth=sha1 certificate=cert_2 cipher=blowfish128 connect-to=bla.bla.bla.com disabled=no mac-address=MAC:MAC:MAC:MAC:MAC max-mtu=1500 mode=ip name=\
    ovpn-to-dub password=hidden-pass port=10443 profile=default user=my-hidden-user
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=sfp1-gateway
/ip address
add address=192.168.10.1/24 comment="default configuration" interface=ether2 network=192.168.10.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.10.0/24 comment="default configuration" dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input dst-port=8080 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.10.125 to-ports=80
add action=dst-nat chain=dstnat dst-port=10443 protocol=tcp to-addresses=192.168.10.128 to-ports=10443
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp to-addresses=192.168.10.126 to-ports=51413
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=no
/system clock
set time-zone-name=Europe/xxx
/system identity
set name=my-router-name
/system ntp client
set enabled=yes primary-ntp=ip.ip.ip.ip secondary-ntp=ip.ip.ip.ip
/system scheduler
add comment=DynDNS interval=5m name=DynDNS on-event=DynDNS policy=reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
/system script
add name=DynDNS policy=reboot,read,write,policy,test,password,sniff,sensitive source=":global ddnsuser \"my_dyndns-user\"\
    \n:global ddnspass \"hidden-pass\"\
    \n:global theinterface \"ether1-gateway\"\
    \n:global ddnshost bla.bla.bla.com\
    \n:global ipddns [:resolve \$ddnshost];\
    \n:global ipfresh [ /ip address get [/ip address find interface=\$theinterface ] address ]\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\
    \n   :log info (\"DynDNS: No ip address on \$theinterface .\")\
    \n} else={\
    \n   :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
    \n      :if ( [:pick \$ipfresh \$i] = \"/\") do={ \
    \n    :set ipfresh [:pick \$ipfresh 0 \$i];\
    \n      } \
    \n}\
    \n \
    \n:if (\$ipddns != \$ipfresh) do={\
    \n    :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
    \n    :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
    \n   :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\
    \n   :global str \"/nic/update\\\?hostname=\$ddnshost&myip=\$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG\"\
    \n   /tool fetch address=members.dyndns.org src-path=\$str mode=http user=\$ddnsuser \\\
    \n         password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\
    \n    :delay 1\
    \n    :global str [/file find name=\"DynDNS.\$ddnshost\"];\
    \n    /file remove \$str\
    \n    :global ipddns \$ipfresh\
    \n  :log info \"DynDNS: IP updated to \$ipfresh!\"\
    \n    } else={\
    \n     :log info \"DynDNS: dont need changes\";\
    \n    }\
    \n} \
    \n"
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=wlan1
add interface=bridge-local
 
aresmt
Frequent Visitor
Topic Author
Posts: 68
Joined: Fri Mar 28, 2014 12:10 am

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Fri Aug 08, 2014 3:18 pm

Any ideas, guys?

Thanks
 
joegoldman
Forum Veteran
Posts: 767
Joined: Mon May 27, 2013 2:05 am

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sat Aug 09, 2014 5:31 am

ros code

add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.10.125 to-ports=80
Pretty sure this rule, without defining an 'in' interface or dst-address, will be catching ALL your NAT port 80 attempts and trying to port forward you internally.

Remove this rule as a test and see if it helps.
 
aresmt
Frequent Visitor
Topic Author
Posts: 68
Joined: Fri Mar 28, 2014 12:10 am

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sat Aug 09, 2014 1:13 pm

ros code

add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.10.125 to-ports=80
Pretty sure this rule, without defining an 'in' interface or dst-address, will be catching ALL your NAT port 80 attempts and trying to port forward you internally.

Remove this rule as a test and see if it helps.

Thanks,

It is working now.

Can you also help me with the other issue please?

When I point my browser to my domain bla.example.com, which has that port forwarding rule to 192.168.10.125:80, I get an error message like "The page is not available."
But from the internet the rule is working.

Thanks,
 
joegoldman
Forum Veteran
Posts: 767
Joined: Mon May 27, 2013 2:05 am

Re: port 80 blocked issue - RB2011UiAS-2HnD-IN

Sat Aug 09, 2014 3:08 pm

You will need hairpin NAT, or in some cases I simply add the same domain as a static DNS entry, if you're using the MikroTik as the DNS server for your LAN clients, and point it to the web server internally only.

http://wiki.mikrotik.com/wiki/Hairpin_NAT
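Both of joegoldman's points above, the unrestricted dst-nat rule that swallowed LAN clients' outbound HTTP and the hairpin case for reaching the server by its public name from inside, applied to the config aresmt exported earlier in the thread. The commands below are an added editorial example, not something posted by anyone in the thread. They assume the names and addresses from that export (WAN on ether1-gateway with a DHCP-assigned public address, LAN on bridge-local as 192.168.10.0/24, router LAN address 192.168.10.1, web server 192.168.10.125:80) and use bla.example.com for the public hostname, as aresmt did.

```routeros
# Added example (not from the thread): corrected NAT rules for the export above.
# Assumptions: WAN = ether1-gateway (DHCP, so the public IP is not known in
# advance), LAN = bridge-local 192.168.10.0/24, router LAN address 192.168.10.1,
# web server 192.168.10.125:80, public name bla.example.com.

/ip firewall nat

# Drop the original rule. With only protocol=tcp dst-port=80 it matched every
# new TCP/80 connection entering the dstnat chain, including LAN -> Internet
# browsing, and rewrote the destination to the internal web server.
remove [ find chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.10.125 ]

# 1. Forward only connections addressed to one of the router's own addresses
#    (dst-address-type=local), excluding the LAN gateway address itself. This
#    matches arrivals on the public IP both from the Internet and from the LAN
#    (the hairpin case), and leaves LAN -> Internet traffic untouched.
#    joegoldman's in-interface=ether1-gateway would also stop the outbound
#    problem, but it cannot match hairpin traffic, which enters on bridge-local.
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
    dst-address-type=local dst-address=!192.168.10.1 \
    to-addresses=192.168.10.125 to-ports=80 \
    comment="HTTP to internal web server (Internet + hairpin)"

# 2. Hairpin srcnat. A LAN client that connects to the public IP gets its
#    destination rewritten to 192.168.10.125 by rule 1, but the server's reply
#    would go straight back to the client on the same subnet, bypassing the
#    router, so the client sees a reply from 192.168.10.125 for a connection it
#    opened to the public IP and resets it. Masquerading the source forces the
#    reply back through the router, where the dst-nat is reversed.
add chain=srcnat action=masquerade protocol=tcp dst-port=80 \
    src-address=192.168.10.0/24 dst-address=192.168.10.125 \
    out-interface=bridge-local \
    comment="hairpin NAT for LAN clients reaching the web server via public IP"

# Alternative to hairpin, as joegoldman also suggests: split DNS. Only useful
# if LAN clients actually resolve through this router (it has
# allow-remote-requests=yes and hands itself out as DNS server via DHCP).
# /ip dns static add name=bla.example.com address=192.168.10.125

# Verify: watch the packet counters on the two new rules while browsing to
# an external site (rule 1 must stay at zero) and to bla.example.com from a
# LAN host (both rules must increment).
/ip firewall nat print stats
```

Two caveats from the thread itself. The nslookup output aresmt posted shows the LAN client using 192.168.10.110 as its resolver, not the router, so the static-DNS shortcut only helps if that resolver forwards to the router or gets the same entry; the hairpin rules work regardless of DNS. And because the dst-nat rule still matches every address the router owns except 192.168.10.1, it will also catch TCP/80 sent to the OVPN client address; if that matters, add the WAN address list or interface as a further match instead.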
