cannot access https websites

Posted: Sun Mar 19, 2017 8:15 pm
by fdfdf
Hello,

I've a mikrotik RB2011UiAS-2HnD. Since yesterday I cannot access HTTPS websites anymore.
All other things still work, like vpn, incoming https traffic (port forwarding), vpn tunnels, http traffic.
I can access all http sites, but when they get redirected to https it stops working.

I've looked at all firewall rules and also added a rule allow any any, but it won't work.

Does somebody have suggestions?

Re: cannot access https websites

Posted: Mon Mar 20, 2017 5:09 pm
by norocel
Maybe you have forwarded the https 443 port from wan to an internal lan device?
This would be just one cause.

Re: cannot access https websites

Posted: Mon Mar 20, 2017 6:52 pm
by sjwrick
I have the same problem on some of my routers. Not all.
https sites like https://wellsfargo.com can not be rendered. Other sites like https://crucial.com are very slow to render.

I do not have a router workaround. The problem is exacerbated by some third party routers at the client location. Like a netgear. The DNS proxy does not seem to get information from my Mikrotik main router and pass it on to the client PC. I can ping the domain but cannot pass the https:// site to the client.

My only solution has been to replace the client router (ex: netgear) with a mikrotik. I have 600 customers and cannot replace all their routers.

Is there a known issue with Mikrotik - ROS passing https data on to third party routers?

Re: cannot access https websites

Posted: Mon Mar 20, 2017 7:38 pm
by nikc
> Hello,
>
> I've a mikrotik RB2011UiAS-2HnD. Since yesterday I cannot access HTTPS websites anymore.
> All other things still work, like vpn, incoming https traffic (port forwarding), vpn tunnels, http traffic.
> I can access all http sites, but when they get redirected to https it stops working.
>
> I've looked at all firewall rules and also added a rule allow any any, but it won't work.
>
> Does somebody have suggestions?

Do you have a drop invalid packets rule on the firewall?

If you do, how much data does it say it's processed?

Re: cannot access https websites

Posted: Tue Mar 21, 2017 12:41 am
by IntrusDave
Any chance that you have a ppp or eoip interface in a bridge?
Every time that I have seen this issue, it has been an MTU problem.
When you add an interface into a bridge, the bridge will automatically lower the MTU of the bridge to the lowest MTU of all of the interfaces. This almost always breaks HTTPS.

Re: cannot access https websites

Posted: Thu Mar 23, 2017 4:42 pm
by sjwrick
Thank you for that insight about EOIP. I believe that may be the smoking gun in my case.
I have used eoip for various access situations and the scenario fits with my problems with https.

Much appreciated.

Rick

Re: cannot access https websites

Posted: Thu Mar 23, 2017 5:03 pm
by IntrusDave
Glad to have helped. It took me several days of looking at every little thing to figure that out.

Re: cannot access https websites

Posted: Wed Dec 13, 2017 12:40 am
by mladen074
I just wanted to say thank you, because I was looking into this same issue for days... Of course it was eoip tunnel related. Btw, it was so difficult to even realize there was an issue, because some websites work normally and some don't (seemingly randomly). Anyway, thank you once again, your post was a life saver :)

Re: cannot access https websites

Posted: Mon Aug 27, 2018 7:10 pm
by davidarre
Thank you very much, I had the same problem and it was driving me crazy.
I had created an EoIP tunnel and this was the problem.
But the most curious thing is that it was disabled, and even then I had problems with https browsing.
I had to eliminate the tunnel, and now everything works perfect.
Thank you very much and greetings.

Re: cannot access https websites

Posted: Sun Jan 27, 2019 8:44 am
by Dalo
I just faced the same issue. The problem, as you mentioned, was related to the EOIP tunnel MTU (1408), but in my case I fixed it only by setting the value to 1500 in the Bridge MTU field. Before, it was empty and, as mentioned, it takes the lowest MTU of the LAN: "Actual MTU 1408" (the EOIP interface was 1408). Now EOIP and TLS websites are working in parallel and it is currently "Actual MTU 1500".

Re: cannot access https websites

Posted: Mon Jul 29, 2019 6:51 pm
by Sparo90
> Any chance that you have a ppp or eoip interface in a bridge?
> Every time that I have seen this issue, it has been an MTU problem.
> When you add an interface into a bridge, the bridge will automatically lower the MTU of the bridge to the lowest MTU of all of the interfaces. This almost always breaks HTTPS.

Thanks for the great tip, I also created an EOIP interface in my bridge and it changed my MTU and it caused multiple problems.
After the change of the MTU on the EOIP interface it solved the problem.


Regards,

Sparo90

Re: cannot access https websites

Posted: Fri Nov 13, 2020 7:00 am
by Ferrograph
Thank you! Thank you! Thank you!

This has been driving me nuts for several days! I use eoip links to bring customers' networks to my desk so I can work on things that require wire type access and I never noticed the change it was making to the bridge MTU.

I had two sites where for whatever reason this was really screwing up general internet access.

Note also to check any VLAN interfaces hanging off the bridge. They don't seem to update their MTU in line with the bridge until toggled.

Re: cannot access https websites

Posted: Tue Jan 05, 2021 7:21 pm
by Ferrograph
Just wanted to share this...

I had another site with really patchy internet and https. It also had the issue with an EoIP interface dropping the MTU, which I fixed and expected everything to work again, but it didn't, which has had me scratching my head.

I exported the config verbose and went through it line by line and found that the router's IP was on ether2 and not the bridge, which I hadn't noticed. Moved it to the bridge and all working normally!

Re: cannot access https websites

Posted: Wed Jan 06, 2021 11:18 am
by sindy
Great. It's the first time I've seen an example of an actual issue caused by attaching the IP configuration to a member port of a bridge rather than to the cpu-facing virtual port of that bridge.

Re: cannot access https websites

Posted: Wed Jan 06, 2021 1:02 pm
by Ferrograph
Yes, I've found routers set up with the IP on a member port before and it's not really seemed to cause a problem, although in all cases if I spot it I move it to the bridge.
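
The two misconfigurations reported in this thread (a bridge with no MTU set dropping to its lowest member MTU, and the router IP bound to a bridge member port) can be checked offline against a config export. The following is an added example, not part of any post above; the export text, interface names and addresses are constructed, and the MTU model is the behaviour as the posters describe it.

```python
# Constructed, simplified RouterOS-style export (not taken from the thread).
SAMPLE_EXPORT = """\
/interface ethernet
set [ find default-name=ether2 ] mtu=1500 name=ether2
/interface eoip
add mtu=1408 name=eoip-desk remote-address=192.0.2.10 tunnel-id=7
/interface bridge
add mtu=auto name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=eoip-desk
/ip address
add address=192.168.88.1/24 interface=ether2
"""

def parse_export(text):
    """Group the key=value pairs of each add/set line under its /menu path."""
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
            menus.setdefault(menu, [])
        elif menu and line.startswith(("add ", "set ")):
            # Naive split: quoted values containing spaces are not handled.
            menus[menu].append(dict(t.split("=", 1) for t in line.split() if "=" in t))
    return menus

def audit(text, expected_mtu=1500):
    """Flag bridges pulled below expected_mtu and IPs bound to member ports."""
    m = parse_export(text)
    mtu = {}  # interface name -> configured MTU; non-numeric values are skipped
    for menu in ("/interface ethernet", "/interface eoip"):
        for e in m.get(menu, []):
            if e.get("mtu", "").isdigit():
                mtu[e["name"]] = int(e["mtu"])
    member_of = {p["interface"]: p["bridge"] for p in m.get("/interface bridge port", [])}
    findings = []
    for b in m.get("/interface bridge", []):
        ports = [i for i, br in member_of.items() if br == b["name"]]
        low = min(ports, key=lambda i: mtu.get(i, expected_mtu), default=None)
        fixed = b.get("mtu", "auto")
        # An explicit bridge MTU wins; otherwise the lowest member MTU applies.
        actual = int(fixed) if fixed.isdigit() else mtu.get(low, expected_mtu)
        if actual < expected_mtu:
            findings.append(("bridge-mtu", b["name"], actual, None if fixed.isdigit() else low))
    for a in m.get("/ip address", []):
        if a["interface"] in member_of:
            findings.append(("ip-on-member-port", a["interface"], member_of[a["interface"]], a["address"]))
    return findings
```

On the constructed export, `audit(SAMPLE_EXPORT)` reports the bridge at 1408 because of `eoip-desk`, and the address on `ether2` that belongs on `bridge-lan`.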