cannot access https websites

Posted: Sun Mar 19, 2017 8:15 pm
by fdfdf
Hello,

I have a MikroTik RB2011UiAS-2HnD. Since yesterday I cannot access HTTPS websites anymore.
All other things still work, like vpn, incoming https traffic (port forwarding), vpn tunnels http traffic.
I can access all http sites, but when they get redirected to https it stops working.

I've looked at all firewall rules and also added a rule allow any any, but it won't work.

Does somebody have suggestions?

Re: cannot access https websites

Posted: Mon Mar 20, 2017 5:09 pm
by norocel
Maybe you have forwarded the https 443 port from wan to an internal lan device?
This will be just one cause.

Re: cannot access https websites

Posted: Mon Mar 20, 2017 6:52 pm
by sjwrick
I have the same problem on some of my routers. Not all.
https sites like https://wellsfargo.com can not be rendered. Other sites like https://crucial.com are very slow to render.

I do not have a router workaround. The problem is exacerbated by some third party routers at the client location. Like a netgear. The DNS proxy does not seem to get information from my Mikrotik main router and pass it on to the client PC. I can ping to domain but cannot pass https:// site to the client.

My only solution has been to replace the client router (ex: netgear) with a mikrotik. I have 600 customers and cannot replace all their routers.

Is there a known issue with Mikrotik - ROS passing https data on to third party routers?

Re: cannot access https websites

Posted: Mon Mar 20, 2017 7:38 pm
by nikc
fdfdf wrote:
> Hello,
>
> I have a MikroTik RB2011UiAS-2HnD. Since yesterday I cannot access HTTPS websites anymore.
> All other things still work, like vpn, incoming https traffic (port forwarding), vpn tunnels http traffic.
> I can access all http sites, but when they get redirected to https it stops working.
>
> I've looked at all firewall rules and also added a rule allow any any, but it won't work.
>
> Does somebody have suggestions?

Do you have a drop invalid packets rule on the firewall?

If you do, how much data does it say it's processed?

Re: cannot access https websites

Posted: Tue Mar 21, 2017 12:41 am
by IntrusDave
Any chance that you have a ppp or eoip interface in a bridge?
Every time that I have seen this issue, it has been an MTU problem.
When you add an interface into a bridge, the bridge will automatically lower the MTU of the bridge to the lowest MTU of all of the interfaces. This almost always breaks HTTPS.

Re: cannot access https websites

Posted: Thu Mar 23, 2017 4:42 pm
by sjwrick
Thank you for that insight about EOIP. I believe that may be the smoking gun in my case.
I have used eoip for various access situations and the scenario fits with my problems with https.

Much appreciated.

Rick

Re: cannot access https websites

Posted: Thu Mar 23, 2017 5:03 pm
by IntrusDave
Glad to have helped. It took me several days of looking at every little thing to figure that out.

Re: cannot access https websites

Posted: Wed Dec 13, 2017 12:40 am
by mladen074
I just wanted to say thank you, because I was looking into this same issue for days... Of course it was eoip tunnel related. Btw, it was so difficult to even realize there was an issue, because some websites work normally and some don't (seemingly randomly). Anyway, thank you once again, your post was a life saver :)

Re: cannot access https websites

Posted: Mon Aug 27, 2018 7:10 pm
by davidarre
Thank you very much, I had the same problem and it was driving me crazy.
I had created an EoIP tunnel and this was the problem.
But the most curious thing is that it was disabled, and even then I had problems with https browsing.
I had to eliminate the tunnel, and now everything works perfectly.
Thank you very much and greetings.

Re: cannot access https websites

Posted: Sun Jan 27, 2019 8:44 am
by Dalo
I just faced the same issue. The problem, as you mentioned, was related to the EOIP tunnel MTU (1408), but in my case I fixed it only by setting the value to 1500 in the Bridge MTU field. Before, it was empty and, as mentioned, it takes the lowest MTU of the LAN: "Actual MTU 1408" (the EOIP interface was 1408). Now EOIP and TLS websites are working in parallel and it is currently "Actual MTU 1500".
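An added example, not part of the thread and not MikroTik code: a small Python check that reads a RouterOS-style export and flags bridges whose MTU field is empty while a member port (such as an EoIP tunnel) has an MTU below 1500, the situation described in the posts above. The export text, interface names and addresses are constructed, and it assumes tunnel MTUs are written out explicitly as `mtu=` values.

```python
import shlex

DEFAULT_MTU = 1500  # assumption: ports with no explicit mtu= are plain Ethernet

# Constructed sample in the style of a RouterOS export (not from the thread).
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge-lan
add name=bridge-office mtu=1500
/interface eoip
add name=eoip-branch mtu=1408 remote-address=192.0.2.10 tunnel-id=1
add name=eoip-office mtu=1408 remote-address=192.0.2.20 tunnel-id=2
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=eoip-branch
add bridge=bridge-office interface=ether3
add bridge=bridge-office interface=eoip-office
"""

def parse_export(text):
    """Return {menu path: [key=value dict for each 'add' line]}."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def find_lowered_bridges(text):
    """List (bridge, actual_mtu, limiting_port) for bridges with an empty MTU
    field whose lowest-MTU member pulls the bridge below 1500."""
    menus = parse_export(text)
    ports = menus.get("/interface bridge port", [])
    mtu = {r["name"]: int(r["mtu"]) for rows in menus.values() for r in rows
           if "name" in r and r.get("mtu", "").isdigit()}
    findings = []
    for br in menus.get("/interface bridge", []):
        members = [p["interface"] for p in ports if p.get("bridge") == br["name"]]
        if "mtu" in br or not members:  # explicit bridge MTU: not taken from ports
            continue
        low = min(members, key=lambda n: mtu.get(n, DEFAULT_MTU))
        if mtu.get(low, DEFAULT_MTU) < DEFAULT_MTU:
            findings.append((br["name"], mtu[low], low))
    return findings

if __name__ == "__main__":
    print(find_lowered_bridges(SAMPLE_EXPORT))
```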

Re: cannot access https websites

Posted: Mon Jul 29, 2019 6:51 pm
by Sparo90
IntrusDave wrote:
> Any chance that you have a ppp or eoip interface in a bridge?
> Every time that I have seen this issue, it has been an MTU problem.
> When you add an interface into a bridge, the bridge will automatically lower the MTU of the bridge to the lowest MTU of all of the interfaces. This almost always breaks HTTPS.

Thanks for the great tip, I also created an EOIP interface in my bridge and it changed my MTU and it caused multiple problems.
After the change of the MTU on the EOIP interface it solved the problem.


Regards,

Sparo90