
just joined
Topic Author
Posts: 1
Joined: Tue Aug 22, 2017 12:16 pm

Help: IPv4 NAT - some https websites won't load

Tue Aug 22, 2017 12:59 pm

I installed a CCR1016 as a router/firewall for student dormitories about a week ago, and I have received a lot of complaints about certain websites not working. Investigation showed that some IPv4 TLS connections are affected. Opening a TCP connection via IPv4 works fine. Websites only reachable via IPv4 and HTTPS do not load beyond "establishing a secure connection".

Trying to fetch an affected website with wget stalls after the TCP connection on port 443 has been opened successfully.

* CCR is connected to Upstream via Fiber (sfp1), advertising a /28 IPv4 and /48 IPv6.
* Dorm clients each have a VLAN with a NATed /27 IPv4 and a /64 IPv6. Connected via fiber to sfp5.

/ip firewall nat
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm1 to-addresses=x.y.z.1
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm2 to-addresses=x.y.z.2
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm3 to-addresses=x.y.z.3
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm4 to-addresses=x.y.z.4
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm5 to-addresses=x.y.z.5
add action=src-nat chain=srcnat comment="Default NAT" log-prefix=nat-def- out-interface=sfp1_uplink src-address-list=nat-private to-addresses=x.y.z.6

x.y.z.[1-6] are the public IPs advertised via BGP.

/ip firewall filter
add action=accept chain=input comment="Anti-lockout rule from mgmt network" in-interface=sfp12_wh-pf-mgmt log-prefix=mgmt-in
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Accept established, related" connection-state=established,related
add action=accept chain=input comment="Accept established, related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid log-prefix=drop-invalid
add action=accept chain=input comment="BGP" dst-address=x.y.z.10 dst-port=179 log=yes log-prefix=bgp- protocol=tcp src-address=x.y.z.11
add action=accept chain=input comment=basic protocol=icmp
add action=drop chain=input comment="Drop everything not established, related or permitted from upstream (internet)" connection-state=!established,related in-interface=sfp1_upstream log-prefix=drop-in-unsolicited
add action=accept chain=input comment="Allow broadcast for dhcp" dst-address-type=broadcast in-interface=!sfp1_upstream
add action=accept chain=forward comment="Allow unicast to dhcp servers" dst-address-list=dhcp-servers port=67,68 protocol=udp
add action=accept chain=forward dst-address-list=dhcp-servers protocol=icmp
add action=accept chain=forward comment="Allow APs to controllers" dst-address-list=wlan-controller in-interface=wh-pf-ap/1 log-prefix=allow-aps
add action=accept chain=forward comment="SNMP Traps" dst-address-list=snmp-monitoring dst-port=612 in-interface=wh-pf-ap/1 protocol=udp
add action=accept chain=forward comment="SNMP requests from Monitoring" dst-port=161 protocol=udp src-address-list=snmp-monitoring
add action=accept chain=forward comment="forward from mgmgt" src-address-list=wh-mgmt
add action=accept chain=forward in-interface=sfp12_wh-pf-mgmt src-address-list=wh-stuwe-mgmt
add action=reject chain=forward comment="Disallow residents to mgmt" dst-address-list=wh-mgmt log=yes log-prefix=drop-to-mgmt reject-with=icmp-network-unreachable
add action=reject chain=forward port=25,135,137,138,139,445 protocol=tcp reject-with=icmp-admin-prohibited
add action=reject chain=forward port=135,137,138,139,445 protocol=udp reject-with=icmp-admin-prohibited
add action=reject chain=input port=135,137,138,139,445 protocol=udp reject-with=icmp-admin-prohibited
add action=reject chain=input port=135,137,138,139,445 protocol=tcp reject-with=icmp-admin-prohibited
add action=accept chain=forward dst-address=x.y.z.0/28 in-interface=sfp1_upstream
add action=drop chain=input connection-state=invalid in-interface=sfp1_upstream
add action=accept chain=input src-address= src-address-list=wh-stuwe-mgmt
add action=accept chain=input src-address=
add action=drop chain=forward comment="Drop eduroam to internal nets" disabled=yes dst-address-list=private in-interface=wh-pf-eduroam log=yes
add action=reject chain=forward comment="Drop from Bogons" log-prefix=drop-from-bogon reject-with=icmp-net-prohibited src-address-list=BOGONS
add action=reject chain=forward comment="Drop to Bogons" dst-address-list=BOGONS log-prefix=drop-to-bogon reject-with=icmp-net-prohibited
add action=drop chain=input comment=basic log-prefix=default-drop src-address-list=v4_wh
add action=accept chain=forward log=yes log-prefix="mgmt fwd in" src-address-list=wh-stuwe-mgmt

In the connection list I see around 30 active connections with traffic over HTTPS/IPv4, out of around 2500 connections.

Does anyone have any idea what could be happening here?
just joined
Posts: 2
Joined: Tue Nov 14, 2017 8:07 pm

Re: Help: IPv4 NAT - some https websites won't load

Tue Nov 14, 2017 8:09 pm

Hello there, have you resolved it?
If you haven't, have you tried enabling the SSL service in IP > Services > www-ssl?

If you have resolved it, can you tell us?
Posts: 389
Joined: Sat Nov 29, 2014 7:27 pm

Re: Help: IPv4 NAT - some https websites won't load

Mon Apr 01, 2019 10:55 pm

Hi guys,
have you resolved this problem at all? I'm in a similar situation. Sometimes users cannot load HTTPS sites; after reloading the homepage it works.
Forum Veteran
Posts: 884
Joined: Sun Oct 01, 2006 11:44 pm

Re: Help: IPv4 NAT - some https websites won't load

Thu Apr 04, 2019 6:07 pm

Not being able to load HTTPS sites is usually an MTU issue due to larger packets. Make sure you're clamping TCP MSS if you have a non-standard MTU and aren't blocking ICMP.
Forum Guru
Posts: 1101
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Help: IPv4 NAT - some https websites won't load

Sat Apr 06, 2019 6:10 pm

> Not being able to load HTTPS sites is usually an MTU issue due to larger packets. Make sure you're clamping TCP MSS if you have a non-standard MTU and aren't blocking ICMP.

I second this, although TCP MSS clamping isn't strictly required if MTU and path MTU discovery (largely an ICMP process) are functioning. Blocking ICMP carte blanche is a very dated security posture.
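The MSS clamping recommended in the two replies above, shown as an added example that is not code from this thread or from MikroTik. The symptom in the first post (handshake completes, then the HTTPS page never arrives) is typical of a path MTU black hole: the small handshake packets fit, the first full-size server segment carrying the certificate does not, and if the ICMP "fragmentation needed" message is dropped somewhere neither side ever learns why. A router-side MSS clamp lowers the MSS option in each SYN so that the peers never send segments larger than the narrow link can carry. The code below re-implements that rewrite in plain Python so the arithmetic can be checked by hand; the addresses, the SYN and the path MTU of 1492 are constructed assumptions, and it handles IPv4 only (the IPv6 pseudo-header differs).

```python
"""TCP MSS clamping of a SYN, as a router's change-mss rule does it (added example)."""
import struct

TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MSS = 2
TCP_FLAG_SYN = 0x02


def mss_for_mtu(mtu, ipv6=False):
    """Largest MSS that fits `mtu` without IP fragmentation.

    Routers clamp to MTU minus the fixed IP and TCP header sizes
    (20+20 for IPv4, 40+20 for IPv6): 1500 -> 1460, 1492 -> 1452.
    """
    return mtu - ((40 if ipv6 else 20) + 20)


def _ones_complement_sum(data):
    """16-bit one's complement checksum as used by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, segment):
    # IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum to store at bytes 16..17 of `segment` (field treated as zero)."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + zeroed)


def checksum_ok(src_ip, dst_ip, segment):
    """A segment whose stored checksum is correct sums to zero."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + segment) == 0


def tcp_options(segment):
    """Yield (offset, kind, value) for each option in the TCP header."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("malformed TCP option at offset %d" % i)
        yield i, kind, segment[i + 2:i + length]
        i += length


def syn_mss(segment):
    """Advertised MSS of a segment, or None if it carries no MSS option."""
    for _, kind, value in tcp_options(segment):
        if kind == TCPOPT_MSS:
            return struct.unpack("!H", value)[0]
    return None


def clamp_syn_mss(src_ip, dst_ip, segment, path_mtu):
    """Lower the MSS option of a SYN to what `path_mtu` allows.

    Returns (segment, new_mss); new_mss is None when nothing was changed
    (not a SYN, no MSS option, or the MSS was already small enough).
    """
    if not segment[13] & TCP_FLAG_SYN:
        return segment, None
    limit = mss_for_mtu(path_mtu)
    for offset, kind, value in tcp_options(segment):
        if kind != TCPOPT_MSS:
            continue
        if struct.unpack("!H", value)[0] <= limit:
            return segment, None
        out = bytearray(segment)
        struct.pack_into("!H", out, offset + 2, limit)          # rewrite the option
        struct.pack_into("!H", out, 16, tcp_checksum(src_ip, dst_ip, bytes(out)))
        return bytes(out), limit
    return segment, None


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed client SYN: MSS option, two NOPs, SACK-permitted, no payload."""
    options = struct.pack("!BBH", TCPOPT_MSS, 4, mss) + b"\x01\x01\x04\x02"
    header_len = 20 + len(options)
    header = struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0,
                         (header_len // 4) << 4, TCP_FLAG_SYN, 65535, 0, 0)
    segment = header + options
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


if __name__ == "__main__":
    client = bytes([10, 20, 30, 40])     # constructed dorm client (RFC 1918)
    server = bytes([203, 0, 113, 10])    # constructed web server (TEST-NET-3)
    syn = build_syn(client, server, 51234, 443, 1460)          # Ethernet-sized MSS
    clamped, new_mss = clamp_syn_mss(client, server, syn, path_mtu=1492)
    print("MSS %d -> %s, checksum ok: %s"
          % (syn_mss(syn), new_mss, checksum_ok(client, server, clamped)))
```

On RouterOS the equivalent is a mangle rule such as `/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes`, which derives the limit from the outgoing interface MTU instead of a fixed number. Clamping only papers over the black hole; the cleaner fix the second reply alludes to is to let ICMP type 3 code 4 (fragmentation needed, `icmp-options=3:4` in the filter) reach both endpoints so path MTU discovery works on its own.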
