Trying to get an affected website via wget stalls after successfully opening the TCP connection on port 443.
Topology:
* CCR is connected to Upstream via fiber (sfp1), advertising a /28 IPv4 and /48 IPv6.
* Dorm clients each have a VLAN with a NATed /27 IPv4 and /64 IPv6. Connected via fiber to sfp5.
The
/ip firewall nat
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm1 to-addresses=x.y.z.1
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm2 to-addresses=x.y.z.2
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm3 to-addresses=x.y.z.3
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm4 to-addresses=x.y.z.4
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm5 to-addresses=x.y.z.5
add action=src-nat chain=srcnat comment="Default NAT" log-prefix=nat-def- out-interface=sfp1_uplink src-address-list=nat-private to-addresses=x.y.z.6
/ip firewall filter
add action=accept chain=input comment="Anti-lockout rule from mgmt network" in-interface=sfp12_wh-pf-mgmt log-prefix=mgmt-in
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Accept established, related" connection-state=established,related
add action=accept chain=input comment="Accept established, related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid log-prefix=drop-invalid
add action=accept chain=input comment="BGP" dst-address=x.y.z.10 dst-port=179 log=yes log-prefix=bgp- protocol=tcp src-address=x.y.z.11
add action=accept chain=input comment=basic protocol=icmp
add action=drop chain=input comment="Drop everything not established, related or permitted from upstream (internet)" connection-state=!established,related in-interface=sfp1_upstream log-prefix=drop-in-unsolicited
add action=accept chain=input comment="Allow broadcast for dhcp" dst-address-type=broadcast in-interface=!sfp1_upstream
add action=accept chain=forward comment="Allow unicast to dhcp servers" dst-address-list=dhcp-servers port=67,68 protocol=udp
add action=accept chain=forward dst-address-list=dhcp-servers protocol=icmp
add action=accept chain=forward comment="Allow APs to controllers" dst-address-list=wlan-controller in-interface=wh-pf-ap/1 log-prefix=allow-aps
add action=accept chain=forward comment="SNMP Traps" dst-address-list=snmp-monitoring dst-port=612 in-interface=wh-pf-ap/1 protocol=udp
add action=accept chain=forward comment="SNMP requests from Monitoring" dst-port=161 protocol=udp src-address-list=snmp-monitoring
add action=accept chain=forward comment="forward from mgmgt" src-address-list=wh-mgmt
add action=accept chain=forward in-interface=sfp12_wh-pf-mgmt src-address-list=wh-stuwe-mgmt
add action=reject chain=forward comment="Disallow residents to mgmt" dst-address-list=wh-mgmt log=yes log-prefix=drop-to-mgmt reject-with=icmp-network-unreachable
add action=reject chain=forward port=25,135,137,138,139,445 protocol=tcp reject-with=icmp-admin-prohibited
add action=reject chain=forward port=135,137,138,139,445 protocol=udp reject-with=icmp-admin-prohibited
add action=reject chain=input port=135,137,138,139,445 protocol=udp reject-with=icmp-admin-prohibited
add action=reject chain=input port=135,137,138,139,445 protocol=tcp reject-with=icmp-admin-prohibited
add action=accept chain=forward dst-address=x.y.z.0/28 in-interface=sfp1_upstream
add action=drop chain=input connection-state=invalid in-interface=sfp1_upstream
add action=accept chain=input src-address=172.19.3.0/26 src-address-list=wh-stuwe-mgmt
add action=accept chain=input src-address=172.19.2.3
add action=drop chain=forward comment="Drop eduroam to internal nets" disabled=yes dst-address-list=private in-interface=wh-pf-eduroam log=yes
add action=reject chain=forward comment="Drop from Bogons" log-prefix=drop-from-bogon reject-with=icmp-net-prohibited src-address-list=BOGONS
add action=reject chain=forward comment="Drop to Bogons" dst-address-list=BOGONS log-prefix=drop-to-bogon reject-with=icmp-net-prohibited
add action=drop chain=input comment=basic log-prefix=default-drop src-address-list=v4_wh
add action=accept chain=forward log=yes log-prefix="mgmt fwd in" src-address-list=wh-stuwe-mgmt
Does anyone have any idea what could be happening here?
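An offline check of the kind a reviewer would run over the rules above before chasing the stall, as an added example that is not part of the original post or of RouterOS itself. It parses a pasted `/ip firewall` export and reports two things: interface names that share a port prefix but differ in suffix (the NAT rules use sfp1_belwue and sfp1_uplink while the filter uses sfp1_upstream, which is worth confirming against `/interface print`), and rules that can never match because an earlier enabled rule in the same table and chain terminates every packet. The sample input is a verbatim subset of the posted rules; the `CONSTRUCTED_EXTRA` lines are made up here so the shadowing check has something to report, and the prefix grouping is a heuristic, not a RouterOS rule.

```python
"""Offline audit of a RouterOS `/ip firewall` export (added example, not from the post)."""
import shlex
from collections import defaultdict

# Keys that do not narrow what a rule matches.
NON_MATCH_KEYS = {"_table", "action", "chain", "comment", "disabled", "log",
                  "log-prefix", "reject-with", "to-addresses", "to-ports"}
# Actions after which the packet leaves the chain (fasttrack-connection does not).
TERMINATING = {"accept", "drop", "reject", "src-nat", "dst-nat", "masquerade"}

# Sample input: a verbatim subset of the rules from the post.
POSTED_EXPORT = """\
/ip firewall nat
add action=src-nat chain=srcnat out-interface=sfp1_belwue src-address-list=ipv4-private-dorm1 to-addresses=x.y.z.1
add action=src-nat chain=srcnat comment="Default NAT" log-prefix=nat-def- out-interface=sfp1_uplink src-address-list=nat-private to-addresses=x.y.z.6
/ip firewall filter
add action=accept chain=input comment="Anti-lockout rule from mgmt network" in-interface=sfp12_wh-pf-mgmt log-prefix=mgmt-in
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Accept established, related" connection-state=established,related
add action=drop chain=input comment="Drop everything not established, related or permitted from upstream (internet)" connection-state=!established,related in-interface=sfp1_upstream log-prefix=drop-in-unsolicited
add action=accept chain=forward dst-address=x.y.z.0/28 in-interface=sfp1_upstream
add action=reject chain=forward comment="Drop from Bogons" log-prefix=drop-from-bogon reject-with=icmp-net-prohibited src-address-list=BOGONS
add action=accept chain=forward log=yes log-prefix="mgmt fwd in" src-address-list=wh-stuwe-mgmt
"""

# Constructed lines (NOT from the post): a catch-all drop followed by a rule it shadows.
CONSTRUCTED_EXTRA = """\
/ip firewall filter
add action=drop chain=forward comment="constructed catch-all, not from the post"
add action=accept chain=forward comment="constructed, never reached" src-address-list=wh-stuwe-mgmt
"""


def parse_rules(export_text):
    """Return one dict per `add ...` line; `_table` records the enclosing section."""
    table, rules = None, []
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            table = line
        elif line.startswith("add "):
            rule = {"_table": table}
            for tok in shlex.split(line[4:]):  # shlex keeps quoted comments intact
                key, _, value = tok.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules


def interface_groups(rules):
    """Group in-/out-interface names by the text before the first '_' (heuristic).

    A prefix with several suffixes is either several distinct ports or one port
    spelled several ways; either way it should be checked against `/interface print`.
    """
    groups = defaultdict(set)
    for rule in rules:
        for key in ("in-interface", "out-interface"):
            if key in rule:
                name = rule[key].lstrip("!")  # "!sfp1_upstream" still names sfp1_upstream
                groups[name.split("_", 1)[0]].add(name)
    return {prefix: sorted(names) for prefix, names in groups.items() if len(names) > 1}


def is_catch_all(rule):
    """True for an enabled terminating rule with no match condition at all."""
    return (rule.get("disabled") != "yes"
            and rule.get("action") in TERMINATING
            and not (set(rule) - NON_MATCH_KEYS))


def shadowed_rules(rules):
    """Return (shadowed_index, catch_all_index) pairs, tracked per table and chain."""
    blocker, found = {}, []
    for i, rule in enumerate(rules):
        key = (rule["_table"], rule.get("chain"))
        if key in blocker:
            if rule.get("disabled") != "yes":
                found.append((i, blocker[key]))
        elif is_catch_all(rule):
            blocker[key] = i
    return found


def audit(export_text):
    rules = parse_rules(export_text)
    return {"interface_groups": interface_groups(rules), "shadowed": shadowed_rules(rules)}


if __name__ == "__main__":
    for label, text in (("posted", POSTED_EXPORT),
                        ("posted + constructed", POSTED_EXPORT + CONSTRUCTED_EXTRA)):
        print(label, audit(text))
```

Run it against a full `/ip firewall export` pasted into `POSTED_EXPORT`. On the subset above it reports the three sfp1_* spellings and no shadowed rules; only with the constructed catch-all appended does the second check fire. Note that the script deliberately does not treat `fasttrack-connection` as terminating, since RouterOS continues evaluating the chain after that action.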