liviu2004
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jul 01, 2008 10:22 pm
Location: Rotterdam

Can't access one website

Tue Jan 02, 2018 4:00 pm

Hi, this is over my head. I can't access my own site, corsa-c.ro. It was ok for years until recently. It won't work in my LAN, but on the phone over 3G it works fine, so the website looks good. On the phone over WiFi there is also no connection, so I can exclude the PC.

I run a Mikrotik RB493G as router, firewall, access point and CAPsMAN for a wAP ac. The software version on both is 6.41.

The message I get from the browser is "The connection has timed out". Traceroute from the PC eventually reaches the website at IP 37.251.143.31; however, hops 7, 8, 9, 11, 12 and 13 time out.
On the Mikrotik, in IP, Firewall, Connections, I see for 37.251.143.31:80 "syn sent" and that's it, nothing else.

What I tried: accessing the WAN directly from the PC, the website works fine. Disabling all firewall rules and rebooting the Mikrotik doesn't help. I don't know what else to try. I tried setting the MTU to 1500, but the Actual MTU automatically reverts to 1480.

Anybody an idea?

/ip firewall filter
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid
add action=drop chain=input comment="Drop DNS open resolver" dst-port=53 \
in-interface=KPN protocol=udp
add action=drop chain=input comment="Drop DNS open resolver" dst-port=53 \
in-interface=KPN protocol=tcp
add action=drop chain=input comment=\
"Allow internal LAN winbox access to router and deny anything else" \
dst-port=8291 protocol=tcp src-address=!192.168.1.0/24
add action=tarpit chain=input comment="Tarpit traffic from DOS list" \
log-prefix="\"\"" protocol=tcp src-address-list=DOS
add action=add-src-to-address-list address-list=DOS address-list-timeout=1d \
chain=input comment="Put address on DOS list" connection-limit=100,32 \
log-prefix="\"\"" protocol=tcp src-address=!192.168.1.0/24
add action=add-src-to-address-list address-list=DOS address-list-timeout=1d \
chain=input comment="Put address on DOS list" connection-limit=100,32 \
log-prefix="\"\"" protocol=tcp src-address=!10.1.0.0/24
add action=drop chain=input comment="dropping port scanners" src-address-list=\
"port scanners"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp \
tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=forward comment="allow related connections" \
connection-state=related
add action=accept chain=forward comment="allow established connections" \
connection-state=established

/ip firewall nat
add action=masquerade chain=srcnat out-interface=KPN
add action=src-nat chain=srcnat comment="exit to adsl modem" out-interface=\
ether1 src-address=192.168.1.0/24 to-addresses=10.0.0.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

IP Route print details
0 ADS dst-address=0.0.0.0/0 gateway=KPN gateway-status=KPN reachable distance=1 scope=30
target-scope=10
1 ADC dst-address=10.0.0.0/24 pref-src=10.0.0.2 gateway=ether1
gateway-status=ether1 reachable distance=0 scope=10
2 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=bridge1
gateway-status=bridge1 reachable distance=0 scope=10
3 ADC dst-address=y.y.y.y/32 pref-src=x.x.x.x gateway=KPN
gateway-status=KPN reachable distance=0 scope=10

Thank you for your time.
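
An added example, not from this thread or from MikroTik, of how a reviewer can read an export like the one above mechanically instead of by eye: a parser for the RouterOS export format (backslash line wrapping, quoted values) followed by two ordering checks per filter chain. The embedded export is a constructed subset of the rules posted above; the function names and the audit heuristics are mine.

```python
import shlex
from typing import Dict, List

# Constructed excerpt in the shape of the "/ip firewall filter" export posted above
# (a subset of its rules; the "\" wrapping follows RouterOS export output).
EXPORT = r'''
/ip firewall filter
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid
add action=drop chain=input comment="Drop DNS open resolver" dst-port=53 \
    in-interface=KPN protocol=udp
add action=drop chain=input comment=\
    "Allow internal LAN winbox access to router and deny anything else" \
    dst-port=8291 protocol=tcp src-address=!192.168.1.0/24
add action=drop chain=input comment="dropping port scanners" src-address-list=\
    "port scanners"
add action=accept chain=forward comment="allow related connections" \
    connection-state=related
add action=accept chain=forward comment="allow established connections" \
    connection-state=established
'''

Rule = Dict[str, str]


def join_continuations(text: str) -> List[str]:
    """Undo RouterOS export line wrapping: a trailing backslash joins the next line
    (with its leading whitespace dropped) directly onto this one."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            out.append(buf + line)
            buf = ""
    if buf:
        out.append(buf)
    return out


def parse_export(text: str) -> List[Rule]:
    """Turn 'add key=value ...' lines into dicts (quoted values unquoted), tagged with their menu."""
    menu, rules = "", []
    for line in join_continuations(text):
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rule: Rule = {"_menu": menu}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


# Keys that do not narrow what a rule matches; a drop with only these is a catch-all.
META_KEYS = {"_menu", "action", "chain", "comment", "log", "log-prefix", "disabled"}


def audit_chain(rules: List[Rule], chain: str) -> List[str]:
    """Two ordering checks a reviewer applies to a filter chain:
    1. an unconditional final drop (RouterOS accepts whatever matches no rule);
    2. an early accept for established/related so the rest of the chain only sees new flows."""
    chain_rules = [r for r in rules
                   if r["_menu"] == "/ip firewall filter" and r.get("chain") == chain]
    findings = []
    if not chain_rules:
        return [f"{chain}: no rules; all traffic accepted by default"]
    last = chain_rules[-1]
    if not (last.get("action") == "drop" and set(last) <= META_KEYS):
        findings.append(f"{chain}: last rule is not an unconditional drop, so unmatched traffic is accepted")
    est = [i for i, r in enumerate(chain_rules)
           if r.get("action") == "accept" and "established" in r.get("connection-state", "")]
    if not est:
        findings.append(f"{chain}: no accept for established connections; every packet walks the whole chain")
    elif est[0] > 1:
        findings.append(f"{chain}: accept established sits at position {est[0] + 1}; "
                        f"{est[0]} rules run before it for every packet of every flow")
    return findings


if __name__ == "__main__":
    parsed = parse_export(EXPORT)
    for name in ("input", "forward"):
        for finding in audit_chain(parsed, name):
            print(finding)
```

Run against the excerpt it reports that neither chain ends in a catch-all drop and that the input chain has no established/related accept at all, which is what makes RouterOS's default-accept behaviour worth knowing when reading a config like this.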
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Can't access one website

Tue Jan 02, 2018 4:14 pm

This is normally caused by clueless operators on the path towards the website that have blocked ICMP, combined with your provider using PPPoE and no RFC4638.
(so you cannot set MTU 1500 on your PPPoE interface)

You can work around this problem by adding this to your configuration:
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
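
What that mangle rule does to a packet, as an added example that is not from this thread or from MikroTik: a Python model of clamp-to-pmtu. It builds a 52-byte IPv4/TCP SYN (constructed input; the LAN host offers MSS 1460 because its Ethernet MTU is 1500), then lowers the MSS option to pmtu - 40 when the uplink MTU is 1480 (the value the router reverts to in the first post) and recomputes the TCP checksum. Without this, the remote end may send full 1500-byte segments with DF set; a hop that has filtered ICMP "fragmentation needed" drops them silently, so the handshake completes but the first large response never arrives. Assumptions: IPv4 with no IP options, nothing is put on the wire, and the helper names are mine.

```python
import socket
import struct
from typing import Iterator, Optional, Tuple

IPV4_HDR_LEN = 20
TCP_MIN_HDR_LEN = 20
TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN = 0x02


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header (protocol 6)."""
    return checksum(src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4/TCP SYN with MSS, window scale and SACK-permitted options (52 bytes)."""
    options = (struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
               + bytes([TCP_OPT_NOP, 3, 3, 7])             # NOP, window scale 7
               + bytes([TCP_OPT_NOP, TCP_OPT_NOP, 4, 2]))  # NOP, NOP, SACK permitted
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    data_offset = (TCP_MIN_HDR_LEN + len(options)) // 4
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                                data_offset << 4, TCP_FLAG_SYN, 65535, 0, 0) + options)
    struct.pack_into("!H", tcp, 16, tcp_checksum(src, dst, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(tcp),
                               0x1234, 0x4000, 64, 6, 0, src, dst))  # 0x4000 = DF bit set
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    return bytes(ip) + bytes(tcp)


def _split(packet: bytes) -> Tuple[int, bytes, bytes, bytearray]:
    ihl = (packet[0] & 0x0F) * 4
    return ihl, packet[12:16], packet[16:20], bytearray(packet[ihl:])


def iter_options(tcp: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (offset, kind, length) per TCP option; stop at EOL or at a malformed length."""
    end = (tcp[12] >> 4) * 4
    i = TCP_MIN_HDR_LEN
    while i < end:
        kind = tcp[i]
        if kind == TCP_OPT_END:
            return
        if kind == TCP_OPT_NOP:
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2 or i + tcp[i + 1] > end:
            return  # truncated or bogus option length: do not trust the rest
        yield i, kind, tcp[i + 1]
        i += tcp[i + 1]


def read_mss(packet: bytes) -> Optional[int]:
    _, _, _, tcp = _split(packet)
    for off, kind, length in iter_options(tcp):
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack_from("!H", tcp, off + 2)[0]
    return None


def verify_tcp_checksum(packet: bytes) -> bool:
    _, src, dst, tcp = _split(packet)
    return tcp_checksum(src, dst, bytes(tcp)) == 0


def clamp_mss(packet: bytes, pmtu: int) -> Tuple[bytes, Optional[int]]:
    """Lower the MSS option of a TCP SYN to pmtu - 40 when it is larger.
    Returns (packet, new_mss); new_mss is None when nothing was rewritten."""
    if packet[9] != 6:                      # not TCP
        return packet, None
    ihl, src, dst, tcp = _split(packet)
    if not tcp[13] & TCP_FLAG_SYN:          # only SYN / SYN-ACK carry an MSS option
        return packet, None
    max_mss = pmtu - IPV4_HDR_LEN - TCP_MIN_HDR_LEN
    for off, kind, length in iter_options(tcp):
        if kind == TCP_OPT_MSS and length == 4:
            if struct.unpack_from("!H", tcp, off + 2)[0] <= max_mss:
                return packet, None
            struct.pack_into("!H", tcp, off + 2, max_mss)
            struct.pack_into("!H", tcp, 16, 0)  # zero, then recompute the TCP checksum
            struct.pack_into("!H", tcp, 16, tcp_checksum(src, dst, bytes(tcp)))
            return packet[:ihl] + bytes(tcp), max_mss
    return packet, None


if __name__ == "__main__":
    syn = build_syn("192.168.1.10", "37.251.143.31", 58130, 80, 1460)
    clamped, new_mss = clamp_mss(syn, 1480)
    print(f"len {len(syn)}: MSS {read_mss(syn)} -> {read_mss(clamped)} (clamped to {new_mss}),"
          f" checksum ok: {verify_tcp_checksum(clamped)}")
```

The rule in the post matches `tcp-flags=syn`, so the router rewrites both directions of the handshake and each side learns a segment size that fits the PPPoE link regardless of whether ICMP ever gets through.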
 
liviu2004
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jul 01, 2008 10:22 pm
Location: Rotterdam

Re: Can't access one website

Tue Jan 02, 2018 5:24 pm

I've tried that workaround, but without result. Why would only one website be affected? Do I need to change my host? Is anything in my config wrong? I can ping 37.251.143.31 and get a reply in around 48 ms. Sorry for so many questions.

I've logged the above rule and got this:

forward: in: bridge1(wlan1) out:KPN, src-mac , proto TCP(SYN), 192.168.1.10:58130->37.251.143.31:80, len 52

and this repeats itself for a while, together with this:
forward: in: bridge1(wlan1) out:KPN, src-mac , proto TCP(SYN), 192.168.1.10:58130->37.251.143.31:80, NAT (192.168.1.10:58131->my wan IP)->37.251.143.80, len 52.
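
An added example, not from this thread or from MikroTik, of turning log lines like the ones liviu2004 posted into a diagnosis instead of reading them one by one: a parser for RouterOS `forward:` log entries that keys each flow on the client side, counts how often the client's SYN was logged, and reports flows where no SYN,ACK ever came back. The sample lines are constructed (the first copies the thread's format, including the empty src-mac; 203.0.113.5 stands in for the WAN address and 198.51.100.20 is a made-up healthy destination). It assumes the logging rule matches `tcp-flags=syn`, so both the client's SYN and the server's SYN,ACK are logged; the function names are mine.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed log lines in the shape of the RouterOS "forward:" entries above.
SAMPLE_LOG = """\
forward: in: bridge1(wlan1) out:KPN, src-mac , proto TCP(SYN), 192.168.1.10:58130->37.251.143.31:80, len 52
forward: in:bridge1(wlan1) out:KPN, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.1.10:58130->37.251.143.31:80, NAT (192.168.1.10:58130->203.0.113.5:58130)->37.251.143.31:80, len 52
forward: in:bridge1(wlan1) out:KPN, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.1.10:58130->37.251.143.31:80, NAT (192.168.1.10:58130->203.0.113.5:58130)->37.251.143.31:80, len 52
forward: in:bridge1(wlan1) out:KPN, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.1.10:58130->37.251.143.31:80, NAT (192.168.1.10:58130->203.0.113.5:58130)->37.251.143.31:80, len 52
forward: in:bridge1(wlan1) out:KPN, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.1.10:58140->198.51.100.20:443, len 52
forward: in:KPN out:bridge1(wlan1), src-mac 66:77:88:99:aa:bb, proto TCP (SYN,ACK), 198.51.100.20:443->192.168.1.10:58140, len 44
"""

# Tolerates both "TCP(SYN)" and "TCP (SYN,ACK)"; the NAT annotation after the addresses is ignored.
LINE_RE = re.compile(
    r"proto TCP\s*\((?P<flags>[^)]*)\),\s*"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

Flow = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)


def parse_line(line: str) -> Optional[Tuple[Flow, Set[str]]]:
    """Return the flow key (always oriented client -> server) and the TCP flag set, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = {f.strip() for f in m["flags"].split(",") if f.strip()}
    src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
    if "SYN" in flags and "ACK" in flags:   # server's reply: swap so the key matches the SYN
        return (dst, dport, src, sport), flags
    return (src, sport, dst, dport), flags


def stalled_handshakes(lines: List[str], min_syns: int = 3) -> Dict[Flow, int]:
    """Flows whose client SYN was logged at least min_syns times with no SYN,ACK seen back."""
    syns: Dict[Flow, int] = defaultdict(int)
    replied: Set[Flow] = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        flow, flags = parsed
        if flags == {"SYN"}:
            syns[flow] += 1
        elif "ACK" in flags:
            replied.add(flow)
    return {flow: n for flow, n in syns.items() if n >= min_syns and flow not in replied}


def stalled_by_server(lines: List[str], min_syns: int = 3) -> Dict[str, int]:
    """Count stalled flows per server:port. One dead destination while others complete points
    at the path to that server, not at the client or the LAN."""
    per_server: Dict[str, int] = defaultdict(int)
    for (_, _, server, port) in stalled_handshakes(lines, min_syns):
        per_server[f"{server}:{port}"] += 1
    return dict(per_server)


if __name__ == "__main__":
    for flow, n in stalled_handshakes(SAMPLE_LOG.splitlines()).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {n} SYNs logged, no SYN,ACK seen")
```

A flow that retransmits its SYN with nothing coming back is the packet-level view of the "syn sent" entry in the connection table from the first post; the same parser run over a day of logs shows whether the affected destination is always the same one.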
 
liviu2004
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jul 01, 2008 10:22 pm
Location: Rotterdam

Re: Can't access one website

Tue Jan 02, 2018 5:40 pm

I've just tried that using Google DNS, but no result. What I find odd: with my Win 10 laptop, with a simple PPPoE interface connected to the internet provider, all works fine. So I would not suspect DNS trouble. I conclude something odd happens with my Mikrotik. I have a Cloud Core Router with older software, maybe I should try that one out ....
 
liviu2004
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jul 01, 2008 10:22 pm
Location: Rotterdam

Re: Can't access one website

Tue Jan 02, 2018 6:29 pm

With a CCR and a simple config, it works just fine. Software 6.40.1.

Now, how do I explain this: without changing anything, while I was busy with the CCR, let's say 30 minutes, I plugged the VDSL back into the Mikrotik RB493G and guess what, it works now. No reboot, nothing. Problem is, this lasts a day or so and then the same problem returns.

I am very puzzled.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Can't access one website

Tue Jan 02, 2018 7:23 pm

I see it is a forum. Maybe your IP has been blocked, or the subnet your IP is in.
Some forum operators arbitrarily block IP ranges when they feel they have been "attacked" or because of other abuse.
I have seen entire /16 networks of my provider being blocked (and other networks of the same provider not).
 
liviu2004
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jul 01, 2008 10:22 pm
Location: Rotterdam

Re: Can't access one website

Tue Jan 02, 2018 7:46 pm

Hi, thanks, it is my own forum. I've called the host company and they confirmed my IP is not blocked.
 
alangregory
just joined
Posts: 9
Joined: Wed May 25, 2011 2:54 pm

Re: Can't access one website

Thu Jan 04, 2018 1:23 pm

> Hi, thanks, it is my own forum. I've called the host company and they confirmed my IP is not blocked.

I'm having the same problem with 6.41; lower versions work fine.
 
liviu2004
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jul 01, 2008 10:22 pm
Location: Rotterdam

Re: Can't access one website

Fri Jan 05, 2018 9:53 pm

And it's done, today no access any longer. I'm not really a fan of downgrading, it always goes wrong for me.
 
liviu2004
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jul 01, 2008 10:22 pm
Location: Rotterdam

Re: Can't access one website

Sun Jan 14, 2018 9:13 pm

I've downgraded to 6.40.5 and all is fine. There is a problem with 6.41. I don't know what, but for me it was bad.
 
derrickh
just joined
Posts: 3
Joined: Wed Jun 06, 2007 6:46 pm

Re: Can't access one website

Mon Jan 15, 2018 5:42 pm

Hi, we experienced the same problem: one or two websites could not be accessed by clients running 6.41. Downgraded them and it worked!
Before downgrading we also changed IPs to totally different subnets, to no avail. Configured PPPoE on another router (not Mikrotik) and it works.
Definitely something wrong in 6.41.
 
mihailJl
newbie
Posts: 38
Joined: Thu Jun 22, 2017 9:06 am

Re: Can't access one website

Tue Aug 21, 2018 9:00 pm

I have no access to these two websites: https://bazar.bg/ and http://www.speedtest.net/ ....!
My ISP uses PPPoE!
RB951 6.42
My options are:
1 bridge -> ether2,3,4 + wlan + EOIP
I copy/pasted this mangle rule and everything is fine, THANKS pe1chl !!
But would you like to explain what exactly it does?
> This is normally caused by clueless operators on the path towards the website that have blocked ICMP, combined with your provider using PPPoE and no RFC4638.
> (so you cannot set MTU 1500 on your PPPoE interface)
>
> You can work around this problem by adding this to your configuration:
> /ip firewall mangle
> add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
 
MockTurtle
just joined
Posts: 5
Joined: Fri Jun 15, 2018 10:18 pm

Re: Can't access one website

Tue Aug 28, 2018 10:42 pm

> I have no access to these two websites: https://bazar.bg/ and http://www.speedtest.net/ ....!
> My ISP uses PPPoE!
> RB951 6.42
> My options are:
> 1 bridge -> ether2,3,4 + wlan + EOIP
> I copy/pasted this mangle rule and everything is fine, THANKS pe1chl !!
> But would you like to explain what exactly it does?
>> This is normally caused by clueless operators on the path towards the website that have blocked ICMP, combined with your provider using PPPoE and no RFC4638.
>> (so you cannot set MTU 1500 on your PPPoE interface)
>>
>> You can work around this problem by adding this to your configuration:
>> /ip firewall mangle
>> add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

Whoa, also a big thanks to pe1chl!!! I was also going insane trying to figure out what the hell was going on with certain inaccessible sites! ...and now they work!
 
stickery
just joined
Posts: 11
Joined: Fri Mar 09, 2018 4:48 am

Re: Can't access one website

Wed Nov 14, 2018 4:52 am

> This is normally caused by clueless operators on the path towards the website that have blocked ICMP, combined with your provider using PPPoE and no RFC4638.
> (so you cannot set MTU 1500 on your PPPoE interface)
>
> You can work around this problem by adding this to your configuration:
> /ip firewall mangle
> add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

Thank you for this, it works fine.
 
restuhanggara
just joined
Posts: 12
Joined: Wed Jul 26, 2017 9:54 am

Re: Can't access one website

Thu Dec 20, 2018 10:43 am

> /ip firewall mangle
> add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

BIG THANKS pe1chl :D
 
sever
newbie
Posts: 35
Joined: Sat Jul 10, 2004 10:43 pm
Location: Minneapolis, Minnesota USA

Re: Can't access one website

Sat Apr 11, 2020 12:22 am

> /ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

Same trouble here accessing websites. Adding that chain to mangle made our nightmare go away.

THANK YOU!

J.
 
karimsameh
just joined
Posts: 1
Joined: Sun Jan 21, 2018 3:19 pm

Re: Can't access one website

Wed Apr 15, 2020 6:08 pm

> /ip firewall mangle
> add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

The above is really working..
I have been troubleshooting for 3 days without luck..

Thanks a million..
