Community discussions

MikroTik App
 
dragonauta
just joined
Topic Author
Posts: 23
Joined: Thu Feb 02, 2017 12:50 am

Help with 1 website, can't access

Tue Feb 06, 2018 3:09 am

Hi, I have an RB2011 (routeros 6.41) with two ISP: 1 is Cable (primary, 25MB always running) and another is pppoe but managed by ISP modem (secondary 3MB, using it just as backup) *
I have a problem with only 1 website: http://186.153.139.115/siat/gde/Adminis ... nicializar
It's a town site for taxes and such.
I can ping and traceroute (second and third hops are failing)
I can't access, I get ERR_CONNECTION_TIMED_OUT on Chrome

I've tried mss shaping:
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1361-65535 action=change-mss new-mss=1360 disabled=no

I've tried static route (before drop rules):
/ip firewall filter add chain=forward src-address=186.153.139.115 action=accept

I've tried clearing DNS cache.
Tried changing MTU on ethernet port (ether1)
/tool traceroute 186.153.139.115
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST
 1 190.7.24.1                         0%  742  10.7ms    17.2       7   354.1
 2 10.6.48.97                       14..  742  23.8ms      16     5.7   304.4
 3 192.168.240.37                   99..  742 timeout      21    17.2    24.4
 4 192.168.254.182                    0%  741  24.5ms    20.3    12.1   431.9
 5 200.63.150.181                   0.4%  741  20.2ms    22.7    13.2     482
 6 200.3.34.1                       0.7%  741    24ms    24.3    15.3   325.5
 7 200.117.126.18                   0.7%  741  40.5ms    27.9    17.5     335
 8 186.108.59.130                   0.4%  741  26.2ms    28.3    19.6   339.6
 9 186.153.139.115                  0.3%  741  28.1ms    27.3    19.4   355.9
Any hint would be appretiated. Thanks in advance

EDIT:
* secondary ISP provides modem, and I just can get a 192.168.1.0/24 IP for my ether2 port, so my gateway for ether2 is 192.168.1.1
 
User avatar
AlainCasault
Trainer
Trainer
Posts: 631
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada
Contact:

Re: Help with 1 website, can't access

Tue Feb 06, 2018 3:20 am

Hello,

Why do you think it's your fault IF it's only this one web site?

It's normal that certain hops on a traceroute don't respond. Not all ISPs reply to that.

As for your filter, taken out of context, it doesn't tell us anything. But if your fw is properly built, you shouldn't need it. You normally accept return forward traffic that's "established"or "related".

Have you tried from another network to see if the site responds?

Regards,


Sent from Tapatalk

___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
dragonauta
just joined
Topic Author
Posts: 23
Joined: Thu Feb 02, 2017 12:50 am

Re: Help with 1 website, can't access

Tue Feb 06, 2018 4:19 am

Thanks Alain.
This site is part of town government. All citizen can access through main site: http://www.parana1.com.ar/afim/ (under SIAT, opens a new tab)
Oddly I can access from same ISP (different service 8MB) and other ISP. I can access from my home. Any time. So, that IP is online always.

I'll post firewall rules(I'm not there right now), but they're ok... I think.

I have three guesses:
1. I misconfigured router
2. ISP is blocking traffic to Target IP
3. Target IP is blocking access from my IP
 
p3rad0x
Long time Member
Long time Member
Posts: 606
Joined: Fri Sep 18, 2015 5:42 pm
Location: South Africa
Contact:

Re: Help with 1 website, can't access

Tue Feb 06, 2018 9:57 am

Its most probably your IP being blacklisted by them.

If it was more then one site we could say maybe MTU related issue.
There you go then you touched something ;-) : it only takes a change in wind direction to screw with your nat :-)
 
dragonauta
just joined
Topic Author
Posts: 23
Joined: Thu Feb 02, 2017 12:50 am

Re: Help with 1 website, can't access

Tue Feb 06, 2018 1:32 pm

Here are original fw rules (I XXX the forwarded ports), I disabled changes for mtu and mss:
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1-wan1
add action=drop chain=input comment="drop all from WAN2" in-interface=ether2-wan2
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward disabled=yes src-address=186.153.139.115
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-wan1
add action=drop chain=forward comment="drop all from WAN2not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether2-wan2
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1361-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1-wan1
add action=masquerade chain=srcnat out-interface=ether2-wan2
add action=dst-nat chain=dstnat dst-port=XXXXX log=yes protocol=tcp to-addresses=10.0.0.23 to-ports=XXXXX
add action=dst-nat chain=dstnat dst-port=XXXXX protocol=tcp to-addresses=10.0.0.22 to-ports=XXXX
Today I'm calling to helpdesk on target site for this issue.
 
dragonauta
just joined
Topic Author
Posts: 23
Joined: Thu Feb 02, 2017 12:50 am

Re: Help with 1 website, can't access

Tue Feb 06, 2018 5:30 pm

Something really, really, REALLY ODD is happening.
Connected to Wifi, from my Android phone using Chrome App I CAN ACCESS this f***ing site.
But I can't access from any laptop Linux/Chromium; Linux/Firefox; Windows/Chrome; Windows/Firefox; Windows/Edge; Windows/IExplorer; neither from a wired server.
:?
 
Grickos
newbie
Posts: 32
Joined: Thu Aug 06, 2015 2:57 am

Re: Help with 1 website, can't access

Tue Feb 06, 2018 5:38 pm

Upgrade Ros to 6.41.1.
6.41 has bugs with pppoe mss connection.
*) ppp - fixed change-mss functionality in some specific traffic (introduced in v6.41);
 
dragonauta
just joined
Topic Author
Posts: 23
Joined: Thu Feb 02, 2017 12:50 am

Re: Help with 1 website, can't access  [SOLVED]

Wed Feb 07, 2018 2:08 am

Upgrade Ros to 6.41.1.
6.41 has bugs with pppoe mss connection.
*) ppp - fixed change-mss functionality in some specific traffic (introduced in v6.41);
Just upgraded to 6.41.1.
No changes... still can't access website.

Making a last test, I used an anonymous proxy: https://us.hidester.com
Bingo! I can access the website.

Obviously there is a problem with my IP (or our ISP) and the website.
I first thought that was my fault, as I'm not an expert with ROS.

Thanks to all.
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1699
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: Help with 1 website, can't access

Wed Feb 07, 2018 2:08 pm

...

Obviously there is a problem with my IP (or our ISP) and the website.
I first thought that was my fault, as I'm not an expert with ROS.

Thanks to all.
But earlier you said you could access the website from your phone on wifi?
Might have to dig a bit deeper in your config before throwing the problem to ISP
MTCNA, MTCTCE, MTCRE & MTCINE
 
dragonauta
just joined
Topic Author
Posts: 23
Joined: Thu Feb 02, 2017 12:50 am

Re: Help with 1 website, can't access

Wed Feb 07, 2018 7:00 pm

@CZFan Yeah... but I can access ONLY from my phone (a Xiaomi Redmi Note 4).
Can't access from any other device (laptops, PC or phones of any brand)

I have a very basic config on a really simple network (10.0.0.0/24 with 54 devices), no vlans, posted firewall rules.
The website started to fail in january, coincidentally after I upgraded firmware to 6.41.

But If everything works as expected except THAT website and apparently the culprit is THAT website
I just could "fix it" using an anonymous proxy extension for browser.
You see, it's just one person in whole company that access that website and once per month.

I think it's not worth it if I can solve it in another way.
If I start to register any other issue, then yes, it would dig deeper or maybe make a fresh config.
 
frantoloto
just joined
Posts: 1
Joined: Fri Mar 16, 2018 11:09 am

Re: Help with 1 website, can't access

Fri Mar 16, 2018 11:13 am

Hello,

I would suggest you to use a web proxy it works for me as suggested above. Example : https://anonymster.com/proxy

Who is online

Users browsing this forum: Bing [Bot], emulemodes, ithierack, peecis99, sindy and 98 guests