punx
newbie
Topic Author
Posts: 36
Joined: Sun Jun 30, 2013 3:37 am

Randomly resets and can't open some webpages

Sat Sep 18, 2021 3:14 pm

Hello,

I have LHG LTE6 (RBLHGR&R11e-LTE6) that resets itself at least once every day. I don't know what the reason is.

Also, some websites cannot open. On an old Huawei router with the same operator's SIM card I could open all the pages. Since I switched to this router, I can no longer open some pages (e.g. bank webpages, some webshops ...)

How to solve these problems?

Thank you!

My configuration:
# sep/18/2021 14:01:55 by RouterOS 6.48.4
# software id = EY57-RVL0
#
# model = RBLHGR
# serial number = XXX
/interface lte
set [ find ] allow-roaming=no name=lte1 network-mode=3g,lte
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=XXX
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.12-192.168.0.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether1 lease-time=2h name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=lte1 list=WAN
add list=LAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether1 network=\
    192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="WinBox Wan Administration" dst-port=\
    8282 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
    dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=DVR dst-port=80 protocol=tcp \
    to-addresses=192.168.0.11 to-ports=80
add action=dst-nat chain=dstnat comment=DVR dst-port=80 protocol=udp \
    to-addresses=192.168.0.11 to-ports=80
add action=dst-nat chain=dstnat comment=DVR dst-port=37777 log=yes protocol=\
    tcp to-addresses=192.168.0.11 to-ports=37777
add action=dst-nat chain=dstnat comment=DVR dst-port=37778 protocol=udp \
    to-addresses=192.168.0.11 to-ports=37778
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8282
set api-ssl disabled=yes
/ppp secret
add disabled=yes name=XXX service=pptp
add disabled=yes name=vpn
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=XXX
/system logging
add disabled=yes topics=lte
add action=papertrail topics=!async
/system ntp client
set enabled=yes primary-ntp=161.53.30.170 secondary-ntp=161.53.123.5
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Randomly resets and can't open some webpages

Sat Sep 18, 2021 4:07 pm

/ip pool
add name=dhcp ranges=192.168.0.12-192.168.0.254
add name=vpn ranges=192.168.89.2-192.168.89.255
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Randomly resets and can't open some webpages

Sat Sep 18, 2021 4:30 pm

This rule in interface list members should be removed, it does nothing or at least nothing good.
add list=LAN
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Randomly resets and can't open some webpages

Sat Sep 18, 2021 4:32 pm

This rule is WRONG or at least VERY DANGEROUS
Do not open up winbox to the internet.
From
/ip firewall filter
add action=accept chain=input comment="WinBox Wan Administration" dst-port=\
8282 protocol=tcp
TO
/ip firewall filter
add action=accept chain=input comment="WinBox Wan Administration" dst-port=\
8282 protocol=tcp in-interface-list=LAN

Further ONLY the admin needs access to the router, regardless of the port, so this is better.
add action=accept chain=input comment="WinBox Wan Administration" \
in-interface-list=LAN src-address-list=adminaccess

where firewall address list is --->
/ip firewall address-list
add address=<IP of admin desktop> list=adminaccess
add address=<IP of admin laptop> list=adminaccess
add address=<IP of admin ipad> list=adminaccess
add address=<IP of admin smartphone> list=adminaccess

The only services LAN users need and thus only access to the router itself is for DNS services normally so add this too --->
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp


Finally at the end of the input chain, once you have admin access established
Get rid of this rule and replace it with the better rule
From
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
TO
add action=drop chain=input comment="drop all else"
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Randomly resets and can't open some webpages

Sat Sep 18, 2021 4:43 pm

NAT RULES
(1) Dst nat format missing !!!
Ex.
From
add action=dst-nat chain=dstnat comment=DVR dst-port=80 protocol=tcp \
to-addresses=192.168.0.11 to-ports=80
TO
add action=dst-nat chain=dstnat comment=DVR dst-port=80 protocol=tcp \
to-addresses=192.168.0.11 in-interface-list=WAN

(Note: To ports not required if same as dst-port.)

(2) Not sure why you are masquerading outbound vpn traffic ????
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
VPN is usually for incoming traffic hence the input chain rules allowing initial establishment of a connection.
After that traffic is handled via
input rule if you want to allow incoming vpn to access the router for config purposes (aka the admin, and thus add vpn address to adminaccess firewall address)
forward rule if you want to allow incoming vpn to access LAN resources
IP ROUTE if you want to move vpn traffic incoming out your WANIP for internet access via your wanip.
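
Added example, not part of any post in this thread: a small Python audit of a RouterOS `/export` that flags the two patterns raised in the replies above, enabled input-chain accept rules on a port with no interface or source restriction, and dst-nat rules not tied to an interface or address. The sample is constructed from rules in the posted export (the last dst-nat rule is given the `in-interface-list=WAN` form suggested above); the function names and the `SCOPING` set are this example's own.

```python
import re
import shlex

# Constructed sample: rules taken from the export posted in this thread.
SAMPLE_EXPORT = r'''/ip firewall filter
add action=accept chain=input comment="WinBox Wan Administration" dst-port=\
    8282 protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=DVR dst-port=80 protocol=tcp \
    to-addresses=192.168.0.11 to-ports=80
add action=dst-nat chain=dstnat comment=DVR dst-port=37777 protocol=tcp \
    to-addresses=192.168.0.11 in-interface-list=WAN
'''

# Matchers that tie a rule to an interface or address (assumed sufficient here).
SCOPING = {"in-interface", "in-interface-list", "src-address",
           "src-address-list", "dst-address", "dst-address-list"}

def parse_rules(export):
    """Yield (section, params) for every 'add' line of a RouterOS export."""
    text = re.sub(r"\\\n\s*", "", export)   # join backslash-continued lines
    section = None
    for line in text.splitlines():
        if line.startswith("/"):
            section = line.strip()
        elif line.startswith("add "):
            pairs = (tok.partition("=") for tok in shlex.split(line[4:]))
            yield section, {k: v for k, _, v in pairs}

def audit(export):
    """Return findings for enabled port rules that match any interface or source."""
    findings = []
    for section, p in parse_rules(export):
        if p.get("disabled") == "yes" or "dst-port" not in p or SCOPING & p.keys():
            continue
        label = f'{p.get("comment", "")} {p.get("protocol", "?")}/{p["dst-port"]}'
        if section == "/ip firewall filter" and p.get("chain") == "input" and p.get("action") == "accept":
            findings.append("input accept, any source: " + label)
        elif section == "/ip firewall nat" and p.get("action") == "dst-nat":
            findings.append("dst-nat, any interface: " + label)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```
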
 
punx
newbie
Topic Author
Posts: 36
Joined: Sun Jun 30, 2013 3:37 am

Re: Randomly resets and can't open some webpages

Sun Sep 19, 2021 1:34 pm

Thank you for all this.
But this is not solving the problem with resets and opening pages.
 
R1CH
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: Randomly resets and can't open some webpages

Sun Sep 19, 2021 7:59 pm

Random reset is usually power related. Check power supply voltage and output power, make sure cable length is not too long.

Webpages not opening may be due to incorrect MSS, need more diagnostics (ping, trace, etc) to confirm.
