wallnas
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Aug 27, 2009 5:08 pm
Location: Italy

[Solved] Problem, not open, Gmail, youtube, Facebook

Sun Jan 15, 2012 5:23 pm

Good morning,

I have an RB 493G, but it is slow to redirect to Gmail, Facebook and YouTube, and sometimes pages cannot open.

The version of routeros is 5.11

What error is there in my configuration?

Filter configuration:
add action=accept chain=forward comment="allow established connections" connection-state=established disabled=no
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="Permette HTTP" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=8080 protocol=tcp
add action=accept chain=forward comment=HTTPS disabled=no dst-port=443 protocol=tcp
add action=accept chain=input comment="per far accedere WebFig su porta 801" disabled=no dst-port=801 protocol=tcp
add action=accept chain=forward comment="Permette SMTP" disabled=no dst-port=25 protocol=tcp
add action=accept chain=forward comment="Permette POP3" disabled=no dst-port=110 protocol=tcp
add action=accept chain=input comment="Accetta accesso x WINBOX" disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accetta richieste dai PC della rete  al Server DNS" disabled=no dst-port=53 protocol=udp
Thanks for your help
Last edited by wallnas on Tue Jan 24, 2012 8:08 pm, edited 2 times in total.
 
rodolfo
Long time Member
Posts: 543
Joined: Sat Jul 05, 2008 11:50 am

Re: Problem, not open, Gmail, youtube, Facebook

Sun Jan 15, 2012 6:40 pm

The script is correct and it does not limit the sites you specified.
There are only unnecessary accepts (in forward and input) because you do not have a default drop (but this is unrelated to your problem).
rodolfo
IZ0UQV
 
tjc
Member Candidate
Posts: 279
Joined: Sun Jul 10, 2011 3:08 am

Re: Problem, not open, Gmail, youtube, Facebook

Sun Jan 15, 2012 7:36 pm

My first guess would be DNS. How is DNS configured for the router and machines behind it? Are you using the router as your local DNS server? Are you having any resolution problems with the upstream DNS servers?

The next thing would be to look at packet loss within your LAN. A relatively small % of loss can cause big performance problems. I just cleaned up some very annoying issues on my LAN, by tracking down and replacing a flaky unmanaged switch. Ping testing showed that it was "only" losing <5% of the packets, but that number went up with packet size (by 1500 bytes it was closer to 20%). If you see a packet loss problem with wireless connections check for noise and interference on the frequencies that you're using.
 
wallnas
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Aug 27, 2009 5:08 pm
Location: Italy

Re: Problem, not open, Gmail, youtube, Facebook

Sun Jan 15, 2012 9:00 pm

The script is correct and it does not limit the sites you specified.
There are only unnecessary accepts (in forward and input) because you do not have a default drop (but this is unrelated to your problem).

Sorry :(

The last instruction is
add action=drop chain=input comment=\
    "------------------  B L O C C A     T U T T O ---------------" disabled=\
    no
Thanks
 
rodolfo
Long time Member
Posts: 543
Joined: Sat Jul 05, 2008 11:50 am

Re: Problem, not open, Gmail, youtube, Facebook

Sun Jan 15, 2012 9:25 pm

OK, but this rule blocks only the input chain to the router; you need a similar rule in the forward chain.
rodolfo
IZ0UQV
 
wallnas
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Aug 27, 2009 5:08 pm
Location: Italy

Re: Problem, not open, Gmail, youtube, Facebook

Sun Jan 15, 2012 9:31 pm

OK, but this rule blocks only the input chain to the router; you need a similar rule in the forward chain.
I have corrected the filter to:
add action=accept chain=forward comment="allow established connections" connection-state=established disabled=no
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="Permette HTTP" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=8080 protocol=tcp
add action=accept chain=forward comment=HTTPS disabled=no dst-port=443 protocol=tcp
add action=accept chain=input comment="per far accedere WebFig su porta 801" disabled=no dst-port=801 protocol=tcp
add action=accept chain=forward comment="Permette SMTP" disabled=no dst-port=25 protocol=tcp
add action=accept chain=forward comment="Permette POP3" disabled=no dst-port=110 protocol=tcp
add action=accept chain=input comment="Accetta accesso x WINBOX" disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accetta richieste dai PC della rete  al Server DNS" disabled=no dst-port=53 protocol=udp
add action=drop chain=input comment="------------------  B L O C C A     T U T T O ---------------" disabled=no
add action=drop chain=forward disabled=no

I have the same problems, slow and sometimes pages cannot open :(

Thanks
 
tjc
Member Candidate
Posts: 279
Joined: Sun Jul 10, 2011 3:08 am

Re: Problem, not open, Gmail, youtube, Facebook

Sun Jan 15, 2012 10:40 pm

Firewall rules would generally block something completely. There would be no "slow" or "sometimes". As a result it seems like you should be looking elsewhere for the problem.
 
cbrown
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

Problem, not open, Gmail, youtube, Facebook

Mon Jan 16, 2012 12:18 am

Check your MTU on the WAN port.
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
 
wallnas
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Aug 27, 2009 5:08 pm
Location: Italy

Re: Problem, not open, Gmail, youtube, Facebook

Tue Jan 17, 2012 8:56 pm

Check your MTU on the WAN port.
ping -s 1472 www.facebook.it
PING www.facebook.com (66.220.149.66) 1472(1500) bytes of data.
ping -s 1472 www.facebook.it
PING www.facebook.com (66.220.149.66) 1472(1500) bytes of data.
This is the data :(
 
wallnas
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Aug 27, 2009 5:08 pm
Location: Italy

Re: Problem, not open, Gmail, youtube, Facebook

Sat Jan 21, 2012 8:48 pm

If I reboot the router, all is OK for half an hour :(
 
wallnas
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Aug 27, 2009 5:08 pm
Location: Italy

Re: Problem, not open, Gmail, youtube, Facebook

Sat Jan 21, 2012 9:13 pm

Firewall rules would generally block something completely. There would be no "slow" or "sometimes". As a result it seems like you should be looking elsewhere for the problem.

I checked the IP filter because if I disable:
add action=drop chain=input comment="------------------  B L O C C A     T U T T O ---------------" disabled=no
add action=drop chain=forward disabled=no
everything is OK.
 
tjc
Member Candidate
Posts: 279
Joined: Sun Jul 10, 2011 3:08 am

Re: Problem, not open, Gmail, youtube, Facebook

Sun Jan 22, 2012 12:13 am

After cleaning up and reorganizing your firewall rules a couple things jumped out at me. Comments in-line below.
/ip firewall filter
add chain=input action=accept connection-state=established
add chain=input action=accept connection-state=related
#
# What about dropping invalid connections on the input chain?
#
add chain=input action=accept dst-port=8080 protocol=tcp comment="Web Proxy"
add chain=input action=accept dst-port=801 protocol=tcp comment="WebFig"
add chain=input action=accept dst-port=8291 protocol=tcp comment="WINBOX"
add chain=input action=accept dst-port=53 protocol=udp comment="DNS"
#
# What about allowing ICMP status responses? This could be part of your problem...
# Something like...
# add chain=input action=accept protocol=icmp comment="Allow ping and the like" disabled=no
#
add chain=input action=drop comment="Drop everything else"

add chain=forward action=accept connection-state=established comment="allow established connections"
add chain=forward action=accept connection-state=related comment="allow related connections"
add chain=forward action=drop   connection-state=invalid comment="drop invalid connections"
add chain=forward action=accept dst-port=80 protocol=tcp comment="HTTP"
add chain=forward action=accept dst-port=443 protocol=tcp comment="HTTPS"
add chain=forward action=accept dst-port=25 protocol=tcp comment="SMTP"
add chain=forward action=accept dst-port=110 protocol=tcp comment="POP3"
#
# This is a very, very constrained set of ports, and doesn't differentiate between inbound and outbound traffic.
# It also allows outside machines to get in as well as letting inside machines get out... Which can be a problem.
#
add chain=forward action=drop comment="Drop everything else"
For us to get the full story I'd recommend that you do an /ip firewall export and post the complete output. Based on the information you've given us so far, the ICMP issue or something wonky with your connection tracking or the proxy setup are my best guesses.
 
wallnas
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Aug 27, 2009 5:08 pm
Location: Italy

Re: Problem, not open, Gmail, youtube, Facebook

Sun Jan 22, 2012 11:20 am

After cleaning up and reorganizing your firewall rules a couple things jumped out at me. Comments in-line below.
....

Thanks tjc

My complete output of /ip firewall:
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="allow established connections" \
    connection-state=established disabled=no
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" \
    connection-state=related disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid disabled=no
add action=accept chain=forward comment="Permette HTTP" disabled=no dst-port=80 \
    protocol=tcp
add action=accept chain=input disabled=no dst-port=8080 protocol=tcp
add action=accept chain=forward comment=HTTPS disabled=no dst-port=443 protocol=\
    tcp
add action=accept chain=forward comment="Permette SMTP" disabled=no dst-port=25 \
    protocol=tcp
add action=accept chain=forward comment="Permette POP3" disabled=no dst-port=110 \
    protocol=tcp
add action=accept chain=forward comment="Permette Posta PEC - POP3S" disabled=no \
    dst-port=995 protocol=tcp
add action=accept chain=forward comment="Permette Posta PEC - SMTPS" disabled=no \
    dst-port=465 protocol=tcp
add action=accept chain=input comment="Accetta accesso x WINBOX" disabled=no \
    dst-port=8291 protocol=tcp
add action=accept chain=input comment="per far accedere WebFig su porta 801" \
    disabled=no dst-port=801 protocol=tcp
add action=accept chain=input comment=\
    "Accetta richieste dai PC della rete  al Server DNS" disabled=no dst-port=53 \
    protocol=udp
add action=accept chain=input comment="SSH for secure shell" disabled=yes \
    dst-port=22 protocol=tcp
add action=accept chain=forward comment="allow TCP" disabled=no protocol=tcp
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp
add action=accept chain=forward comment="allow  - - ALL - -  ping" disabled=no \
    protocol=icmp
add action=accept chain=input comment=\
    "Allow limited  - -  limit=50/5s,2 - -   pings  " disabled=yes limit=50/5s,2 \
    protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=yes protocol=\
    icmp
add action=drop chain=input comment="------------------  B L O C C A     T U T T \
    O      I L    R E S T O  ---------------" disabled=no
add action=drop chain=forward disabled=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Lan eth2 - Produzione" disabled=no \
    src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="Lan eth3 - Test" disabled=no \
    src-address=192.168.98.0/24
add action=masquerade chain=srcnat comment="Lan Vlan1 - Wireless" disabled=no \
    src-address=192.168.97.0/24
add action=redirect chain=dstnat comment="Webproxy - redirect porta 80 a 8080" \
    disabled=no dst-port=80 protocol=tcp to-ports=8080
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

/ip proxy
set always-from-cache=yes cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=yes enabled=yes max-cache-size=none \
    max-client-connections=600 max-fresh-time=1d max-server-connections=\
    600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 \
    serialize-connections=no src-address=0.0.0.0
/ip proxy access
add action=allow disabled=no dst-host=*facebook* dst-port=""
 
tjc
Member Candidate
Posts: 279
Joined: Sun Jul 10, 2011 3:08 am

Re: Problem, not open, Gmail, youtube, Facebook

Sun Jan 22, 2012 5:38 pm

Just a quick note for now: if email continues to work and the web has problems after half an hour, then your proxy server is the place to look.
 
wallnas
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Aug 27, 2009 5:08 pm
Location: Italy

Re: Problem, not open, Gmail, youtube, Facebook

Sun Jan 22, 2012 7:16 pm

Just a quick note for now: if email continues to work and the web has problems after half an hour, then your proxy server is the place to look.

I have checked the proxy; it is correct :(
 
tjc
Member Candidate
Posts: 279
Joined: Sun Jul 10, 2011 3:08 am

Re: Problem, not open, Gmail, youtube, Facebook

Sun Jan 22, 2012 8:50 pm

Is something holding open connections and hitting the limit of 600?
 
wallnas
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Aug 27, 2009 5:08 pm
Location: Italy

Re: Problem, not open, Gmail, youtube, Facebook

Tue Jan 24, 2012 8:08 pm

I have solved the problem:

I have inserted this filter:
add action=accept chain=input comment=\
    "Accetta richieste dai PC della rete  al Server DNS" disabled=no \
    dst-port=53 protocol=udp
add action=accept chain=input disabled=no dst-port=53 protocol=tcp

Thanks for your help
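The fix above and tjc's reorganized rule list earlier in the thread both come down to the same mechanism: RouterOS evaluates each chain top to bottom and the first matching rule wins, so a final "drop everything else" on the input chain silently discards any service to the router that has no explicit accept above it. The router here is the LAN's DNS server, and the input chain accepted only udp/53; DNS clients retry over TCP when a UDP answer comes back truncated (the TC bit, typical for large answers), which is consistent with the intermittent failures the thread describes and with tcp/53 being the rule that resolved them. The following evaluator is an added example, not code from the thread or from MikroTik: it models only the matchers used in the posted rules (chain, protocol, dst-port, connection-state), applies first-match semantics to the input chain before and after the tcp/53 rule, and runs a handful of constructed packets through both. Rule and packet names are the example's own.

```python
"""Hypothetical first-match evaluator for a subset of RouterOS firewall filter rules.

Added example, not the thread's or MikroTik's code. Supports only the matchers used in
the thread: chain, protocol, dst-port and connection-state. Like RouterOS, a chain is
walked top to bottom and the first matching rule decides; if no rule matches, the
packet is accepted (a chain with no terminal drop is effectively open).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str                      # "accept" or "drop"
    protocol: Optional[str] = None   # None means "any protocol"
    dst_port: Optional[int] = None   # None means "any port"
    connection_state: Optional[str] = None
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    chain: str                       # "input" (to the router) or "forward" (through it)
    protocol: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int]          # None for protocols without ports
    connection_state: str            # "new", "established", "related" or "invalid"


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every matcher it sets agrees with the packet."""
    if rule.chain != pkt.chain:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.connection_state is not None and rule.connection_state != pkt.connection_state:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule, or the implicit accept."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "(implicit: no rule matched)"


# Input chain as posted before the fix: udp/53 accepted, then drop everything else.
INPUT_BEFORE = [
    Rule("input", "accept", connection_state="established"),
    Rule("input", "accept", connection_state="related"),
    Rule("input", "accept", "tcp", 8080, comment="Web Proxy"),
    Rule("input", "accept", "tcp", 801, comment="WebFig"),
    Rule("input", "accept", "tcp", 8291, comment="WINBOX"),
    Rule("input", "accept", "udp", 53, comment="DNS over UDP"),
    Rule("input", "drop", comment="Drop everything else"),
]

# Same chain with the rule from the solution inserted above the final drop.
INPUT_AFTER = INPUT_BEFORE[:-1] + [
    Rule("input", "accept", "tcp", 53, comment="DNS over TCP (truncated-answer retry)"),
    INPUT_BEFORE[-1],
]

# Constructed sample traffic aimed at the router itself.
SAMPLE_PACKETS = [
    Packet("input", "udp", 53, "new"),          # ordinary DNS query
    Packet("input", "tcp", 53, "new"),          # client retrying a truncated answer
    Packet("input", "icmp", None, "new"),       # ping to the router (tjc's ICMP note)
    Packet("input", "tcp", 22, "new"),          # SSH, no accept rule in this chain
    Packet("input", "tcp", 22, "established"),  # reply traffic of an existing session
]


def compare(rules_before: List[Rule], rules_after: List[Rule], packets: List[Packet]):
    """Verdict for each packet under both rule sets, as (packet, before, after)."""
    return [(p, verdict(rules_before, p)[0], verdict(rules_after, p)[0]) for p in packets]


if __name__ == "__main__":
    for pkt, before, after in compare(INPUT_BEFORE, INPUT_AFTER, SAMPLE_PACKETS):
        print(f"{pkt.protocol:<4} {str(pkt.dst_port):<5} {pkt.connection_state:<12}"
              f" before={before:<6} after={after}")
```

Running it prints one row per sample packet; the only row whose verdict changes is the new tcp/53 connection, while ICMP to the router is dropped under both rule sets, which is the gap tjc flagged in the reorganized listing. The same function can be pointed at the forward chain by adding forward rules and packets with `chain="forward"`.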
