Michele
newbie
Topic Author
Posts: 28
Joined: Thu Aug 04, 2016 12:35 pm

problem sending email and access some sites

Thu Mar 07, 2019 1:02 pm

Hi,
We replaced a broken RB750r2 with a new one running v6.43.8 and set it up with the same configuration, with a client network connected by VPN to others via IPsec.
But now we have a very strange situation. I describe everything for clarity, even if some of it might not concern the MikroTik:
In that network there are 3 Windows 10 computers in the domain which can't access some sites (timeout), e.g. https://bancopostaimpresaonline.poste.it/bpiol1/ . 2 of these clients can receive but can't send emails in Outlook; this only happens with one provider, whose webmail site https://webmail.aruba.it they can't even reach (timeout), though they can ping it. The 4th is an XP PC outside the domain on which everything works.
All the machines have dynamic IP configuration and the same Outlook configuration.
I tried Tor Browser, and with it they can reach the sites; also, if I connect the clients directly to the Internet provider's router, bypassing the MikroTik, everything works.
Where should I look to resolve this?
Thanks
Last edited by Michele on Thu Mar 07, 2019 2:03 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 8755
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: problem sending email and access some sites

Thu Mar 07, 2019 1:58 pm

Hi,
We replaced a broken RB750r2 with a new one running v6.43.8 and set it up the same way, with a client network connected by VPN to others via IPsec.
But now we have a very strange situation. I describe everything for clarity, even if some of it might not concern the MikroTik:
In that network there are 3 Windows 10 computers in the domain which can't access some sites (timeout), e.g. https://bancopostaimpresaonline.poste.it/bpiol1/ . 2 of these clients can receive but can't send emails in Outlook; this only happens with one provider, whose webmail site https://webmail.aruba.it they can't even reach (timeout), though they can ping it. The 4th is an XP PC outside the domain on which everything works.
All the machines have dynamic IP configuration and the same Outlook configuration.
I tried Tor Browser, and with it they can reach the sites; also, if I connect the clients directly to the Internet provider's router, bypassing the MikroTik, everything works.
Where should I look to resolve this?
Thanks
The question and answer are in red.
Probably best to post your config.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Michele
newbie
Topic Author
Posts: 28
Joined: Thu Aug 04, 2016 12:35 pm

Re: problem sending email and access some sites

Thu Mar 07, 2019 2:10 pm

Here it is; I only hid the public IP addresses:
# mar/05/2019 13:50:18 by RouterOS 6.43.8
# software id = TNTL-3CLS
#
# model = RouterBOARD 750 r2
# serial number = 67D20888227E
/interface bridge
add admin-mac=CC:2D:E0:3C:0C:0F auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mtu=1400
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mtu=1380 \
    name=ether2-master
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer profile
add dh-group=modp1024 enc-algorithm=aes-128 name=profile_1 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc name=proposal1 pfs-group=none
/ip pool
add name=dhcp ranges=192.168.2.2-192.168.2.200
add name=BIBLIOTECA-pool ranges=192.168.3.2-192.168.3.200
/ip dhcp-server
add address-pool=dhcp interface=ether3 name=dhcp
add address-pool=BIBLIOTECA-pool disabled=no interface=bridge1 name=\
    BIBLIOTECA_dhcp
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=m4gu4rd4tu!! use-ipsec=\
    required
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/ip address
add address=192.168.3.1/24 comment=defconf interface=bridge1 network=\
    192.168.3.0
add address=xxx.xxx.xxx.218/29 interface=ether1 network=xxx.xxx.xxx.216
add address=192.168.2.1/24 disabled=yes interface=ether3 network=192.168.2.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.100.1,8.8.8.8 \
    gateway=192.168.2.1
add address=192.168.3.0/24 comment=defconf dns-server=192.168.100.1,8.8.8.8 \
    gateway=192.168.3.1
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment=input src-address=192.168.100.0/24
add action=accept chain=input src-address=192.168.1.0/24
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input connection-state="" dst-port=1701,500,4500 \
    in-interface=ether1 protocol=udp src-address=195.81.178.154
add action=accept chain=forward comment=forward connection-state="" \
    src-address=192.168.100.0/24
add action=accept chain=forward src-address=192.168.1.0/24
add action=accept chain=input dst-port=2200,8291 in-interface=bridge1 \
    protocol=tcp src-address=192.168.3.0/24
add action=accept chain=input dst-port=2200,8291 in-interface=ether1 \
    protocol=tcp src-address=xxx.xxx.xxx.40/29
add action=accept chain=input dst-port=2200,8291 in-interface=ether1 \
    protocol=tcp src-address=192.168.1.0/24
add action=accept chain=input dst-port=2200,8291 in-interface=ether1 \
    protocol=tcp src-address=192.168.100.0/24
add action=drop chain=input dst-port=80,22,23,2200,8291 in-interface=ether1 \
    protocol=tcp
add action=drop chain=input connection-state=!established,related disabled=\
    yes in-interface=ether1
add action=accept chain=forward connection-state=established,related \
    in-interface=ether1
add action=drop chain=forward disabled=yes
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes \
    in-interface=ether1
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=""
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface=ether1
/ip firewall nat
add action=accept chain=srcnat comment="VPN Municipio" dst-address=\
    192.168.100.0/24 src-address=192.168.3.0/24
add action=accept chain=srcnat dst-address=192.168.100.0/24 src-address=\
    192.168.2.0/24
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.3.0/24
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.2.0/24
add action=accept chain=srcnat dst-address=192.168.3.0/24 src-address=\
    192.168.100.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.100.0/24
add action=accept chain=srcnat dst-address=192.168.3.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
/ip ipsec peer
add address=195.81.178.154/32 exchange-mode=aggressive profile=profile_1 \
    secret=m4gu4rd4tu!!
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.100.0/24 proposal=proposal1 sa-dst-address=\
    195.81.178.154 sa-src-address=xxx.xxx.xxx.218 src-address=192.168.3.0/24 \
    tunnel=yes
add dst-address=192.168.1.0/24 proposal=proposal1 sa-dst-address=\
    195.81.178.154 sa-src-address=xxx.xxx.xxx.218 src-address=192.168.3.0/24 \
    tunnel=yes
/ip route
add distance=1 gateway=xxx.xxx.xxx.217
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address="192.168.100.0/24,192.168.3.0/24,192.168.2.0/24,192.168.1.0\
    /24,xxx.xxx.xxx.40/29"
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
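As an added example (not from the thread and not RouterOS code), a small Python audit that reads an export in the format above and flags the points this thread touches on: firewall rules whose connection-state is left empty (so the rule matches every connection even when its comment says established,related), drop rules that are disabled, an SNMP community reachable from 0.0.0.0/0, and Ethernet ports with a non-default MTU. The export excerpt inside it is constructed in the style of the one above, not the poster's real export.

```python
import re

# Constructed excerpt in the style of the export above (not the poster's real export).
SAMPLE_EXPORT = r"""
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full mtu=1400
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=""
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')


def parse_export(text: str) -> list:
    # One (section, properties) pair per add/set line; section is the last '/path' seen.
    # Trailing-backslash continuations are joined as RouterOS wrote them: the next
    # line, minus its indentation, follows the backslash directly.
    items, section, buf = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        elif line.startswith("/"):
            section = line
        elif line:
            items.append((section, {k: q or v for k, q, v in KV_RE.findall(buf + line)}))
            buf = ""
    return items


def audit(text: str) -> list:
    findings = []
    for section, p in parse_export(text):
        if section == "/interface ethernet" and p.get("mtu", "1500") != "1500":
            findings.append(f"{p.get('default-name')}: non-default mtu={p['mtu']}")
        elif section == "/snmp community" and p.get("addresses") == "0.0.0.0/0":
            findings.append("snmp community reachable from any address")
        elif section == "/ip firewall filter":
            desc = f"{p.get('chain')} {p.get('action')} '{p.get('comment', '')}'"
            if p.get("connection-state") == "":  # present but empty: no restriction
                findings.append(f"{desc}: empty connection-state matches every connection")
            if p.get("action") == "drop" and p.get("disabled") == "yes":
                findings.append(f"{desc}: drop rule is disabled")
    return findings
```

Run it on a full `/export` (with the secrets removed first) and each finding names the section and rule it came from.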
 
Michele
newbie
Topic Author
Posts: 28
Joined: Thu Aug 04, 2016 12:35 pm

Re: problem sending email and access some sites

Thu Mar 14, 2019 6:02 pm

any idea?
 
anav
Forum Guru
Posts: 8755
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: problem sending email and access some sites

Thu Mar 14, 2019 6:10 pm

I would say it's your config (operator error).
For example, can you explain what each FW rule you have does
(input, forward and nat)? Or is this simply a copy of work someone else has done???

(I got lost trying to understand them as they are not standard)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Michele
newbie
Topic Author
Posts: 28
Joined: Thu Aug 04, 2016 12:35 pm

Re: problem sending email and access some sites

Thu Mar 14, 2019 7:05 pm

They were pre-configured, but I tried disabling all the deny rules and nothing changed.
 
mkx
Forum Guru
Posts: 6631
Joined: Thu Mar 03, 2016 10:23 pm

Re: problem sending email and access some sites

Thu Mar 14, 2019 9:31 pm

Any good reason for having set reduced MTU on some particular ether ports?
BR,
Metod
 
Michele
newbie
Topic Author
Posts: 28
Joined: Thu Aug 04, 2016 12:35 pm

Re: problem sending email and access some sites

Fri Mar 15, 2019 10:10 am

We lowered it trying to improve packet retransmission; if it is wrong I'll reset it to the default 1500, but the problem was there before.
I'm installing Wireshark to see what is blocked.
 
Essilaia
just joined
Posts: 2
Joined: Thu Jun 10, 2021 9:07 pm

Re: problem sending email and access some sites

Mon Oct 11, 2021 3:51 pm

Well, I think it's a matter of incorrect configuration settings. Firstly, there is one rule: when something works stably, do not dare to climb to improve it because you will only make it worse. It is necessary to change when the time comes, and there is no need to rush. Try changing your email address. If you had Outlook mail, then try yahoo or gmail. These emails are much more stable and reliable, the more so for the USA and Europe. However, there is still an alternative. You can try to use this service https://tempmail.dev/. Here, you can create temporary emails and use them. Not so difficult, but quite practical and reliable.
