fdfdf
just joined
Topic Author
Posts: 1
Joined: Sun Mar 19, 2017 8:09 pm

cannot access https websites

Sun Mar 19, 2017 8:15 pm

Hello,

I've a mikrotik RB2011UiAS-2HnD. Since yesterday I cannot access HTTPS websites anymore.
All other things still work, like vpn, incoming https traffic (port forwarding), vpn tunnels http traffic.
I can access all http sites but when they get redirected to https it stops working.

I've looked at all firewall rules and also added a rule allow any any, but it won't work.

Does somebody have suggestions?
 
norocel
newbie
Posts: 29
Joined: Mon Sep 04, 2006 12:03 am

Re: cannot access https websites

Mon Mar 20, 2017 5:09 pm

Maybe you have forwarded the https 443 port from wan to internal lan device?
This will be just one cause.
 
sjwrick
Frequent Visitor
Posts: 87
Joined: Tue Jul 25, 2006 10:12 pm

Re: cannot access https websites

Mon Mar 20, 2017 6:52 pm

I have the same problem on some of my routers. Not all.
https sites like https://wellsfargo.com can not be rendered. Other sites like https://crucial.com are very slow to render.

I do not have a router workaround. The problem is exacerbated by some third party routers at the client location. Like a netgear. The DNS proxy does not seem to get information from my Mikrotik main router and pass it on to the client PC. I can ping the domain but cannot pass the https:// site to the client.

My only solution has been to replace the client router (ex: netgear) with a mikrotik. I have 600 customers and cannot replace all their routers.

Is there a known issue with Mikrotik - ROS passing https data on to third party routers?
 
nikc
Member Candidate
Posts: 208
Joined: Wed Jul 13, 2016 6:05 pm

Re: cannot access https websites

Mon Mar 20, 2017 7:38 pm

> Hello,
>
> I've a mikrotik RB2011UiAS-2HnD. Since yesterday I cannot access HTTPS websites anymore.
> All other things still work, like vpn, incoming https traffic (port forwarding), vpn tunnels http traffic.
> I can access all http sites but when they get redirected to https it stops working.
>
> I've looked at all firewall rules and also added a rule allow any any, but it won't work.
>
> Does somebody have suggestions?

Do you have a drop invalid packets rule on the firewall?

If you do, how much data does it say it's processed?
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: cannot access https websites

Tue Mar 21, 2017 12:41 am

Any chance that you have a ppp or eoip interface in a bridge?
Every time that I have seen this issue, it has been an MTU problem.
When you add an interface into a bridge, the bridge will automatically lower the MTU of the bridge to the lowest MTU of all of the interfaces. This almost always breaks HTTPS.
 
sjwrick
Frequent Visitor
Posts: 87
Joined: Tue Jul 25, 2006 10:12 pm

Re: cannot access https websites

Thu Mar 23, 2017 4:42 pm

Thank you for that insight about EOIP. I believe that may be the smoking gun in my case.
I have used eoip for various access situations and the scenario fits with my problems with https.

Much appreciated.

Rick
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: cannot access https websites

Thu Mar 23, 2017 5:03 pm

Glad to have helped. It took me several days of looking at every little thing to figure that out.
 
mladen074
just joined
Posts: 8
Joined: Mon Nov 27, 2017 3:54 pm

Re: cannot access https websites

Wed Dec 13, 2017 12:40 am

I just wanted to say thank you, because I was looking into this same issue for days... Of course it was eoip tunnel related. Btw, it was so difficult to even realize there was an issue, because some websites work normally and some don't (seemingly randomly). Anyway, thank you once again, your post was a life saver :)
 
davidarre
just joined
Posts: 1
Joined: Mon Aug 27, 2018 6:30 pm

Re: cannot access https websites

Mon Aug 27, 2018 7:10 pm

Thank you very much, I had the same problem and it was driving me crazy.
I had created an EoIP tunnel and this was the problem.
But the most curious thing is that it was disabled, and even then I had problems with https browsing.
I had to eliminate the tunnel, and now everything works perfectly.
Thank you very much and greetings.
 
Dalo
just joined
Posts: 5
Joined: Thu Jan 11, 2018 11:14 pm

Re: cannot access https websites

Sun Jan 27, 2019 8:44 am

I just faced the same issue. The problem, as you mentioned, was related to the EOIP tunnel MTU (1408), but in my case I fixed it just by setting the value to 1500 in the bridge's MTU field. Before, it was empty and, as mentioned, it took the lowest MTU of the LAN: "Actual MTU 1408" (the EOIP interface was 1408). Now EOIP and TLS websites are working in parallel and it currently shows "Actual MTU 1500".
 
Sparo90
just joined
Posts: 1
Joined: Wed Dec 27, 2017 9:17 pm

Re: cannot access https websites

Mon Jul 29, 2019 6:51 pm

> Any chance that you have a ppp or eoip interface in a bridge?
> Every time that I have seen this issue, it has been an MTU problem.
> When you add an interface into a bridge, the bridge will automatically lower the MTU of the bridge to the lowest MTU of all of the interfaces. This almost always breaks HTTPS.

Thanks for the great tip, I also created an EOIP interface in my bridge and it changed my MTU and it caused multiple problems.
After the change of the MTU on the EOIP interface it solved the problem.


Regards,

Sparo90
 
Ferrograph
Member Candidate
Posts: 154
Joined: Wed Mar 07, 2012 4:05 am

Re: cannot access https websites

Fri Nov 13, 2020 7:00 am

Thank you! Thank you! Thank you!

This has been driving me nuts for several days! I use eoip links to bring customers' networks to my desk so I can work on things that require wire type access and I never noticed the change it was making to the bridge MTU.

I had two sites where for whatever reason this was really screwing up general internet access.

Note also to check any VLAN interfaces hanging off the bridge. They don't seem to update their MTU in line with the bridge until toggled.
 
Ferrograph
Member Candidate
Posts: 154
Joined: Wed Mar 07, 2012 4:05 am

Re: cannot access https websites

Tue Jan 05, 2021 7:21 pm

Just wanted to share this...

I had another site with really patchy internet and https. It also had the issue with an EoIP interface dropping the MTU, which I fixed and expected everything to work again, but it didn't, which has had me scratching my head.

I exported the config verbose and went through it line by line and found that the router's IP was on ether2 and not the bridge, which I hadn't noticed. Moved it to the bridge and all working normally!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: cannot access https websites

Wed Jan 06, 2021 11:18 am

Great. It's the first time I've seen an example of an actual issue caused by attaching the IP configuration to a member port of a bridge rather than to the cpu-facing virtual port of that bridge.
 
Ferrograph
Member Candidate
Posts: 154
Joined: Wed Mar 07, 2012 4:05 am

Re: cannot access https websites

Wed Jan 06, 2021 1:02 pm

Yes, I've found routers set up with the IP on a member port before and it hasn't really seemed to cause a problem, although in all cases if I spot it I move it to the bridge.
 
pranza
just joined
Posts: 1
Joined: Mon Jan 16, 2023 9:07 pm

Re: cannot access https websites

Tue Jan 17, 2023 12:02 am

> Maybe you have forwarded the https 443 port from wan to internal lan device?
> This will be just one cause.

That was my issue! It worked with cisco router but not mikrotik! Thanks!!!!!!
 
serafin
newbie
Posts: 32
Joined: Mon Nov 14, 2011 9:07 pm

Re: cannot access https websites

Thu Mar 07, 2024 6:03 pm

Hi,

I faced the issue recently with SOME websites not opening via HTTPS protocol correctly. The behavior was:

$ curl -i -v https://web.site
*   Trying 185.xx.xx.xx:443...
* Connected to web.site (185.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

It was for SOME websites only and only in SOME locations - the same device was passing traffic correctly in one network but was failing in the other network (ISP INEA). Configuration was fairly simple - just basic routing with masquerade.

It was narrowed down to an MTU issue and removing the EOIP tunnel from the bridge was the solution. I haven't tried to force MTU at the bridge level as suggested earlier.

Leaving this post here as it was the second time I was struggling with such an issue within the last 3 years, so I have a reference in the future.

Ser@fin
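
Added example, not part of any post in this thread: a shell script for confirming the MTU diagnosis reported above by binary-searching the largest don't-fragment ICMP packet that reaches a host. It assumes Linux iputils `ping`; the function names and the `PROBE` and `PMTU_HOST` variables are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): find the largest IPv4 packet that
# reaches a host with "don't fragment" set, to confirm a lowered path MTU.

# icmp_probe PAYLOAD HOST: one echo request, DF set, PAYLOAD data bytes.
# Assumes Linux iputils ping (-M do prohibits fragmentation).
icmp_probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}
# PROBE is an illustrative hook so the search can be exercised offline.
PROBE=${PROBE:-icmp_probe}

# find_path_mtu HOST [LOW] [HIGH]: print the largest working packet size.
# IP packet size = ICMP payload + 8 (ICMP header) + 20 (IPv4 header).
find_path_mtu() {
    host=$1
    lo=${2:-576}
    hi=${3:-1500}
    # If even the smallest size fails, the host is unreachable or filters
    # ICMP, and nothing can be concluded about the MTU.
    if ! "$PROBE" $((lo - 28)) "$host"; then
        echo "unreachable"
        return 1
    fi
    # Invariant: size lo works and the answer lies in [lo, hi].
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$PROBE" $((mid - 28)) "$host"; then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo "$lo"
}

# tcp_mss_for MTU: largest TCP segment payload over IPv4 without options
# (20-byte IPv4 header + 20-byte TCP header).
tcp_mss_for() {
    echo $(( $1 - 40 ))
}

# Runs only when a target is given, e.g. PMTU_HOST=192.0.2.1 sh pmtu.sh
if [ -n "${PMTU_HOST:-}" ]; then
    mtu=$(find_path_mtu "$PMTU_HOST") || { echo "$PMTU_HOST: $mtu"; exit 1; }
    echo "path MTU to $PMTU_HOST: $mtu (TCP MSS $(tcp_mss_for "$mtu"))"
fi
```

A result below 1500 on a plain Ethernet path, such as the 1408 reported earlier in this thread, points at a tunnel or bridge lowering the MTU.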
