Community discussions

 
anttech
just joined
Topic Author
Posts: 1
Joined: Mon Jan 14, 2019 12:05 am

Whatsapp video being blocked

Mon Jan 14, 2019 12:18 am

Hi
I am having issues with WhatsApp being blocked. I have added all the ports it needs or what it seems it needs but still does not work.

Here is my config if anyone can see anything that looks wrong.

Thanks

Anthony


/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=l2tp ranges=192.168.100.1-192.168.100.30
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add local-address=192.168.100.1 name=lt2p1 remote-address=l2tp
set *FFFFFFFE dns-server=192.168.1.100 local-address=dhcp remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=lt2p1 enabled=yes ipsec-secret+=@@@@@@@@@@ use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 - WAN" list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.100/24 comment=defconf interface=ether2 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface="ether1 - WAN"
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=208.67.222.123,208.67.220.123 gateway=192.168.1.100 netmask=24
add address=192.168.80.0/24 comment="VPN- dhcp" dns-server=192.168.1.100 gateway=192.168.1.100 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.100 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="HTTP WAN Admin" dst-port=80 protocol=tcp
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=accept chain=forward comment="Whatsapp tcp" dst-port=443,4244,5222,5223,5228,5242,8443 out-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="whatsapp 2" dst-port=59234,50318 protocol=tcp
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="whatsapp udp1" dst-port=59234,50318 protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="whatsapp udp 2" dst-port=3478,45395 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=redirect chain=dstnat dst-address-type=!local dst-port=!53 protocol=udp to-addresses=0.0.0.0 to-ports=53
/system clock
set time-zone-name=Europe/London
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Jotne
Forum Veteran
Posts: 786
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Whatsapp video being blocked

Mon Jan 14, 2019 8:31 am

I did have the same problem at my previous house. Whatsapp text and voice message worked fine, but no video call.
It was my ISP that did block something. Changing location, all ok.

Try to find what outgoing ports are needed. Something like this:
TCP Ports: 80, 443, 4244, 5222, 5223, 5228, 5242, 50318, 59234
UDP Ports: 34784, 45395, 50318, 59234
You can test them for TCP like this:
http://portquiz.net:80/
http://portquiz.net:5222/
It should respond with something like this: "You have reached this page on port 5222."
Use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
anav
Forum Guru
Posts: 1299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Whatsapp video being blocked

Mon Jan 14, 2019 7:11 pm

Wrong, I use whatsapp all the time behind my mikrotik. It has to be your ISP.

Looking at your rules it's hard to figure out what you are doing wrt to DNS but if it works for you great. :-)
I didn't realize 208.67.222.123 or 208.67.220.123 were valid servers.........
I thought they were 208.67.220.220 and 208.67.222.222

Recommended to me that un-tracked is not required except for specific circumstances (tied in with specific raw rules).

These rules are not generally required. Assuming you have a basic LAN to WAN rule in there somewhere and a drop all else rule at the end, that traffic is not being blocked.
add action=accept chain=forward comment="Whatsapp tcp" dst-port=443,4244,5222,5223,5228,5242,8443 out-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="whatsapp 2" dst-port=59234,50318 protocol=tcp
add action=accept chain=forward comment="whatsapp udp1" dst-port=59234,50318 protocol=udp
add action=accept chain=forward comment="whatsapp udp 2" dst-port=3478,45395 protocol=udp

I don't see one so add this rule....
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=bridge out-interface-list=WAN
(If you only have one wan, then use out-interface=WAN)

What is the purpose of this Firewall rule???
add action=accept chain=input comment="HTTP WAN Admin" dst-port=80 protocol=tcp

This rule normally is made to allow admin access to the router so take this one
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp

and change it to this
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=adminaccess
(you will need to identify which IPs or blocks or subnets you should be able to access the router from within your LANs and in this case I named the list 'adminaccess').
(By the way, now we all know which port your Winbox runs on........... I changed mine to a different number).

Change this rule as your last INPUT chain rule.....
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

To
add action=drop chain=input comment="DROP ALL ELSE"

Change this forward rule
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

To
add action=accept chain=forward comment=\
"Allow Port Forwarding" connection-nat-state=dstnat

and add a last rule to the forward chain
add action=drop chain=forward comment=\
"DROP ALL other FORWARD traffic"
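
The two observations in the reply above (the WhatsApp accept rules change nothing for LAN-to-WAN traffic, and the admin rules on the input chain carry no interface restriction) can be checked by replaying test packets against the posted rules. This is an added example, not part of any post in this thread; it assumes a simplified first-match model with one interface list per packet, only the matchers that occur in these rules, and a subset of the posted rules kept in their original order.

```python
import shlex

# Subset of the filter rules posted in this thread, in their original order.
RULES = """
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="HTTP WAN Admin" dst-port=80 protocol=tcp
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=accept chain=forward comment="Whatsapp tcp" dst-port=443,4244,5222,5223,5228,5242,8443 out-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="whatsapp udp 2" dst-port=3478,45395 protocol=udp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""

MATCHERS = ("protocol", "dst-port", "in-interface-list", "out-interface-list",
            "connection-state", "connection-nat-state")

def parse(text):
    # "add key=value ..." -> dict; shlex keeps a quoted comment in one token.
    return [dict(t.split("=", 1) for t in shlex.split(line)[1:])
            for line in text.strip().splitlines()]

def matches(rule, pkt):
    if rule["chain"] != pkt["chain"]:
        return False
    for key in MATCHERS:
        if key in rule:
            negate = rule[key].startswith("!")
            hit = str(pkt.get(key)) in rule[key].lstrip("!").split(",")
            if hit == negate:  # plain value missed, or negated value hit
                return False
    return True

def verdict(rules, pkt):
    # First matching rule decides; a packet reaching the end of a chain is accepted.
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "no rule matched (end of chain)"

def new_pkt(chain, proto, port, in_list, out_list=None):
    # Constructed test packet: first packet of a new, non-NATed connection.
    return {"chain": chain, "protocol": proto, "dst-port": port, "in-interface-list": in_list,
            "out-interface-list": out_list, "connection-state": "new"}

if __name__ == "__main__":
    rules = parse(RULES)
    for pkt in (new_pkt("input", "tcp", 8291, "WAN"),             # Winbox reached from WAN
                new_pkt("input", "tcp", 22, "WAN"),               # any other service from WAN
                new_pkt("forward", "udp", 50000, "LAN", "WAN")):  # unlisted port, LAN to WAN
        print(pkt["chain"], pkt["protocol"], pkt["dst-port"], "->", verdict(rules, pkt))
```

Under this model the unlisted LAN-to-WAN port is accepted at the end of the forward chain, and the Winbox and HTTP rules accept WAN traffic before the final input drop is reached.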
