This is strange: the only sites I cannot open/resolve are government websites from my country, e.g. gov.si. With the laptop connected directly to the ISP's modem (ISP modem > laptop) the websites open and resolve fine...
With the MikroTik in between (ISP modem > router > laptop) they do not.
At first I thought it was a Pi-hole problem — I whitelisted the domain and everything else I could think of — but Pi-hole resolves the domain correctly:
Jan 22 22:43:36 dnsmasq[32208]: query[A] gov.si from 10.6.0.4
Jan 22 22:43:36 dnsmasq[32208]: forwarded gov.si to 127.0.0.1
Jan 22 22:43:36 dnsmasq[32208]: reply gov.si is 84.39.211.243
Jan 22 22:43:37 dnsmasq[32208]: query[A] gov.si from 10.6.0.4
Jan 22 22:43:37 dnsmasq[32208]: cached gov.si is 84.39.211.243
Jan 22 22:43:37 dnsmasq[32208]: query[AAAA] gov.si from 10.6.0.4
Jan 22 22:43:37 dnsmasq[32208]: forwarded gov.si to 127.0.0.1
Jan 22 22:43:37 dnsmasq[32208]: reply gov.si is 2a00:d440:7777:7777::5427:d3f3
Traceroute from the router itself (Dan'sTik) to the IP of gov.si (84.39.211.243) — replies stop after hop 5:
[admin@Dan'sTik] > /tool traceroute
address: 84.39.211.243
# ADDRESS LOSS SENT LAST AVG BEST WORST
1 188.230.128.1 0% 2 3.3ms 3.5 3.3 3.6
2 84.255.209.161 0% 2 3.7ms 3.5 3.2 3.7
3 84.255.211.82 0% 2 2.2ms 2.1 2 2.2
4 91.220.194.102 0% 2 3.2ms 3.3 3.2 3.3
5 88.200.2.183 0% 2 8.5ms 6.1 3.7 8.5
6 100% 2 timeout
7 100% 1 timeout
8 100% 1 timeout
9 100% 1 timeout
10 100% 1 timeout
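# jan/22/2022 23:31:33 by RouterOS 6.49.2
# software id = RY13-W6WU
#
# model = RBD52G-5HacD2HnD
# serial number = D7160CB65217
#
# Reviewer notes. All '#' lines are comments and are ignored by /import.
# Changes relative to the posted export (everything else is unchanged):
#   - /ip firewall address-list: fixed the malformed range in
#     allowed_vpn_to_router ("192.168.89-254" -> "192.168.89.254"); the
#     original line is rejected on import.
#   - /interface pptp-server: disabled. PPTP relies on MS-CHAPv2/MPPE,
#     which is broken; the matching input rule was already disabled.
#   - /ip firewall filter "admin allowed to router": the rule only matched
#     established,related, which the first rule already accepts, so it never
#     did anything. It now matches any state from allowed_to_router.
#   - /ip firewall nat "Zabbix Proxy" tcp/10051: to-ports 10050 -> 10051,
#     consistent with the udp/10051 rule below it (assumed typo; confirm).
#   - /ip firewall nat "WireGuard VPN" tcp/51820 removed: WireGuard is
#     UDP-only, the TCP forward could never carry traffic.
# Passwords and the WPA2 pre-shared key are absent from this export, which
# is consistent with "/export hide-sensitive" -- do not assume they are unset.
/interface bridge
add admin-mac=48:8F:5A:CC:E7:E4 auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=slovenia disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=DE2Ghz wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=slovenia disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid=DE5GHz wireless-protocol=\
802.11
/interface vlan
# vlan10 on ether5 carries the Raspberry Pi hosts (10.0.10.5 = Pi-hole /
# WireGuard / Tor relay, 10.0.10.6 = Zabbix proxy + web). Note ether5 is also
# a plain (untagged) bridge port below, so 10.0.1.0/24 and vlan10 share it.
add comment="RaspberryPi VLAN" interface=ether5 name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Manage
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.1.10-10.0.1.254
add name=pool10 ranges=10.0.10.2-10.0.10.254
add name=vpn_pool ranges=192.168.2.192-192.168.2.250
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=pool10 disabled=no interface=vlan10 name=vlan10
/ppp profile
add local-address=192.168.2.1 name=vpn_profile remote-address=vpn_pool
# Default profile: VPN clients get the router (10.0.1.1) as DNS, while LAN
# DHCP clients get the Pi-hole (10.0.10.5). Intentional? VPN users bypass
# Pi-hole filtering this way.
set *FFFFFFFE dns-server=10.0.1.1 local-address=192.168.89.1 remote-address=\
vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# vlan10 is in both Manage and LAN, so the Pi hosts get the same implicit
# full access to the router's input chain as the main LAN (see the
# "drop all not coming from LAN" rule below).
add interface=vlan10 list=Manage
add interface=vlan10 list=LAN
/interface ovpn-server server
# auth=sha1 and aes256 are the strongest options the RouterOS 6.x OVPN
# server offers; require-client-certificate=yes is the important part.
set auth=sha1 certificate=Server cipher=aes256 enabled=yes \
require-client-certificate=yes
/interface pptp-server server
# PPTP disabled (MS-CHAPv2/MPPE are broken). L2TP/IPsec, SSTP, OpenVPN and
# WireGuard remain available.
set enabled=no
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.0.1.1/24 comment=defconf interface=bridge network=10.0.1.0
# NOTE(review): ether1 carries a static 89.212.52.216/16 AND a DHCP client,
# plus a static default route via 89.212.0.1 below. The router's traceroute
# in the post leaves via 188.230.128.1, not 89.212.0.1, so the two WAN
# configurations disagree. Keep only the one the ISP actually provisions --
# a stale /16 on-link route or a second default route is a plausible cause
# of the selective reachability problem. Verify with "/ip route print".
add address=89.212.52.216/16 interface=ether1 network=89.212.0.0
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.1.0/24 comment=defconf dns-server=10.0.10.5 gateway=10.0.1.1 \
netmask=24
add address=10.0.10.0/24 dns-server=10.0.10.5 gateway=10.0.10.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for anyone who can
# reach its input chain; it is only safe because the input chain drops
# everything not from LAN below. With use-doh-server set, RouterOS forwards
# queries over DoH; "servers=10.0.10.5" (the Pi-hole) is then mainly used to
# resolve the DoH hostname, so DNS on the router depends on the Pi being up.
set allow-remote-requests=yes servers=10.0.10.5 use-doh-server=\
https://dns.nextdns.io/f4efa2 verify-doh-cert=yes
/ip dns static
add address=10.0.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.1.10 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
# The three lists below are not referenced by any rule in this export
# (allowed_to_16bit.mk, allowed_vpn_to_router, allowed_to_router_from_vpn).
add address=10.0.1.5-10.0.1.254 list=allowed_to_16bit.mk
add address=192.168.89.2-192.168.89.254 list=allowed_vpn_to_router
add address=10.0.10.5 list=allowed_to_router_from_vpn
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Blocks WebFig (www on 8080) when addressed via the public IP. Hard-coded
# address; breaks silently if the WAN address changes (see /ip address note).
add action=drop chain=input comment="disallow public ip for router use" \
dst-address=89.212.52.216 dst-port=8080 protocol=tcp
# Accepts any connection from allowed_to_router (10.0.1.10). This is NOT
# restrictive on its own: the chain ends with "drop !LAN", so every LAN host
# still reaches the router. To actually limit management to this list, a
# final "add action=drop chain=input" would be needed -- left out here
# because it can lock you out if the list is wrong.
add action=accept chain=input comment="admin allowed to router" \
src-address-list=allowed_to_router
add action=accept chain=input comment="allow openvpn" dst-port=1194 protocol=\
udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Everything not accepted above and not arriving on a LAN-list interface is
# dropped: this single rule is what keeps DNS, SNMP, www-ssl and the
# L2TP/SSTP servers off the internet. Review it before touching the LAN list.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Outbound Tor relay traffic from the Pi, placed before fasttrack so it is
# never fasttracked.
add action=accept chain=forward in-interface=vlan10 out-interface=ether1 \
protocol=tcp src-port=9090
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
yes log-prefix=LAN_!LAN src-address=!10.0.1.0/24
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Only the first matching dst-nat rule applies: tcp/80 and tcp/443 go to
# 10.0.10.6 (Malina2). The "Malina" 80/443 rules below are shadowed and
# never fire; kept as-is so nothing changes, but they should be removed or
# given a distinguishing match (e.g. dst-address) if 10.0.10.5 is meant to
# be reachable.
add action=dst-nat chain=dstnat comment="Malina2 HTTP" dst-port=80 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.6 to-ports=80
add action=dst-nat chain=dstnat comment="Malina2 HTTPS" dst-port=443 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.6 to-ports=443
add action=dst-nat chain=dstnat comment="Malina HTTP" dst-port=80 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=80
add action=dst-nat chain=dstnat comment="Malina HTTPS" dst-port=443 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=443
add action=dst-nat chain=dstnat comment="Malina TorDir" dst-port=9030 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=9030
add action=dst-nat chain=dstnat comment="Malina Tor Relay " dst-port=9090 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=9090
# Zabbix agent (10050) and proxy (10051) exposed to the whole internet;
# consider restricting src-address to the Zabbix server if its IP is fixed.
add action=dst-nat chain=dstnat comment="Zabbix Proxy" dst-port=10050 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.6 to-ports=10050
add action=dst-nat chain=dstnat comment="Zabbix Proxy" dst-port=10051 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.6 to-ports=10051
add action=dst-nat chain=dstnat comment="Zabbix Proxy" dst-port=10050 \
in-interface=ether1 protocol=udp to-addresses=10.0.10.6 to-ports=10050
add action=dst-nat chain=dstnat comment="Zabbix Proxy" dst-port=10051 \
in-interface=ether1 protocol=udp to-addresses=10.0.10.6 to-ports=10051
# WireGuard is UDP-only; the former tcp/51820 forward was removed.
add action=dst-nat chain=dstnat comment="WireGuard VPN" dst-port=51820 \
in-interface=ether1 protocol=udp to-addresses=10.0.10.5 to-ports=51820
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip firewall service-port
set ftp disabled=yes
/ip route
# Static default route -- see the /ip address note: the DHCP client on
# ether1 also installs one.
add distance=1 gateway=89.212.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes port=2222
# www-ssl is bound to 0.0.0.0/0. The export does not show whether it is
# enabled; if it is, restrict "address=" like winbox below rather than
# relying solely on the input-chain drop rule.
set www-ssl address=0.0.0.0/0
set api disabled=yes
set winbox address=10.0.1.0/24,192.168.89.0/24,10.0.10.5/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add local-address=10.0.1.1 name=daniel profile=vpn_profile remote-address=\
192.168.2.192 service=ovpn
# No password visible (hide-sensitive?) and no service restriction; confirm
# this secret has a strong password or remove it.
add name=vpn
/snmp
# SNMP enabled with the default (public, read-only) community; reachable
# from LAN only thanks to the input drop rule. Set a non-default community
# and restrict addresses. Contact/location here are personal data that were
# published with this export.
set contact=nikoloskid@protonmail.com enabled=yes location="Vojkova cesta 30"
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name="Dan'sTik"
/system package update
set channel=long-term
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=Manage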