dnikms

Can't open government websites

Sun Jan 23, 2022 12:37 am

Hi,

Well, this is strange, because the only sites I can't open/resolve are government websites from my country, e.g. gov.si. I have tried connecting directly: ISP's modem > laptop = websites open/resolve...
ISP's modem > router > laptop = they do not.
First I thought it was Pihole's problem; I whitelisted the domain and everything else I could think of, but Pihole is resolving the domain correctly:
Jan 22 22:43:36 dnsmasq[32208]: query[A] gov.si from 10.6.0.4
Jan 22 22:43:36 dnsmasq[32208]: forwarded gov.si to 127.0.0.1
Jan 22 22:43:36 dnsmasq[32208]: reply gov.si is 84.39.211.243
Jan 22 22:43:37 dnsmasq[32208]: query[A] gov.si from 10.6.0.4
Jan 22 22:43:37 dnsmasq[32208]: cached gov.si is 84.39.211.243
Jan 22 22:43:37 dnsmasq[32208]: query[AAAA] gov.si from 10.6.0.4
Jan 22 22:43:37 dnsmasq[32208]: forwarded gov.si to 127.0.0.1
Jan 22 22:43:37 dnsmasq[32208]: reply gov.si is 2a00:d440:7777:7777::5427:d3f3
And now I am investigating on the router side, and that is where the problem lies, but I can't think of a solution...
Traceroute to the website IP of gov.si:
[admin@Dan'sTik] > /tool traceroute 
address: 84.39.211.243
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST
 1 188.230.128.1                      0%    2   3.3ms     3.5     3.3     3.6
 2 84.255.209.161                     0%    2   3.7ms     3.5     3.2     3.7
 3 84.255.211.82                      0%    2   2.2ms     2.1       2     2.2
 4 91.220.194.102                     0%    2   3.2ms     3.3     3.2     3.3
 5 88.200.2.183                       0%    2   8.5ms     6.1     3.7     8.5
 6                                  100%    2 timeout
 7                                  100%    1 timeout
 8                                  100%    1 timeout
 9                                  100%    1 timeout
10                                  100%    1 timeout
And here is the config, if it might help...
# jan/22/2022 23:31:33 by RouterOS 6.49.2
# software id = RY13-W6WU
#
# model = RBD52G-5HacD2HnD
# serial number = D7160CB65217
# NOTE(review): this export carries the serial number, software id, a public IP
# and an SNMP contact address; when posting a config publicly, prefer
# `/export hide-sensitive` and redact identifying values.
/interface bridge
add admin-mac=48:8F:5A:CC:E7:E4 auto-mac=no comment=defconf name=bridge \
    protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=slovenia disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=DE2Ghz wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=slovenia disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=DE5GHz wireless-protocol=\
    802.11
/interface vlan
# vlan10 rides on ether5, which is also a plain bridge port (see
# /interface bridge port below); tagged frames are handled by this interface,
# untagged ones by the bridge.
add comment="RaspberryPi VLAN" interface=ether5 name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Manage
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.1.10-10.0.1.254
add name=pool10 ranges=10.0.10.2-10.0.10.254
add name=vpn_pool ranges=192.168.2.192-192.168.2.250
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=pool10 disabled=no interface=vlan10 name=vlan10
/ppp profile
add local-address=192.168.2.1 name=vpn_profile remote-address=vpn_pool
# Default PPP profile hands VPN clients the router itself (10.0.1.1) as DNS;
# that relies on allow-remote-requests=yes under /ip dns below.
set *FFFFFFFE dns-server=10.0.1.1 local-address=192.168.89.1 remote-address=\
    vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan10 list=Manage
add interface=vlan10 list=LAN
/interface ovpn-server server
# NOTE(review): auth=sha1 is the HMAC choice for the OVPN data channel; the
# client-certificate requirement is the stronger control here. Consider
# sha256 if the clients support it — confirm against the client configs.
set auth=sha1 certificate=Server cipher=aes256 enabled=yes \
    require-client-certificate=yes
/interface pptp-server server
# NOTE(review): PPTP server is enabled, but its WAN input rule in
# /ip firewall filter is disabled, so it is only reachable from LAN-listed
# interfaces. Disable the server entirely if it is not in use.
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.0.1.1/24 comment=defconf interface=bridge network=10.0.1.0
# NOTE(review): a static public address is set on ether1 while a DHCP client
# is also configured on ether1 below; which one wins depends on what the ISP
# hands out — confirm that both agree, otherwise the default route may flap.
add address=89.212.52.216/16 interface=ether1 network=89.212.0.0
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
# Both LAN segments hand out 10.0.10.5 (the Pihole, per the post) as DNS.
add address=10.0.1.0/24 comment=defconf dns-server=10.0.10.5 gateway=10.0.1.1 \
    netmask=24
add address=10.0.10.0/24 dns-server=10.0.10.5 gateway=10.0.10.1 netmask=24
/ip dns
# The router resolver is open to remote requests; the input chain's final
# "drop all not coming from LAN" rule is what keeps it off the WAN.
set allow-remote-requests=yes servers=10.0.10.5 use-doh-server=\
    https://dns.nextdns.io/f4efa2 verify-doh-cert=yes
/ip dns static
add address=10.0.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.1.10 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
# NOTE(review): allowed_to_16bit.mk, allowed_vpn_to_router and
# allowed_to_router_from_vpn are not referenced by any filter rule in this
# export — either dead entries or used by rules not shown.
add address=10.0.1.5-10.0.1.254 list=allowed_to_16bit.mk
# NOTE(review): "192.168.89-254" is not a valid range end (missing octet
# separator); likely intended as 192.168.89.254.
add address=192.168.89.2-192.168.89-254 list=allowed_vpn_to_router
add address=10.0.10.5 list=allowed_to_router_from_vpn
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Blocks new connections to the router's HTTP service (www on port 8080,
# see /ip service) when addressed via the public IP.
add action=drop chain=input comment="disallow public ip for router use" \
    dst-address=89.212.52.216 dst-port=8080 protocol=tcp
# NOTE(review): this rule only matches established,related, which the first
# rule in this chain already accepts, so it never matches anything new —
# it does not actually grant 10.0.1.10 any extra access.
add action=accept chain=input comment="admin allowed to router" \
    connection-state=established,related src-address-list=allowed_to_router
# NOTE(review): the OVPN server above has no protocol/port set; on RouterOS
# 6.x the server is believed to listen on TCP only, so this UDP/1194 accept
# probably does not match real OVPN sessions — confirm which protocol the
# clients use.
add action=accept chain=input comment="allow openvpn" dst-port=1194 protocol=\
    udp
# L2TP, PPTP and SSTP input accepts are all disabled, so those servers
# (enabled above) are unreachable from WAN by virtue of the final drop rule.
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# Catch-all for the input chain: LAN list = bridge + vlan10.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# NOTE(review): placed ahead of fasttrack and matching on source port only
# (outbound from the Tor relay host on vlan10, per the dst-nat comments);
# purpose is not stated in the export — worth a comment= on the rule.
add action=accept chain=forward in-interface=vlan10 out-interface=ether1 \
    protocol=tcp src-port=9090
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Anti-spoofing for the bridge segment; vlan10 traffic enters with
# in-interface=vlan10 and is not covered by this rule.
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
    yes log-prefix=LAN_!LAN src-address=!10.0.1.0/24
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): the "Malina2" and "Malina" HTTP/HTTPS rules have identical
# match conditions (dst-port, in-interface, protocol); NAT is first-match,
# so the two "Malina" rules below for 10.0.10.5 never fire.
add action=dst-nat chain=dstnat comment="Malina2 HTTP" dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.6 to-ports=80
add action=dst-nat chain=dstnat comment="Malina2 HTTPS" dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.6 to-ports=443
add action=dst-nat chain=dstnat comment="Malina HTTP" dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=80
add action=dst-nat chain=dstnat comment="Malina HTTPS" dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=443
add action=dst-nat chain=dstnat comment="Malina TorDir" dst-port=9030 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=9030
add action=dst-nat chain=dstnat comment="Malina Tor Relay " dst-port=9090 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=9090
add action=dst-nat chain=dstnat comment="Zabbix Proxy" dst-port=10050 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.6 to-ports=10050
# NOTE(review): TCP 10051 is forwarded to to-ports=10050, while the UDP
# 10051 rule below forwards to 10051 — probable typo in to-ports.
add action=dst-nat chain=dstnat comment="Zabbix Proxy" dst-port=10051 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.6 to-ports=10050
add action=dst-nat chain=dstnat comment="Zabbix Proxy" dst-port=10050 \
    in-interface=ether1 protocol=udp to-addresses=10.0.10.6 to-ports=10050
add action=dst-nat chain=dstnat comment="Zabbix Proxy" dst-port=10051 \
    in-interface=ether1 protocol=udp to-addresses=10.0.10.6 to-ports=10051
add action=dst-nat chain=dstnat comment="WireGuard VPN" dst-port=51820 \
    in-interface=ether1 protocol=udp to-addresses=10.0.10.5 to-ports=51820
# NOTE(review): WireGuard is UDP-only; the TCP/51820 forward below exposes a
# port for no benefit and can be removed.
add action=dst-nat chain=dstnat comment="WireGuard VPN" dst-port=51820 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=51820
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip firewall service-port
set ftp disabled=yes
/ip route
add distance=1 gateway=89.212.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
# NOTE(review): plain-HTTP www (8080) and www-ssl have no source-address
# restriction, unlike winbox below; the input chain's LAN-only drop is the
# only thing limiting them. Consider an address= list matching winbox.
set www port=8080
set ssh disabled=yes port=2222
set www-ssl address=0.0.0.0/0
set api disabled=yes
set winbox address=10.0.1.0/24,192.168.89.0/24,10.0.10.5/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
# Per-secret local/remote addresses override the vpn_profile values above.
add local-address=10.0.1.1 name=daniel profile=vpn_profile remote-address=\
    192.168.2.192 service=ovpn
add name=vpn
/snmp
# SNMP is enabled; no input rule permits UDP/161, so it is LAN-only per the
# input chain. Communities are not shown in this export — verify the default
# "public" community has been changed or restricted.
set contact=nikoloskid@protonmail.com enabled=yes location="Vojkova cesta 30"
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name="Dan'sTik"
/system package update
set channel=long-term
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=Manage
 
User avatar
mkx

Re: Can't open government websites

Sun Jan 23, 2022 12:08 pm

As the traceroute shows quite a few hops before it gets lost, this proves there's nothing wrong with your configuration; the problem lies within the government network.

Details in Slovenian ... they're not really of general interest ...

Kot kaže, MJU izvaja velike spremembe v svojem omrežju, pri tem seveda delajo napake in deli omrežja niso dostopni ... in to je celo odvisno od tega, pri katerem ponudniku interneta si. Pred tedni je bila podobna težava, takrat eden od DNS strežnikov ni bil dostopen iz Telekomovega omrežja, iz T-2 omrežja pa je bil. Pri tem je traceroute v obeh primerih šel preko nekaterih skupnih usmerjevalnikov v MJU omrežju. Pa razumi če moreš.
Saj bo ... :wink:
 
User avatar
dnikms

Re: Can't open government websites

Mon Jan 24, 2022 12:40 pm

mkx, hvala za odgovor ...
Upam da bojo zrihtali ...
