axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Help troubleshooting network - 443 - domain not reachable

Tue Aug 02, 2022 8:17 am

Sorry, I was not sure what to type in the title.
Here is my issue; I was pulling my hair out all day long trying to understand what's going on.

I have 2 networks with Mikrotiks. Different locations, same city.
  • Shop network
  • Office network
On the shop network I set up a plain Ubuntu server with Nextcloud AIO; one single docker command sets everything up for you.
Installation went smoothly on the shop network. I have ports 80/443 opened in the firewall and the Nextcloud server is alive and working fine from everywhere. I use a subdomain, e.g. cloud.shopdomain.com.

On the office network I have already set up 3 different servers, on VMs and on a bare-metal PC. Same thing: plain Ubuntu server, then run the docker install for Nextcloud.
The office also has a subdomain pointing to the WAN IP, e.g. cloud.officedomain.com.
But here I have the following problems:

1. The Nextcloud install fails to find port 443 open. It gives an error message telling you to go to portchecker.co and check from there, but in my case it shows the port is OPEN.
There is a switch (-e SKIP_DOMAIN_VALIDATION=true) for the docker command to bypass the error message, and then the installation continues and it actually gets set up, but...

2. The subdomain cloud.officedomain.com CANNOT be accessed from the LAN, but it can be accessed from a remote location (unreliably).

3. Access to the Nextcloud instance is random. It may open the page right away, or it may get stuck loading for more than 30 seconds until it moves again fluidly... Sometimes the page also opens within the LAN, but it is extremely slow.

I tried running the installation on different servers, as I mentioned, and changing IP addresses, to no avail. I am setting up THE SAME as I did in the shop. There are no firewalls set up on any of the Ubuntu servers until I get them to work.

The office's MikroTik router is connected to the WAN with a wire provided by the building, and I notice they are using 8.8.8.8 for the DNS, just in case that matters.
In the shop I get a DNS server provided by the ISP, and after searching for possible solutions there is a mention of possible DNS issues, so I am just guessing here.

Below I am posting both MikroTik configurations.
I have them side by side, and I set up the port forwarding the same, and I am pretty much a newbie here, so please take a look and maybe you guys can see anything obvious I do not understand yet?

The office has an SSTP server. The shop connects to it as a client, on a different port; I am not using 443 for the SSTP.

I will try resetting the office router to defaults and just opening the ports for the server to rule out any misconfiguration, but I wonder if the connection may be filtered by the ISP.
It's not completely blocked though... as I mentioned, sometimes the instance replies normally from a remote location once the page is loaded.

Thank you guys for any tips.

Shop router (the location that works with no issues)
# aug/01/2022 23:32:40 by RouterOS 6.49.6
# software id = Q0V4-43P8
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7XXXXX3DCB
/interface bridge
add admin-mac=CC:2D:E0:C4:52:49 auto-mac=no comment=defconf name=bridge
add name=bridge-loopback
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    default-forwarding=no disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=MIKRO80 station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=MIKRO80-5G station-roaming=enabled wireless-protocol=\
    802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec policy group
add name=group.vpn.ike2
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    hash-algorithm=sha256 name=profile.vpn.ike2
/ip ipsec peer
add exchange-mode=ike2 local-address=2xx.xxx.xxx.xx2 name=peer2xx.xxx.xxx.xx2 \
    passive=yes profile=profile.vpn.ike2
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
    name=proposal.vpn.ike2 pfs-group=none
/ip kid-control
add name=mam
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
add name=pool.vpn.ike2 ranges=192.168.90.2-192.168.90.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip ipsec mode-config
add address-pool=pool.vpn.ike2 address-prefix-length=32 name=\
    modeconf.vpn.ike2 split-dns="" split-include=0.0.0.0/0 static-dns=\
    192.168.90.1 system-dns=no
/ppp profile
set *FFFFFFFE dns-server=192.168.88.1 local-address=192.168.88.1 \
    remote-address=dhcp
/interface sstp-client
add authentication=mschap2 connect-to=2xx.xxx.xxx.xx9:4430 disabled=no \
    http-proxy=0.0.0.0:4430 name=sstp-out1 pfs=yes profile=default-encryption \
    user=nctunelaxo
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set authentication=mschap2 default-profile=default-encryption force-aes=yes \
    pfs=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=192.168.90.0/24 interface=bridge-loopback network=192.168.90.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.100 client-id=1:88:d7:f6:7a:de:e1 mac-address=\
    88:D7:F6:7A:DE:E1 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set servers=192.168.88.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.88.10-192.168.88.255 list=client
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=forward comment="LUNA TABLET BLOCK" disabled=yes \
    src-mac-address=1C:93:D4:B4:AF:45
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=reject chain=forward comment="Client Isolation" disabled=yes \
    dst-address-list=client reject-with=icmp-network-unreachable \
    src-address-list=client
add action=drop chain=forward comment="Stop internet" disabled=yes hotspot="" \
    out-interface=!all-wireless time=\
    15h47m-15h48m,sun,mon,tue,wed,thu,fri,sat
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=2xx.xxx.xxx.xx2 dst-port=443 \
    protocol=tcp to-addresses=192.168.88.100 to-ports=443
add action=dst-nat chain=dstnat dst-address=2xx.xxx.xxx.xx2 dst-port=80 \
    protocol=tcp to-addresses=192.168.88.100 to-ports=80
add action=dst-nat chain=dstnat comment="Nextcloud Talk" dst-address=\
    2xx.xxx.xxx.xx2 dst-port=3478 protocol=tcp to-addresses=192.168.88.100 \
    to-ports=3478
add action=dst-nat chain=dstnat comment="Nextcloud Talk UDP" dst-address=\
    2xx.xxx.xxx.xx2 dst-port=3478 protocol=udp to-addresses=192.168.88.100 \
    to-ports=3478
add action=dst-nat chain=dstnat comment="xxx xxxx" dst-address=\
    2xx.xxx.xxx.xx2 dst-port=4000 protocol=tcp src-port="" to-addresses=\
    192.168.88.100 to-ports=4000
add action=dst-nat chain=dstnat comment="iperf tests" dst-address=\
    2xx.xxx.xxx.xx2 dst-port=5201 protocol=tcp to-addresses=192.168.88.100 \
    to-ports=5201
add action=dst-nat chain=dstnat comment="xxx xxxx" dst-address=\
    2xx.xxx.xxx.xx2 dst-port=4022 protocol=tcp to-addresses=192.168.88.100 \
    to-ports=22
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.88.0/24
add action=netmap chain=dstnat disabled=yes dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.88.89 to-ports=80
add action=dst-nat chain=dstnat comment=HTTP:80 disabled=yes dst-address=\
    2xx.xxx.xxx.xx2 dst-port=80 protocol=tcp src-port=80 to-addresses=\
    192.168.88.100 to-ports=80
add action=dst-nat chain=dstnat comment=HTTPS:443 disabled=yes dst-address=\
    2xx.xxx.xxx.xx2 dst-port=443 protocol=tcp src-port=443 to-addresses=\
    192.168.88.100 to-ports=443
/ip ipsec policy
add dst-address=192.168.90.0/24 group=group.vpn.ike2 proposal=\
    proposal.vpn.ike2 src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 dst-address=10.0.0.0/8 gateway=sstp-out1
/ip service
set telnet disabled=yes
set www disabled=yes
/ip smb
set allow-guests=no domain=casaSSD
/ip smb users
add name=casa read-only=no
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Office router (location with the connection problems)
# aug/01/2022 23:33:40 by RouterOS 6.49.6
# software id = W0PA-KWSM
#
# model = CRS109-8G-1S-2HnD
# serial number = D5XXXXX4FXXX
/interface bridge
add arp=proxy-arp name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \
    ssid=NCrout wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,3des
add enc-algorithm=aes-256 name=profile1
/ip ipsec peer
# This entry is unreachable
add name=peer1 passive=yes profile=profile1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms="ae\
    s-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-\
    128-ctr,aes-128-gcm" lifetime=0s pfs-group=none
/ip pool
add name=dhcp ranges=10.0.0.2-10.0.0.244
add name=l2tppool1 ranges=10.0.0.245-10.0.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=10.0.0.1 name=\
    vpn-prof remote-address=l2tppool1 use-upnp=no
set *FFFFFFFE change-tcp-mss=default dns-server=8.8.8.8 local-address=\
    10.0.0.1 remote-address=l2tppool1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 fast-leave=yes interface=*D
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 default-profile=vpn-prof enabled=yes \
    one-session-per-host=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 require-client-certificate=yes
/interface sstp-server server
set authentication=mschap2 certificate=SERVER enabled=yes force-aes=yes pfs=\
    yes port=4430
/ip address
add address=10.0.0.1/8 interface=bridge1 network=10.0.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10h10m
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/8 gateway=10.0.0.1 netmask=8
/ip dns
set servers=10.0.0.1
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=80,8443 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input disabled=yes dst-port=443 in-interface-list=WAN \
    protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=\
    tcp
add action=accept chain=input comment="SSTP server nancy 4430" dst-port=4430 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=1701,500,4500 in-interface-list=WAN \
    protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward disabled=yes in-interface-list=WAN \
    src-address-list=CountryIPBlocks
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=2xx.xxx.xxx.xx9 dst-port=80 \
    protocol=tcp to-addresses=10.0.0.10 to-ports=80
add action=dst-nat chain=dstnat dst-address=2xx.xxx.xxx.xx9 dst-port=443 \
    protocol=tcp to-addresses=10.0.0.10 to-ports=443
add action=dst-nat chain=dstnat dst-address=2xx.xxx.xxx.xx9 dst-port=3478 \
    protocol=tcp to-addresses=10.0.0.10 to-ports=3478
add action=dst-nat chain=dstnat dst-address=2xx.xxx.xxx.xx9 dst-port=3478 \
    protocol=udp to-addresses=10.0.0.10 to-ports=3478
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=WEB disabled=yes dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.0.10 to-ports=80
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ppp secret
add local-address=10.0.0.1 name=ncvpn profile=vpn-prof remote-address=\
    10.0.0.252 service=l2tp
add name=axtest profile=vpn-prof service=l2tp
add local-address=10.0.0.1 name=nctunelaxo remote-address=10.0.0.2 routes=\
    "192.168.88.0/24 10.0.0.2 1" service=sstp
add local-address=10.0.0.1 name=nctunelnancy remote-address=10.0.0.3 routes=\
    "192.168.90.0/24 10.0.0.3 1" service=sstp
/system clock
set time-zone-name=America/New_York
/system identity
set name=NCrout
/system ntp client
set enabled=yes primary-ntp=129.6.15.28 secondary-ntp=129.6.15.29
Some screenshots: (four images, not reproduced here)
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help troubleshooting network - 443 - domain not reachable

Tue Aug 02, 2022 9:40 am

First things first. I would create a certificate with SAN for both the public IP and for the DNS name, attach it to the www-ssl service of the router, disable the port forwarding rule, and enable the one in filter chain input that allows access to TCP port 443 on the router itself. Then, I'd access the router's web page from outside by the domain name - are those intermittent issues present? If yes, what if you access it using the IP number rather than FQDN?

In short, I would first want to know whether it is a connectivity issue between the internet and the router, a DNS issue, or something on the router and/or its LAN.
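The swap sindy describes, written out as RouterOS 6 commands against the office export above (an added example, not from any post in this thread); the certificate name www-test is chosen here, <office-public-ip> stands for the router's public address, and the 30-day validity is an arbitrary test lifetime.

```routeros
# Added example (not from the thread): stage the router's own HTTPS page in place
# of the Nextcloud forward so reachability can be tested without the LAN server.
# Assumptions: certificate name "www-test"; <office-public-ip> is a placeholder.

# 1. Self-signed certificate whose SAN covers both the FQDN and the public IP,
#    so the test can be run by name and by address against one certificate.
/certificate add name=www-test common-name=cloud.officedomain.com \
    subject-alt-name=DNS:cloud.officedomain.com,IP:<office-public-ip> \
    key-usage=digital-signature,key-encipherment,tls-server days-valid=30
/certificate sign www-test

# 2. Bind it to the router's HTTPS service.
/ip service set www-ssl certificate=www-test disabled=no

# 3. Take the Nextcloud forward out of the path and let the router answer 443.
#    The export already has a disabled "accept tcp/443 from WAN" input rule that
#    sits above "defconf: drop all not coming from LAN", so enabling it is enough.
/ip firewall nat disable [find chain=dstnat protocol=tcp dst-port=443]
/ip firewall filter enable [find chain=input protocol=tcp dst-port=443 \
    in-interface-list=WAN]

# 4. From outside, open https://cloud.officedomain.com/ and https://<office-public-ip>/
#    a few times each (a browser warning about the self-signed certificate is expected).
#    Name intermittent, IP fine   -> DNS side.
#    Both intermittent            -> path between the internet and the router.
#    Both fine every time         -> router/LAN side (DNAT, the server, its host).

# 5. Undo when done: close 443 on the router again and restore the forward.
/ip firewall filter disable [find chain=input protocol=tcp dst-port=443 \
    in-interface-list=WAN]
/ip firewall nat enable [find chain=dstnat protocol=tcp dst-port=443]
/ip service set www-ssl disabled=yes
```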
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: Help troubleshooting network - 443 - domain not reachable

Tue Aug 02, 2022 4:30 pm

> In short, I would first want to know whether it is a connectivity issue between the internet and the router, a DNS issue, or something on the router and/or its LAN.
Thank you, Sindy.

The connection in the office is always stable; it is fast (400+ Mbit up and down), and the SSTP link between the office and the 2 clients connected to it has been very stable since I set it up a few weeks ago.
I have not noticed anything wrong with the network, and the fact that I am doing pretty much the same on both sites (forwarding the ports to the internal server) is puzzling.
Let me add something else.
When I set up the SSTP link, I used the default port 443 and it was working well. Then I changed it to something else to leave 443 alone for the web server.
I will go to the office and try using a different router just to test, and also reset the MikroTik to defaults and just open the ports needed. I posted the configuration; maybe you can spot anything there that might be interfering.

Your ideas sound great, but I have no clue how to do any of that.
I'm willing to try, of course, if you can post some instructions or a link to a guide somewhere.
Thank you!!
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Help troubleshooting network - 443 - domain not reachable

Tue Aug 02, 2022 4:45 pm

Please leave port and windows closed, otherwise it is useless to keep the air conditioning on, with 40°C outside...

Thank you.
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: Help troubleshooting network - 443 - domain not reachable

Tue Aug 02, 2022 9:07 pm

> Please leave port and windows closed, otherwise it is useless to keep the air conditioning on, with 40°C outside...
>
> Thank you.
???
