Community discussions

MikroTik App
 
maximusdecimus
just joined
Topic Author
Posts: 8
Joined: Wed Oct 12, 2022 3:35 am

browser TLS error using Mikrotik hardware

Sat Nov 05, 2022 10:51 pm

Greetings

what am i doing wrong?
I have been using a mikrotik LHG 5 in the last 2 years as the main way to access the internet (PTMP). About 6 months ago I began receiving TLS errors on all my browsers on all websites (even google). and after 30 seconds to 5 minutes, it was ok and i had secure access to the websites. So, every now and then i needed to wait and refresh until I had the secure connection.
So, after logging into the LHG 5 (first experience with a mikrotik device) and spending a day or two tinkering in the GUI, I searched the default firewall and added the rules, and the problem went away for the next 3 months. After 3 months the problem was back.
I think i need to note that:
- All my windows devices have this problem.
- I use the same computer with ADSL and LTE internet with no TLS problems.
- yesterday I changed my ISP and now I'm connected to another tower, another direction and another ISP but same problem.
- while using a VPN (any protocol) on the computer, the problem goes away.
- since the ISP has the login credentials to the LHG 5, I added another router (hAP lite) between my devices and the LHG 5 but the problem still there.
- I turned off all of the IOT devices (smart lamps and plugs) for a while but the problem was there.
- my neighbor uses the same ISP with a LHG 5 and does not have this problem.
- syncing the computers time with NTP server does not help
- my ISP doesn't care to help; in my country this is normal. They told me to whenever this happens choose to continue with HTTP.

LHG 5 export:
# nov/05/2022 10:15:14 by RouterOS 6.49.7
# software id = BBPZ-T9Z2
#
# model = RouterBOARD LHG 5nD
# serial number = **********
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce country=no_country_set disabled=no frequency=5240 frequency-mode=superchannel mode=station-bridge scan-list=5240 ssid=\
    1009416CT11-**********
/interface pppoe-client
add add-default-route=yes disabled=no interface=wlan1 name=pppoe-out1 use-peer-dns=yes user=**********
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=pppoe-out1 list=WAN
add list=LAN
/ip address
add address=10.10.1.10/24 interface=ether1 network=10.10.1.0
/ip cloud
set update-time=no
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Tehran
/system identity
set name=**********
/tool mac-server
set allowed-interface-list=none
hAP lite export:
# nov/05/2022 22:32:09 by RouterOS 7.5
# software id = C4NI-PF5J
#
# model = RB941-2nD
# serial number = **********
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface bridge
add admin-mac=08:55:31:A0:6A:7C auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="ISP1 _PTMP _LHG5"
set [ find default-name=ether2 ] comment="ISP2 _LTE _DWRM921"
set [ find default-name=ether3 ] comment="wAC _GWN7615"
set [ find default-name=ether4 ] comment="HomeA _RPI"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    ********** wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dpool ranges=10.10.10.100-10.10.10.200
add name=dhcp_pool2 ranges=10.10.1.1,10.10.1.11-10.10.1.254
add name=dhcp_pool3 ranges=10.10.10.100-10.10.10.199
/ip dhcp-server
add address-pool=dhcp_pool3 interface=bridge name=dhcp2
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=\
    ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=\
    pwr-line1
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=\
    wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.10.10.1/24 interface=bridge network=10.10.10.0
add address=10.10.1.1/24 interface=ether1 network=10.10.1.0
add address=10.10.2.1/24 interface=ether2 network=10.10.2.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.10.1.0/24 dns-server=9.9.9.9,5.200.200.200 gateway=10.10.1.10
add address=10.10.10.0/24 dns-server=9.9.9.9,5.200.200.200 gateway=10.10.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add comment=ISP1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    10.10.1.10 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=LTE disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.10.2.10 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Tehran
/system identity
set name=Home
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool netwatch
add disabled=yes down-script="/ip route disable [find comment=ISP1]" host=\
    8.8.8.8 http-codes="" interval=10s test-script="" timeout=1s type=icmp \
    up-script="/ip route enable [find comment=ISP1]"
add disabled=yes down-script="/ip route disable [find comment=LTE]" host=\
    8.8.4.4 http-codes="" interval=10s test-script="" timeout=1s type=icmp \
    up-script="/ip route enable [find comment=LTE]"
Thank you for your time
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: browser TLS error using Mikrotik hardware

Sun Nov 06, 2022 12:41 am

They told me to whenever this happens choose to continue with HTTP.
That's one really bad advice. The point of TLS is to make connection between you and server secure, to prevent anyone on the way from doing anything "funny" with it. When you get TLS errors (what exact errors do you get?), it means that something is wrong. And unless it was hacked and something hidden is now living inside it, it's not your LHG's fault, it's just forwarding packets and doesn't care what's inside them.
 
maximusdecimus
just joined
Topic Author
Posts: 8
Joined: Wed Oct 12, 2022 3:35 am

Re: browser TLS error using Mikrotik hardware

Sun Nov 06, 2022 8:06 am

They told me to whenever this happens choose to continue with HTTP.
(what exact errors do you get?)
Image

Thank you for your response. I don't know anything about networking yet somehow feel vulnerable roaming the net with HTTP.
something hidden is now living inside it
Is there a way to verify all the codes in the operating system of my LHG5 router?
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: browser TLS error using Mikrotik hardware

Sun Nov 06, 2022 6:46 pm

Click on "NET::ERR_CERT_COMMON_NAME_INVALID" to see more details about the certificate, maybe it will show something useful.

You can't verify what's in your router, but you can reinstall the whole thing: https://help.mikrotik.com/docs/display/ROS/Netinstall
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: browser TLS error using Mikrotik hardware

Mon Nov 07, 2022 6:13 pm

Another possibility is that web browser started to reject wild-card certificates. The one, used by forum.mikrotik.com, has CN=mikrotik.com (doesn't fit forum web site) and "Certificate Subject Alternative Name" set to wildcard *.mikrotik.com. As @Sob suggested: click on that NET::ERR curse word and see what has web browser to say about it.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: browser TLS error using Mikrotik hardware

Mon Nov 07, 2022 6:37 pm

.
.
- another ISP but same problem.
- while using a VPN (any protocol) on the computer, the problem goes away.
Guess why............

(Wow! @Sob, @mkx, didn't you notice it on the export???)

You live in Iran ... Now the Iranian "Government" filters anything and intercepts anything...................
What do you expect?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: browser TLS error using Mikrotik hardware

Mon Nov 07, 2022 7:19 pm


(Wow! @Sob, @mkx, didn't you notice it on the export???)
They didnt pass geography in high school and thus went to IT trade school vice university. ;-)
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: browser TLS error using Mikrotik hardware

Mon Nov 07, 2022 7:39 pm

Well, I don't think so.
pic.jpeg
You do not have the required permissions to view the files attached to this post.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: browser TLS error using Mikrotik hardware

Mon Nov 07, 2022 8:34 pm

I did notice and I know that I wouldn't want to have same internet they have there. But certificate with non-matching CN seems too amateurish. Correct CN from untrusted CA wouldn't make it work either, but at least it would look better. I mean, shouldn't baddies have some standards too? ;)
 
maximusdecimus
just joined
Topic Author
Posts: 8
Joined: Wed Oct 12, 2022 3:35 am

Re: browser TLS error using Mikrotik hardware

Tue Nov 08, 2022 12:51 am

You live in Iran ... Now the Iranian "Government" filters anything and intercepts anything...................
Thank you for adding fuel to my paranoia. Hopefully the TLS does its job, which is guarantying me encrypted key exchange with whatever website I visit.

But this only happens on PTMP radio connections. I have ADSL and LTE services with no problems. Why would they only surveil PTMP?
Last edited by maximusdecimus on Tue Nov 08, 2022 1:50 am, edited 1 time in total.
 
maximusdecimus
just joined
Topic Author
Posts: 8
Joined: Wed Oct 12, 2022 3:35 am

Re: browser TLS error using Mikrotik hardware

Tue Nov 08, 2022 1:48 am

Click on "NET::ERR_CERT_COMMON_NAME_INVALID" to see more details about the certificate, maybe it will show something useful.
Image
You can't verify what's in your router, but you can reinstall the whole thing: https://help.mikrotik.com/docs/display/ROS/Netinstall
Thank you, I am going to try
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: browser TLS error using Mikrotik hardware

Tue Nov 08, 2022 3:32 am

That's perfectly valid certificate for www.bing.com, same one I see here. It looks like someone or something somewhere (ISP?) is redirecting your https connections to www.bing.com server. I assume that Microsoft didn't share certificate's private key with anyone, so it can't be used to spy on you (you still shouldn't accept it for other sites).
 
maximusdecimus
just joined
Topic Author
Posts: 8
Joined: Wed Oct 12, 2022 3:35 am

Re: browser TLS error using Mikrotik hardware

Tue Nov 08, 2022 2:34 pm

Thank you @sob and all the others for your time. I really appreciate it.

I might have found a solution. Last 12 hours was without any problems after having DoH on the router. I don't know how it was related to TLS errors that I was getting but I hope this was it.

Who is online

Users browsing this forum: No registered users and 32 guests