Sirajs
just joined
Topic Author
Posts: 3
Joined: Tue Mar 19, 2024 3:45 pm

Website is not reachable but pingable from customer network  [SOLVED]

Tue Mar 19, 2024 4:11 pm

Hello,

I am quite new to this, so I would appreciate some help from professionals. One of our customers called me to say that one website is not reachable; it ends with ERR_CONNECTION_TIMED_OUT. I tried pinging that site, and it is pingable and resolves to an IP address. I don't understand why only one website is not working, and I can't find any settings which could resolve this problem.

Site: https://www.profilzadavatele-vz.cz/ (I can reach it from anywhere, but only from that customer's local network does it get a connection timed out)

# mar/19/2024 15:07:13 by RouterOS 6.48.4
# software id = **ELIDED**
#
# model = RB3011UiAS
# serial number = **ELIDED**
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=\
    "Lokalni sit  eth2->eth10+stp1" name=bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] comment="Privod od T-mobile" name=ether1-WAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-LAN name=defconf
/snmp community
add addresses=**ELIDED** name=arit
/user group
add name=backup policy="ssh,ftp,read,sensitive,!local,!telnet,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge-LAN comment=defconf interface=ether2
add bridge=bridge-LAN comment=defconf interface=ether3
add bridge=bridge-LAN comment=defconf interface=ether4
add bridge=bridge-LAN comment=defconf interface=ether5
add bridge=bridge-LAN comment=defconf interface=ether6
add bridge=bridge-LAN comment=defconf interface=ether7
add bridge=bridge-LAN comment=defconf interface=ether8
add bridge=bridge-LAN comment=defconf interface=ether9
add bridge=bridge-LAN comment=defconf interface=ether10
add bridge=bridge-LAN comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
add address=192.168.88.1/24 comment=Servisni-subnet interface=bridge-LAN \
    network=192.168.88.0
add address=89.24.124.234/24 comment="Staticka od T-Mobile" interface=\
    ether1-WAN network=89.24.124.0
add address=192.168.2.254/24 comment="Lokalni rozsah" interface=bridge-LAN \
    network=192.168.2.0
add address=192.168.3.254/24 comment="Guests rozsah" interface=bridge-LAN \
    network=192.168.3.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1-WAN
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=62.168.51.253 list=arit
add address=62.168.51.250 list=arit
add address=84.42.204.102 comment=mk list=arit
add address=193.165.167.74 list="IIS Tabor"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=Winbox,SSH dst-port=8291,1313,23 \
    protocol=tcp src-address-list=arit
add action=accept chain=input comment=Winbox,SSH dst-port=161 protocol=udp \
    src-address-list=arit
add action=accept chain=input in-interface=bridge-LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow LAN" in-interface=bridge-LAN
add action=accept chain=forward comment="rekolin NAGIOS, SSH" dst-address=\
    192.168.2.251 dst-port=5666,1300 protocol=tcp
add action=accept chain=forward comment="rekoad RDP - 3390" dst-address=\
    192.168.2.252 dst-port=3389 log=yes log-prefix=_3390f protocol=tcp
add action=accept chain=forward comment="rekoad NAGIOS - 5667" dst-address=\
    192.168.2.252 dst-port=5666 protocol=tcp
add action=accept chain=forward comment="rekois NAGIOS - 5668" dst-address=\
    192.168.2.249 dst-port=5666 protocol=tcp
add action=accept chain=forward comment="rekois RDP - 3391" dst-address=\
    192.168.2.249 dst-port=3389 protocol=tcp
add action=accept chain=forward comment="rekois SQL IIS Tabor - 9998" \
    dst-address=192.168.2.249 dst-port=9998 protocol=tcp
add action=accept chain=forward comment="rekois SQL - 1433" dst-address=\
    192.168.2.249 dst-port=1433 protocol=tcp
add action=accept chain=forward comment="rekovpn SSH - 1301" dst-address=\
    192.168.2.248 dst-port=1300 protocol=tcp
add action=accept chain=forward comment="rekovpn NAGIOS - 5669" dst-address=\
    192.168.2.248 dst-port=5666 protocol=tcp
add action=accept chain=forward comment="rekovpn OPENVPN - 1194" dst-address=\
    192.168.2.248 dst-port=1194 protocol=udp
add action=accept chain=forward comment="rekovpn OPENVPN - 1194" dst-address=\
    192.168.2.248 dst-port=1194 protocol=tcp
add action=accept chain=forward comment="rekovpn OPENVPN - test" disabled=yes \
    dst-address=192.168.2.248 dst-port=443 protocol=tcp
add action=accept chain=forward comment="rekosmb SSH - 1302" dst-address=\
    192.168.2.247 dst-port=1300 log-prefix=fw-1300-2.247- protocol=tcp
add action=accept chain=forward comment="rekosmb - 5670" dst-address=\
    192.168.2.247 dst-port=5666 protocol=tcp
add action=accept chain=forward comment="rekounifi SSH - 1303" dst-address=\
    192.168.2.246 dst-port=22 log-prefix=fw-1300-2.246- protocol=tcp
add action=accept chain=forward comment="w10 - 3392" dst-address=\
    192.168.2.243 dst-port=3389 log=yes log-prefix=_3392f protocol=tcp
add action=drop chain=forward comment="VSE CO JE NAD POVOLENO, JINAK DROP" \
    log=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade dst-address-list="" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="rekolin NAGIOS" dst-port=5666 \
    in-interface=ether1-WAN protocol=tcp src-address-list=arit to-addresses=\
    192.168.2.251 to-ports=5666
add action=dst-nat chain=dstnat comment="rekolin SSH" dst-port=1300 \
    in-interface=ether1-WAN protocol=tcp src-address-list=arit to-addresses=\
    192.168.2.251 to-ports=1300
add action=dst-nat chain=dstnat comment="rekoad NAGIOS" dst-port=5667 \
    in-interface=ether1-WAN protocol=tcp src-address-list=arit to-addresses=\
    192.168.2.252 to-ports=5666
add action=dst-nat chain=dstnat comment="rekoad RDP" dst-port=3390 \
    in-interface=ether1-WAN log=yes log-prefix=_3390 protocol=tcp \
    src-address-list=arit to-addresses=192.168.2.252 to-ports=3389
add action=dst-nat chain=dstnat comment="rekois NAGIOS" dst-port=5668 \
    in-interface=ether1-WAN protocol=tcp src-address-list=arit to-addresses=\
    192.168.2.249 to-ports=5666
add action=dst-nat chain=dstnat comment="rekois RDP" dst-port=3391 \
    in-interface=ether1-WAN log=yes log-prefix=_3391 protocol=tcp \
    src-address-list=arit to-addresses=192.168.2.249 to-ports=3389
add action=dst-nat chain=dstnat comment="rekois RDP" dst-port=3391 \
    in-interface=ether1-WAN log=yes log-prefix=_3391 protocol=tcp \
    src-address-list="IIS Tabor" to-addresses=192.168.2.249 to-ports=3389
add action=dst-nat chain=dstnat comment="rekois SQL primo z IIS Tabor" \
    dst-port=9998 in-interface=ether1-WAN log=yes log-prefix=_9998 protocol=\
    tcp src-address-list="IIS Tabor" to-addresses=192.168.2.249 to-ports=1433
add action=dst-nat chain=dstnat comment="rekois SQL primo z Aritu" dst-port=\
    9998 in-interface=ether1-WAN log=yes log-prefix=_9998 protocol=tcp \
    src-address-list=arit to-addresses=192.168.2.249 to-ports=1433
add action=dst-nat chain=dstnat comment="rekois SQL primo z Aritu" dst-port=\
    9999 in-interface=ether1-WAN log=yes log-prefix=_9999 protocol=tcp \
    src-address-list=arit to-addresses=192.168.2.249 to-ports=1434
add action=dst-nat chain=dstnat comment="rekovpn NAGIOS" dst-port=5669 \
    in-interface=ether1-WAN protocol=tcp src-address-list=arit to-addresses=\
    192.168.2.248 to-ports=5666
add action=dst-nat chain=dstnat comment="rekovpn SSH" dst-port=1301 \
    in-interface=ether1-WAN protocol=tcp src-address-list=arit to-addresses=\
    192.168.2.248 to-ports=1300
add action=dst-nat chain=dstnat comment="rekovpn OPENVPN" dst-port=1194 \
    in-interface=ether1-WAN protocol=udp to-addresses=192.168.2.248 to-ports=\
    1194
add action=dst-nat chain=dstnat comment="rekovpn OPENVPN" dst-port=1194 \
    in-interface=ether1-WAN protocol=tcp to-addresses=192.168.2.248 to-ports=\
    1194
add action=dst-nat chain=dstnat comment=\
    "rekovpn OPENVPN - testovano pro vpn, kdyz je port blokovan" disabled=yes \
    dst-port=443 in-interface=ether1-WAN protocol=tcp to-addresses=\
    192.168.2.248 to-ports=1194
add action=dst-nat chain=dstnat comment="rekosmb SSH" dst-port=1302 \
    in-interface=ether1-WAN protocol=tcp src-address-list=arit to-addresses=\
    192.168.2.247 to-ports=1300
add action=dst-nat chain=dstnat comment=rekosmb dst-port=5670 in-interface=\
    ether1-WAN protocol=tcp src-address-list=arit to-addresses=192.168.2.247 \
    to-ports=5666
add action=dst-nat chain=dstnat comment="rekounifi SSH" dst-port=1303 \
    in-interface=ether1-WAN protocol=tcp src-address-list=arit to-addresses=\
    192.168.2.246 to-ports=22
add action=dst-nat chain=dstnat comment="servisni w10" dst-port=3392 \
    in-interface=ether1-WAN log=yes log-prefix=_3392 protocol=tcp \
    src-address-list=arit to-addresses=192.168.2.243 to-ports=3389
/ip route
add distance=1 gateway=**ELIDED**
/ip service
set ftp disabled=yes
set www disabled=yes
set ssh port=1313
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=5m default-screen=stats read-only-mode=yes
/lcd interface
add interface=bridge-LAN
/snmp
set enabled=yes trap-community=arit
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=Reko-GW
/system ntp client
set enabled=yes primary-ntp=195.113.144.201
/system scheduler
add interval=4w2d name=schedule1 on-event=backup_script.rc policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/01/2021 start-time=15:13:23
/system script
add dont-require-permissions=no name=backup_script.rc owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local months (\"jan\",\"feb\",\"mar\",\"apr\",\"may\",\"jun\",\"jul\",\"au\
    g\",\"sep\",\"oct\",\"nov\",\"dec\");:local date [/system clock get date];\
    :local dd [:pick \$date 4 6];:local month [:pick \$date 0 3];:local yy [:p\
    ick \$date 9 11];:local mm ([ :find \$months \$month -1 ] + 1);/export hid\
    e-sensitive compact file=(\"backup/zaloha-\".[/system identity get name].\
    \"-\".\$yy.\$mm.\$dd); /export hide-sensitive compact file=(\"/backup/zalo\
    ha-aktualni\"); /system backup save name=zaloha-aktualni"
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks for any advice
Last edited by tangent on Tue Mar 19, 2024 4:24 pm, edited 1 time in total.
Reason: Elided PII
 
Sirajs
just joined
Topic Author
Posts: 3
Joined: Tue Mar 19, 2024 3:45 pm

Re: Website is not reachable but pingable from customer network

Tue Mar 19, 2024 5:13 pm

Maybe NAT? But I don't understand why everything works but only this site doesn't.
 
Sirajs
just joined
Topic Author
Posts: 3
Joined: Tue Mar 19, 2024 3:45 pm

Re: Website is not reachable but pingable from customer network

Wed Mar 20, 2024 11:16 am

So I figured out that the problem is on the route behind our MikroTik and we can't do anything about that.
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Website is not reachable but pingable from customer network

Wed Mar 20, 2024 11:25 am

Sounds like the problem is somewhere outside of the customer's network (IP block?).
You can test that by using a VPN on the customer's site and seeing if you can access the website while connected through the VPN.

> So I figured out that the problem is on the route behind our MikroTik and we can't do anything about that.

Can you please elaborate?

Any reason for still running 6.48.4? Seems there are some improvements missing.
 
kevinds
Long time Member
Posts: 651
Joined: Wed Jan 14, 2015 8:41 am

Re: Website is not reachable but pingable from customer network

Wed Mar 20, 2024 2:48 pm

> So I figured out that the problem is on the route behind our MikroTik and we can't do anything about that.

Then why is it pingable?
