thj
just joined
Topic Author
Posts: 19
Joined: Fri Jun 19, 2015 11:14 pm

Error while opening specific HTTPS page

Mon Jun 29, 2015 10:46 am

I have two routers (Asus and Mikrotik) at home on the same ISP connection. Both have different static IP addresses. If I am on the wireless connection on the Mikrotik, a specific HTTPS page doesn't open. If I try to open the same page when I am on the Asus wireless network, it opens just fine. How can I debug and figure out why that page is not opening?
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Error while opening specific HTTPS page

Mon Jun 29, 2015 11:25 am

Do you have web-proxy or hotspot enabled?
 
thj
just joined
Topic Author
Posts: 19
Joined: Fri Jun 19, 2015 11:14 pm

Re: Error while opening specific HTTPS page

Mon Jun 29, 2015 11:31 am

No. Nothing. I did have hotspot enabled, but it didn't work as I hoped it would, so I restored the settings that I saved prior to hotspot initialization. I also made a Virtual AP for guest users but again found it not working properly, so I removed it. Sometime in between, the opening of specific HTTPS pages stopped working properly.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Error while opening specific HTTPS page

Mon Jun 29, 2015 11:33 am

Can you post the output of New Terminal > /export (edit out passwords, etc.)?
 
thj
just joined
Topic Author
Posts: 19
Joined: Fri Jun 19, 2015 11:14 pm

Re: Error while opening specific HTTPS page

Mon Jun 29, 2015 11:39 am

Here it is:
# jun/29/2015 10:34:26 by RouterOS 6.29.1
# software id = CVIA-D4PS
#
/interface bridge
add arp=proxy-arp name=Bridge-Asus
add admin-mac=4C:5E:0C:F0:XX:X arp=proxy-arp auto-mac=no name=Bridge-LAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=slovenia disabled=no \
    frequency=auto l2mtu=1600 mode=ap-bridge multicast-helper=full ssid=\
    MikroTik-hAP-Lite
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1600 name=ether1-WAN
/interface pptp-server
add name=<pptp-vpnak> user=username
/interface eoip
add arp=proxy-arp disabled=yes !keepalive local-address=192.168.8.1 \
    mac-address=02:77:16:CD:XX:XX name=EoIP-Doma remote-address=192.168.88.1 \
    tunnel-id=20
/ip neighbor discovery
set ether1-WAN discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys wpa-pre-shared-key=password wpa2-pre-shared-key=passsword
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=gostje supplicant-identity="" \
    wpa2-pre-shared-key=password
/ip pool
add name=dhcp ranges=192.168.8.100-192.168.8.220
/ip dhcp-server
add address-pool=dhcp disabled=no interface=Bridge-LAN lease-time=1d name=\
    default
/ppp profile
set [ find name=default ] bridge=Bridge-LAN local-address=192.168.8.1 name=\
    default remote-address=dhcp use-encryption=yes
set [ find name=default-encryption ] bridge=Bridge-LAN local-address=\
    192.168.8.1 name=default-encryption remote-address=dhcp
/interface bridge port
add bridge=Bridge-LAN interface=ether2
add bridge=Bridge-LAN interface=wlan1
add bridge=Bridge-LAN interface=ether3
add bridge=Bridge-LAN interface=EoIP-Doma
add bridge=Bridge-Asus interface=ether4
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes max-mru=1500 max-mtu=\
    1500 mrru=1600
/ip address
add address=192.168.8.1/24 comment="default configuration" interface=ether2 \
    network=192.168.8.0
add address=20.20.20.1/24 comment="Stati\E8ni IP za EoIP tunel" interface=\
    EoIP-Doma network=20.20.20.0
add address=1.1.1.1/10 comment="WAN IP naslov" interface=ether1-WAN \
    network=84.192.0.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1-WAN
add comment="Asus Router" dhcp-options=hostname,clientid disabled=no \
    interface=ether4
/ip dhcp-server network
add address=192.168.8.0/24 comment="default configuration" gateway=\
    192.168.8.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=84.255.209.79,84.255.210.79
/ip dns static
add address=192.168.8.1 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Default configuration" \
    connection-state=established,related
add action=drop chain=input comment="Open DNS blocker" dst-port=53 \
    in-interface=ether1-WAN protocol=udp
add action=drop chain=input comment="Open DNS blocker" dst-port=53 \
    in-interface=ether1-WAN protocol=tcp
add chain=input comment="Winbox remote access" dst-port=8291 protocol=tcp
add chain=input comment="HTTP WAN Admin" dst-port=80 protocol=tcp
add chain=input comment="Default configuration" protocol=icmp
add chain=input comment="Allow IGMP" protocol=igmp
add chain=input comment="Allow UDP" protocol=udp
add chain=forward protocol=udp
add chain=input comment="Default configuration" connection-state=\
    established,related
add chain=input comment="Allow pptp" dst-port=1723 protocol=tcp
add chain=forward comment="Default configuration" connection-state=\
    established,related
add action=drop chain=input comment="Default configuration" in-interface=\
    ether1-WAN
add action=drop chain=forward comment="Default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="Default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Default configuration" \
    out-interface=ether1-WAN
add action=masquerade chain=srcnat comment="Za Asus bridge" out-interface=\
    Bridge-Asus src-address=192.168.8.0/24
add action=dst-nat chain=dstnat comment=Prodigy_SSH dst-port=2122 \
    in-interface=ether1-WAN protocol=tcp to-addresses=192.168.8.49 to-ports=\
    2022
add action=dst-nat chain=dstnat comment=RicohMP dst-port=1199 in-interface=\
    ether1-WAN protocol=tcp to-addresses=192.168.8.49 to-ports=80
/ip route
add distance=1 gateway=84.255.192.1
/ppp secret
add name=username password=password profile=default-encryption routes=\
    192.168.88.0/24 service=pptp
/routing igmp-proxy
set query-interval=50s quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 comment="Upstream iz WAN porta" interface=\
    ether1-WAN upstream=yes
add comment="Dostop za vse naprave v LAN bridgu" interface=Bridge-LAN
add comment="Dostop preko PPTP povezave" interface=<pptp-vpnak>
add comment="Wireless dostop do Proxy stre\9Enika" interface=wlan1
/system clock
set time-zone-name=Europe/Ljubljana
/system ntp client
set enabled=yes primary-ntp=193.2.1.117 secondary-ntp=193.2.4.6
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
/tool graphing interface
add interface=<pptp-vpnak>
add interface=Bridge-LAN
add interface=ether1-WAN
add interface=wlan1
add
/tool graphing resource
add
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=wlan1
add interface=Bridge-LAN
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=wlan1
add interface=Bridge-LAN
/tool romon port
add disabled=no
Thank you.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Error while opening specific HTTPS page

Mon Jun 29, 2015 11:50 am

When you use a bridge, you should set the IP on the bridge itself, otherwise you'll have unpredictable results. Fix the LAN IP address:
add address=192.168.8.1/24 comment="default configuration" interface=Bridge-LAN  network=192.168.8.0
Change that, reboot and test...
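
The rule in the post above can be checked against a saved `/export`. The following is an added example, not code from the thread or from MikroTik: it parses the export and lists `/ip address` entries bound to an interface that is a bridge port. Applying the same rule to `/ip dhcp-client` is an assumption that goes beyond the post; the function names are hypothetical and the sample is a constructed excerpt of the export posted earlier.

```python
import re

# Constructed sample: a trimmed excerpt of the export posted in this thread.
SAMPLE_EXPORT = r'''
/interface bridge
add arp=proxy-arp name=Bridge-Asus
add arp=proxy-arp auto-mac=no name=Bridge-LAN
/interface bridge port
add bridge=Bridge-LAN interface=ether2
add bridge=Bridge-LAN interface=wlan1
add bridge=Bridge-Asus interface=ether4
/ip address
add address=192.168.8.1/24 comment="default configuration" interface=ether2 \
    network=192.168.8.0
add address=1.1.1.1/10 comment="WAN IP naslov" interface=ether1-WAN \
    network=84.192.0.0
/ip dhcp-client
add comment="Asus Router" dhcp-options=hostname,clientid disabled=no \
    interface=ether4
'''

# key=value pairs; a value is either double-quoted or a run of non-spaces.
KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_export(text):
    """Return {menu path: [properties of each 'add' line]}."""
    text = re.sub(r'\\\n\s*', '', text)  # join '\' continuation lines
    sections, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('/'):
            menu = line
        elif menu and line.startswith('add '):
            props = {k: v.strip('"') for k, v in KV.findall(line)}
            sections.setdefault(menu, []).append(props)
    return sections

def l3_on_bridge_ports(text):
    """List (menu, port, bridge) for L3 config bound to a bridge port."""
    cfg = parse_export(text)
    bridge_of = {p['interface']: p['bridge']
                 for p in cfg.get('/interface bridge port', [])}
    findings = []
    for menu in ('/ip address', '/ip dhcp-client'):  # dhcp-client: added assumption
        for item in cfg.get(menu, []):
            port = item.get('interface')
            if port in bridge_of and item.get('disabled') != 'yes':
                findings.append((menu, port, bridge_of[port]))
    return findings
```

Each finding names the menu, the bridge port carrying the configuration, and the bridge it should be moved to.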
 
thj
just joined
Topic Author
Posts: 19
Joined: Fri Jun 19, 2015 11:14 pm

Re: Error while opening specific HTTPS page

Mon Jun 29, 2015 11:57 am

Done. I used this command to set the IP on the bridge and rebooted my Mikrotik:
/ip address add address=192.168.8.1/24 comment="default configuration" interface=Bridge-LAN  network=192.168.8.0
Currently I am at work, so when I get home I will test this configuration. Is this suggestion about setting the IP directly on the bridge documented? Maybe I can find some other suggestions that could help me while setting up my Mikrotik further.

Thank you very much for your help.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Error while opening specific HTTPS page

Mon Jun 29, 2015 8:22 pm

It is common practice in networking. Have a look at http://wiki.mikrotik.com/wiki/Manual:IP/Address
It is possible to add multiple IP addresses to an interface or to leave the interface without any addresses assigned to it. In case of bridging or PPPoE connection, the physical interface may not have any address assigned, yet be perfectly usable. Putting an IP address to a physical interface included in a bridge would mean actually putting it on the bridge interface itself. You can use /ip address print detail to see to which interface the address belongs to.
The same applies to switch groups: the IP has to be set on the master interface.
 
thj
just joined
Topic Author
Posts: 19
Joined: Fri Jun 19, 2015 11:14 pm

Re: Error while opening specific HTTPS page

Mon Jun 29, 2015 10:16 pm

Sadly, this doesn't solve my problem with a specific HTTPS page not opening. Any way to debug it?
 
mendocinoe
just joined
Posts: 6
Joined: Wed Jun 17, 2015 9:00 am

Re: Error while opening specific HTTPS page

Wed Jul 01, 2015 9:56 am

I'm new to this, so maybe I'm wrong, but may I suggest that you check if the problem goes away with a firewall mangle rule to decrease the TCP-MSS? See the thread started by chintan1011 a few days back for a suggestion from Normis.
 
thj
just joined
Topic Author
Posts: 19
Joined: Fri Jun 19, 2015 11:14 pm

Re: Error while opening specific HTTPS page

Wed Jul 01, 2015 10:01 am

I do not have a PPPoE connection, but I will try the mangle command anyway. I will report back once I get home and test.
/ip firewall mangle 
add chain=forward protocol=tcp tcp-flags=syn action=change-mss tcp-mss=!0-1432 new-mss=1410