Hi, this is over my head. I can't access my own site, corsa-c.ro. It was ok for years until recently. It won't work in my LAN but on phone 3G works fine, so website looks good. On phone, on WiFi, also no connection, so can exclude the PC.

I run a Mikrotik RB493G as router, firewall, access point and capsman for wAP ac. Software version in both is 6.41.

The message I get from the browser is "The Connection has timed out". Traceroute from PC will eventually reach the website on IP 37.251.143.31, however, on hops 7,8,9,11,12,13 will time-out.
At Mikrotik, in IP, Firewall, Connections, I see for 37.251.143.31:80 syn sent and that's is, nothing else.

What I tried: access with PC directly the WAN, website works fine. Disable all firewall rules, reboot Mikrotik, it won't help. I don't know what else. I tried MTU on 1500 but Actual MTU automatically reverses to 1480.

Anybody an idea?

/ip firewall filter
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid
add action=drop chain=input comment="Drop DNS open resolver" dst-port=53 \
in-interface=KPN protocol=udp
add action=drop chain=input comment="Drop DNS open resolver" dst-port=53 \
in-interface=KPN protocol=tcp
add action=drop chain=input comment=\
"Allow internal LAN winbox access to router and deny anything else" \
dst-port=8291 protocol=tcp src-address=!192.168.1.0/24
add action=tarpit chain=input comment="Tarpit traffic from DOS list" \
log-prefix="\"\"" protocol=tcp src-address-list=DOS
add action=add-src-to-address-list address-list=DOS address-list-timeout=1d \
chain=input comment="Put address on DOS list" connection-limit=100,32 \
log-prefix="\"\"" protocol=tcp src-address=!192.168.1.0/24
add action=add-src-to-address-list address-list=DOS address-list-timeout=1d \
chain=input comment="Put address on DOS list" connection-limit=100,32 \
log-prefix="\"\"" protocol=tcp src-address=!10.1.0.0/24
add action=drop chain=input comment="dropping port scanners" src-address-list=\
"port scanners"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp \
tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=forward comment="allow related connections" \
connection-state=related
add action=accept chain=forward comment="allow established connections" \
connection-state=established

/ip firewall nat
add action=masquerade chain=srcnat out-interface=KPN
add action=src-nat chain=srcnat comment="exit to adsl modem" out-interface=\
ether1 src-address=192.168.1.0/24 to-addresses=10.0.0.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

IP Route print details
0 ADS dst-address=0.0.0.0/0 gateway=KPN gateway-status=KPN reachable distance=1 scope=30
target-scope=10
1 ADC dst-address=10.0.0.0/24 pref-src=10.0.0.2 gateway=ether1
gateway-status=ether1 reachable distance=0 scope=10
2 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=bridge1
gateway-status=bridge1 reachable distance=0 scope=10
3 ADC dst-address=y.y.y.y/32 pref-src=x.x.x.x gateway=KPN
gateway-status=KPN reachable distance=0 scope=10

Thank you for your time.

This is normally caused by clueless operators on the path towards the website that have blocked ICMP, combined with your provider using PPPoE and no RFC4638.
(so you cannot set MTU 1500 on your PPPoE interface)

You can work around this problem by adding this to your configuration:

I've tried that workaround, however without results. Why would only one website be affected? Do I need to change my host? Is anything in my config wrong? I can ping 37.251.143.31 and get around 48ms reply. Sorry for so many questions.

I've logged above rule and got this:

forward: in: bridge1(wlan1) out:KPN, src-mac , proto TCP(SYN), 192.168.1.10:58130->37.251.143.31:80, len 52

and this repeats itself for a while together with this:
forward: in: bridge1(wlan1) out:KPN, src-mac , proto TCP(SYN), 192.168.1.10:58130->37.251.143.31:80, NAT (192.168.1.10:58131->my wan IP)->37.251.143.80, len 52.

I've just tried that using google DNS but no result. What I find odd, with my laptop Win 10, with simple PPPoE interface, connected to internet provider, all works fine. So I would not suspect DNS trouble. I conclude something odd happens with my Mikrotik. I have an Cloud Core Router with older software, maybe I should try that one out ....

With an CCR and simple config, it works just fine. Software 6.40.1.

Now, how do I explain this: without changing anything, while I was busy with the CCR, lets say 30 minutes, I plugged back the VDSL to Mikrotik RB493G and guess what, it works now. No reboot nothing. Problem is, this lasts a day or so then same problem.

I am very puzzled.

I see it is a forum. Maybe your IP has been blocked, or the subnet your IP is in.
Some forum operators arbitrarily block IP ranges when they feel they have been "attacked" or because of other abuse.
I have seen entire /16 networks of my provider being blocked (and other networks of the same provider not).

Hi, thanks, it is my own forum. I've called the host company and they confirmed my IP is not blocked.

Hi, thanks, it is my own forum. I've called the host company and they confirmed my IP is not blocked.

I'm having the same problem with 6.41, lower versions work fine.

And its done, today no longer access. I'm not really fun of downgrade, it always goes wrong with me.

I've downgraded to 6.40.5 and all fine. There is a problem with 6.41. I don't know what, but for me was bad.

Hi, We experienced the same problem, one or two websites could not be accessed by clients running 6.41. Downgraded them and it worked!
Before downgrading we changed IPs to totally different subnets also, to no avail. Configuring PPPoE on another router (not Mikrotik) and it works.
Definitely something wrong in 6.41.

A have no access to this two web sites: https://bazar.bg/ and http://www.speedtest.net/ ....!
My ISP is use PPPOE!
RB951 6.42
My options are:
1 bridge -> ether2,3,4 + wlan + EOIP
copy/pase this mange rule and everything is fine, THANKS pe1chl !!
But would you like to explain what exactly does it do?

This is normally caused by clueless operators on the path towards the website that have blocked ICMP, combined with your provider using PPPoE and no RFC4638.
(so you cannot set MTU 1500 on your PPPoE interface)

You can work around this problem by adding this to your configuration:

Code: Select all

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

A have no access to this two web sites: https://bazar.bg/ and http://www.speedtest.net/ ....!
My ISP is use PPPOE!
RB951 6.42
My options are:
1 bridge -> ether2,3,4 + wlan + EOIP
copy/pase this mange rule and everything is fine, THANKS pe1chl !!
But would you like to explain what exactly does it do?

This is normally caused by clueless operators on the path towards the website that have blocked ICMP, combined with your provider using PPPoE and no RFC4638.
(so you cannot set MTU 1500 on your PPPoE interface)

You can work around this problem by adding this to your configuration:

Code: Select all

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

whoa also a big thanks to pe1chl!!! was also going insane trying to figure out what the hell was going on with certain inaccessible sites! ...and now they work!

This is normally caused by clueless operators on the path towards the website that have blocked ICMP, combined with your provider using PPPoE and no RFC4638.
(so you cannot set MTU 1500 on your PPPoE interface)

You can work around this problem by adding this to your configuration:

Code: Select all

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

Thank you for this, it works fine.

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

BIG THANKS pe1chl

/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

Same trouble here accessing websites. Adding that chain to mangle made our nightmare go away.

THANK YOU!

J.

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

the above is really working..
i have been troubleshooting for 3 days without luck..

thanks a million..