allaccesstech
just joined
Topic Author
Posts: 5
Joined: Fri Feb 26, 2016 5:21 am

Client unable to access ONE website since switching to MikroTik Router

Fri Feb 26, 2016 5:27 am

Hello all and thank you in advance to anyone who can help me with this. It's most likely simple but sadly the extent of my knowledge on what to change on the MikroTik for my client isn't as good as I'd like it to be.

Since we changed out their router from a dying SonicWall to an RB750GL, they can no longer access this website:

https://lex.quikq.com:13303/SaaS/core/login

The web browser just times out and can't connect to the page. From the mobile devices not on the wired and wireless network.... they can connect just fine. I can connect to it from my house on a different router.

HELP! They need this for business and I'm completely baffled as to what I need to change. I am welcome to any help you can toss my way.

Thank you very much!
 
bommi
Frequent Visitor
Posts: 52
Joined: Fri Jan 24, 2014 9:13 am
Location: Germany

Re: Client unable to access ONE website since switching to MikroTik Router

Fri Feb 26, 2016 2:22 pm

Hi,


could you show us the output of:

/ip firewall filter export

and

/ip firewall nat export


Regards
bommi
 
allaccesstech
just joined
Topic Author
Posts: 5
Joined: Fri Feb 26, 2016 5:21 am

Re: Client unable to access ONE website since switching to MikroTik Router

Fri Feb 26, 2016 5:45 pm

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=\
established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1-gateway

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-gateway protocol=tcp to-addresses=\
192.168.19.10 to-ports=3389
add action=dst-nat chain=dstnat dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=\
192.168.19.15 to-ports=8080
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Client unable to access ONE website since switching to MikroTik Router

Fri Feb 26, 2016 6:13 pm

Everything looks good in your configuration.
The port # is strange, so it's possible that the remote device communicates in a way that might be getting caught by the forward filter rule which drops connection-state=invalid....

It's a stretch, but what happens if you disable that rule?

You could also try adding a whitelist rule:
/ip firewall filter add chain=forward src-address=IP.OF.SITE action=accept

and place this rule earlier in the forward chain than the drop invalid and drop !dstnat rules....

These are just guesses, though, because in general I'd say your rules should work just fine. The hostname doesn't resolve to something inside your LAN does it? Double check the IP that the lan-connected hosts are trying to connect to, and possibly make sure this didn't end up in your Mikrotik's IP > DNS static entries somehow with the wrong IP there...
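
The posted forward-chain rules can be walked by hand to see which one a given packet would hit. The following is an added example, not part of the original thread and not MikroTik code: a simplified first-match evaluator over the rules exactly as exported above. The sample packets and the LAN interface name `bridge-local` are assumptions made for illustration.

```python
import shlex

# Forward-chain rules copied from the export posted earlier in this thread.
EXPORT = r'''
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=\
established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1-gateway
'''

def parse_rules(text):
    """Join backslash-continued lines and turn each 'add' line into a dict."""
    rules = []
    for line in text.replace("\\\n", "").strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
        fields.setdefault("action", "accept")  # RouterOS default when action is omitted
        rules.append(fields)
    return rules

def matches(rule, pkt):
    """True if every matcher on the rule agrees with the packet's attributes."""
    for key, want in rule.items():
        if key in ("action", "comment"):
            continue
        negate = want.startswith("!")
        hit = pkt.get(key) in want.lstrip("!").split(",")
        if hit == negate:
            return False
    return True

def verdict(rules, pkt):
    """Return (action, rule index) of the first terminating rule that matches."""
    for i, rule in enumerate(rules):
        if rule["action"] == "fasttrack-connection":
            continue  # non-terminating: the packet carries on to the next rule
        if matches(rule, pkt):
            return rule["action"], i
    return "accept", None  # end of chain: accepted by default

RULES = parse_rules(EXPORT)
# Constructed sample packets; "bridge-local" is an assumed LAN interface name.
LAN_SYN = {"chain": "forward", "connection-state": "new", "in-interface": "bridge-local"}
SITE_REPLY = {"chain": "forward", "connection-state": "established", "in-interface": "ether1-gateway"}
INVALID_REPLY = {"chain": "forward", "connection-state": "invalid", "in-interface": "ether1-gateway"}
WAN_NEW = {"chain": "forward", "connection-state": "new", "in-interface": "ether1-gateway"}
```

A new outbound connection from the LAN falls through every rule and is accepted by default, so the only posted rule that could interfere with return traffic is the `connection-state=invalid` drop, and only if connection tracking classifies the reply as invalid.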
 
allaccesstech
just joined
Topic Author
Posts: 5
Joined: Fri Feb 26, 2016 5:21 am

Re: Client unable to access ONE website since switching to MikroTik Router

Fri Feb 26, 2016 7:24 pm

I've tried both of your suggestions and unfortunately the issue remains. The hostname is a website outside of our network. If we plug into any other router, it works just fine.....so it's something inside this MikroTik that's blocking it. I'd hate to switch to something else, but if this doesn't get fixed, we may have to. Any other suggestions?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Client unable to access ONE website since switching to MikroTik Router

Fri Feb 26, 2016 7:46 pm

The only other things I can think of are:

Something on this site uses port 8080 or 3389 in its functionality - would it hurt anything to temporarily disable these nat pinholes for a quick test without them?

Maybe there's an MTU issue? Mikrotik shouldn't be blocking path mtu discovery though... you could try setting the MTU lower on your test computer just to see if that makes any difference (or using the mangle forward chain to clamp-mss to something silly like 1200)

Are there any static routes in the Mikrotik with the dst=site's IP address?
 
allaccesstech
just joined
Topic Author
Posts: 5
Joined: Fri Feb 26, 2016 5:21 am

Re: Client unable to access ONE website since switching to MikroTik Router

Fri Feb 26, 2016 7:51 pm

Well, the 8080 is what the camera system in the building uses to view offsite. 3389 is for me to RDP to the server. I am administering most of this remotely, so if I disable 3389, I will lock myself out. I just tried disabling the 8080 port rule and got the same result of no access to that website.

This is most frustrating as they need to get to that website. :( Just not sure what the problem is because if I plug in a Netgear router to their network using the same IPs and equipment.... website loads just fine. *sigh*

I've also tried building a static route for the site's IP....to no avail.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Client unable to access ONE website since switching to MikroTik Router

Fri Feb 26, 2016 8:02 pm

> I've also tried building a static route for the site's IP....to no avail.

Actually, there shouldn't be such a static route - I was just trying to think of every little cubbyhole that could affect this.

You could "disable" the remote desktop rule by adding src-address=your current IP (check ipchicken.com) as a criterion to the pinhole rule...

You could actually just disable the rule because it only applies to new connections, but if you got kicked out while the rule was disabled, you wouldn't be able to get in again, so using your IP as the source address is a safer way to "disable" it from the perspective of the internet in general.

Does this site cause a java app or some other secondary connections to happen? Does the site start to load and then fail? The unusual port number tells me that something unusual happens with this site.
 
Plnt
just joined
Posts: 10
Joined: Thu Jul 16, 2015 2:27 pm

Re: Client unable to access ONE website since switching to MikroTik Router

Fri Feb 26, 2016 8:13 pm

I would suggest trying to telnet to that webpage directly from the MikroTik router to see if the port opens. There are a couple of things which can happen.

1) Host is not resolved in DNS
[admin@MikroTik] > /system telnet lex.quikq.com 13303
invalid value for argument address:
    while resolving ip-address: name does not exist
    invalid value for argument addr
2) Port doesn't open
[admin@MikroTik] > /system telnet lex.quikq.com 13303
Trying 67.217.243.90...
3) Port opens correctly
[admin@MikroTik] > /system telnet lex.quikq.com 13303
Trying 67.217.243.90...
Escape character is '^]'.
What you can use this for is to find out if the DNS is broken (1st variant), if you're blocked by the forward chain in firewall, routing, etc. (the 3rd variant) or if it's something broken even on a different level (the 2nd variant).

Alternatively you can use the fetch tool on the MikroTik router.
[admin@MikroTik] > /tool fetch url="https://lex.quikq.com:13303/SaaS/core/login" mode=https dst-path="test.txt"
 
Plnt
just joined
Posts: 10
Joined: Thu Jul 16, 2015 2:27 pm

Re: Client unable to access ONE website since switching to MikroTik Router

Fri Feb 26, 2016 8:25 pm

Also what I would suggest to try is to check your routing table if you don't have some network containing that particular IP in there by accident.
[admin@MikroTik] > /ip route print
You can try to do traceroute to that host, compare it with other locations and check if it's not ending somewhere where it shouldn't.
[admin@MikroTik] > /tool traceroute lex.quikq.com
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Client unable to access ONE website since switching to MikroTik Router

Fri Feb 26, 2016 9:30 pm

> You can try to do traceroute to that host, compare it with other locations and check if it's not ending somewhere where it shouldn't.
> [admin@MikroTik] > /tool traceroute lex.quikq.com

How did I forget to suggest this? D'oh!
 
allaccesstech
just joined
Topic Author
Posts: 5
Joined: Fri Feb 26, 2016 5:21 am

Re: Client unable to access ONE website since switching to MikroTik Router

Fri Feb 26, 2016 9:33 pm

Traceroute makes it all the way to the second to last hop and then times out. Never makes it to the destination IP.
 
darkprocess
Member Candidate
Posts: 249
Joined: Fri Mar 20, 2015 1:16 pm

Client unable to access ONE website since switching to MikroTik Router

Sat Feb 27, 2016 12:50 am

Mss shaping to implement?