MikroTik

Posted: **Fri Oct 12, 2018 11:38 am**

Hallo i am newbie
first, sorry for my english

i have a problem with my Mikrotik routers. some website can't access but i can ping. the error is "this site can't be reached"

whats the problem? with my firewall?

my config:
[Codebox= /ip firewall filter
add action=accept chain=forward comment="allow semua akses internet ke client" dst-address=ip_gateway in-interface=pppoe-out out-interface=bridge1
add action=accept chain=input comment="Allow remot winbox dari public" dst-port=8291 in-interface=pppoe-out protocol=tcp
add action=accept chain=input comment="Allow NTP traffic" in-interface=pppoe-out protocol=udp src-port=123
add action=accept chain=input comment="Allow DNS Traffic" in-interface=pppoe-out protocol=udp src-port=53
add action=accept chain=input comment="Allow ping traceroute trafic" in-interface=pppoe-out protocol=icmp
add action=add-src-to-address-list address-list=spam address-list-timeout=30m chain=input comment="Log IP yang ditolak" connection-state=new in-interface=\
pppoe-out
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=forward dst-port=1883 protocol=tcp
add action=accept chain=input dst-port=3000 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward comment=HTB-18SEP17 in-interface=bridge1 new-connection-mark=conn-new passthrough=yes
add action=mark-packet chain=forward connection-mark=conn-new new-packet-mark=packet-new passthrough=no
add action=mark-connection chain=prerouting comment=PING-TIME new-connection-mark=pingtime-conn passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=pingtime-conn new-packet-mark=Ping-Paket passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out
add action=masquerade chain=srcnat comment="NAT L2TP" out-interface=pppoe-out src-address=192.168.11.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.90.0/24
add action=dst-nat chain=dstnat dst-address=182.253.31.154 in-interface=pppoe-out protocol=tcp to-addresses=192.168.11.71 to-ports=80
add action=dst-nat chain=dstnat dst-port=3000 protocol=tcp to-addresses=192.168.11.60 to-ports=3000
=Untitled.txt][/Codebox]

Please help me and give me the best answer
thanks

Posted: **Fri Oct 12, 2018 12:02 pm**

To me it looks like you are running into mtu issues. Depending on the encapsulation of your internet connection you may add a rule to clamp to pmtu via mangle

Posted: **Mon Oct 15, 2018 11:30 am**

can you give me the example of rule?
sorry hehe

Posted: **Mon Oct 15, 2018 1:27 pm**

how your DNS looks like?

Posted: **Mon Oct 15, 2018 1:41 pm**

how your DNS looks like?

my dns conf like this " /ip dns set allow-remote-requests=yes cache-max-ttl=1d cache-size=5000KiB max-udp-packet-size=512"
i set DNS from ISP like dynamic DNS

Posted: **Mon Oct 15, 2018 6:55 pm**

Make max udp packet size 4096

Posted: **Mon Oct 15, 2018 9:35 pm**

set up dns, as i can see you dns looks like blank

Posted: **Mon Oct 15, 2018 9:54 pm**

Please send a screenshot, picture, or more detailed information about the error you are receiving:

For Example:

System Hardware
System OS
Browser Type
MT Router Type

Thanks and good luck, we are here to try and help!

Posted: **Mon Oct 15, 2018 10:20 pm**

It looks like you get your internet through PPPoE. In that case MTU varies between 1480 and 1492 normally. Also, try clamping your mss with your pmtu with a simple rule like this:

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface="WAN" passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=1361-65535
add action=change-mss chain=forward in-interface="WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=1361-65535

Also - and this is just a recommendation - give your firewall some love. I saw a bunch of accept rules but no drop rules for the rest of the chain. This is basically the same thing as having no firewall at all.

Posted: **Tue Oct 16, 2018 6:22 am**

Make max udp packet size 4096

i have change but no effect, you have any solution?

Posted: **Tue Oct 16, 2018 6:24 am**

set up dns, as i can see you dns looks like blank

i have change and fill the blank with google DNS 8.8.8.8 , 8.8.4.4 but no effect, you have any solution?

Posted: **Tue Oct 16, 2018 7:07 am**

It looks like you get your internet through PPPoE. In that case MTU varies between 1480 and 1492 normally. Also, try clamping your mss with your pmtu with a simple rule like this:
Code: Select all
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface="WAN" passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=1361-65535
add action=change-mss chain=forward in-interface="WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=1361-65535
Also - and this is just a recommendation - give your firewall some love. I saw a bunch of accept rules but no drop rules for the rest of the chain. This is basically the same thing as having no firewall at all.

i was try to add this rules but not effect too. for my drop rules i was disable because that can drop udp packet or port 39752 for request to IP cloud server. and than i can't use IP cloud cause was dropped

Posted: **Tue Oct 16, 2018 7:19 am**

Please send a screenshot, picture, or more detailed information about the error you are receiving:

For Example:

System Hardware
System OS
Browser Type
MT Router Type

Thanks and good luck, we are here to try and help!

OS : Windows 10
browser: chrome
MT router: RB2011 LS
i can't access one or any website. respone take to long. this site stay load and than
appear this eror code" this site can't be reached"

Posted: **Wed Oct 17, 2018 5:47 am**

sorry guys, i want to tell you about this problem. i was created vpn server in routerboard and then if i turn on VPN connection, all websites can open and load normaly. but if i turn off VPN, i dont open and load again
maybe this problem solved, but i not satisfied. i want to access the site normaly without VPN connection.
thanks, and i hope get solution again.

Posted: **Tue Nov 06, 2018 4:00 am**

Hallo i am newbie
first, sorry for my english

i have a problem with my Mikrotik routers. some website can't access but i can ping. the error is "this site can't be reached"

whats the problem? with my firewall?

my config:
[Codebox= /ip firewall filter
add action=accept chain=forward comment="allow semua akses internet ke client" dst-address=ip_gateway in-interface=pppoe-out out-interface=bridge1
add action=accept chain=input comment="Allow remot winbox dari public" dst-port=8291 in-interface=pppoe-out protocol=tcp
add action=accept chain=input comment="Allow NTP traffic" in-interface=pppoe-out protocol=udp src-port=123
add action=accept chain=input comment="Allow DNS Traffic" in-interface=pppoe-out protocol=udp src-port=53
add action=accept chain=input comment="Allow ping traceroute trafic" in-interface=pppoe-out protocol=icmp
add action=add-src-to-address-list address-list=spam address-list-timeout=30m chain=input comment="Log IP yang ditolak" connection-state=new in-interface=\
pppoe-out
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=forward dst-port=1883 protocol=tcp
add action=accept chain=input dst-port=3000 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward comment=HTB-18SEP17 in-interface=bridge1 new-connection-mark=conn-new passthrough=yes
add action=mark-packet chain=forward connection-mark=conn-new new-packet-mark=packet-new passthrough=no
add action=mark-connection chain=prerouting comment=PING-TIME new-connection-mark=pingtime-conn passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=pingtime-conn new-packet-mark=Ping-Paket passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out
add action=masquerade chain=srcnat comment="NAT L2TP" out-interface=pppoe-out src-address=192.168.11.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.90.0/24
add action=dst-nat chain=dstnat dst-address=182.253.31.154 in-interface=pppoe-out protocol=tcp to-addresses=192.168.11.71 to-ports=80
add action=dst-nat chain=dstnat dst-port=3000 protocol=tcp to-addresses=192.168.11.60 to-ports=3000
=Untitled.txt][/Codebox]

Please help me and give me the best answer
thanks

anyone can help me. please i need help

MikroTik

[ASK]Can't access some website "this site can't be reached"

[ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"

Re: [ASK]Can't access some website "this site can't be reached"