IgnacioAA
just joined
Topic Author
Posts: 12
Joined: Thu Sep 24, 2020 4:27 pm

website responds ping but does not navigate

Tue Feb 02, 2021 8:42 pm

My hAP ac router can browse the internet, but some pages do not load in the web browser even though the same sites respond to ping. I don't know what the problem is.
I appreciate your help.

# feb/03/2021 16:07:09 by RouterOS 6.48
# software id = 0TQI-SY35
#
# model = RB962UiGS-5HacT2HnT
# serial number = CC4F0C699667
# NOTE(review): the header carries the software id and serial number and the
# body carries MAC addresses. No passwords or Wi-Fi keys appear below, but these
# identifiers are still worth redacting before a configuration is posted publicly.
# Bridge with a fixed (admin) MAC address instead of an automatically chosen one.
/interface bridge
add admin-mac=48:8F:5A:30:D4:DF auto-mac=no comment=defconf name=bridge
# The SFP port is disabled.
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
# WAN uplink: PPPoE client on ether1 that installs the default route and takes
# its DNS servers from the peer.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=antel@adsl
# Physical radios: wlan1 on 2.4 GHz and wlan2 on 5 GHz, both in ap-bridge mode
# with WPS disabled.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=uruguay disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=error! station-roaming=enabled \
wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=uruguay disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid=error!-5G station-roaming=\
enabled wireless-protocol=802.11 wps-mode=disabled
# Interface lists WAN and LAN; the firewall rules in this export match on them.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): both security profiles still allow wpa-psk next to wpa2-psk.
# Unless a legacy client needs it, authentication-types=wpa2-psk alone is the
# stricter setting. No pre-shared keys appear in this export.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
supplicant-identity=MikroTik
# Virtual APs wlan3 (on wlan2) and wlan4 (on wlan1) broadcasting the
# "Invitados-UCM" SSID with the non-default security profile "profile".
/interface wireless
add disabled=no mac-address=4A:8F:5A:30:D4:E4 master-interface=wlan2 name=\
wlan3 security-profile=profile ssid=Invitados-UCM station-roaming=enabled \
wps-mode=disabled
add disabled=no mac-address=4A:8F:5A:30:D4:E5 master-interface=wlan1 name=\
wlan4 security-profile=profile ssid=Invitados-UCM station-roaming=enabled \
wps-mode=disabled
# DHCP address pool and the DHCP server that serves it on the bridge.
/ip pool
add name=dhcp ranges=192.168.149.110-192.168.149.199
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge lease-time=\
1w10m name=defconf
# Four disk logging targets, each configured for 3 files of 10000 lines.
/system logging action
add disk-file-count=3 disk-file-name=Critical disk-lines-per-file=10000 name=\
CriticalDisk target=disk
add disk-file-count=3 disk-file-name=Error disk-lines-per-file=10000 name=\
ErrorDisk target=disk
add disk-file-count=3 disk-file-name=Info disk-lines-per-file=10000 name=\
InfoDisk target=disk
add disk-file-count=3 disk-file-name=Warning disk-lines-per-file=10000 name=\
WarningDisk target=disk
# Policy list assigned to the "full" user group.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# Frames bridged to or from the guest virtual APs (wlan3, wlan4) are dropped in
# the bridge forward chain.
# NOTE(review): this blocks layer-2 forwarding only. wlan3/wlan4 are ports of the
# same bridge, so guests presumably get addresses from the same 192.168.149.0/24
# DHCP server and count as LAN for the firewall and for the /ip service address
# limits — confirm. A separate bridge or VLAN with its own subnet would keep
# guests away from router management.
/interface bridge filter
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
# Bridge ports: the wired LAN ports, sfp1, both radios and both guest virtual APs.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3
add bridge=bridge interface=wlan4
# Neighbor discovery runs only on interfaces in the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Interface list membership: bridge is LAN; ether1 and pppoe-out1 are WAN.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
# Router address on the LAN bridge.
/ip address
add address=192.168.149.203/24 comment=defconf interface=bridge network=\
192.168.149.0
/ip dhcp-client
add comment=defconf interface=ether1
# DHCP clients are handed the router itself as gateway and DNS server.
/ip dhcp-server network
add address=192.168.149.0/24 comment=defconf dns-server=192.168.149.203 \
gateway=192.168.149.203 netmask=24
# The router answers DNS queries from other hosts.
# NOTE(review): with allow-remote-requests=yes the input chain has to keep
# WAN-side queries out; in this export that depends on the
# "drop all not coming from LAN" filter rule staying in place.
/ip dns
set allow-remote-requests=yes
# Static entry for router.lan, currently disabled.
/ip dns static
add address=192.168.149.203 comment=defconf disabled=yes name=router.lan
# Firewall filter rules; within each chain they are evaluated in the order listed.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Lets UDP DNS queries arriving on the bridge reach the router's resolver.
add action=accept chain=input comment="DNS DE LA LAN" dst-port=53 \
in-interface=bridge protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
# Anything addressed to the router itself from a non-LAN interface that was not
# accepted above is dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# NOTE(review): the four "Port Forwarding" rules below are in chain=input and
# come after the input drop for non-LAN traffic, so they cannot match packets
# arriving from the WAN. Connections rewritten by dst-nat are forwarded rather
# than delivered to the router, so the forward chain decides them, and the
# "drop all from WAN not DSTNATed" rule already lets dst-nat'ed connections
# through. These input rules look unnecessary for the port forwards.
add action=accept chain=input comment="Port Forwarding puerto 80" dst-port=80 \
protocol=tcp
add action=accept chain=input comment="Port Forwarding puerto 2222" dst-port=\
2222 protocol=tcp
# NOTE(review): src-port="" in the next two rules is an empty matcher —
# presumably a GUI leftover; confirm it is not meant to restrict anything.
add action=accept chain=input comment="Port Forwarding puerto 37777" \
dst-port=37777 protocol=tcp src-port=""
add action=accept chain=input comment="Port Forwarding puerto 37777 UDP" \
dst-port=37777 protocol=udp src-port=""
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# New connections from WAN are forwarded only if a dst-nat rule translated them.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for traffic leaving through interfaces in the WAN list.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Transparent DNS: UDP/53 packets passing dstnat are redirected to the router.
# NOTE(review): there is no in-interface matcher, so queries arriving from the
# WAN are redirected too and are then left to the input chain; only UDP is
# redirected, TCP/53 is not.
add action=redirect chain=dstnat comment="DNS CACHE TRANSPARENTE" dst-port=53 \
protocol=udp to-ports=53
# NOTE(review): this rule has no in-interface, in-interface-list or dst-address
# matcher, so it rewrites every TCP/80 connection crossing the router —
# including LAN clients browsing plain-HTTP sites — to 192.168.149.200. That
# fits the symptom reported in the thread (ping works, some pages do not load).
# Limiting the rule to inbound WAN traffic, e.g. in-interface-list=WAN, keeps
# the port forward without capturing outbound browsing. The 37777 and 2222
# rules below are unscoped in the same way.
add action=dst-nat chain=dstnat comment="redireccion puerto 80 ip 200" \
dst-port=80 protocol=tcp to-addresses=192.168.149.200 to-ports=80
add action=dst-nat chain=dstnat comment="redireccion puerto 37777 ip 200" \
dst-port=37777 protocol=tcp to-addresses=192.168.149.200 to-ports=37777
add action=dst-nat chain=dstnat comment=\
"redireccion puerto 37777 UDP ip 200" dst-port=37777 protocol=udp \
to-addresses=192.168.149.200 to-ports=37777
# NOTE(review): forwards port 2222 to SSH (22) on 192.168.149.83 from any
# source address; a src-address or src-address-list matcher would limit who
# can reach that host.
add action=dst-nat chain=dstnat comment="redireccion puerto 2222 ip 83" \
dst-port=2222 protocol=tcp to-addresses=192.168.149.83 to-ports=22
# Management services: telnet, ftp, www, api and api-ssl are disabled; ssh
# (moved to port 6622) and winbox accept connections only from 192.168.149.0/24.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.149.0/24 port=6622
set api disabled=yes
set winbox address=192.168.149.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Montevideo
/system identity
set name=MikroTik-UCM
# Points logging rules 0-3 at the disk actions named InfoDisk, ErrorDisk,
# WarningDisk and CriticalDisk.
/system logging
set 0 action=InfoDisk
set 1 action=ErrorDisk
set 2 action=WarningDisk
set 3 action=CriticalDisk
# Bandwidth test server is disabled.
/tool bandwidth-server
set enabled=no
# Graphing entries for interfaces, queues and resources, added with no explicit
# parameters.
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# MAC server and MAC WinBox are limited to the LAN interface list; MAC ping is off.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

--------------------------------------------------------------------------------------------------------------------------------------------
Hello, thanks for all the answers. I found the problem: I had a port forwarding rule that affected every website that responds on port 80. I currently have a device that needs to be reachable through that port. How can I redirect port 80 to that device without affecting web browsing?

I pass on the rules that gave me the problem that I could navigate some teams and not others

and I appreciate your responses

I give them the rules that were the ones that gave me that problem

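# Filter rule from the poster's export. RouterOS parameters are written
# name=value with no spaces around "="; the spacing has been restored here.
# NOTE(review): chain=input only covers traffic addressed to the router itself;
# a dst-nat'ed connection is forwarded, so the forward chain decides it.
add action=accept chain=input comment="Port Forwarding port 80" dst-port=80 \
protocol=tcp

# NAT rule from the poster's export.
# NOTE(review): with no in-interface, in-interface-list or dst-address matcher
# this rewrites every TCP/80 connection crossing the router, including LAN
# clients browsing the web, to 192.168.149.200. Limiting it to inbound WAN
# traffic, e.g. in-interface-list=WAN, keeps the port forward without capturing
# outbound browsing.
add action=dst-nat chain=dstnat comment="redirect port 80 ip 200" \
dst-port=80 protocol=tcp to-addresses=192.168.149.200 to-ports=80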
Last edited by IgnacioAA on Thu Feb 04, 2021 4:08 pm, edited 2 times in total.
 
erlinden
Forum Guru
Posts: 2684
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: website responds ping but does not navigate

Tue Feb 02, 2021 9:01 pm

ICMP doesn't say anything about the webserver (though the webserver could theoretically respond to the ICMP request).
Can you please share the websites with which you encounter problems?

Things that come to my mind:
  • IPv6
  • DNS
  • Block
 
markmcn
Member Candidate
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Re: website responds ping but does not navigate

Tue Feb 02, 2021 10:16 pm

At a guess and I stress guess because we don't have any config details or anything else this sounds like it could be an MTU issue. Since some sites work and others don't.
If you can share a diagram and also run the command
/export hide-sensitive
this will export the configuration and should hide sensitive information such as passwords.
You can share the config here and we can get a better idea of what's going on.
Cheers
Mark
 
memelchenkov
Member Candidate
Posts: 204
Joined: Sun Oct 11, 2020 12:00 pm

Re: website responds ping but does not navigate

Tue Feb 02, 2021 10:32 pm

It sounds like MTU/MSS issues, dig this way.
 
Jialireter
just joined
Posts: 1
Joined: Wed Feb 03, 2021 9:12 am

Re: website responds ping but does not navigate

Wed Feb 03, 2021 9:17 am

I think the IP is blocked. I also encountered this problem before.
 
IgnacioAA
just joined
Topic Author
Posts: 12
Joined: Thu Sep 24, 2020 4:27 pm

Re: website responds ping but does not navigate

Wed Feb 03, 2021 9:16 pm

At a guess and I stress guess because we don't have any config details or anything else this sounds like it could be an MTU issue. Since some sites work and others don't.
If you can share a diagram and also run the command
/export hide-sensitive
this will export the configuration and should hide sensitive information such as passwords.
You can share the config here and we can get a better idea of what's going on.
Cheers
Mark
hello I copy the export
# feb/03/2021 16:07:09 by RouterOS 6.48
# software id = 0TQI-SY35
#
# model = RB962UiGS-5HacT2HnT
# serial number = CC4F0C699667
# NOTE(review): the header carries the software id and serial number and the
# body carries MAC addresses. No passwords or Wi-Fi keys appear below, but these
# identifiers are still worth redacting before a configuration is posted publicly.
# Bridge with a fixed (admin) MAC address instead of an automatically chosen one.
/interface bridge
add admin-mac=48:8F:5A:30:D4:DF auto-mac=no comment=defconf name=bridge
# The SFP port is disabled.
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
# WAN uplink: PPPoE client on ether1 that installs the default route and takes
# its DNS servers from the peer.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=antel@adsl
# Physical radios: wlan1 on 2.4 GHz and wlan2 on 5 GHz, both in ap-bridge mode
# with WPS disabled.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=uruguay disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=error! station-roaming=enabled \
wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=uruguay disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid=error!-5G station-roaming=\
enabled wireless-protocol=802.11 wps-mode=disabled
# Interface lists WAN and LAN; the firewall rules in this export match on them.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): both security profiles still allow wpa-psk next to wpa2-psk.
# Unless a legacy client needs it, authentication-types=wpa2-psk alone is the
# stricter setting. No pre-shared keys appear in this export.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
supplicant-identity=MikroTik
# Virtual APs wlan3 (on wlan2) and wlan4 (on wlan1) broadcasting the
# "Invitados-UCM" SSID with the non-default security profile "profile".
/interface wireless
add disabled=no mac-address=4A:8F:5A:30:D4:E4 master-interface=wlan2 name=\
wlan3 security-profile=profile ssid=Invitados-UCM station-roaming=enabled \
wps-mode=disabled
add disabled=no mac-address=4A:8F:5A:30:D4:E5 master-interface=wlan1 name=\
wlan4 security-profile=profile ssid=Invitados-UCM station-roaming=enabled \
wps-mode=disabled
# DHCP address pool and the DHCP server that serves it on the bridge.
/ip pool
add name=dhcp ranges=192.168.149.110-192.168.149.199
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge lease-time=\
1w10m name=defconf
# Four disk logging targets, each configured for 3 files of 10000 lines.
/system logging action
add disk-file-count=3 disk-file-name=Critical disk-lines-per-file=10000 name=\
CriticalDisk target=disk
add disk-file-count=3 disk-file-name=Error disk-lines-per-file=10000 name=\
ErrorDisk target=disk
add disk-file-count=3 disk-file-name=Info disk-lines-per-file=10000 name=\
InfoDisk target=disk
add disk-file-count=3 disk-file-name=Warning disk-lines-per-file=10000 name=\
WarningDisk target=disk
# Policy list assigned to the "full" user group.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# Frames bridged to or from the guest virtual APs (wlan3, wlan4) are dropped in
# the bridge forward chain.
# NOTE(review): this blocks layer-2 forwarding only. wlan3/wlan4 are ports of the
# same bridge, so guests presumably get addresses from the same 192.168.149.0/24
# DHCP server and count as LAN for the firewall and for the /ip service address
# limits — confirm. A separate bridge or VLAN with its own subnet would keep
# guests away from router management.
/interface bridge filter
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
# Bridge ports: the wired LAN ports, sfp1, both radios and both guest virtual APs.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3
add bridge=bridge interface=wlan4
# Neighbor discovery runs only on interfaces in the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Interface list membership: bridge is LAN; ether1 and pppoe-out1 are WAN.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
# Router address on the LAN bridge.
/ip address
add address=192.168.149.203/24 comment=defconf interface=bridge network=\
192.168.149.0
/ip dhcp-client
add comment=defconf interface=ether1
# DHCP clients are handed the router itself as gateway and DNS server.
/ip dhcp-server network
add address=192.168.149.0/24 comment=defconf dns-server=192.168.149.203 \
gateway=192.168.149.203 netmask=24
# The router answers DNS queries from other hosts.
# NOTE(review): with allow-remote-requests=yes the input chain has to keep
# WAN-side queries out; in this export that depends on the
# "drop all not coming from LAN" filter rule staying in place.
/ip dns
set allow-remote-requests=yes
# Static entry for router.lan, currently disabled.
/ip dns static
add address=192.168.149.203 comment=defconf disabled=yes name=router.lan
# Firewall filter rules; within each chain they are evaluated in the order listed.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Lets UDP DNS queries arriving on the bridge reach the router's resolver.
add action=accept chain=input comment="DNS DE LA LAN" dst-port=53 \
in-interface=bridge protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
# Anything addressed to the router itself from a non-LAN interface that was not
# accepted above is dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# NOTE(review): the four "Port Forwarding" rules below are in chain=input and
# come after the input drop for non-LAN traffic, so they cannot match packets
# arriving from the WAN. Connections rewritten by dst-nat are forwarded rather
# than delivered to the router, so the forward chain decides them, and the
# "drop all from WAN not DSTNATed" rule already lets dst-nat'ed connections
# through. These input rules look unnecessary for the port forwards.
add action=accept chain=input comment="Port Forwarding puerto 80" dst-port=80 \
protocol=tcp
add action=accept chain=input comment="Port Forwarding puerto 2222" dst-port=\
2222 protocol=tcp
# NOTE(review): src-port="" in the next two rules is an empty matcher —
# presumably a GUI leftover; confirm it is not meant to restrict anything.
add action=accept chain=input comment="Port Forwarding puerto 37777" \
dst-port=37777 protocol=tcp src-port=""
add action=accept chain=input comment="Port Forwarding puerto 37777 UDP" \
dst-port=37777 protocol=udp src-port=""
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# New connections from WAN are forwarded only if a dst-nat rule translated them.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for traffic leaving through interfaces in the WAN list.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Transparent DNS: UDP/53 packets passing dstnat are redirected to the router.
# NOTE(review): there is no in-interface matcher, so queries arriving from the
# WAN are redirected too and are then left to the input chain; only UDP is
# redirected, TCP/53 is not.
add action=redirect chain=dstnat comment="DNS CACHE TRANSPARENTE" dst-port=53 \
protocol=udp to-ports=53
# NOTE(review): this rule has no in-interface, in-interface-list or dst-address
# matcher, so it rewrites every TCP/80 connection crossing the router —
# including LAN clients browsing plain-HTTP sites — to 192.168.149.200. That
# fits the symptom reported in the thread (ping works, some pages do not load).
# Limiting the rule to inbound WAN traffic, e.g. in-interface-list=WAN, keeps
# the port forward without capturing outbound browsing. The 37777 and 2222
# rules below are unscoped in the same way.
add action=dst-nat chain=dstnat comment="redireccion puerto 80 ip 200" \
dst-port=80 protocol=tcp to-addresses=192.168.149.200 to-ports=80
add action=dst-nat chain=dstnat comment="redireccion puerto 37777 ip 200" \
dst-port=37777 protocol=tcp to-addresses=192.168.149.200 to-ports=37777
add action=dst-nat chain=dstnat comment=\
"redireccion puerto 37777 UDP ip 200" dst-port=37777 protocol=udp \
to-addresses=192.168.149.200 to-ports=37777
# NOTE(review): forwards port 2222 to SSH (22) on 192.168.149.83 from any
# source address; a src-address or src-address-list matcher would limit who
# can reach that host.
add action=dst-nat chain=dstnat comment="redireccion puerto 2222 ip 83" \
dst-port=2222 protocol=tcp to-addresses=192.168.149.83 to-ports=22
# Management services: telnet, ftp, www, api and api-ssl are disabled; ssh
# (moved to port 6622) and winbox accept connections only from 192.168.149.0/24.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.149.0/24 port=6622
set api disabled=yes
set winbox address=192.168.149.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Montevideo
/system identity
set name=MikroTik-UCM
# Points logging rules 0-3 at the disk actions named InfoDisk, ErrorDisk,
# WarningDisk and CriticalDisk.
/system logging
set 0 action=InfoDisk
set 1 action=ErrorDisk
set 2 action=WarningDisk
set 3 action=CriticalDisk
# Bandwidth test server is disabled.
/tool bandwidth-server
set enabled=no
# Graphing entries for interfaces, queues and resources, added with no explicit
# parameters.
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# MAC server and MAC WinBox are limited to the LAN interface list; MAC ping is off.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
 
markmcn
Member Candidate
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Re: website responds ping but does not navigate

Mon Feb 08, 2021 11:24 pm

Hey I don't see any mangle rule to correct the TCP MSS to allow for the smaller MTU of PPPoE.
assuming the MTU of the interface is 1492 - 1480 please add the following command
# Rewrites the MSS option of TCP SYN packets leaving pppoe-out1: values between
# 1440 and 1500 are set to 1440, so peers send segments that fit the smaller
# PPPoE MTU. RouterOS also accepts new-mss=clamp-to-pmtu in place of a fixed value.
/ip firewall mangle
add action=change-mss chain=postrouting comment="TCP MSS Adjust" new-mss=1440 out-interface=pppoe-out1 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1440-1500
If the MTU is smaller than 1480 you'll need to reduce the "new-mss" value by the same amount (the MSS is the MTU minus 40 bytes of IPv4 and TCP headers), so if the MTU is 1470, which is 10 smaller than 1480, make it new-mss=1430 in the command.
You'll also need to reduce the first number of tcp-mss=1440-1500 by the same amount, so that becomes tcp-mss=1430-1500.
For this to take effect you may need to kill the tcp connections from your laptop/computer.
in winbox go to IP->Firewall, Then click the "Connections tab"
Use the filter to find all connections from your laptop/computer and remove them.
Then try accessing one of the websites which is broken for you.
I hope this helps
