Dear Community,
I'm bumping into an issue where I'm running dry on options to solve it, and I turn to the community for options to progress.
On a site to site config, I can access all resources, except one web interface from one specific host.
Enclosed is the network diagram:
- 2 sites (A and B) inter-connected via wireguard and one rogue warrior which connects via wireguard
- site A (ie device A1) and the rogue warrior (C1) can access site B (for example, they can ping and ssh to devices B1 and B2). [conclusion: the wireguard tunnels operate as intended, and the routers on sites A and B do NAT properly]
- when A1 or C1 connect to hosts on site B, the traffic is NATed and the host sees the connection from the router B0 internal interface (eg: when ssh from A1 to B2, host B2 sees the connection from its local router B0 address 192.168.34.254)
- BUT B1 has a web interface (port 80) and only B1 fails to be properly accessed: when connecting over http from A1 to B1, the connection establishes but the page load times out when fetching the multiple .css and .js files (it manages to fetch only a single .js)
- however, that same web interface of B1 can be accessed without any issue from the C1 rogue warrior [conclusion: this would lead me to believe that the config on site B is OK, and the issue would be on the router of site A]
- B2 also has a web interface (port 80), also with css and javascript, and it can be seamlessly accessed by both A1 and C1. [conclusion: other http resources from site B can be accessed, which isolates the issue to accessing the web interface of B1]
- I tried to swap devices A1 and C1, and I get the same result: when A1 connects as the rogue warrior (ie: where C1 is connected), it can load the B1 web interface without issue; and when C1 connects to the LAN on site A (ie: where A1 is connected) it can no longer load the B1 web interface
- tests are run with cache disabled/purged
This leads me to believe that the setup on site B works properly, and the issue is on the router A0 from site A
- to troubleshoot, I created a firewall rule on top of the forward chain to allow any to any, but I still have the same behavior on loading the content of the web interface - code:
Code:
add action=accept chain=forward comment="DEBUG - enable fwd to ALL (eg: any to any)"
- for routes on A0: a route is made for 192.168.34.0/24 and 192.168.42.16/28 via the wireguard site-to-site interface (which has address 192.168.42.17 on A0) and successfully transits traffic between the sites (ping, ssh)
That A0 router is a MikroTik router (tile), running RouterOS v7.17
Any suggestion on where to investigate further?
Network diagram:
Web console output:
Statistics: Posted by eguun — Wed Jan 29, 2025 9:56 am
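The symptom in the post (the index page of B1 loads, then most of its linked .css/.js files time out while a single small .js gets through) can be made measurable instead of eyeballed in a browser. The script below is an added example, not the poster's code and not anything shipped with RouterOS; it assumes a hypothetical base URL given on the command line (the web interface of B1, for instance) and replays what a browser does: fetch the index, extract every linked stylesheet and script, fetch each with a timeout, and record how many bytes arrived before the transfer either completed or stalled. Running it once from A1 and once from C1 gives two tables whose per-asset byte counts and timings can be compared line by line.

```python
"""Replay a browser's asset fetches and report per-asset bytes/time.

Added example for the forum thread above; base URL is a hypothetical
placeholder supplied on the command line. Standard library only.
"""
import sys
import time
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin


class AssetParser(HTMLParser):
    """Collect the src of <script> tags and the href of stylesheet <link> tags."""

    def __init__(self):
        super().__init__()
        self.assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.assets.append(a["src"])
        elif tag == "link" and a.get("href"):
            rel = (a.get("rel") or "").lower()
            if "stylesheet" in rel or a["href"].lower().endswith(".css"):
                self.assets.append(a["href"])


def parse_assets(html, base_url):
    """Return the absolute URLs of linked css/js assets, in page order, deduplicated."""
    p = AssetParser()
    p.feed(html)
    seen, out = set(), []
    for ref in p.assets:
        url = urljoin(base_url, ref)
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def fetch(url, timeout=10.0):
    """Return (ok, bytes_received, seconds).

    The body is read in small chunks so that a transfer which starts and then
    stalls still reports how far it got before the timeout or reset hit; that
    partial count is the number worth comparing between a host that fails and
    one that succeeds.
    """
    start = time.monotonic()
    received = 0
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            while True:
                chunk = resp.read(4096)
                if not chunk:
                    break
                received += len(chunk)
        return True, received, time.monotonic() - start
    except (urllib.error.URLError, OSError):
        # socket.timeout is a subclass of OSError, as is ConnectionResetError
        return False, received, time.monotonic() - start


def summarize(results):
    """results: list of (url, ok, bytes, secs) tuples -> summary dict.

    Reports the largest transfer that completed and the partial byte count of
    every transfer that did not, so "only small responses get through" versus
    "transfers stall at the same point" can be told apart from the numbers.
    """
    ok = [r for r in results if r[1]]
    bad = [r for r in results if not r[1]]
    return {
        "ok": len(ok),
        "failed": len(bad),
        "largest_ok_bytes": max((r[2] for r in ok), default=0),
        "failed_partial_bytes": [r[2] for r in bad],
        "failed_urls": [r[0] for r in bad],
    }


def run(base_url, timeout=10.0):
    """Fetch the index, then every asset it links; return the result list."""
    ok, size, secs = fetch(base_url, timeout)
    results = [(base_url, ok, size, secs)]
    if not ok:
        return results
    with urllib.request.urlopen(base_url, timeout=timeout) as resp:
        html = resp.read().decode("utf-8", errors="replace")
    for url in parse_assets(html, base_url):
        results.append((url,) + fetch(url, timeout))
    return results


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.34.10/"  # placeholder
    rows = run(base)
    for url, ok, size, secs in rows:
        print(f"{'OK  ' if ok else 'FAIL'} {size:>8d} B {secs:6.2f} s  {url}")
    print(summarize(rows))
```

Run it from A1 and from C1 against the same B1 URL and diff the two outputs; the index fetch and the small .js should match on both, and the rows that differ are the ones to take to the router logs or a packet capture on A0's WireGuard interface.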