Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3
345 posts

Ultimate Geek
+1 received by user: 281

Trusted
2degrees

  Reply # 2121896 7-Nov-2018 23:42
Send private message

I'm accessing https://services.ird.govt.nz/irsso/newlogin?id=rightnav via fibre connection right now - Are you using our DNS servers or someone else's? What are you using as a router? Since you are a business customer are you using a managed service device?



10 posts

Wannabe Geek


  Reply # 2121897 7-Nov-2018 23:54
Send private message

fe31nz:

 

Your traceroute is pretty similar to mine, so I do not see any problem there:

 

[D:\]tracert services.ird.govt.nz

 

Tracing route to services.ir1.ird.govt.nz [222.153.202.43]
over a maximum of 30 hops:

 

1 <1 ms <1 ms <1 ms erl.jsw.gen.nz [10.0.1.251]
2 1 ms 1 ms 1 ms 104.7.69.111.static.snap.net.nz [111.69.7.104]
3 14 ms 14 ms 13 ms 38.27.69.111.static.snap.net.nz [111.69.27.38]
4 13 ms 13 ms 13 ms 39.27.69.111.static.snap.net.nz [111.69.27.39]
5 14 ms 14 ms 14 ms ae9-44.akcr11.global-gateway.net.nz [122.56.127.209]
6 14 ms 14 ms 14 ms mdr-ip24-dom.msc.global-gateway.net.nz [122.56.116.10]
7 15 ms 15 ms 15 ms 222-153-223-166.sparkdigital.co.nz [222.153.223.166]
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * ^C

 

The sparkdigital.co.nz routers seem to be blocking the traceroute, but I can connect fine to https://services.ird.govt.nz/irsso/newlogin?id=rightnav.

 

Tracetcp on the https port gets through all the way, as expected:

 

[d:\]tracetcp.exe services.ird.govt.nz:https

 

Tracing route to 222.153.202.43 on port 443
Over a maximum of 30 hops.
1 2 ms 1 ms 1 ms 10.0.1.251 [erl.jsw.gen.nz]
2 3 ms 15 ms 2 ms 111.69.7.104 [104.7.69.111.static.snap.net.nz]
3 16 ms 56 ms 15 ms 111.69.27.38 [38.27.69.111.static.snap.net.nz]
4 20 ms 14 ms 15 ms 111.69.27.39 [39.27.69.111.static.snap.net.nz]
5 20 ms 17 ms 15 ms 122.56.127.33 [ae9-42.akcr11.global-gateway.net.nz]
6 15 ms 15 ms 15 ms 122.56.116.10 [mdr-ip24-dom.msc.global-gateway.net.nz]
7 16 ms 15 ms 16 ms 222.153.223.166 [222-153-223-166.sparkdigital.co.nz]
8 Destination Reached in 16 ms. Connection established to 222.153.202.43
Trace Complete.

 

Tracetcp is available from here: http://simulatedsimian.github.io/tracetcp.html

 

 

I've just tried the tracetcp and cannot get through, but you can.undecided

 

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

 

C:\tracetcp_v1.0.3>tracetcp.exe services.ird.govt.nz:https

 

Tracing route to 222.153.202.43 on port 443
Over a maximum of 30 hops.
1 2 ms 1 ms 1 ms 192.168.60.1
2 3 ms 2 ms 19 ms 111.69.1.254 [111-69-1-254.core.snap.net.nz]
3 21 ms 44 ms 19 ms 111.69.27.38 [38.27.69.111.static.snap.net.nz
]
4 21 ms 19 ms 21 ms 111.69.27.39 [39.27.69.111.static.snap.net.nz
]
5 20 ms 19 ms 29 ms 122.56.127.33 [ae9-42.akcr11.global-gateway.ne
t.nz]
6 19 ms 23 ms 22 ms 122.56.116.10 [mdr-ip24-dom.msc.global-gateway
.net.nz]
7 30 ms 81 ms 19 ms 222.153.223.166 [222-153-223-166.sparkdigital.co
.nz]
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace Complete.

 

C:\tracetcp_v1.0.3>


 
 
 
 




10 posts

Wannabe Geek


  Reply # 2121898 7-Nov-2018 23:57
Send private message

yitz: Is your router secured properly, why can I see a Mikrotik login page.

 

Good question. I believed it was secured properly but maybe not. The web ui should be disabled for external traffic. I'll get that looked at.




10 posts

Wannabe Geek


  Reply # 2121901 8-Nov-2018 00:00
Send private message

NickMack: I'm accessing https://services.ird.govt.nz/irsso/newlogin?id=rightnav via fibre connection right now - Are you using our DNS servers or someone else's? What are you using as a router? Since you are a business customer are you using a managed service device?

 

DNS on router (Mikrotik RB2011) is set to 2degrees DNS (I think)...

 

118.148.1.10

 

118.148.1.20

 

Are these correct?

 

The router is not managed. We get IT to deal with issues as they arise. We own the router.




10 posts

Wannabe Geek


  Reply # 2121903 8-Nov-2018 00:03
Send private message

lxsw20:

 

Yeah, what router are you using, is it doing any sort of L7 filtering or anything?

 

 

No L7 filtering


600 posts

Ultimate Geek
+1 received by user: 101


  Reply # 2121912 8-Nov-2018 06:20
Send private message

Given the web interface on the Mikrotik was exposed I would be highly suspect of something in the config on there causing your issue. Do you have another router you can test with?

Issues like this with HTTPS are usually caused by MTU or TCP MSS being set incorrectly somewhere, testing with another router would quickly confirm this.

345 posts

Ultimate Geek
+1 received by user: 281

Trusted
2degrees

  Reply # 2121931 8-Nov-2018 08:21
Send private message

dvanwijk:

 

NickMack: I'm accessing https://services.ird.govt.nz/irsso/newlogin?id=rightnav via fibre connection right now - Are you using our DNS servers or someone else's? What are you using as a router? Since you are a business customer are you using a managed service device?

 

DNS on router (Mikrotik RB2011) is set to 2degrees DNS (I think)...

 

118.148.1.10

 

118.148.1.20

 

Are these correct?

 

The router is not managed. We get IT to deal with issues as they arise. We own the router.

 

 

 

 

please update DNS to 202.37.101.1, 202.37.101.2, 202.37.101.3

 

 


345 posts

Ultimate Geek
+1 received by user: 281

Trusted
2degrees

  Reply # 2121932 8-Nov-2018 08:22
One person supports this post
Send private message

Kraven: Given the web interface on the Mikrotik was exposed I would be highly suspect of something in the config on there causing your issue. Do you have another router you can test with?

Issues like this with HTTPS are usually caused by MTU or TCP MSS being set incorrectly somewhere, testing with another router would quickly confirm this.

 

 

 

Based on the information supplied,I concur - I can access the ird website from multiple points on our network.


3520 posts

Uber Geek
+1 received by user: 1456

Subscriber

  Reply # 2121936 8-Nov-2018 08:34
Send private message

Those above linked IRD webpages work just fine on my 2degrees fibre connection. And I have a static IP as well.

Some earlier versions of Mikrotik firmware have security problems.

Paging @Sbiddle as he would be able to sort out your router, or would know someone who can.





3840 posts

Uber Geek
+1 received by user: 1555

Subscriber

  Reply # 2121937 8-Nov-2018 08:35
Send private message

NickMack:

 

dvanwijk:

 

NickMack: I'm accessing https://services.ird.govt.nz/irsso/newlogin?id=rightnav via fibre connection right now - Are you using our DNS servers or someone else's? What are you using as a router? Since you are a business customer are you using a managed service device?

 

DNS on router (Mikrotik RB2011) is set to 2degrees DNS (I think)...

 

118.148.1.10

 

118.148.1.20

 

Are these correct?

 

The router is not managed. We get IT to deal with issues as they arise. We own the router.

 

 

 

 

please update DNS to 202.37.101.1, 202.37.101.2, 202.37.101.3

 

 

 

 

/interface pppoe-client name="whatever your pppoe interfce to snap is" use-peer-dns=yes

 

And then make sure your MTU is set correctly across the pppoe interface and ethernet interface.


410 posts

Ultimate Geek
+1 received by user: 89


  Reply # 2122465 8-Nov-2018 22:37
Send private message

dvanwijk:

 

I've just tried the tracetcp and cannot get through, but you can.undecided

 

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

 

C:\tracetcp_v1.0.3>tracetcp.exe services.ird.govt.nz:https

 

Tracing route to 222.153.202.43 on port 443
Over a maximum of 30 hops.
1 2 ms 1 ms 1 ms 192.168.60.1
2 3 ms 2 ms 19 ms 111.69.1.254 [111-69-1-254.core.snap.net.nz]
3 21 ms 44 ms 19 ms 111.69.27.38 [38.27.69.111.static.snap.net.nz
]
4 21 ms 19 ms 21 ms 111.69.27.39 [39.27.69.111.static.snap.net.nz
]
5 20 ms 19 ms 29 ms 122.56.127.33 [ae9-42.akcr11.global-gateway.ne
t.nz]
6 19 ms 23 ms 22 ms 122.56.116.10 [mdr-ip24-dom.msc.global-gateway
.net.nz]
7 30 ms 81 ms 19 ms 222.153.223.166 [222-153-223-166.sparkdigital.co
.nz]
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace Complete.

 

C:\tracetcp_v1.0.3>

 

 

That suggests that the 222.153.202.43 device is blocking your specific IP address for some reason.  The rest of us can get through, but you can not.  It would be worthwhile running Wireshark to see if you are receiving any ICMP packets from 222.153.202.* that might tell you why you are being blocked.


27573 posts

Uber Geek
+1 received by user: 7034

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 2122470 8-Nov-2018 22:55
Send private message

If you were running a vulnerable version of routeros it's highly likely to have been compromised.

Wouldn't surprise me if this issue could be a hacked router with the SOCKS proxy set which is sending all your traffic offsite.

27573 posts

Uber Geek
+1 received by user: 7034

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 2122471 8-Nov-2018 22:55
Send private message

If you were running a vulnerable version of routeros it's highly likely to have been compromised.

Wouldn't surprise me if this issue could be a hacked router with the SOCKS proxy set which is sending all your traffic offsite.

435 posts

Ultimate Geek
+1 received by user: 144


  Reply # 2122530 9-Nov-2018 08:39
Send private message

fe31nz:

 

That suggests that the 222.153.202.43 device is blocking your specific IP address for some reason.  The rest of us can get through, but you can not.  It would be worthwhile running Wireshark to see if you are receiving any ICMP packets from 222.153.202.* that might tell you why you are being blocked.

 

 

Just because you cannot ping something doesn't mean you cannot get to it. Standard security practice is to turn off ICMP responses for internet facing servers/devices unless there is a specific requirement for it. Note that other peoples tracerts end at the same hop.

 

 


455 posts

Ultimate Geek
+1 received by user: 90


  Reply # 2122537 9-Nov-2018 08:49
One person supports this post
Send private message

I had this exact issue for a client on a different ISP. Couldn't sign in to E Services on the IRD site.

 

We also use the same ISP and had no issues, could use a proxy on the client end and connect okay so it appeared to be something at the IRD end.

 

Tried logging a fault with IRD, not actually possible to log this as an issue as it doesn't appear as a category in their system. It was informally passed through to IRD IT but nothing progressed. Many many follow up calls and I finally got a contact person in IT who I could deal with.

 

 

 

Turned out that the client was part of a shared office and other tenants had been accessing the IRD sites and had triggered a "suspicious" activity alert at the IRD end and the address was blocked. No warning or logging from the IRD end.

 

 

 

Matt.


1 | 2 | 3
View this topic in a long page with up to 500 replies per page Create new topic


Donate via Givealittle


Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Amazon introduces new Kindle with adjustable front light
Posted 21-Mar-2019 20:14


A call from the companies providing internet access for the great majority of New Zealanders, to the companies with the greatest influence over social media content
Posted 19-Mar-2019 15:21


Two e-scooter companies selected for Wellington trial
Posted 15-Mar-2019 17:33


GeForce GTX 1660 available now
Posted 15-Mar-2019 08:47


Artificial Intelligence to double the rate of innovation in New Zealand by 2021
Posted 13-Mar-2019 14:47


LG demonstrates smart home concepts at LG InnoFest
Posted 13-Mar-2019 14:45


New Zealanders buying more expensive smartphones
Posted 11-Mar-2019 09:52


2degrees Offers Amazon Prime Video to Broadband Customers
Posted 8-Mar-2019 14:10


D-Link ANZ launches D-Fend AC2600 Wi-Fi Router Protected by McAfee
Posted 7-Mar-2019 11:09


Slingshot commissions celebrities to design new modems
Posted 5-Mar-2019 08:58


Symantec Annual Threat Report reveals more ambitious, destructive and stealthy attacks
Posted 28-Feb-2019 10:14


FUJIFILM launches high performing X-T30
Posted 28-Feb-2019 09:40


Netflix is killing content piracy says research
Posted 28-Feb-2019 09:33


Trend Micro finds shifting threats require kiwis to rethink security priorities
Posted 28-Feb-2019 09:27


Mainfreight uses Spark IoT Asset Tracking service
Posted 28-Feb-2019 09:25



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.