Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3
255 posts

Ultimate Geek
+1 received by user: 207

Trusted
2degrees

  Reply # 2121896 7-Nov-2018 23:42
Send private message quote this post

I'm accessing https://services.ird.govt.nz/irsso/newlogin?id=rightnav via fibre connection right now - Are you using our DNS servers or someone else's? What are you using as a router? Since you are a business customer are you using a managed service device?



10 posts

Wannabe Geek


  Reply # 2121897 7-Nov-2018 23:54
Send private message quote this post

fe31nz:

 

Your traceroute is pretty similar to mine, so I do not see any problem there:

 

[D:\]tracert services.ird.govt.nz

 

Tracing route to services.ir1.ird.govt.nz [222.153.202.43]
over a maximum of 30 hops:

 

1 <1 ms <1 ms <1 ms erl.jsw.gen.nz [10.0.1.251]
2 1 ms 1 ms 1 ms 104.7.69.111.static.snap.net.nz [111.69.7.104]
3 14 ms 14 ms 13 ms 38.27.69.111.static.snap.net.nz [111.69.27.38]
4 13 ms 13 ms 13 ms 39.27.69.111.static.snap.net.nz [111.69.27.39]
5 14 ms 14 ms 14 ms ae9-44.akcr11.global-gateway.net.nz [122.56.127.209]
6 14 ms 14 ms 14 ms mdr-ip24-dom.msc.global-gateway.net.nz [122.56.116.10]
7 15 ms 15 ms 15 ms 222-153-223-166.sparkdigital.co.nz [222.153.223.166]
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * ^C

 

The sparkdigital.co.nz routers seem to be blocking the traceroute, but I can connect fine to https://services.ird.govt.nz/irsso/newlogin?id=rightnav.

 

Tracetcp on the https port gets through all the way, as expected:

 

[d:\]tracetcp.exe services.ird.govt.nz:https

 

Tracing route to 222.153.202.43 on port 443
Over a maximum of 30 hops.
1 2 ms 1 ms 1 ms 10.0.1.251 [erl.jsw.gen.nz]
2 3 ms 15 ms 2 ms 111.69.7.104 [104.7.69.111.static.snap.net.nz]
3 16 ms 56 ms 15 ms 111.69.27.38 [38.27.69.111.static.snap.net.nz]
4 20 ms 14 ms 15 ms 111.69.27.39 [39.27.69.111.static.snap.net.nz]
5 20 ms 17 ms 15 ms 122.56.127.33 [ae9-42.akcr11.global-gateway.net.nz]
6 15 ms 15 ms 15 ms 122.56.116.10 [mdr-ip24-dom.msc.global-gateway.net.nz]
7 16 ms 15 ms 16 ms 222.153.223.166 [222-153-223-166.sparkdigital.co.nz]
8 Destination Reached in 16 ms. Connection established to 222.153.202.43
Trace Complete.

 

Tracetcp is available from here: http://simulatedsimian.github.io/tracetcp.html

 

 

I've just tried the tracetcp and cannot get through, but you can.undecided

 

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

 

C:\tracetcp_v1.0.3>tracetcp.exe services.ird.govt.nz:https

 

Tracing route to 222.153.202.43 on port 443
Over a maximum of 30 hops.
1 2 ms 1 ms 1 ms 192.168.60.1
2 3 ms 2 ms 19 ms 111.69.1.254 [111-69-1-254.core.snap.net.nz]
3 21 ms 44 ms 19 ms 111.69.27.38 [38.27.69.111.static.snap.net.nz
]
4 21 ms 19 ms 21 ms 111.69.27.39 [39.27.69.111.static.snap.net.nz
]
5 20 ms 19 ms 29 ms 122.56.127.33 [ae9-42.akcr11.global-gateway.ne
t.nz]
6 19 ms 23 ms 22 ms 122.56.116.10 [mdr-ip24-dom.msc.global-gateway
.net.nz]
7 30 ms 81 ms 19 ms 222.153.223.166 [222-153-223-166.sparkdigital.co
.nz]
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace Complete.

 

C:\tracetcp_v1.0.3>




10 posts

Wannabe Geek


  Reply # 2121898 7-Nov-2018 23:57
Send private message quote this post

yitz: Is your router secured properly, why can I see a Mikrotik login page.

 

Good question. I believed it was secured properly but maybe not. The web ui should be disabled for external traffic. I'll get that looked at.




10 posts

Wannabe Geek


  Reply # 2121901 8-Nov-2018 00:00
Send private message quote this post

NickMack: I'm accessing https://services.ird.govt.nz/irsso/newlogin?id=rightnav via fibre connection right now - Are you using our DNS servers or someone else's? What are you using as a router? Since you are a business customer are you using a managed service device?

 

DNS on router (Mikrotik RB2011) is set to 2degrees DNS (I think)...

 

118.148.1.10

 

118.148.1.20

 

Are these correct?

 

The router is not managed. We get IT to deal with issues as they arise. We own the router.




10 posts

Wannabe Geek


  Reply # 2121903 8-Nov-2018 00:03
Send private message quote this post

lxsw20:

 

Yeah, what router are you using, is it doing any sort of L7 filtering or anything?

 

 

No L7 filtering


596 posts

Ultimate Geek
+1 received by user: 97


  Reply # 2121912 8-Nov-2018 06:20
Send private message quote this post

Given the web interface on the Mikrotik was exposed I would be highly suspect of something in the config on there causing your issue. Do you have another router you can test with?

Issues like this with HTTPS are usually caused by MTU or TCP MSS being set incorrectly somewhere, testing with another router would quickly confirm this.

255 posts

Ultimate Geek
+1 received by user: 207

Trusted
2degrees

  Reply # 2121931 8-Nov-2018 08:21
Send private message quote this post

dvanwijk:

 

NickMack: I'm accessing https://services.ird.govt.nz/irsso/newlogin?id=rightnav via fibre connection right now - Are you using our DNS servers or someone else's? What are you using as a router? Since you are a business customer are you using a managed service device?

 

DNS on router (Mikrotik RB2011) is set to 2degrees DNS (I think)...

 

118.148.1.10

 

118.148.1.20

 

Are these correct?

 

The router is not managed. We get IT to deal with issues as they arise. We own the router.

 

 

 

 

please update DNS to 202.37.101.1, 202.37.101.2, 202.37.101.3

 

 


255 posts

Ultimate Geek
+1 received by user: 207

Trusted
2degrees

  Reply # 2121932 8-Nov-2018 08:22
One person supports this post
Send private message quote this post

Kraven: Given the web interface on the Mikrotik was exposed I would be highly suspect of something in the config on there causing your issue. Do you have another router you can test with?

Issues like this with HTTPS are usually caused by MTU or TCP MSS being set incorrectly somewhere, testing with another router would quickly confirm this.

 

 

 

Based on the information supplied,I concur - I can access the ird website from multiple points on our network.


3170 posts

Uber Geek
+1 received by user: 1222

Subscriber

  Reply # 2121936 8-Nov-2018 08:34
Send private message quote this post

Those above linked IRD webpages work just fine on my 2degrees fibre connection. And I have a static IP as well.

Some earlier versions of Mikrotik firmware have security problems.

Paging @Sbiddle as he would be able to sort out your router, or would know someone who can.





3621 posts

Uber Geek
+1 received by user: 1343

Subscriber

  Reply # 2121937 8-Nov-2018 08:35
Send private message quote this post

NickMack:

 

dvanwijk:

 

NickMack: I'm accessing https://services.ird.govt.nz/irsso/newlogin?id=rightnav via fibre connection right now - Are you using our DNS servers or someone else's? What are you using as a router? Since you are a business customer are you using a managed service device?

 

DNS on router (Mikrotik RB2011) is set to 2degrees DNS (I think)...

 

118.148.1.10

 

118.148.1.20

 

Are these correct?

 

The router is not managed. We get IT to deal with issues as they arise. We own the router.

 

 

 

 

please update DNS to 202.37.101.1, 202.37.101.2, 202.37.101.3

 

 

 

 

/interface pppoe-client name="whatever your pppoe interfce to snap is" use-peer-dns=yes

 

And then make sure your MTU is set correctly across the pppoe interface and ethernet interface.


375 posts

Ultimate Geek
+1 received by user: 77


  Reply # 2122465 8-Nov-2018 22:37
Send private message quote this post

dvanwijk:

 

I've just tried the tracetcp and cannot get through, but you can.undecided

 

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

 

C:\tracetcp_v1.0.3>tracetcp.exe services.ird.govt.nz:https

 

Tracing route to 222.153.202.43 on port 443
Over a maximum of 30 hops.
1 2 ms 1 ms 1 ms 192.168.60.1
2 3 ms 2 ms 19 ms 111.69.1.254 [111-69-1-254.core.snap.net.nz]
3 21 ms 44 ms 19 ms 111.69.27.38 [38.27.69.111.static.snap.net.nz
]
4 21 ms 19 ms 21 ms 111.69.27.39 [39.27.69.111.static.snap.net.nz
]
5 20 ms 19 ms 29 ms 122.56.127.33 [ae9-42.akcr11.global-gateway.ne
t.nz]
6 19 ms 23 ms 22 ms 122.56.116.10 [mdr-ip24-dom.msc.global-gateway
.net.nz]
7 30 ms 81 ms 19 ms 222.153.223.166 [222-153-223-166.sparkdigital.co
.nz]
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace Complete.

 

C:\tracetcp_v1.0.3>

 

 

That suggests that the 222.153.202.43 device is blocking your specific IP address for some reason.  The rest of us can get through, but you can not.  It would be worthwhile running Wireshark to see if you are receiving any ICMP packets from 222.153.202.* that might tell you why you are being blocked.


27144 posts

Uber Geek
+1 received by user: 6579

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 2122470 8-Nov-2018 22:55
Send private message quote this post

If you were running a vulnerable version of routeros it's highly likely to have been compromised.

Wouldn't surprise me if this issue could be a hacked router with the SOCKS proxy set which is sending all your traffic offsite.

27144 posts

Uber Geek
+1 received by user: 6579

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 2122471 8-Nov-2018 22:55
Send private message quote this post

If you were running a vulnerable version of routeros it's highly likely to have been compromised.

Wouldn't surprise me if this issue could be a hacked router with the SOCKS proxy set which is sending all your traffic offsite.

329 posts

Ultimate Geek
+1 received by user: 77


  Reply # 2122530 9-Nov-2018 08:39
Send private message quote this post

fe31nz:

 

That suggests that the 222.153.202.43 device is blocking your specific IP address for some reason.  The rest of us can get through, but you can not.  It would be worthwhile running Wireshark to see if you are receiving any ICMP packets from 222.153.202.* that might tell you why you are being blocked.

 

 

Just because you cannot ping something doesn't mean you cannot get to it. Standard security practice is to turn off ICMP responses for internet facing servers/devices unless there is a specific requirement for it. Note that other peoples tracerts end at the same hop.

 

 


448 posts

Ultimate Geek
+1 received by user: 85


  Reply # 2122537 9-Nov-2018 08:49
One person supports this post
Send private message quote this post

I had this exact issue for a client on a different ISP. Couldn't sign in to E Services on the IRD site.

 

We also use the same ISP and had no issues, could use a proxy on the client end and connect okay so it appeared to be something at the IRD end.

 

Tried logging a fault with IRD, not actually possible to log this as an issue as it doesn't appear as a category in their system. It was informally passed through to IRD IT but nothing progressed. Many many follow up calls and I finally got a contact person in IT who I could deal with.

 

 

 

Turned out that the client was part of a shared office and other tenants had been accessing the IRD sites and had triggered a "suspicious" activity alert at the IRD end and the address was blocked. No warning or logging from the IRD end.

 

 

 

Matt.


1 | 2 | 3
View this topic in a long page with up to 500 replies per page Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.