Hi all!
My setup is like this:
The ETH1 interface is the Hotspot (10.10.1.0/18). Access points are on 10.10.0.1-10.10.1.254 and the rest of the addresses are for hotspot users. (I know now this is a very wrong setup.)
The ETH7 interface is the WAN interface with a public IP.
The ETH10 interface is the management (MGMT) interface, 192.168.199.1.
The router is only accessible via Winbox from the MGMT PC with IP 192.168.199.2.
My problem is that from the MGMT PC or the router itself I cannot ping the APs that are on the Hotspot (ETH1) interface, UNLESS I make an IP binding with the AP's IP address, but then all clients connected to those APs bypass the 'hotspot rules'.
I've tried a few solutions, like "Can't ping device past hotspot", but without success. What am I doing wrong?
Here is some info and a simple drawing:

print screen
[admin@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
NAME TYPE MTU L2MTU MAX-L2MTU
0 R HOTSPOT ether 1500 1598 9498
1 R MGMT ether 1500 1598 9498
2 R WAN ether 1500 1598 9498
3 ether2 ether 1500 1598 9498
4 ether3 ether 1500 1598 9498
5 ether4 ether 1500 1598 9498
6 ether5 ether 1500 1598 9498
7 ether6 ether 1500 1598 9498
8 ether8 ether 1500 1598 9498
9 ether9 ether 1500 1598 9498
10 ether11 ether 1500 1600 9500
11 ether12 ether 1500 1600 9116
12 ether13 ether 1500 1600 9116
[admin@MikroTik] > interface ethernet print
Flags: X - disabled, R - running, S - slave
NAME MTU MAC-ADDRESS ARP MASTER-PORT SWITCH
0 R HOTSPOT 1500 D4:CA:6D:54:96:2C enabled none switch2
1 R MGMT 1500 D4:CA:6D:54:96:35 enabled none switch1
2 R WAN 1500 D4:CA:6D:54:96:32 enabled none switch1
3 ether2 1500 D4:CA:6D:54:96:2D enabled none switch2
4 ether3 1500 D4:CA:6D:54:96:2E enabled none switch2
5 ether4 1500 D4:CA:6D:54:96:2F enabled none switch2
6 ether5 1500 D4:CA:6D:54:96:30 enabled none switch2
7 ether6 1500 D4:CA:6D:54:96:31 enabled none switch1
8 ether8 1500 D4:CA:6D:54:96:33 enabled none switch1
9 ether9 1500 D4:CA:6D:54:96:34 enabled none switch1
10 ether11 1500 D4:CA:6D:54:96:36 enabled
11 ether12 1500 D4:CA:6D:54:96:37 enabled
12 ether13 1500 D4:CA:6D:54:96:38 enabled
[admin@MikroTik] > ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=a.b.c.54/30 network=a.b.c.52 interface=WAN
actual-interface=WAN
1 address=10.10.0.1/18 network=10.10.0.0 interface=HOTSPOT
actual-interface=HOTSPOT
2 address=192.168.199.1/30 network=192.168.199.0 interface=MGMT
actual-interface=MGMT
[admin@MikroTik] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=a.b.c.53
gateway-status=a.b.c.53 reachable via WAN distance=1 scope=30
target-scope=10
1 ADC dst-address=10.10.0.0/18 pref-src=10.10.0.1 gateway=HOTSPOT
gateway-status=HOTSPOT reachable distance=0 scope=10
2 ADC dst-address=192.168.199.0/30 pref-src=192.168.199.1 gateway=MGMT
gateway-status=MGMT reachable distance=0 scope=10
3 ADC dst-address=a.b.c.52/30 pref-src=a.b.c.54 gateway=WAN
gateway-status=WAN reachable distance=0 scope=10
[admin@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
NAME TYPE MTU L2MTU MAX-L2MTU
0 R HOTSPOT ether 1500 1598 9498
1 R MGMT ether 1500 1598 9498
2 R WAN ether 1500 1598 9498
3 ether2 ether 1500 1598 9498
4 ether3 ether 1500 1598 9498
5 ether4 ether 1500 1598 9498
6 ether5 ether 1500 1598 9498
7 ether6 ether 1500 1598 9498
8 ether8 ether 1500 1598 9498
9 ether9 ether 1500 1598 9498
10 ether11 ether 1500 1600 9500
11 ether12 ether 1500 1600 9116
12 ether13 ether 1500 1600 9116
[admin@MikroTik] > interface ethernet print detail
Flags: X - disabled, R - running, S - slave
0 R name="HOTSPOT" default-name="ether1" mtu=1500 l2mtu=1598
mac-address=D4:CA:6D:54:96:2C orig-mac-address=D4:CA:6D:54:96:2C
arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps
master-port=none bandwidth=unlimited/unlimited switch=switch2
1 R name="MGMT" default-name="ether10" mtu=1500 l2mtu=1598
mac-address=D4:CA:6D:54:96:35 orig-mac-address=D4:CA:6D:54:96:35
arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps
master-port=none bandwidth=unlimited/unlimited switch=switch1
2 R name="WAN" default-name="ether7" mtu=1500 l2mtu=1598
mac-address=D4:CA:6D:54:96:32 orig-mac-address=D4:CA:6D:54:96:32
arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps
master-port=none bandwidth=unlimited/unlimited switch=switch1
[admin@MikroTik] > ip firewall export
nov/27/2013 16:29:21 by RouterOS 6.5
software id = 7ET8-Y2H5
# NOTE: long rules below were wrapped onto two lines by the forum; each "add" is one command.
# Rules in a chain are evaluated top to bottom and the first match wins, so order matters throughout.
/ip firewall filter
# Placeholder chain; no rule in this export jumps to it. The hotspot's own dynamic rules are
# not part of an export, so the behaviour the poster is asking about is not visible here.
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
# Drops forwarded traffic matching the "Zabranjeno" layer7 regexp on every interface, not only
# HOTSPOT. The regexp itself is not shown in this paste.
add action=drop chain=forward comment="Layer 7 zabranjeno" layer7-protocol=
Zabranjeno
# NOTE(review): no chain named "www.jutarnji.hr" is defined in this export, so this jump appears
# to do nothing -- confirm what it was meant to do.
add action=jump chain=forward content=www.index.hr in-interface=HOTSPOT
jump-target=www.jutarnji.hr
# NOTE(review): src-address=0.0.0.0 matches only that literal address, not "any", so this rule
# will practically never match. The unqualified 8080 drop further down does the intended job.
add action=drop chain=input dst-port=8080 in-interface=WAN protocol=tcp
src-address=0.0.0.0
# Standard stateful accepts for traffic to the router itself (no action = accept).
add chain=input comment="Accept established connections" connection-state=
established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections"
connection-state=invalid
# NOTE(review): accepts EVERY UDP packet addressed to the router from ANY interface, WAN
# included. Because it precedes the udp/53 drop below, that drop is never reached. Consider
# restricting this to in-interface=!WAN or to the specific UDP services that must be reachable.
add chain=input comment=UDP protocol=udp
add action=drop chain=forward comment="drop invalid connections"
connection-state=invalid
# DNS and hotspot-proxy ports blocked from WAN. The udp/53 rule is shadowed by the UDP accept
# above; tcp/53 and tcp/8080 are effective.
add action=drop chain=input dst-port=53 in-interface=WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN protocol=tcp
add action=drop chain=input dst-port=8080 in-interface=WAN protocol=tcp
# NOTE(review): nothing jumps to chain "virus" in this export, so this rule is never evaluated.
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139
protocol=tcp
# Port-scan heuristics: a matching source is put on "port scanners" for two weeks and then
# dropped by the rule that follows the list. None of these is limited to in-interface=WAN,
# so an internal host (hotspot client or the MGMT PC) that trips one is locked out of the
# router's input chain for 2w as well -- confirm that is intended.
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="Port scanners to list "
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan"
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp
tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list=
"port scanners"
# FTP brute-force handling: blacklisted sources are dropped on tcp/21; the two output-chain
# rules watch the router's own FTP replies, allowing a bounded rate of "530 Login incorrect"
# per destination and blacklisting the destination for 3h once that rate is exceeded.
# Only meaningful if the router's FTP service is enabled (not shown in this paste).
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21
protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist
address-list-timeout=3h chain=output content="530 Login incorrect"
protocol=tcp
# SSH brute-force staging: each new tcp/22 connection moves the source one stage further
# (stage1 1m -> stage2 10m -> stage3 10m -> blacklist 1w3d). Not limited to WAN, so an
# operator on the MGMT PC reconnecting several times in quick succession can be blacklisted
# for 1w3d too -- consider excluding the MGMT network.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist
address-list-timeout=1w3d chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3
address-list-timeout=10m chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2
address-list-timeout=10m chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1m chain=input connection-state=new dst-port=22
protocol=tcp
# NOTE(review): the input chain has no final drop for WAN. RouterOS accepts what no rule
# matches, so every router service other than tcp/53, tcp/8080 and the list-based drops
# above is reachable from WAN unless /ip service or something else not shown restricts it.
# Given the stated goal (management only from 192.168.199.2 via Winbox), an explicit
# "drop chain=input in-interface=WAN" at the end of the chain, placed after the accepts
# that must remain, would make the export match that intent -- confirm before adding.
/ip firewall nat
# Disabled placeholder for the hotspot's dynamic NAT rules.
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network"
src-address=10.10.0.0/18 to-addresses=0.0.0.0
# Redirects every tcp/80 packet entering dstnat, from ANY interface, to port 8080 on the
# router (presumably the hotspot transparent proxy -- confirm). This also catches HTTP from
# the MGMT network; WAN-originated hits are subsequently dropped by the tcp/8080 input rule.
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080
# /24 here, while the MGMT address in "ip address print" is /30 -- harmless but inconsistent.
add action=masquerade chain=srcnat comment="masquerade mgmt network"
src-address=192.168.199.0/24
# NOTE(review): masquerades traffic sourced from the WAN subnet itself; unusual -- confirm it is needed.
add action=masquerade chain=srcnat src-address=a.b.c.52/30
Thanks for any info and guidelines!