cannot ping ether 2 local to PC, but can winbox to it.

I have a routerboard 433AH that I am configuring as a simple DSL router (using just ethernet, wireless will be added later). I can connect and configure it in Winbox but cannot ping it or login with a web browser. It does not respond.

I had it configured with NAT - srcnat, masquerade, outgoing=ether1, DHCP Client on Public side (ether 1), DHCP Server on Private side (ether 2). Public side was receiving address properly. Private side DHCP server would not dish out an address to PC. So I assigned a static IP/gateway/DNS, etc. to PC and tried internet - no go. Couldn't even ping router.

So, I removed all configs except the ether 2 IP address. Still couldn’t ping it.

What am I missing? Why can't I ping the ether 2 port that I am directly connected to?

THANKS!

lookout -
It would be real helpful if you would go in to the terminal (console) and do a;

/ip address export
/ip route export
/ip firewall nat export
/ip dhcp server export

and let us see what your config is at the moment so we can all point you in the right direction…

What it kind of sounds like right now is that it is probably a netmask or addressing issue, and/or possibly a basic routing issue…

R/

galaxynet,

Thank you for the reply. I was doing the exports as you said when I noticed the ip address export showed a /32 rather than /24. So I logged into the router with winbox and changed the ether2 ip address from 192.168.1.1 to 192.168.1.1/24 and shazam! All worked fine.

So the issues were due to the wrong subnet.

One quick question:

Does the firewall do SPI by default or do I need to configure that?

Thanks
lookout
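As an added example (not part of the thread), here is the LAN addressing and DHCP configuration that corresponds to the fix lookout describes, assuming ether1 is the public/DSL side and ether2 the private side as in the first post, and 192.168.1.0/24 as the LAN block; the pool and server names are made up. The reason a bare 192.168.1.1 behaves this way is that RouterOS stores it as 192.168.1.1/32: the router then believes no other host shares the ether2 link, so it has no connected route for 192.168.1.0/24 and cannot send ICMP or HTTP replies to a directly attached PC, and the DHCP server's 192.168.1.0/24 network entry has no matching interface address to serve from. Winbox still works because it can reach the board by MAC address at layer 2, without IP routing.

```routeros
# Added example, not the thread's own config: LAN addressing and DHCP on ether2.
# Assumes ether1 = public/DSL side, ether2 = private/LAN side, LAN = 192.168.1.0/24.

# Wrong: a host address with no prefix length is stored as /32, so the router
# has no connected route to 192.168.1.0/24 and cannot answer hosts on ether2.
#   /ip address add address=192.168.1.1 interface=ether2

# Right: the address carries the LAN's prefix length.
/ip address
add address=192.168.1.1/24 interface=ether2 comment="LAN gateway"

# Verify: the export must show /24 and a connected route must exist for the subnet.
/ip address print
/ip route print where dst-address=192.168.1.0/24

# DHCP for the LAN; the network entry must lie inside the /24 assigned above,
# otherwise the server has no address to hand leases out from.
/ip pool
add name=lan-pool ranges=192.168.1.10-192.168.1.254
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1 comment="dns-server assumes the router resolves for the LAN; otherwise use the ISP resolver"
/ip dhcp-server
add name=lan-dhcp interface=ether2 address-pool=lan-pool disabled=no

# Check that leases are actually being issued once a PC is plugged in.
/ip dhcp-server lease print
```

If `/ip address print` still shows a /32 after this, the address was added in Winbox without the prefix; re-enter it with the `/24` as lookout did.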

lookout -
Well I am glad you found your issue - as I noted in my response - it looked like a netmask / IP address / or basic route issue…

As to SPI by the MT firewall… It does do SPI, but you have to tell it what you are looking for… As an example, let's say you only want your clients to use your mail server;

(In /ip firewall filter now…)
chain=forward in-interface=LOCAL protocol=tcp dst-port=25 dst-address=!your_mail_server_IP action=drop

LOCAL is just a label I made up to identify WHERE (which eth Interface) your clients come in to the router at.

the '!' in dst-addr means 'does not equal' (you have to check the block next to the dst-addr and it will show a '!' in the box).

I do not know how familiar you are with firewalling…there are some wiki articles that can help you understand the process better.

I usually do not use the method above - I generally filter on that which I want to pass through my router, and then drop everything else. Heck of a lot of bad things out there and only (relatively) a few ‘good’ things you want to have pass through your router…

R/

Thom

Thank you Thom.

I would like to clarify my question a little further. I want my clients to get to anything they want on the internet. But I want all incoming requests from the internet to be dropped unless the connection originated from the client. That’s what I am looking for in the SPI firewall. I want it to operate just like a typical linksys or dlink DSL router with SPI. I really don’t need any port forwarding or a PC in the DMZ.

This router will be for a single business customer with 20 PC’s.

Thanks!

lookout -

Ok lookout - here goes…

  1. Make sure you use masquerade for the private network in /ip firewall nat like so;
    src-address=put_your_local_network_IP_block_here out-interface=Internet_interface action=masquerade

  2. Firewalling - this is a short excerpt from an article by Dmitry (which you should look up and familiarize yourself with…)

/ ip firewall address-list
add list=illegal-addr address=0.0.0.0/8 comment="illegal addresses"
add list=illegal-addr address=127.0.0.0/8
add list=illegal-addr address=224.0.0.0/3

/ ip firewall filter

add chain=forward in-interface=Local out-interface=Local action=accept comment="Allow traffic between local computers"

add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block port scans"

add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Null scan"

add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Xmas scan"

add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop

add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop comment="Drop TCP RST"

add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop comment="Drop TCP SYN+FIN"

add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at once"

add chain=sanity-check connection-state=established action=accept comment="Accepting already established connections"

add chain=sanity-check connection-state=related action=accept comment="Also accepting related connections"

add chain=sanity-check in-interface=Local dst-address-list=illegal-addr dst-address-type=!PUT_YOUR_LOCAL_NETWORK_IP_BLOCK_HERE action=jump jump-target=drop comment="Drop illegal destination addresses"

add chain=sanity-check in-interface=Local src-address=!PUT_YOUR_LOCAL_NETWORK_IP_BLOCK_HERE action=jump jump-target=drop comment="Drop everything that goes from local interface but not from local address"

add chain=sanity-check in-interface=Public src-address-list=illegal-addr action=jump jump-target=drop comment="Drop illegal source addresses"

add chain=sanity-check in-interface=Public dst-address=!PUT_YOUR_LOCAL_NETWORK_IP_BLOCK_HERE action=jump jump-target=drop comment="Drop everything that goes from public interface but not to local address"


R/

Thom
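As an added example, not from the thread and not from Dmitry's article, here is a minimal stateful (SPI) ruleset that does exactly what lookout asked for earlier: LAN clients may open anything outbound, replies to those connections come back, and anything the Internet initiates toward the router or the LAN is dropped, with no port forwarding and no DMZ. It assumes ether1 is the Internet interface and ether2 the LAN, with 192.168.1.0/24 as the local block (substitute your own interface names; that is the mistake the next post runs into). It keeps established and related in separate rules as the excerpt above does, and spells out `masquerade` in full. Note that the excerpt's sanity-check chain is only consulted if the built-in input and forward chains jump to it; the commented line at the end shows where such a jump belongs.

```routeros
# Added example (not the thread's own config): stateful firewall for a single-LAN
# DSL router. Assumes ether1 = Internet, ether2 = LAN, local block 192.168.1.0/24.

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 out-interface=ether1 action=masquerade comment="Hide the LAN behind the DSL address"

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input connection-state=established action=accept comment="Replies to sessions the router opened"
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop comment="Packets that belong to no tracked connection"
add chain=input in-interface=ether2 action=accept comment="LAN may manage the router (Winbox, web, ping)"
add chain=input action=drop comment="Everything else, including anything new from ether1, is dropped"

# --- forward: traffic passing through the router ---
add chain=forward connection-state=established action=accept comment="Replies to LAN-originated sessions"
add chain=forward connection-state=related action=accept comment="e.g. FTP data channels, ICMP errors for tracked flows"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2 src-address=192.168.1.0/24 connection-state=new action=accept comment="LAN clients may start any connection outbound"
add chain=forward action=drop comment="Default deny: the Internet cannot start connections into the LAN, and spoofed LAN sources are dropped too"

# Optional: run new connections through the sanity-check chain from the excerpt
# before the accept rules. place-before=0 puts it at the top of the chain.
#   add chain=forward connection-state=new action=jump jump-target=sanity-check place-before=0

# Verify: the counters show which rule each flow hits, and the connection table
# shows that return traffic from the Internet is matched as established, not new.
/ip firewall filter print stats
/ip firewall connection print
```

The `connection-state` matchers are what make this stateful: an inbound packet from ether1 is accepted only when the connection table already holds a flow that a LAN host started, which is the Linksys/D-Link "SPI" behaviour lookout described.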

Thom,

That really helps. Thanks. I am getting an error in the firewall filter section on the lines that I entered my Local Network IP Block. I looked at the manual but couldn’t see what was wrong.

Here is an excerpt:

[admin@MikroTik] /ip firewall filter> add chain=sanity-check in-interface=Local dst-address-list=illegal-addr dst-address-type=!192.168.1.0/24 action=jump jump-target=drop comment="Drop illegal destination addresses"
syntax error (line 1 column 91)
[admin@MikroTik] /ip firewall filter>
[admin@MikroTik] /ip firewall filter> add chain=sanity-check in-interface=Local src-address=!192.168.1.0/24 action=jump jump-target=drop comment="Drop everything that goes from local interface but not from local address"
input does not match any value of interface
[admin@MikroTik] /ip firewall filter>
[admin@MikroTik] /ip firewall filter> add chain=sanity-check in-interface=Public src-address-list=illegal-addr action=jump jump-target=drop comment="Drop illegal source addresses"
input does not match any value of interface
[admin@MikroTik] /ip firewall filter>
[admin@MikroTik] /ip firewall filter> add chain=sanity-check in-interface=Public dst-address=!192.168.1.0/24 action=jump jump-target=drop comment="Drop everything that goes from public interface but not to local address"
input does not match any value of interface

Thanks

lookout -
Well it looks like for the most part that you have used the names I gave the interfaces in my example and not the names you gave the interfaces…

add chain=sanity-check in-interface=Local src-address=!192.168.1.0/24 action=jump jump-target=drop comment="Drop everything that goes from local interface but not from local address"
input does not match any value of interface

This is telling you that in this part of the statement "in-interface=Local" that Local is not recognized… So your 'Local' interface must have a different name… Looks to be a similar issue on most of the ones you have above…so fix that and then let's see what's left…

R/
Thom