We have a problem with out MT blocking pings from inside our LAN to other networks via VPN, etc…
We can VPN in fine and we have a guy sat in South Africa VPN’d in and he can ping back out which suggests it our LAN not being allowed through the MT…Any ideas?
Firewall rules?
OK narrowed it down slightly, can now ping fine (took outgoing interface off the masquerade rule), its just the outgoing VPN is still not working!
NAT
0 chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=987 protocol=tcp dst-address=81.149.77.68 dst-port=987
1 chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=443 protocol=tcp dst-address=81.149.77.68 dst-port=443
2 chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=80 protocol=tcp dst-address=81.149.77.68 dst-port=80
3 chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53
4 chain=srcnat action=masquerade src-address=192.168.0.0/24
FILTER
0 ;;; PTPP PORT
chain=input action=accept protocol=tcp dst-port=1723
1 ;;; GRE PORT
chain=input action=accept protocol=gre
2 chain=input action=accept protocol=tcp dst-port=44818
3 chain=input action=accept protocol=tcp dst-port=1723,25,80,987,443
4 chain=forward action=accept dst-address=192.168.0.2
5 ;;; Accept established connections
chain=input action=accept connection-state=established
6 ;;; Accept related connections
chain=input action=accept connection-state=related
7 ;;; UDP
chain=input action=accept protocol=udp
8 X ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=50/5s,2
9 X ;;; SSH for secure shell
chain=input action=accept protocol=tcp dst-port=22
10 ;;; winbox
chain=input action=accept protocol=tcp dst-port=8291
11 X ;;; Log everything else
chain=input action=log log-prefix=“DROP INPUT”
12 X ;;; Drop invalid connections
chain=input action=drop connection-state=invalid
13 X chain=input action=drop src-address=202.96.36.107
14 X ;;; Drop excess pings
chain=input action=drop protocol=icmp
15 X ;;; Drop everything else
chain=input action=drop
16 ;;; drop ftp brute forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21
17 chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m
18 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h content=530 Login incorrect
19 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
20 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist
address-list-timeout=1w3d dst-port=22
21 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m
dst-port=22
22 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m
dst-port=22
23 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22