Ok, here is my setup on ROS 5.1
Ether1 - dhcp-client with IP 210.x.x.x
Ether2 - LAN with IP range 10.0.1.0/24
Ether3 - 192.168.88.0/24, cable is not plugged in, not in use
wlan1 - wireless interface with ip range 10.0.2.0/24
wlan1 NAT to ether2
All interface masquerade to ether1
Web server IP is 10.0.1.7
SSH server IP is 10.0.1.7
Basically, everything is working correctly. Any computer connected to ether2 can go to the Internet. The outside world can access my web server 10.0.1.7 just fine. Even wireless devices on wlan1 can access the Internet just fine.
The problem is, I can’t ping the router 210.x.x.x from outside. However, SSH and Web both work OK on 210.x.x.x from outside; just the ping doesn’t respond.
I have tried disabling every single firewall filter rule and still no go. Can anyone help?
fewi
April 29, 2011, 5:26pm
2
Post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, “/ip firewall export”, and an accurate network diagram.
[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=192.168.88.4/24 network=192.168.88.0 interface=ether3 actual-interface=ether3
1 address=10.0.2.1/24 network=10.0.2.0 interface=wlan1 actual-interface=wlan1
2 address=10.0.1.110/24 network=10.0.1.0 interface=ether2 actual-interface=ether2
3 address=10.0.1.111/24 network=10.0.1.0 interface=ether2 actual-interface=ether2
4 address=10.0.1.112/24 network=10.0.1.0 interface=ether2 actual-interface=ether2
5 address=10.0.1.113/24 network=10.0.1.0 interface=ether2 actual-interface=ether2
6 address=10.0.1.114/24 network=10.0.1.0 interface=ether2 actual-interface=ether2
7 address=10.0.1.100/24 network=10.0.1.0 interface=ether2 actual-interface=ether2
8 address=10.0.1.1/24 network=10.0.1.0 interface=ether2 actual-interface=ether2
9 D address=210.x.x.x/22 network=210.x.x.0 interface=ether1 actual-interface=ether1
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=210.x.x.1 gateway-status=210.x.x.1 reachable ether1 distance=0
scope=30 target-scope=10 vrf-interface=ether1
1 S dst-address=0.0.0.0/0 gateway=10.0.1.1 gateway-status=10.0.1.1 reachable ether2 distance=1
scope=30 target-scope=10
2 ADC dst-address=10.0.1.0/24 pref-src=10.0.1.110 gateway=ether2 gateway-status=ether2 reachable
distance=0 scope=10
3 ADC dst-address=10.0.2.0/24 pref-src=10.0.2.1 gateway=wlan1 gateway-status=wlan1 reachable distance=0
scope=10
4 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.4 gateway=ether3
gateway-status=ether3 unreachable distance=0 scope=200
5 ADC dst-address=210.x.x.0/22 pref-src=210.x.x.x gateway=ether1 gateway-status=ether1 reachable
distance=0 scope=10
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU
0 ether3 ether 1500 1600
1 R ether1 ether 1500 1600
2 R ether2 ether 1500 1600
3 R wlan1 wlan 1500 2290
4 pptpserver pptp-in
[admin@MikroTik] > /ip firewall export
# apr/30/2011 01:28:55 by RouterOS 5.1
# software id = YXKD-BDS9
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Accept established connections" connection-state=established \
disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=accept chain=input comment=UDP disabled=no protocol=udp
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=log chain=input comment="Log everything else" disabled=no log-prefix="DROP INPUT"
add action=drop chain=input comment=winbox disabled=no dst-port=8291 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="SSH for secure shell" disabled=no dst-port=22 in-interface=ether1 \
protocol=tcp
add action=drop chain=input comment="Telnet shell" disabled=no dst-port=23 in-interface=ether1 \
protocol=tcp
add action=accept chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=icmp
add action=accept chain=input comment="From our private LAN1" disabled=no in-interface=ether2 \
src-address=10.0.1.0/24
add action=accept chain=input comment="From our private LAN2" disabled=no in-interface=ether3 \
src-address=192.168.88.0/24
add action=drop chain=input comment="Drop everything else" disabled=no in-interface=ether1
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=5900 in-interface=ether1 protocol=tcp \
to-addresses=10.0.1.2 to-ports=5900
add action=dst-nat chain=dstnat disabled=no dst-port=22 in-interface=ether1 protocol=tcp to-addresses=\
10.0.1.7 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.1.100 in-interface=ether2 to-addresses=\
192.168.88.100
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.1.110 in-interface=ether2 to-addresses=\
10.0.2.110
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.1.111 in-interface=ether2 to-addresses=\
10.0.2.111
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.1.112 in-interface=ether2 to-addresses=\
10.0.2.111
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.1.113 in-interface=ether2 to-addresses=\
10.0.2.113
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.1.114 in-interface=ether2 to-addresses=\
10.0.2.114
add action=src-nat chain=srcnat disabled=no out-interface=ether2 src-address=192.168.88.100 \
to-addresses=10.0.1.100
add action=src-nat chain=srcnat disabled=no out-interface=ether2 src-address=10.0.2.110 to-addresses=\
10.0.1.110
add action=src-nat chain=srcnat disabled=no out-interface=ether2 src-address=10.0.2.111 to-addresses=\
10.0.1.111
add action=src-nat chain=srcnat disabled=no out-interface=ether2 src-address=10.0.2.112 to-addresses=\
10.0.1.112
add action=src-nat chain=srcnat disabled=no out-interface=ether2 src-address=10.0.2.113 to-addresses=\
10.0.1.113
add action=src-nat chain=srcnat disabled=no out-interface=ether2 src-address=10.0.2.114 to-addresses=\
10.0.1.114
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=ether1 protocol=tcp to-addresses=\
10.0.1.7 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-port=53 in-interface=ether1 protocol=tcp to-addresses=\
10.0.1.7 to-ports=53
add action=dst-nat chain=dstnat disabled=no dst-port=53 in-interface=ether1 protocol=udp to-addresses=\
10.0.1.7 to-ports=53
add action=dst-nat chain=dstnat disabled=no dst-port=21 in-interface=ether1 protocol=tcp to-addresses=\
10.0.1.7 to-ports=21
add action=dst-nat chain=dstnat disabled=no dst-port=6882 in-interface=ether1 protocol=tcp \
to-addresses=10.0.1.2 to-ports=6882
add action=dst-nat chain=dstnat disabled=no dst-port=6883 in-interface=ether1 protocol=tcp \
to-addresses=10.0.1.3 to-ports=6883
add action=dst-nat chain=dstnat disabled=no dst-port=6885 in-interface=ether1 protocol=tcp \
to-addresses=10.0.1.2 to-ports=6885
add action=dst-nat chain=dstnat disabled=no dst-port=5901 in-interface=ether1 protocol=tcp \
to-addresses=10.0.1.7 to-ports=5900
add action=dst-nat chain=dstnat disabled=no dst-port=7777 in-interface=ether1 protocol=tcp \
to-addresses=10.0.1.2 to-ports=7777
add action=dst-nat chain=dstnat disabled=no dst-port=443 in-interface=ether1 protocol=tcp to-addresses=\
10.0.1.8 to-ports=443
add action=masquerade chain=srcnat disabled=no out-interface=ether1
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@MikroTik] >
I have been having the same issue, and have all but given up.
I have the following in my firewall, but still no luck…
/ip firewall filter
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=jump chain=forward comment="icmp jump to chain" disabled=no \
jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="echo reply" disabled=no icmp-options=\
0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" disabled=no \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" disabled=no \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no \
icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no \
icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no \
icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow bad parameter" disabled=no \
icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
I am certain it is something simple, but I am not grasping the concept very well.
Caci99
April 29, 2011, 10:17pm
5
In my country there is one ISP which I know for sure drops every ping packet (ICMP) to its own IPs if the packet is coming from an IP which is not theirs.
You can try pinging from another router which is on the same ISP.
fewi
April 29, 2011, 10:25pm
6
Yeah, both of those rule sets permit ICMP. If it’s getting dropped, it’s probably something in the way dropping it.
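An added illustration to go with fewi's reading of the two rule sets (this is not code from the thread or from MikroTik): a toy first-match evaluator that walks the posted input chain in the posted order, the way RouterOS does (first terminating rule decides, `log` falls through, no match means accept). It models only the matchers the posted rules use and approximates `limit=50/5s,2` with a token bucket; the outside address 203.0.113.5 and the packet timings are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration, not RouterOS code: a toy first-match evaluator for a
# RouterOS-style chain; limit=count/interval,burst is approximated as a token bucket.

class TokenBucket:
    """Approximation of the RouterOS limit matcher."""
    def __init__(self, count: int, interval_s: float, burst: int):
        self.rate = count / interval_s   # tokens refilled per second
        self.burst = burst               # bucket capacity
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

@dataclass
class Packet:
    protocol: str                  # "icmp", "tcp" or "udp"
    in_interface: str
    src_address: str
    dst_port: Optional[int] = None
    connection_state: str = "new"
    time: float = 0.0              # seconds; drives the limit matcher

@dataclass
class Rule:
    action: str                    # accept | drop | log
    comment: str = ""
    protocol: Optional[str] = None
    in_interface: Optional[str] = None
    src_address: Optional[str] = None   # CIDR prefix
    dst_port: Optional[int] = None
    connection_state: Optional[str] = None
    limit: Optional[TokenBucket] = None

    def matches(self, p: Packet) -> bool:
        for name in ("protocol", "in_interface", "connection_state", "dst_port"):
            want = getattr(self, name)
            if want is not None and want != getattr(p, name):
                return False
        if self.src_address and ipaddress.ip_address(p.src_address) not in ipaddress.ip_network(self.src_address):
            return False
        # limit goes last so the bucket is only consumed when every other matcher hits
        if self.limit and not self.limit.allow(p.time):
            return False
        return True

def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, str, List[str]]:
    """Return (verdict, comment of the deciding rule, log lines); 'log' records and falls through."""
    logs: List[str] = []
    for r in chain:
        if not r.matches(p):
            continue
        if r.action == "log":
            logs.append(f"{r.comment}: {p.protocol} from {p.src_address} on {p.in_interface}")
            continue
        return r.action, r.comment, logs
    return "accept", "chain default (no rule matched)", logs

def op_input_chain() -> List[Rule]:
    """The input chain from the posted '/ip firewall export', in the posted order."""
    return [
        Rule("accept", "Accept established connections", connection_state="established"),
        Rule("accept", "Accept related connections", connection_state="related"),
        Rule("accept", "UDP", protocol="udp"),
        Rule("drop", "Drop invalid connections", connection_state="invalid"),
        Rule("log", "Log everything else"),
        Rule("drop", "winbox", protocol="tcp", in_interface="ether1", dst_port=8291),
        Rule("drop", "SSH for secure shell", protocol="tcp", in_interface="ether1", dst_port=22),
        Rule("drop", "Telnet shell", protocol="tcp", in_interface="ether1", dst_port=23),
        Rule("accept", "Allow limited pings", protocol="icmp", limit=TokenBucket(50, 5, 2)),
        Rule("drop", "Drop excess pings", protocol="icmp"),
        Rule("accept", "From our private LAN1", in_interface="ether2", src_address="10.0.1.0/24"),
        Rule("accept", "From our private LAN2", in_interface="ether3", src_address="192.168.88.0/24"),
        Rule("drop", "Drop everything else", in_interface="ether1"),
    ]

def ping_verdicts_from_internet(n: int = 3) -> List[str]:
    """n echo requests arriving at the same instant on ether1 from 203.0.113.5 (constructed)."""
    chain = op_input_chain()
    return ["{} ({})".format(*evaluate(chain, Packet("icmp", "ether1", "203.0.113.5"))[:2]) for _ in range(n)]

def winbox_from_internet() -> Tuple[str, str, List[str]]:
    """One TCP/8291 SYN from outside: logged by the pass-through rule, then dropped."""
    return evaluate(op_input_chain(), Packet("tcp", "ether1", "203.0.113.5", dst_port=8291))

if __name__ == "__main__":
    print(ping_verdicts_from_internet())
    print(winbox_from_internet())
```

Two things the walk makes visible. The "Log everything else" rule is non-terminating, so an echo request from ether1 is logged and evaluation continues to "Allow limited pings", which accepts it (the burst of 2 means the third back-to-back request falls through to "Drop excess pings", which is by design); and because that accept sits before the LAN accept rules, pings from 10.0.1.0/24 are rate-limited too. Separately, RouterOS applies dstnat before the routing decision, so the outside TCP connections to ports 22, 80 and 443 that do work are being forwarded to 10.0.1.7 and 10.0.1.8 and never traverse the input chain; of the tests in the first post, only the ping addressed to the router itself is judged by these rules.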
Pretty sure it is something to do with RouterOS. I used to use a PIX 501 and I could ping just fine. I am thinking this is something to do with the dhcp-client, which is not a static IP.