Hi, another newbie question:
I’ve hardened access to my RouterOS device by following this wiki page: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
I allow access to all services from an internal subnet only, also all users can only login from that subnet.
But now I have this problem: from outside that subnet it’s not possible to ping the device. I rather would like to have ping possible also from outside this subnet.
Is there an explicit access setting also for the ping service itself? IMHO there should be one → feature request, as this is important also for remote monitoring etc…
This I left enabled, but ping from outside the subnet isn’t working:
[admin2@MikroTik] > /tool mac-server ping print
enabled: yes
I don’t understand the role of this device and its place in network layout (which I don’t understand either).
As far as I understand the setup, CRS is used as a LAN switch - all ports are bridged, meaning all are members of the same ethernet subnet. It also only has a single IP address 192.168.88.1/17 (which spans IP addresses from 192.168.0.0 to 192.168.127.255). You also configured a default router whose address is inside the indicated IP network.
You’re saying that you allow services from the same subnet which is fine.
But you also write that ping doesn’t work from outside this subnet.
Use of subnet mask /17 is not wrong, but rather uncommon (a /24 is more common). Are you sure it’s the right netmask? Is the same netmask configured on other LAN hosts, including router?
BTW, you could harden security of your device by using the /ip firewall config section. It is indeed less resource friendly, but as you’re only using the device as a switch, it would only deal with connections towards its own management interface. On the other hand it offers great flexibility and a logging facility as well.
Yes, the netmask /17 is correct, and all devices in LAN2 have it.
On Router1 a static route to 192.168.0.0/17 via IP 192.168.254.253 is present.
NAT is not used anywhere (except on the WAN router of course).
LAN1 normally has no other devices attached than those shown above.
But if I attach a PC with IP 192.168.254.3/24 to LAN1 then it somehow can’t ping LAN2, funny: not even 192.168.254.253 which is the same subnet.
Now, the problem for this PC in LAN1 is that it has two gateways: one default to WAN and the second to LAN2,
but the above static route on Router1 does cover this already. I even added an extra route going to LAN2 but still not working.
So, it seems to be a routing problem, maybe a problem with Router1 (it’s not an MT device, also not Router2);
I’ll need to check this further.
But, does the posted config of my switch allow ping requests from outside LAN2? I mean: should it normally work?
Thx
Update: I think I have an idea: it could be the (minimalistic) firewall on Router2 that I had set up some time ago… Sorry…
Update2: yes, found & fixed: there was an iptables firewall rule with state “Established and Related”, adding “New” to it solved the problem. The rationale behind it was to prevent all connections from LAN1 (and WAN) to LAN2, i.e. protecting LAN2 by allowing only outgoing connections… Ok, now for this test of course I have to change that rule…
Sorry for the confusion, it was my own fault…
Btw, I now found also a working solution whereby one allows only ping traffic (i.e. protocol icmp) via a firewall rule.
(This is on a router with an iptables firewall.)
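The two rule sets the poster ends up with, written out as an added example (this is not configuration from the thread or from any of the routers described): the original FORWARD chain that only lets reply traffic into LAN2, and the narrower fix that adds a single accept for ICMP echo-request instead of opening every NEW connection. The LAN2 prefix 192.168.0.0/17 comes from the thread; the interface names eth0/eth1 and the exact chain layout on Router2 are assumptions. By default the script only prints the iptables commands (dry run); run it with IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example, not from the forum thread. Generates (or, with IPT=iptables,
# applies) a FORWARD-chain policy for a router between LAN1 and LAN2.
# Interface names are assumptions; the LAN2 prefix is the one from the thread.
IPT="${IPT:-echo iptables}"          # dry run by default, prints the commands

LAN1_IF="${LAN1_IF:-eth0}"            # assumed: Router2 interface towards LAN1
LAN2_IF="${LAN2_IF:-eth1}"            # assumed: Router2 interface towards LAN2
LAN2_NET="192.168.0.0/17"             # LAN2 prefix given in the thread

# The original, too-strict rule set: LAN2 may open connections outwards,
# but only ESTABLISHED,RELATED traffic may enter LAN2. A new ping
# (ICMP echo-request) from LAN1 therefore hits the DROP policy.
strict_forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$LAN2_IF" -o "$LAN1_IF" -j ACCEPT
    $IPT -A FORWARD -i "$LAN1_IF" -o "$LAN2_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# The poster's first fix (adding NEW to the state match) would accept every
# new connection from LAN1 into LAN2 and give up the protection entirely.
# The narrower fix keeps the strict rules and accepts only echo-request
# towards LAN2, rate limited so the exception cannot be used to flood LAN2.
icmp_only_rules() {
    strict_forward_rules
    $IPT -A FORWARD -i "$LAN1_IF" -o "$LAN2_IF" -d "$LAN2_NET" \
        -p icmp --icmp-type echo-request \
        -m limit --limit 10/second --limit-burst 20 -j ACCEPT
}

# Sanity check on the generated rules: no rule may accept NEW connections
# without a protocol restriction. Prints the number of such rules (expect 0).
count_broad_new_rules() {
    icmp_only_rules | grep -c 'ctstate.*NEW' || true
}

# Running the script prints the rules so they can be reviewed before applying.
icmp_only_rules
```

Ordering matters: the echo-request accept is appended after the conntrack rule, and with the chain policy at DROP everything else from LAN1 into LAN2 still falls through. Echo replies from LAN2 hosts come back as RELATED/ESTABLISHED, so no extra rule is needed for the return path. On a RouterOS device the responder's /ip firewall filter suggestion is the place for the same accept-echo-request-then-drop ordering.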