Hi, I have a strange "problem". I have netmapped my public IPs so that they are routed through an L2TP tunnel, but when I ping these IPs they are unreachable. If I disable the netmap rule for any one IP, that IP answers pings from outside; as soon as I enable the rule again it is unreachable. My clients can use the Internet — it is working now — my only doubt is about ping.
Another question: done this way, I don't need to open ports, right? Is every port open for each mapped IP?
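# NOTE(review): this export contains the IPsec PSK and every PPP password in
# clear text. Share/store exports made with "/export hide-sensitive" and rotate
# the secrets below, since they have already been posted.
/interface bridge
add fast-forward=no name=loopback
/interface ethernet
# NOTE(review): proxy-arp on the Internet-facing interface makes the router
# answer ARP on ether1 for addresses it reaches over its other interfaces (the
# tunnel ranges). It is not needed for the netmapped public IPs, which are
# configured directly on ether1 below; consider arp=enabled unless something on
# the border segment relies on it.
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp
/ip pool
add name=VPN-L2TP-IPSec ranges=10.1.200.2-10.1.200.254
add name=PPTP ranges=10.1.100.2-10.1.100.254
/ppp profile
# NOTE(review): dns-server=172.16.1.1 points clients at this router, but
# /ip dns below does not set allow-remote-requests=yes, so those lookups will
# presumably fail and clients fall back to 8.8.8.8 — confirm before relying on it.
add change-tcp-mss=yes dns-server=172.16.1.1,8.8.8.8 local-address=172.16.1.1 \
name=profile-pptp only-one=yes
add local-address=10.1.200.1 name=L2TP-IPSec remote-address=VPN-L2TP-IPSec
add local-address=10.1.100.1 name=PPTP only-one=yes remote-address=PPTP
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
# NOTE(review): use-ipsec=yes still ACCEPTS plain (unencrypted) L2TP sessions;
# once your client is confirmed to negotiate IPsec, switch to
#   set use-ipsec=required
# so a misconfigured or downgraded client cannot connect in the clear.
set enabled=yes ipsec-secret=L2TPPassword use-ipsec=yes
/interface pptp-server server
# NOTE(review): PPTP (MS-CHAPv2 + MPPE) is cryptographically broken; the
# passwords in /ppp secret are the only thing standing between the Internet and
# the full port range of each netmapped host. Prefer the L2TP/IPsec server that
# is already configured and move these secrets to service=l2tp.
set enabled=yes
/ip address
add address=borderIP interface=ether1 network=BorderNetwork
# The public IPs below live directly on ether1, so the router itself answers
# ARP for them; the netmap rules in /ip firewall nat then hand the traffic to
# the matching VPN client.
add address=xxx.xxx.xxx.xxx/24 interface=ether1 network=xxx.xxx.xxx.0
add address=uuu.uuu.uuu.uuu/24 interface=ether1 network=xxx.xxx.xxx.0
add address=zzz.zzz.zzz.zzz/24 interface=ether1 network=xxx.xxx.xxx.0
add address=yyy.yyy.yyy.yyy/24 interface=ether1 network=xxx.xxx.xxx.0
add address=192.168.254.1 interface=loopback network=192.168.254.1
# NOTE(review): second entry for uuu.uuu.uuu.uuu (no prefix -> /32) duplicates
# the /24 entry above; one of the two can be removed.
add address=uuu.uuu.uuu.uuu interface=ether1 network=xxx.xxx.xxx.0
/ip arp
add address=zzz.zzz.zzz.zzz interface=ether1 mac-address=-------------
add address=yyy.yyy.yyy.yyy interface=ether1 mac-address=-------------
add address=uuu.uuu.uuu.uuu interface=ether1 mac-address=-------------
add address=xxx.xxx.xxx.xxx interface=ether1 mac-address=-------------
/ip dhcp-client
# NOTE(review): a DHCP client on ether1 next to the static default route below
# may install a second default route and override DNS (add-default-route /
# use-peer-dns default to yes) — confirm this is intended.
add dhcp-options=hostname,clientid interface=ether1
/ip dns
set cache-max-ttl=1d servers=\
8.8.8.8,8.8.4.4
/ip firewall filter
# NOTE(review): RouterOS ACCEPTS any packet that matches no rule, and this
# filter has no drop rule at all, so every "accept" below is currently a no-op:
# the router's own services (winbox 8291 and www 80 are not disabled in
# /ip service) and every port of every netmapped client are reachable from the
# Internet. The established/related and invalid rules added here are safe to
# apply now; the final drops are left disabled so you are not locked out — add
# an accept for your management source address (or restrict /ip service with
# address=) BEFORE enabling them.
add action=accept chain=input comment="Allow replies to router-initiated traffic" \
connection-state=established,related
add action=drop chain=input comment="Drop out-of-state/malformed packets" \
connection-state=invalid
add action=accept chain=input comment="Allow VPN - PPTP Server" dst-port=1723 \
protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment="Allow VPN - L2TP / IPSec Server" \
dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="Alow VPN traffic access & passthrough" \
src-address=10.1.100.0/24
add action=accept chain=input src-address=10.1.200.0/24
# The netmapped PPTP clients (172.16.1.50-52 in /ppp secret) are not covered by
# the 10.1.x.0/24 accepts above; let them reach the router (e.g. 172.16.1.1)
# before the final input drop is enabled.
add action=accept chain=input comment="Allow netmapped PPTP clients" \
src-address=172.16.1.0/24
add action=drop chain=input comment="Drop everything else to the router - ENABLE AFTER adding a management accept" \
disabled=yes
add action=accept chain=forward comment="Allow established/related flows" \
connection-state=established,related
add action=drop chain=forward comment="Drop out-of-state/malformed flows" \
connection-state=invalid
add action=accept chain=forward src-address=10.1.100.0/24
add action=accept chain=forward src-address=10.1.200.0/24
# Answer to the "do I need to open ports?" question: no — with no drop rule in
# the forward chain, EVERY TCP/UDP port (and ICMP) of each public IP is passed
# straight to the client; the client host's own firewall is the only filter.
# To expose only specific services, add accepts with dst-address=<public IP>
# dst-port=... ahead of the rule below and then enable it.
add action=drop chain=forward comment="Drop unlisted inbound ports to netmapped hosts - ENABLE AFTER adding per-port accepts" \
connection-nat-state=dstnat disabled=yes in-interface=ether1
/ip firewall nat
# NOTE(review): masquerade is disabled, so PPP clients that have no netmap pair
# below (the rest of the 10.1.100.x / 10.1.200.x pools) leave ether1 with a
# private source address — presumably they have no Internet access; confirm.
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
# Answer to the ping question: this behaviour is expected. With the dstnat rule
# enabled an ICMP echo to xxx.xxx.xxx.xxx is rewritten to 172.16.1.50 and
# forwarded to the PPTP client, which has to answer it (most host firewalls drop
# echo requests by default). With the rule disabled the router itself owns the
# address on ether1 and replies. The rules have no in-interface match, so the
# mapping also applies to traffic arriving from inside the tunnels.
add action=netmap chain=dstnat dst-address=xxx.xxx.xxx.xxx to-addresses=\
172.16.1.50
add action=netmap chain=srcnat src-address=172.16.1.50 to-addresses=\
xxx.xxx.xxx.xxx
add action=netmap chain=dstnat dst-address=yyy.yyy.yyy.yyy to-addresses=\
172.16.1.51
add action=netmap chain=srcnat src-address=172.16.1.51 to-addresses=\
yyy.yyy.yyy.yyy
add action=netmap chain=dstnat dst-address=zzz.zzz.zzz.zzz to-addresses=\
172.16.1.52
add action=netmap chain=srcnat src-address=172.16.1.52 to-addresses=\
zzz.zzz.zzz.zzz
add action=netmap chain=dstnat disabled=yes dst-address=uuu.uuu.uuu.uuu \
to-addresses=10.1.200.2
add action=netmap chain=srcnat disabled=yes src-address=10.1.200.2 \
to-addresses=uuu.uuu.uuu.uuu
/ip route
add distance=1 gateway=111.111.111.1
/ip service
# NOTE(review): www and winbox are not listed here, so they stay at their
# defaults (enabled, any source). Until the input drop above is enabled, limit
# them, e.g.  set winbox address=<your management IP>/32  and  set www disabled=yes
# if the web UI is not used.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
# NOTE(review): these secrets gate full inbound access to the mapped hosts
# (see the forward-chain note). Use long random passwords and rotate them now.
add local-address=172.16.1.1 name=xxx.xxx.xxx.xxx-! password=\
"password5" remote-address=172.16.1.50 service=pptp
add disabled=yes local-address=172.16.1.1 name=test-test password=password4 \
profile=profile-pptp remote-address=172.16.1.51 service=pptp
add local-address=172.16.1.1 name=yyy.yyy.yyy.yyy password="password3" \
remote-address=172.16.1.51 service=pptp
add local-address=172.16.1.1 name=zzz.zzz.zzz.zzz password="password2" \
remote-address=172.16.1.52 service=pptp
add local-address=10.1.200.1 name=uuu.uuu.uuu.uuu password="pasword1" \
profile=L2TP-IPSec remote-address=10.1.200.2 service=l2tp
/system identity
set name=Border
/system logging
add disabled=yes topics=pptp
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no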
