Network Browsing

Using V2.9.23, private wired and wireless interfaces bridged, wireless interface in AP Bridged mode, IP firewall rules created from pages 398-399 of the manual with the exception of “Deny NBT” port 137-139 UDP, which is disabled because it prevented file sharing on my network. Windows XP and 2000 PCs hardwired, XP laptops connected wireless. The wired PCs can ping each other by name but cannot ping the laptops by name. Pinging by IP address works fine. Laptops can ping each other by name but not the PCs. Pinging by IP address works fine.

Two questions: Is there a rule I can create or a setting I can change that will allow hosts on the wireless to communicate with wired hosts by name and vice-versa?
Secondly, by creating the firewall rules on pages 398-399, I’ve locked myself out from connecting via Winbox to the public interface of the router. What is the rule I need to add or modify to allow me to remote into the public interface to manage the MT?

Thanks in advance for any assistance.

Ports 137-139 are only part of what is needed for Windows shares; you also need port 445 (and 135, I think).

The reason your wireless clients can see each other is that they have forwarding enabled for them in your access list (or default forwarding is enabled for the whole interface). That particular setting will bypass the firewall entirely.

As for locking yourself out, I would guess that this is the rule that did you in:

add chain=input src-address=192.168.0.0/24 action=accept \
     comment="Allow access to router from known network"

You should modify 192.168.0.0/24 to match the actual subnets you use.

Be careful copying config lines directly from the manual; they often need to be modified to fit your network, and many may have effects you do not desire.

–Eric

Thanks for the reply Eric. I know why I’m locked out of remotely managing my router; I was hoping someone could help me with a rule I can add to allow me to connect from my office through the public interface for remote management.
My other problem is wireless clients not being able to share by name with wired clients and vice-versa even though everyone is on the same subnet (192.168.1.xxx). Sharing wired to wired and wireless to wireless no problem, just sharing wired to wireless or wireless to wired won’t work. Doesn’t sound like a big deal until I have to go around to all of the workstations updating hosts files every time I make a change on the network, and I’m not onsite just to add to the fun.

Just to clarify, I can manage the MT when I’m onsite through the bridge interface (192.168.1.xxx), but I would also like to remote into the public interface (206.192.xxx.xxx) when I am offsite.

Thanks, Mark
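
The input-chain behaviour discussed in this thread, as an added example that is not from any of the posts or from the MikroTik manual: a small Python model of first-match rule evaluation showing why the copied 192.168.0.0/24 rule does not cover a 192.168.1.xxx LAN, and how an accept rule limited to one office address and the default Winbox TCP port 8291 behaves when placed before or after the drop. The catch-all drop rule, the /24 prefix length and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def first_match(rules, src, proto="tcp", dport=8291):
    """Walk an input chain top-down and return (action, comment) of the first
    rule whose matchers all fit the packet, as RouterOS does."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if "src" in rule and addr not in ipaddress.ip_network(rule["src"]):
            continue
        if "proto" in rule and rule["proto"] != proto:
            continue
        if "dport" in rule and rule["dport"] != dport:
            continue
        return rule["action"], rule["comment"]
    return "accept", "no rule matched (chain default)"

# Assumption: the manual's rule set ends in a catch-all drop on the input chain.
DROP_REST = {"action": "drop", "comment": "drop everything else"}

# The rule quoted in the thread, copied without changing the subnet.
AS_COPIED = [
    {"src": "192.168.0.0/24", "action": "accept",
     "comment": "Allow access to router from known network"},
    DROP_REST,
]

# Constructed addresses: a LAN host in 192.168.1.0/24 (prefix length assumed),
# an office address and an unrelated Internet host from documentation ranges.
LAN_HOST, OFFICE, STRANGER = "192.168.1.10", "203.0.113.25", "198.51.100.7"
WINBOX = 8291  # default Winbox TCP port

CORRECTED = [
    {"src": "192.168.1.0/24", "action": "accept",
     "comment": "Allow access to router from known network"},
    {"src": OFFICE + "/32", "proto": "tcp", "dport": WINBOX, "action": "accept",
     "comment": "Winbox from office address only"},
    DROP_REST,
]

# Same rules, but the office rule placed after the drop: it is never reached.
MISORDERED = [CORRECTED[0], DROP_REST, CORRECTED[1]]

if __name__ == "__main__":
    for name, chain in (("as copied", AS_COPIED), ("corrected", CORRECTED),
                        ("misordered", MISORDERED)):
        for src in (LAN_HOST, OFFICE, STRANGER):
            print(f"{name:10} {src:15} -> {first_match(chain, src)}")
```

In the corrected chain only the office address reaches Winbox from outside; every other public source, and the office address on any other port, still falls through to the drop.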