No connection FROM router but through router OK

I recently installed a routerboard with 2.8.18. The router is connected to the internet via the PUB interface using a non-routable IP block 172.18.1.2 → 127.18.1.1. The equipment on the INT interface has routeable addresses and I can connect to the internet from anything on the inside of the INT interface. However, I cannot ping anything FROM the router itself. I have set up a masquerade of the 172.18.1.0/30 ip block and that didn't help. I can ping the public IP on the INT interface from the outside world. I also do not get SNMP responses from the router nor does DNS cache because the router cannot get to the DNS servers for lookups. I'm not sure where to look at this point. The router started with a reset before being programmed and had factory defaults (it was in a hotspot setup prior).

Any ideas?

For getting SNMP response, you should enable snmp service in /snmp, also add community name.
Please show what you have here:
/ip address print


[quote="viktorija"]For getting SNMP response, you should enable snmp service in /snmp, also add community name.
Please show what you have here:
/ip address print[/quote]


SNMP is enabled. I have many other routerboards setup in other locations and they are working fine with SNMP, etc.

The /ip address print output:

0 172.18.1.2/30 172.18.1.0 172.18.1.3 pub
1 168.215.xxx.1/24 168.215.xxx.0 168.215.xxx.255 int
2 168.215.xxx.6/24 168.215.xxx.0 168.215.xxx.255 pub

Do you have a gateway and/or the proper routes set?

Yes. It is routing stuff from one side to the other. The problem is that I cannot talk to anything FROM the router which breaks a number of things on the router. I can get SNMP traffic from devices on the internal side of the network.

What’s in the Input chain of your firewall rules?

0 src-address=12.144.xxx.0/23 action=accept
1 src-address=208.2.xxx.0/24 action=accept
2 src-address=168.215.xxx.0/24 action=accept
3 src-address=172.18.1.0/30 action=accept
4 action=drop

OK. There's your problem. You don't have rules to allow things like DNS traffic to work. I've cut the list below to remove the stuff that's not relevant to this:

2 I ;;; accept requests for local DHCP server
in-interface=Wireless dst-address=:67 protocol=udp action=accept

4 ;;; Accept DNS replies
src-address=:53 in-interface=Internet protocol=udp action=accept

7 ;;; Accept Internet established traffic
in-interface=Internet connection-state=established action=accept

9 ;;; Drop all other Internet traffic
in-interface=Internet action=drop log=yes

Regards

Andrew

So…what does that have to do with not being able to ping ANY internet address FROM the router? That seems to be the root of my problems.

With the last action in the chain being a Drop, unless you have a specific rule above this that allows ICMP traffic both in and out of the router then ping will fail. It certainly does on mine as with the rules I posted above, this traffic is not allowed.

Regards

Andrew

It failed when I had no rules at all, when I first installed it. Are there default rules that prevent certain traffic?

There are no default rules and all traffic is allowed.

When you say you can’t ping are you pinging an IP address or FQDN. This is a DNS issue if you can ping hosts by address but not name.

Install the rules that I posted for allowing DNS queries back into the router. Also make sure you’ve got an empty Output chain. Once DNS is working then you can put the rules in for allowing ICMP traffic.

Regards

Andrew
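The mechanism behind the whole thread is that replies to traffic the router itself originates (DNS answers, ICMP echo replies) come back through the input chain, so an input chain that ends in a drop and only accepts by source address silently kills everything the router tries to do for itself while forwarded traffic keeps working. The configuration below is an added example, not a post from this thread and not the poster's or Andrew's actual ruleset. It uses current RouterOS `/ip firewall filter` syntax (v6/v7), which differs from how the 2.8 CLI in the thread prints rules; the interface names `pub` and `int` come from the `/ip address print` output above, and the admin and test addresses are documentation-range placeholders. A stateful established/related accept covers DNS and ping replies without a source-port-53 accept like the one in Andrew's list, which lets any remote host in simply by sourcing from port 53.

```routeros
# Added example, not configuration from the thread. Current RouterOS (v6/v7)
# syntax; the 2.8 CLI shown in the thread prints rules in an older form.
# Interfaces: "pub" = Internet side, "int" = LAN side (from /ip address print).

/ip firewall filter

# 1. Replies to connections the router itself started (DNS lookups, pings,
#    NTP, package downloads) arrive on the input chain. Without this rule a
#    trailing drop discards them: forwarding works, "from the router" does not.
add chain=input connection-state=established,related action=accept \
    comment="replies to router-originated traffic"

# 2. Packets that belong to no tracked connection are stray or probing traffic.
add chain=input connection-state=invalid action=drop comment="drop invalid"

# 3. Allow the router to be pinged so reachability can be tested from outside.
add chain=input protocol=icmp action=accept comment="icmp"

# 4. Management (SNMP, SSH, Winbox) only from a trusted range on the LAN side.
#    192.0.2.0/24 is a documentation-range placeholder for the admin network.
add chain=input in-interface=int src-address=192.0.2.0/24 action=accept \
    comment="management from admin network"

# 5. Anything else aimed at the router from the Internet side is dropped and logged.
add chain=input in-interface=pub action=drop log=yes log-prefix="input-drop" \
    comment="drop remaining input from pub"

# The output chain is left empty so nothing the router sends is blocked.
/ip firewall filter print where chain=output

# Verify in two steps: by address first (routing and the state rule), then by
# name (DNS). 198.51.100.1 and the hostname are placeholders, not real targets.
/ping 198.51.100.1 count=3
/ping address=resolver.example count=3
```

If the ping by address succeeds but the ping by name fails, the firewall is fine and the problem is DNS configuration (`/ip dns print`), which matches the distinction Andrew draws above.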