ping hotspot client?

Hi,

I have an IP hotspot with the gateway running on RouterOS 3.17. I see a freshly connected client obtaining a DHCP lease, have verified that the box is actually online (and is responding to pings in another network, there is no personal firewall). But I cannot ping the address from the RouterOS box itself (ping timeout).

Do I need to have a special rule in the walled garden config to allow my clients to be pinged?

Greetings
Marc

Is the client logged in? Or just connected?
If just connected, you will need to bypass the hotspot to ping.
/ip hotspot ip-binding
add address=xx.xx.xx.xx type=bypassed

“Ping in another network” is vague. Same localnet as the client?

Just connected. The walled garden is configured so that an IPSEC gateway is reachable without being logged in, so the local employees just fire up their VPN client, while guests who want to access the Internet need to log in to the hotspot.

Is this a persistent setting? Does it somehow affect the client’s connectivity?


I mean, when the client is connected to a “normal” network, not being the Mikrotik device, it can be pinged from both the local net and via a router. I mentioned this to prove that the client would reply to echo requests if they reached it.

Greetings
Marc

If you want to ping the client, the client will need to log in, or you need to bypass the client in “/ip hotspot ip-binding”. The walled-garden is only one-way. Outbound requests/responses only.

If you’re happy with all clients being able to ping while being unauthenticated, enable ICMP at the walled-garden IP level. That works for me just fine; we allow ICMP for troubleshooting purposes. Here is the entry:

[admin@MikroTik] > /ip hotspot walled-garden ip pri
Flags: X - disabled, I - invalid 
 #   SERVER        PROTOCOL   DST-HOST        DST-ADDRESS     DST-PORT   ACTION
 0   ;;; Allow hotspot users to ping for troubleshooting purposes
                   icmp                                                  accept

Here’s an unauthenticated host:

[admin@MikroTik] > /ip hotspot host pri
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed 
 #    MAC-ADDRESS       ADDRESS         TO-ADDRESS      SERVER     IDLE-TIMEOUT
 0 H  00:1E:52:87:F4:4A 10.2.1.254      10.2.1.254      Hotspot    30m

With the walled-garden entry disabled, ping from the router to the client does not work:

[admin@MikroTik] > /ip hotspot walled-garden ip disable 0
[admin@MikroTik] > ping 10.2.1.254
10.2.1.254 ping timeout
2 packets transmitted, 0 packets received, 100% packet loss

With the entry enabled, it does:

[admin@MikroTik] > /ip hotspot walled-garden ip enable 0       
[admin@MikroTik] > ping 10.2.1.254                      
10.2.1.254 ping timeout
10.2.1.254 64 byte ping: ttl=64 time=2 ms
10.2.1.254 64 byte ping: ttl=64 time=5 ms
10.2.1.254 64 byte ping: ttl=64 time=3 ms
4 packets transmitted, 3 packets received, 25% packet loss
round-trip min/avg/max = 2/3.3/5 ms
[admin@MikroTik] >