Hi, I have a 1000u and a /27 public subnet on WAN. I configured the dst and src NATs and also did 1:1 mapping. I'm able to do remote desktop using the public address to local IPs, but I can't ping the address when servers are connected. I also did the filter rules for ICMP forward. Thanks in advance.
Post your firewall rules.
ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Added by webbox
chain=input action=accept protocol=icmp
1 ;;; Added by webbox
chain=input action=accept connection-state=established in-interface=NEPTUNO
2 ;;; Added by webbox
chain=input action=accept connection-state=related in-interface=NEPTUNO
3 ;;; Added by webbox
chain=input action=drop in-interface=NEPTUNO
4 ;;; Allow HTTP
chain=forward action=accept protocol=tcp dst-port=80
5 ;;; Allow SMTP
chain=forward action=accept protocol=tcp dst-port=25
6 ;;; allow TCP
chain=forward action=accept protocol=tcp
7 ;;; allow ping
chain=forward action=accept protocol=icmp
8 ;;; allow udp
chain=forward action=accept protocol=udp
9 ;;; Allow POP-110
chain=forward action=accept protocol=tcp dst-port=110
10 chain=forward action=jump jump-target=icmp protocol=icmp
11 ;;; allow echo request
chain=icmp action=accept protocol=icmp icmp-options=8:0
12 ;;; allow time exceed
chain=icmp action=accept protocol=icmp icmp-options=11:0
13 ;;; allow already established connections
chain=icmp action=accept protocol=icmp icmp-options=3:1
14 ;;; allow source quench
chain=icmp action=accept protocol=icmp icmp-options=4:0
15 chain=icmp action=accept protocol=icmp icmp-options=12:0
16 chain=icmp action=accept protocol=icmp icmp-options=12:0
17 chain=icmp action=accept protocol=icmp icmp-options=12:0
18 ;;; allow parameter bad
chain=icmp action=accept protocol=icmp icmp-options=17:0
19 chain=forward action=accept connection-state=established
20 chain=forward action=accept connection-state=established
nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Added by webbox
chain=srcnat action=masquerade out-interface=NEPTUNO
1 chain=dstnat action=dst-nat to-addresses=11.11.11.3 to-ports=0-65535 protocol=tcp dst-address=2yy.yy.yyy.y9 dst-port=0-65535
2 chain=srcnat action=src-nat to-addresses=2yy.yy.yyy.y9 to-ports=0-65535 protocol=tcp src-address=11.11.11.3 src-port=0-65535
3 chain=srcnat action=netmap to-addresses=2yy.yy.yyy.y7 to-ports=0-65535 protocol=tcp src-address=11.11.11.1 src-port=0-65535
4 chain=dstnat action=netmap to-addresses=11.11.11.1 to-ports=0-65535 protocol=tcp dst-address=2yy.yy.yyy.y7 dst-port=0-65535
5 chain=srcnat action=src-nat to-addresses=2yy.yy.yyy.y0 to-ports=0-65535 protocol=tcp src-address=11.11.11.4 src-port=0-65535
6 chain=dstnat action=dst-nat to-addresses=11.11.11.4 to-ports=0-65535 protocol=tcp dst-address=2yy.yy.yyy.y0 dst-port=0-65535
7 chain=srcnat action=src-nat to-addresses=2yy.yy.yyy.y1 to-ports=0-65535 protocol=tcp src-address=11.11.11.5 src-port=0-65535
8 chain=dstnat action=dst-nat to-addresses=11.11.11.5 to-ports=0-65535 protocol=tcp dst-address=2yy.yy.yyy.y1 dst-port=0-65535
Neptuno is the gateway interface (WAN), 2yy.yy.yyy.yX is the public /27 subnet. Thanks in advance.
Your NAT rules clearly say protocol=tcp. Ping is not a TCP protocol.
But what about ICMP? That's ping, or not?
Yes, ping is ICMP, but you do not have any NAT rule to forward it.
Yes, ping uses the ICMP protocol.
So I have to do a srcnat and dstnat with protocol ICMP?
Do I have to select any interface setup? Thanks.
I tried that and it didn't work out…
Works for me.
Make sure you have set up everything correctly.
srcnat you already have, in the form of a masquerade rule; you have to add a dstnat rule for ICMP protocol packets so that packets are forwarded through the router, as previous posters suggested.
Here are the rules I have there:
0 chain=srcnat action=masquerade out-interface=Out
1 chain=dstnat action=dst-nat to-addresses=<some internal address> protocol=tcp dst-address=<some external address>
Please pay attention when you read the manual on how to configure NAT and firewall in RouterOS. These features have a lot of options and you can break your networking in the blink of an eye if you set something you don't know anything about.
Thanks.
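Added example (not part of any poster's message and not MikroTik code): a small Python check that reads rules in the `nat print` layout shown in this thread and lists the public addresses whose dstnat rules match some protocols but not the one asked about, which is the gap the replies point out for ICMP. The sample rules, addresses and function names are constructed for this example; disabled rules, negated matchers and rule order are not considered.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the thread's "nat print" output.
# Addresses are documentation/private placeholders, not values from the thread.
SAMPLE_NAT_PRINT = """\
0 ;;; Added by webbox
chain=srcnat action=masquerade out-interface=WAN
1 chain=dstnat action=dst-nat to-addresses=10.0.0.3 protocol=tcp dst-address=203.0.113.9
2 chain=dstnat action=dst-nat to-addresses=10.0.0.4 protocol=tcp dst-address=203.0.113.10
3 chain=dstnat action=dst-nat to-addresses=10.0.0.4 protocol=icmp dst-address=203.0.113.10
4 chain=dstnat action=netmap to-addresses=10.0.0.5 dst-address=203.0.113.11
"""

PAIR = re.compile(r"([\w-]+)=(\S+)")  # key=value matchers such as protocol=tcp


def parse_rules(text):
    """Return one dict of key=value pairs per rule; comment-only lines are skipped."""
    rules = []
    for line in text.splitlines():
        body = line.split(";;;")[0]  # drop the "N ;;; comment" part
        if "chain=" in body:
            rules.append(dict(PAIR.findall(body)))
    return rules


def dstnat_coverage(rules):
    """Map each dst-address to the protocols its dstnat rules match.
    A rule without protocol= matches every protocol and is recorded as 'any'."""
    cover = defaultdict(set)
    for rule in rules:
        if rule.get("chain") == "dstnat" and "dst-address" in rule:
            cover[rule["dst-address"]].add(rule.get("protocol", "any"))
    return dict(cover)


def untranslated(rules, protocol):
    """Addresses that have dstnat mappings, none of which match `protocol`."""
    return sorted(addr for addr, protos in dstnat_coverage(rules).items()
                  if protocol not in protos and "any" not in protos)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_NAT_PRINT)
    for proto in ("tcp", "icmp", "udp"):
        print(proto, "not forwarded for:", untranslated(parsed, proto))
```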