my RB750GL is connected to the ISP by a normal PPPoE connection. This works and I get an external IP. The LAN side consists of one internal subnet (192.168.128.0/24) which should get internet access through the PPPoE gateway. Currently the only client gets internet access without problems.
In order to protect my clients I use a srcnat.
Now the question is how to ping the WAN IP I got from the PPPoE connection? In my opinion as long as I do not have any filter rules applied to the pppoe connection no traffic passes the firewall from outside because of the srcnat. So ICMP for ping will be blocked.
Now my idea was to accept ICMP packages to get a ping reply from the router:
[admin@MkTk] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=icmp in-interface=PPPoE-TelekomDSL
1 chain=output action=accept protocol=icmp out-interface=PPPoE-TelekomDSL
The counter for the first rule rises, so the ping command definitely reaches the router. The second rule's counter stays at 0.
Is there a kind of backroute missing?
[admin@MkTk] /ip firewall nat> print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; === NAT Telekom DSL
chain=srcnat action=masquerade src-address=192.168.128.0/24 out-interface=PPPoE-TelekomDSL
There is nothing wrong, and I suppose you get replies with ping.
Keep in mind the meaning of the chains.
Input is traffic destined for the router.
Forward is for traffic passing the router.
Output is for traffic originated by the router.
If you define no rule, all the traffic reaching the router is accepted and handled by the router.
So if you define no rule at all, ping should be working.
If you have no special requirements, the following firewall rules are advised.
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add chain=input comment="Allow access from local network" in-interface= src-address=x.x.x.x/24
add action=log chain=input comment="Log everything else" disabled=yes log-prefix="IPv4 Drop input:"
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Accept established connections" connection-state=established
add chain=forward comment="Accept related connections" connection-state=related
add chain=forward comment="Allow traffic from Local network" in-interface= src-address=x.x.x.x/24
add action=log chain=forward comment="Log everything else" disabled=yes log-prefix="IPv4 Drop forward:"
add action=drop chain=forward comment="Drop everything else"
And for internet to work a NAT masquerade rule is needed:
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade internal to outside IP" out-interface=pppoe-wan src-address=x.x.x.x/24
I hope this clears the clouds from your thoughts.
Hm, when I see the rules everything seems very clear and easy. But it doesn't work.
The strange thing in my situation is that the torch command only sees the incoming ICMP, no outgoing?!
Neither my mobile phone nor my second DSL WAN connection are working. I use the tools/ping command with out-interface ether2. There is a second router connected which acts as gateway for the second WAN connection. Tracert shows me the way it goes and it's correct.
If you have applied the rules as I posted earlier, then ping will be dropped.
You should insert the rule you posted somewhere before the explicit drop rule.
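The ordering point made in this reply can be checked offline: RouterOS filter chains are first-match, so an accept rule placed after the catch-all drop never fires. The following is an added example (not the poster's or MikroTik's code) that walks a constructed external ICMP packet through the advised input chain; the interface name ether2, the LAN prefix 192.168.128.0/24 and the source address 203.0.113.5 are constructed values standing in for the x.x.x.x placeholders above.

```python
"""Simulate first-match evaluation of RouterOS-style filter rules (added example)."""
import ipaddress
import shlex

# Constructed ruleset: the advised input chain with placeholders filled in.
ADVISED = """
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add chain=input comment="Allow access from local network" in-interface=ether2 src-address=192.168.128.0/24
add action=drop chain=input comment="Drop everything else"
"""
# The poster's own ICMP accept rule from the first message.
ICMP_ACCEPT = "add chain=input action=accept protocol=icmp in-interface=PPPoE-TelekomDSL"

# Constructed packet: an echo request from the internet arriving over the PPPoE link.
EXTERNAL_PING = {"chain": "input", "protocol": "icmp", "in-interface": "PPPoE-TelekomDSL",
                 "connection-state": "new", "src-address": "203.0.113.5"}

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; RouterOS defaults action to accept."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rule = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            rule.setdefault("action", "accept")
            rules.append(rule)
    return rules

def matches(rule, packet):
    for key in ("protocol", "in-interface", "connection-state"):
        if key in rule and rule[key] != packet.get(key):
            return False
    if "src-address" in rule:
        net = ipaddress.ip_network(rule["src-address"], strict=False)
        if ipaddress.ip_address(packet["src-address"]) not in net:
            return False
    return True

def evaluate(rules, packet):
    """Return (action, index) of the first matching rule in the packet's chain.
    ('accept', None) models the implicit accept when no rule matches at all."""
    for i, rule in enumerate(rules):
        if rule.get("chain") == packet["chain"] and matches(rule, packet):
            return rule["action"], i
    return "accept", None

def insert_before_catchall(rules, rule):
    """Place rule directly in front of the first unconditional drop in its chain."""
    matcher_keys = {"protocol", "in-interface", "connection-state", "src-address"}
    for i, r in enumerate(rules):
        if r["chain"] == rule["chain"] and r["action"] == "drop" and not matcher_keys & r.keys():
            return rules[:i] + [rule] + rules[i:]
    return rules + [rule]
```

With the advised chain alone the packet hits the final drop; appending the ICMP rule at the end changes nothing, while inserting it before the catch-all yields an accept.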
Ok, I solved my problem.
Looks like there was a missing backroute in combination with a missing mangle rule. When I mark the incoming packets of the PPPoE connection with a routing mark, the external ping is successful. But then suddenly the ping from my subnet to the internet failed. Another static route with target "my subnet" and the routing mark I had just set did help.