I have been testing and tweaking my RB411AH configuration and thought I was OK. It seems I can communicate with the router as long as the connection comes from the same IP subnet. We have several routable IPs. I have a "foreign network" connected to a Linksys router that I use to test VPN connections.
The WAN side of the Linksys is on the same subnet as the WAN port on the MT411AH. From a client behind the Linksys I can ping and tunnel to the MT411AH. I can see and VPN to a Netopia router (which the MT411 is supposed to replace) on the same subnet from a different IP range, so there is no blocking by our ISP.
* MT411AH [67.141.xxx.xxx] ---- [67.141.xxx.xxx] Linksys: this connection works as expected.
* MT411AH [67.141.xxx.xxx] ---- [some internet IP address]: cannot ping or see the WAN port on the MT411AH.
I’m thinking the issue is in my firewall rules:
# feb/05/2009 09:19:27 by RouterOS 3.10
# software id = I4LM-LTT
#
/ip firewall filter
add action=accept chain=input comment="accept established connection packets" \
connection-state=established disabled=no
add action=accept chain=input comment="accept related connection packets" \
connection-state=related disabled=no
add action=drop chain=input comment="drop invalid packets" connection-state=\
invalid disabled=no
add action=accept chain=input comment=\
"Allow access to router from known network" disabled=no src-address-list=\
safe
add action=drop chain=input comment="detect and drop port scan connections" \
disabled=no protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
3,32 disabled=no protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="detect DoS attack" \
connection-limit=10,32 disabled=no protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" disabled=no \
jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" disabled=no \
jump-target=services
add action=accept chain=input comment="Allow Broadcast Traffic" disabled=no \
dst-address-type=broadcast
add action=log chain=input comment="" disabled=no log-prefix=Filter:
add action=drop chain=input comment="drop everything else" disabled=no
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no \
icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no \
icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no \
icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no \
icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no \
icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" disabled=no \
protocol=icmp
add action=accept chain=services comment="accept localhost" disabled=no \
dst-address=127.0.0.1 src-address-list=127.0.0.1
add action=accept chain=services comment="allow winbox " disabled=no \
dst-port=8291 protocol=udp
add action=accept chain=services comment="Bandwidth server" disabled=yes \
dst-port=2000 protocol=tcp
add action=accept chain=services comment=" MT Discovery Protocol" disabled=\
yes dst-port=5678 protocol=udp
add action=accept chain=services comment="Allow PPTP" disabled=no dst-port=\
1723 protocol=tcp
add action=accept chain=services comment="allow FTP" disabled=no dst-address=\
192.168.2.3 dst-port=21 protocol=tcp
add action=return chain=services comment="" disabled=no
I’m assuming it is something simple that I just cannot see.
.thanks
.rick..