Unable to ping google from LAN to WAN

Hello All,

I would like to ask for some assistance and/or pointers on how to resolve an issue I've been having for about 2 weeks that is driving me up the wall. I was trying to upgrade a web server by running a WGET command but kept getting "host unreachable". I then attempted to ping Google at 8.8.8.8 and received the same result. When I changed my default gateway on the server to another route, the ping went through. When I put back the original default gateway IP address (192.168.1.200), the ping failed. As I can reach the server from the WAN (public IP) to the LAN, I suspect that it is something with my NAT configuration. This is what my topology looks like:
(attached image: Mikrotik NAS Topology.jpg)
Basically I would like to know what rule I need in order to get out to the internet from my server (LAN) to the public internet (WAN), as I have been unable to figure this out thus far. If it helps, this is what I have for my configuration currently:

/ip firewall filter
add action=accept chain=input comment="Allow Whitelist IP's" disabled=no src-address-list=Whitelist
add action=drop chain=input comment="Block Unauthorized access to winbox except Whitelist" disabled=no dst-port=8291 protocol=tcp src-address-list=!Whitelist
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid disabled=no
add action=accept chain=input comment="ICMP/PING Rules" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input disabled=no protocol=icmp
add action=accept chain=input comment=winbox disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accept Established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="Accept Current Connections" connection-state=established disabled=no
add action=accept chain=forward connection-state=related disabled=no
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list="BOGON IPs"
add action=drop chain=input comment="Block Flagged IPs" disabled=no src-address-list="Blocked IPs"
add action=drop chain=forward connection-state=invalid disabled=no
add action=drop chain=forward disabled=no src-address-list="Blocked IPs"
add action=log chain=input comment="Log Blocked Foreign IP" disabled=no log-prefix="Block Foreign IPs"
add action=drop chain=input comment="Block Foreign IPs" disabled=no src-address-list=Foreign
add action=drop chain=forward disabled=no src-address-list=Foreign
add action=accept chain=output comment="FTP Bruteforce Protection" content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list="Blocked IP's" address-list-timeout=3h chain=output content="530 Login incorrect" disabled=no protocol=tcp
add action=add-src-to-address-list address-list="Blocked IPs" address-list-timeout=2w chain=input comment="Add Port Scanners to Blocked IPs" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Drop UDP 520" disabled=no dst-port=520 protocol=udp
add action=drop chain=input comment="Drop Common Ports" disabled=no dst-port=21 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=22 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=23 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=3389 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=1433 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=135 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=137 in-interface=ether1-wan protocol=udp
add action=drop chain=input disabled=no dst-port=138 in-interface=ether1-wan protocol=udp
add action=drop chain=input disabled=no dst-port=139 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=445 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=69 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=389 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=3306 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=1352 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no in-interface=ether1-wan protocol=tcp src-port=23
add action=drop chain=input disabled=no in-interface=ether1-wan protocol=tcp src-port=22
add action=drop chain=input disabled=no in-interface=ether1-wan protocol=tcp src-port=21
add action=drop chain=input comment="Block PHPMyAdmin, Webmin, Web Shell - Outside Access" disabled=no dst-port=12320 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=12321 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=12322 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=12320 in-interface=ether1-wan protocol=udp
add action=drop chain=input disabled=no dst-port=12321 in-interface=ether1-wan protocol=udp
add action=drop chain=input disabled=no dst-port=12322 in-interface=ether1-wan protocol=udp
add action=drop chain=input comment="Mail Server Rules" disabled=no dst-port=587 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=25 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=8080 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=143 in-interface=ether1-wan protocol=tcp
add action=drop chain=input disabled=no dst-port=110 in-interface=ether1-wan protocol=tcp
add action=log chain=input comment="Drop Packet Log" disabled=no log-prefix=Filter:
add action=drop chain=input comment="Drop everything else" disabled=no

/ip firewall nat
add action=dst-nat chain=dstnat comment="dst nat srv01 ssh" disabled=yes dst-address=1.2.3.4 dst-port=22 protocol=tcp to-addresses=192.168.1.165 to-ports=22
add action=dst-nat chain=dstnat comment="dst nat srv01 https" disabled=no dst-address=1.2.3.4 dst-port=444 protocol=tcp to-addresses=192.168.1.165 to-ports=444
add action=dst-nat chain=dstnat comment="dst nat srv01 http" disabled=no dst-address=1.2.3.4 dst-port=80 protocol=tcp to-addresses=192.168.1.165 to-ports=8888
add action=masquerade chain=srcnat comment="masquerade servers" disabled=no src-address=192.168.1.0/24


Thanks in advance to anyone that can help me to resolve this issue.

Many Regards

add action=masquerade chain=srcnat comment="masquerade servers" disabled=no src-address=192.168.1.0/24

Add out-interface=ether1 to your rule above.

add action=masquerade chain=srcnat comment="masquerade servers" disabled=no out-interface=ether1 src-address=192.168.1.0/24

Does that help?

What operating system is your server running? Linux often uses arp ping by default, and depending on your firewall you are probably blocking that.
Start by disabling your firewall and then run your tests. Then re-enable the firewall. You may need to modify your firewall by adding some rules.

Hello Soonwai,

Thank you for your reply. I will try the rule adjustment you suggested and update you with the result.

To answer dgnevans' question, the server being used is Linux. As for going through the firewall rules, I will review them again after I try the aforementioned suggestion.

Thank you both.

Regards

Hello dgnevans,

Thank you for your assistance in suggesting that I check my firewall rules. I did just that, and in my address list to block bad IPs I found one entry that was 192.0.0.0/2; after going through 2754 addresses I had to remove that one to resolve my issue. It makes a lot of sense to go through any address list anyone downloads from the web and verify each and every entry to avoid my mistake. As for the hairpin solution, I had tried that suggestion first but it didn't work; however, I will take note of it just in case I need it in the future. Thank you all once again.

Regards,