Hi All
Have an issue with additional Public IP Pool on my Mikrotik RB 2011UiAS with OS: 6.43.8
I do not receive answer on pings send to additional Public IP pool from internet.

Here are details:
Primary IP: XXX.XXX.34.134 mask 255.255.255.252 on port ether1
Additional Public pool: YYY.YYY.46.128 /29 configured on lan side, ether 8 port:

Settings of "address":
[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf_MGMT_LAN
192.168.66.1/24 192.168.66.0 ether2
1 ;;; WAN IP
XXX.XXX.34.134/30 XXX.XXX.34.132 ether1
2 ;;; Public_WIFI
10.10.10.1/23 10.10.10.0 VLAN_WIFI_CS
3 ;;; S_WIFI
192.168.75.1/24 192.168.75.0 VLAN_SANDBOX_WIFI
4 ;;; Public_IP_POOL
YYY.YYY.46.129/29 YYY.YYY.46.128 ether8

Settings of "Routes":
[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 XXX.XXX.34.133 1
1 ADC 10.10.10.0/23 10.10.10.1 VLAN_WIFI_CS 0
2 ADC XXX.XXX.34.132/30 XXX.XXX.34.134 ether1 0
3 ADC YYY.YYY.46.128/29 XXX.XXX.46.129 ether8 0
4 ADC 192.168.66.0/24 192.168.66.1 bridge 0
5 ADC 192.168.75.0/24 192.168.75.1 VLAN_SANDBOX_WIFI 0

Public IP Pool is excluded from masquerade:

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: MASQUERADE ALL LAN with bypass for public IP_POOL
chain=srcnat action=masquerade src-address=!YYY.YYY.46.128/29
out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none

Port ether 8 is excluded from bridge.

To port 8 I have connected PC with one of public ip: YYY.YYY.46.130 and gw YYY.YYY.46.129. Internet is working fine. I’m going out with assigned IP (YYY.YYY.46.130 checked with-> https://www.whatismyip.com/what-is-my-p ... p-address/) I can send ping all is ok.

But when I try ping this pc (YYY.YYY.46.130) from outside then receive timeout.
When I send ping to YYY.YYY.46.129 I receive answer.
Moreover when I send ping from Mikrotik terminal there is answer from pc with YYY.YYY.46.130

TORCH on port Ether 8, when I’m sending pings from outside to YYY.YYY.46.130 -> screen in attachment TORCH on port Ether 1 when I’m sending pings from outside to YYY.YYY.46.130 - screen in attachment
I also created two firewall rules to allow traffic to affected IP Pool. The counters for this rules are showing traffic going through..

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Public_IP_POOL_IN
chain=forward action=accept dst-address=YYY.YYY.46.128/29
in-interface=ether1 out-interface=ether8 log=no log-prefix=""

1 ;;; Public_IP_POOL_OUT
chain=forward action=accept src-address=YYY.YYY.46.128/29
in-interface=ether8 out-interface=ether1 log=no log-prefix=""




Any idea what can be wrong?

Thank you in advance

Have you tried pinging from your other internal networks?
Is there any firewall on the PC in question?

Hi,

Thank you for answer.

Just checked again and no I couldn't ping YYY.YYY.46.130 from other internal networks (for YYY.YYY.46.129 ping is working fine from other local networks) . But your hint about FW push me to try turn it off completly and try again.. it start works

On mentioned PC is loaded Win 10 and rule for ping answer is enabled in both direction for all network profiles, confirmed with working pings from Mikrotik terminal.

Looks like there is other rule which i need to find and correct settings just to avoid wasting time with next case

Anyway thank you very much for your help and attention.


Cheers

If it's the built-in firewall rule for icmp echo request, it's limited to local subnets, check its properties.

Hello Sob,

Yes, you are right.
Was able to locate the mentioned option so for other ones who will face this issue, mentioned option is located here: Change it to "Any IP address" or define it regarding to needs.

Thanks