I have configured routing between two subnets which I'll call "Office" and "Home". Home is defined on the bridge and includes ether2, ether3, ether4 and the wireless. Office is connected to ether1.
From a host on Office subnet I can ping one particular device on the Home subnet, but can't open a TCP connection. Packet captures show the initial SYN being received on ether1 but not being sent on the bridge interface. It seems to apply to this host only. I don't have a problem for example opening a web page from our PVR that's connected via the same interface.
I'm not sure where I should be looking. The "problem" host is my SIP system and is regularly refreshing its registrations. Could those connections in some way be interfering with forwarding TCP? It doesn't seem likely on the face of it, as the SIP connections are going out of ether5.
The firewall shouldn't be interfering, as the relevant interfaces are all in the same interface list, "LAN".
/ip firewall filter
add action=accept chain=forward disabled=yes in-interface-list=LAN out-interface-list=LAN \
src-address-list=""
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
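One way to check the posted rules against the symptom is to walk the filter chains by hand for the packet in question. The script below is an added example, not part of the original post and not a MikroTik tool: it parses the export above (copied into the script verbatim as constructed input), then evaluates constructed packets against the forward and input chains. It assumes RouterOS's implicit accept at the end of a chain when no rule matches, treats `fasttrack-connection` as non-terminating (the packet continues to the next rule, which is why the default configuration follows it with an explicit accept), and implements only the matchers that appear in the posted rules.

```python
"""Walk the posted RouterOS filter export with a constructed packet.

Toy evaluator for this example only: it understands the matchers present in the
posted rules (interface lists, connection-state, connection-nat-state,
ipsec-policy, protocol, dst-address) and nothing else.
"""
import shlex

# Constructed input: the export from the post above, verbatim (the NAT section is
# kept so the parser shows that it only collects rules from /ip firewall filter).
EXPORT = r"""
/ip firewall filter
add action=accept chain=forward disabled=yes in-interface-list=LAN out-interface-list=LAN \
src-address-list=""
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
"""

META = {"action", "chain", "comment", "disabled"}
# Assumption (see lead-in): these actions let the packet continue to the next rule.
NON_TERMINATING = {"fasttrack-connection", "log", "passthrough"}
# Matchers where the packet carries a set (the lists / policies it belongs to).
SET_MATCHERS = {"in-interface-list", "out-interface-list", "src-address-list",
                "dst-address-list", "ipsec-policy"}
IMPLICIT_ACCEPT = ("accept", "implicit: end of chain, RouterOS default policy")


def parse_export(text):
    """Return the /ip firewall filter rules as a list of {matcher: value} dicts."""
    rules, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):              # export wraps long lines with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            # shlex strips the quotes around comment="..." and splits on spaces.
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules


def matches(rule, pkt):
    """True if every matcher of the rule agrees with the packet."""
    for key, want in rule.items():
        if key in META or want == "":        # src-address-list="" is an unset matcher
            continue
        negate = want.startswith("!")
        want = want.lstrip("!")
        have = pkt.get(key)
        if key == "connection-state":        # rule value lists alternatives: established,related
            hit = have in want.split(",")
        elif key in SET_MATCHERS:
            hit = want in (have or ())
        else:
            hit = have == want
        if hit == negate:                    # plain matcher missed, or negated matcher hit
            return False
    return True


def evaluate(rules, chain, pkt):
    """Return (action, comment) of the rule that decides the packet's fate."""
    for rule in rules:
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        if matches(rule, pkt) and rule["action"] not in NON_TERMINATING:
            return rule["action"], rule.get("comment", "")
    return IMPLICIT_ACCEPT


# Constructed packets. Office and Home are both in interface list LAN (per the post);
# no NAT and no IPsec apply, so connection-nat-state is simply absent.
SYN_OFFICE_TO_HOME = {
    "protocol": "tcp",
    "connection-state": "new",
    "in-interface-list": {"LAN"},
    "out-interface-list": {"LAN"},
    "ipsec-policy": {"in,none", "out,none"},
}
SYN_SEEN_AS_INVALID = {**SYN_OFFICE_TO_HOME, "connection-state": "invalid"}
PING_TO_ROUTER = {"protocol": "icmp", "connection-state": "new", "in-interface-list": {"LAN"}}


def main():
    rules = parse_export(EXPORT)
    print(f"{len(rules)} filter rules parsed")
    for name, chain, pkt in [("LAN->LAN SYN, state new", "forward", SYN_OFFICE_TO_HOME),
                             ("LAN->LAN SYN, state invalid", "forward", SYN_SEEN_AS_INVALID),
                             ("ICMP to the router", "input", PING_TO_ROUTER)]:
        action, why = evaluate(rules, chain, pkt)
        print(f"{name:28} -> {action:7} ({why})")


if __name__ == "__main__":
    main()
```

Run as posted, the LAN-to-LAN SYN in state `new` falls through every enabled forward rule to the implicit accept, so the rules as shown do not block it; the same packet seen by connection tracking as `invalid` is dropped by "defconf: drop invalid", which is the only drop in the forward chain that traffic entering on a LAN interface can reach. The quick check on the router is therefore to watch that rule's counters (`/ip firewall filter print stats`) or set `log=yes` on it while reproducing the failed connection. Note also that the first forward rule, which would accept LAN-to-LAN traffic explicitly, is `disabled=yes` in the export.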