yottabit
Member Candidate
Topic Author
Posts: 198
Joined: Thu Feb 21, 2013 5:56 am

Bitten by Dynamic Interface Lists

Thu Nov 15, 2018 5:49 am

Just a cautionary tale for all of you out there. When the 'detnet' and dynamic interface lists were implemented a while back, I just removed them from the default configs because I didn't trust them yet, and didn't want to bother with the hassle of something trying to automate what I typically didn't need automated. ;-)

Over the intervening time I have grown less wary of it, and I don't always delete it entirely anymore.

Today I set up an IPIP-over-IPSec tunnel between two locations. I could ping just fine from LAN1 to Router2 over the tunnel between Router1 and Router2. But I could not Winbox or Webfig from LAN1 to Router2. It was driving me insane.

Finally I found that I had a high-precedence firewall filter to allow ICMP with source of "! WAN" but then my lower precedence catch-all was to drop with source of "! LAN". Apparently the IPIP tunnel interface is not included in "LAN" so I had to change that rule to drop with a source of "WAN" instead.

Spent a good bit of time scratching my head on that one.
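The behaviour described in the post above, as an added example that is not part of the original post: a simplified Python model of first-match filtering with negated interface-list matchers. The interface names (`ether1`, `bridge`, `ipip-tunnel1`), the list membership and the rule tuples are constructed for illustration and are not taken from the poster's configuration.

```python
# Simplified model of first-match filtering with negated interface-list matchers.
# Interface names, list membership and rule fields are constructed for illustration.

INTERFACE_LISTS = {
    "WAN": {"ether1"},
    "LAN": {"bridge"},  # the tunnel interface was never added to this list
}

# Rules in evaluation order: (action, protocol or None for any, list name, negated)
RULES_BEFORE = [
    ("accept", "icmp", "WAN", True),   # accept ICMP arriving from "! WAN"
    ("drop",   None,   "LAN", True),   # catch-all: drop anything from "! LAN"
]
RULES_AFTER = [
    ("accept", "icmp", "WAN", True),
    ("drop",   None,   "WAN", False),  # catch-all changed to: drop from "WAN"
]

def evaluate(rules, in_interface, protocol, default="accept"):
    """Return the action of the first matching rule, else the chain default."""
    for action, proto, list_name, negated in rules:
        if proto is not None and proto != protocol:
            continue
        in_list = in_interface in INTERFACE_LISTS[list_name]
        # A plain matcher needs membership; a negated matcher needs absence.
        if in_list != negated:
            return action
    return default

def unlisted(interfaces):
    """Interfaces in no list at all: every negated list matcher matches them."""
    members = set().union(*INTERFACE_LISTS.values())
    return sorted(set(interfaces) - members)

if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for iface in ("bridge", "ipip-tunnel1", "ether1"):
            for proto in ("icmp", "tcp"):
                print(label, iface, proto, evaluate(rules, iface, proto))
    print("in no list:", unlisted(["ether1", "bridge", "ipip-tunnel1"]))
```

In this model the tunnel interface passes the ICMP rule but hits the "! LAN" drop for TCP, which matches the ping-works, Winbox-fails symptom. After the change, an interface that is in neither list falls through to the chain default, so it is worth running a check like `unlisted` whenever tunnels or other interfaces are added.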
