Page 1 of 1

ping not responding

Posted: Mon Dec 07, 2009 4:14 am
by pollo
H i have a 1000u and /27 public subnet on wan I configured the dst and src nats also i did 1:1 mapping, Im able to do remote desktop, using the public address to local IPS, but i cant ping the address when servers connected, also did the filter rules icmp forward. Thanks in Advance..

Re: ping not responding

Posted: Mon Dec 07, 2009 7:56 am
by fewi
Post your firewall rules.

Re: ping not responding

Posted: Mon Dec 07, 2009 8:38 am
by pollo
ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Added by webbox
     chain=input action=accept protocol=icmp 

 1   ;;; Added by webbox
     chain=input action=accept connection-state=established in-interface=NEPTUNO 

 2   ;;; Added by webbox
     chain=input action=accept connection-state=related in-interface=NEPTUNO 

 3   ;;; Added by webbox
     chain=input action=drop in-interface=NEPTUNO 

 4   ;;; Allow HTTP
     chain=forward action=accept protocol=tcp dst-port=80 

 5   ;;; Allow SMTP
     chain=forward action=accept protocol=tcp dst-port=25 

 6   ;;; allow TCP
     chain=forward action=accept protocol=tcp 

 7   ;;; allow ping
     chain=forward action=accept protocol=icmp 

 8   ;;; allow udp
     chain=forward action=accept protocol=udp 

 9   ;;; Allow POP-110
     chain=forward action=accept protocol=tcp dst-port=110 

10   chain=forward action=jump jump-target=icmp protocol=icmp 

11   ;;; allow echo request
     chain=icmp action=accept protocol=icmp icmp-options=8:0 

12   ;;; allow time exceed
     chain=icmp action=accept protocol=icmp icmp-options=11:0 

13   ;;; allow already established connections
     chain=icmp action=accept protocol=icmp icmp-options=3:1

14   ;;; allow source quench
     chain=icmp action=accept protocol=icmp icmp-options=4:0 

15   chain=icmp action=accept protocol=icmp icmp-options=12:0 

16   chain=icmp action=accept protocol=icmp icmp-options=12:0 

17   chain=icmp action=accept protocol=icmp icmp-options=12:0 

18   ;;; allow parameter bad
     chain=icmp action=accept protocol=icmp icmp-options=17:0 

19   chain=forward action=accept connection-state=established 

20   chain=forward action=accept connection-state=established
nat print      
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Added by webbox
     chain=srcnat action=masquerade out-interface=NEPTUNO 

 1   chain=dstnat action=dst-nat to-addresses=11.11.11.3 to-ports=0-65535 protocol=tcp dst-address=2yy.yy.yyy.y9 dst-port=0-65535 

 2   chain=srcnat action=src-nat to-addresses=2yy.yy.yyy.y9 to-ports=0-65535 protocol=tcp src-address=11.11.11.3 src-port=0-65535 

 3   chain=srcnat action=netmap to-addresses=2yy.yy.yyy.y7 to-ports=0-65535 protocol=tcp src-address=11.11.11.1 src-port=0-65535 

 4   chain=dstnat action=netmap to-addresses=11.11.11.1 to-ports=0-65535 protocol=tcp dst-address=2yy.yy.yyy.y7 dst-port=0-65535 

 5   chain=srcnat action=src-nat to-addresses=2yy.yy.yyy.y0 to-ports=0-65535 protocol=tcp src-address=11.11.11.4 src-port=0-65535 

 6   chain=dstnat action=dst-nat to-addresses=11.11.11.4 to-ports=0-65535 protocol=tcp dst-address=2yy.yy.yyy.y0 dst-port=0-65535 

 7   chain=srcnat action=src-nat to-addresses=2yy.yy.yyy.y1 to-ports=0-65535 protocol=tcp src-address=11.11.11.5 src-port=0-65535 

 8   chain=dstnat action=dst-nat to-addresses=11.11.11.5 to-ports=0-65535 protocol=tcp dst-address=2yy.yy.yyy.y1 dst-port=0-65535 
Neptuno is gateway interface(wan), 2yy.yy.yyy.yX is public subnet/27 Thanks in advance.

Re: ping not responding

Posted: Mon Dec 07, 2009 8:56 am
by mrz
Your NAT rules clearly says protocol=tcp. Ping is not TCP protocol.

Re: ping not responding

Posted: Mon Dec 07, 2009 2:21 pm
by pollo
but what about icmp thats ping or not

Re: ping not responding

Posted: Mon Dec 07, 2009 2:52 pm
by kirshteins
Yes, ping is ICMP, but you do not have any NAT rule to forward it.

Re: ping not responding

Posted: Mon Dec 07, 2009 2:53 pm
by mrz
Yes, ping uses ICPM protocol.

Re: ping not responding

Posted: Mon Dec 07, 2009 3:31 pm
by pollo
so i have to do a scrnat and dst nat with protocol icmp?

Do i have to select any interface setup.? thankss

Re: ping not responding

Posted: Mon Dec 07, 2009 3:51 pm
by pollo
i tried that and didnt workout...

Re: ping not responding

Posted: Wed Dec 09, 2009 10:56 am
by janisk
works for me.

make sure you have set up everything correctly
srcnat you already have, in form of masquerade rule, you have to add dstnat rule for ICMP protocol packets so packets are forwarded through the router as previous posters suggested.

here are rules i have there:
0   chain=srcnat action=masquerade out-interface=Out
1   chain=dstnat action=dst-nat to-addresses=<some internal address> protocol=tcp dst-address=<some external address>
please pay attention when you read manual on how to configure NAT and firewall in RouterOS, these features have a lot options and you can brake your networking in a blink of an eye, if you set something you dont know anything about.

Re: ping not responding

Posted: Wed Dec 09, 2009 2:12 pm
by pollo
Thanksss.