KhandakarFaisal
just joined
Topic Author
Posts: 21
Joined: Wed Aug 13, 2014 2:06 pm
Location: Dhaka, Bangladesh

netmap and ICMP

Tue Jun 07, 2022 2:40 pm

Hello everyone,
I am trying to configure things so that the local LAN block can ping external networks through NAT.

Currently I am using netmap for NAT and everything is working fine, including browsing:
/ip firewall nat
action=netmap chain=srcnat dst-port=20-23,80,443 protocol=\
tcp src-address=192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26

I also configured ICMP NAT using netmap (outgoing only):
action=netmap chain=srcnat connection-limit=100,0 dst-limit=1,1,dst-address/10s limit=1,1:packet protocol=icmp \
src-address=192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26

Problem is, ICMP is not working.

Adding firewall rules does not help either:
add action=accept chain=forward protocol=icmp src-address=192.168.0.0/22
add action=accept chain=forward dst-address=192.168.0.0/22 protocol=icmp

Note: local users only need to be able to ping external networks; there is no need to allow pings from external networks to the local LAN.

Any help please.
Device: CCR1009-7G-1C-1S+, firmware: 6.49.6

Thanks.
Faisal.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: netmap and ICMP

Tue Jun 07, 2022 8:27 pm

Does it keep failing if you remove the connection-limit from the action=netmap protocol=icmp rule?

If it does, can you use action=src-nat with the same to-addresses=xxx.xxx.xxx.64/26 as a workaround, or do you really need to preserve the last 6 bits of the private IP?
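As an added illustration, not part of the thread, the address arithmetic behind the "last 6 bits" remark: with netmap the prefix length of to-addresses decides how many low-order bits of the private source address survive, so mapping a /22 onto a /26 is 16:1 rather than 1:1. The public block is a constructed TEST-NET-3 placeholder for the redacted xxx.xxx.xxx.64/26, and the netmap model assumes the Linux NETMAP semantics RouterOS is built on.

```python
import ipaddress
from collections import Counter

# Networks from the thread; the public /26 is a constructed TEST-NET-3
# placeholder standing in for the redacted xxx.xxx.xxx.64/26.
PRIVATE_NET = ipaddress.ip_network("192.168.0.0/22")
PUBLIC_NET = ipaddress.ip_network("203.0.113.64/26")


def netmap(src_ip: str, to_net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Model of action=netmap (assumed to follow the Linux NETMAP target):
    the network part of to_net replaces the high bits of src_ip, while the
    host bits below to_net's prefix length are kept unchanged."""
    src = int(ipaddress.ip_address(src_ip))
    mask = int(to_net.netmask)
    host_bits = src & (~mask & 0xFFFFFFFF)
    return ipaddress.ip_address(int(to_net.network_address) | host_bits)


def hosts_per_public_address(private: ipaddress.IPv4Network,
                             public: ipaddress.IPv4Network) -> int:
    """Private hosts that share each public address: 1 only when the prefix
    lengths are equal, otherwise 2^(difference) of them collide."""
    return 2 ** max(public.prefixlen - private.prefixlen, 0)


def mapping_histogram(private: ipaddress.IPv4Network,
                      public: ipaddress.IPv4Network) -> Counter:
    """Count how many private addresses land on each public address."""
    return Counter(str(netmap(str(h), public)) for h in private)


if __name__ == "__main__":
    for ip in ("192.168.0.1", "192.168.1.1", "192.168.3.255"):
        print(f"{ip} -> {netmap(ip, PUBLIC_NET)}")
    hist = mapping_histogram(PRIVATE_NET, PUBLIC_NET)
    print(f"{len(hist)} public addresses, each shared by {set(hist.values())} hosts")
```

Because 192.168.0.1 and 192.168.1.1 both land on the same public address, the mapping is not reversible, which is what distinguishes this setup from a true 1:1 netmap with equal prefix lengths.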
 
KhandakarFaisal

Re: netmap and ICMP

Wed Jun 08, 2022 1:02 pm

Thanks. I changed the action from netmap to src-nat, but ping still does not work.
I also need to mention that in WinBox, on the Firewall NAT tab, strangely there are no hits on these ICMP NAT rules: no bytes or packets.
Anything else to check?
 
sindy

Re: netmap and ICMP

Wed Jun 08, 2022 1:48 pm

If there are no hits on the rule, no packets have ever reached it or matched it. So very likely some other rule is shadowing it, meaning that packets that would normally match that icmp rule did match some previous rule in the chain and never reached the icmp one, or that they don't even reach the srcnat chain in the firewall because something else has blocked them.

So post the complete export of the configuration - see my automatic signature on how to properly remove sensitive information without breaking the consistency of the information.
 
KhandakarFaisal

Re: netmap and ICMP

Wed Jun 08, 2022 2:16 pm

Many thanks Sindy, please find the firewall and NAT config below:

/ip firewall filter
add action=accept chain=input src-address=xxx.xxx.xxx.236/30 #for BGP allow
add action=accept chain=output dst-address=xxx.xxx.xxx.236/30 #for BGP allow
add action=accept chain=input src-address=xxx.xxx.xxx.244/30 #for BGP allow
add action=accept chain=output dst-address=xxx.xxx.xxx.244/30 #for BGP allow
add action=accept chain=input protocol=icmp src-address=103.xxx.xxx.0/24 #ISP ping allow
add action=accept chain=output dst-address=103.xxx.xxx.0/24 protocol=icmp #ISP ping allow
add action=accept chain=output icmp-options=8:0-255 protocol=icmp \
src-address=103.xxx.xxx.64/26 #self ping allow
add action=accept chain=input dst-address=103.xxx.xxx.64/26 icmp-options=\
0:0-255 protocol=icmp #self ping allow
add action=accept chain=output connection-state=established,new dst-port=\
53,123 protocol=udp src-address=xxx.xxx.xxx.246 #ISP dns/ntp query allow
add action=accept chain=input connection-state=established,related \
dst-address=xxx.xxx.xxx.246 protocol=udp src-port=53,123 #ISP dns/ntp query allow
add action=accept chain=output connection-state=established,new dst-port=\
53,123 protocol=udp src-address=xxx.xxx.xxx.238 #ISP dns/ntp query allow
add action=accept chain=input connection-state=established,related \
dst-address=xxx.xxx.xxx.238 protocol=udp src-port=53,123 #ISP dns/ntp query allow
add action=accept chain=input connection-state=!invalid src-address=\
192.168.0.0/22
add action=accept chain=output connection-state=!invalid dst-address=\
192.168.0.0/22
add action=accept chain=forward protocol=icmp src-address=\
192.168.0.0/22
add action=accept chain=forward dst-address=192.168.0.0/22 \
protocol=icmp
add action=drop chain=input
add action=drop chain=output

add action=drop chain=forward dst-address=10.0.0.0/8 in-interface=bridge1
add action=drop chain=forward dst-address=172.16.0.0/12 in-interface=bridge1
add action=drop chain=forward dst-address=192.168.0.0/16 in-interface=bridge1
add action=reject chain=forward content=facebook.com dst-port=80,443 \
in-interface=bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=browsec dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=netflix dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=hoxx dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=hotspotshield dst-port=80,443 \
in-interface=bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=bitcoin dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=anchorfree dst-port=80,443 \
in-interface=bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=openvpn dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=hoichoi dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=primevideo dst-port=80,443 \
in-interface=bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=fundesh dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=torrent dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=finevpn dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=vpn-club dst-port=80,443 \
in-interface=bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=vpnclub dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward dst-address=xxx.xxx.100.35 in-interface=\
bridge1 reject-with=icmp-network-unreachable
add action=reject chain=forward dst-address=xxx.xxx.192.0/24 in-interface=\
bridge1 reject-with=icmp-network-unreachable
add action=accept chain=forward connection-state=established,new src-address=\
192.168.0.0/22
add action=accept chain=forward connection-state=established,related \
dst-address=192.168.0.0/22
add action=drop chain=forward src-address=!192.168.0.0/22
add action=drop chain=forward dst-address=!192.168.0.0/22

/ip firewall nat
add action=src-nat chain=srcnat src-address=xxx.xxx.xxx.246 to-addresses=\
xxx.xxx.xxx.64/30
add action=src-nat chain=srcnat src-address=xxx.xxx.xxx.238 to-addresses=\
xxx.xxx.xxx.64/30
add action=src-nat chain=srcnat connection-limit=100,0 dst-limit=\
1,1,dst-address/10s limit=1,1:packet protocol=icmp src-address=\
192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat dst-port=\
20-23,80,443,1723,4244,5242,5243,7985,500,515,1352,1533,3389,3390 \
protocol=tcp src-address=192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat dst-port=\
5050,5902,7618,8889,444,3128,3478,1158,1521,5500,5901,5900,4848,8189,8888 \
protocol=tcp src-address=192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat dst-port="3313,83,2047,2048,5051,5052,5081,8081\
,8082,8084,8443,8554,9080,40000-40010" protocol=tcp src-address=\
192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat dst-port="554,2099,4244,4443,5222,5223,5228-523\
0,5242,6313,10443,30000,33899,50318,59234" protocol=tcp src-address=\
192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat dst-port=\
6000-6016,7100,8090,8787,10554,20002,20014,31000-31012,40014 protocol=tcp \
src-address=192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat dst-port=\
20,123,500,515,1723,5000,5010,5050,5081,5100,8889,2047,2048,3478,5051 \
protocol=udp src-address=192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat dst-port=\
554,4500,5052,8081,8082,8084,8554,34784,45395,50318,59234,49000-50010 \
protocol=udp src-address=192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat protocol=gre src-address=192.168.0.0/22 \
to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat protocol=ipsec-esp src-address=192.168.0.0/22 \
to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat protocol=ipsec-ah src-address=192.168.0.0/22 \
to-addresses=xxx.xxx.xxx.64/26
 
sindy

Re: netmap and ICMP

Wed Jun 08, 2022 2:58 pm

There is nothing in the nat and filter tables that would explain the issue, unless the connection-limit, dst-limit, and limit matchers in the icmp nat rule itself are the reason - you did not clearly state whether you've tried it without them or not. Or, if you are afraid of some ICMP DDoS attack, place a copy of this rule with action=passthrough instead of action=src-nat and without the *limit matchers right before or right after the original rule and see whether this passthrough one counts. If it does, you can use that rule to tune the parameters of the *limit matchers.

Also, I'd recommend sniffing on the router while pinging some rarely used address, to see whether the echo request packets arrive at the router at all - open a command line window, make it as wide as your screen allows, start pinging from the test client and run /tool sniffer quick ip-protocol=icmp ip-address=rarely.used.ip.address in the command line window.
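An added example, not from the thread, of the shadowing check behind the "no hits" reasoning: a first-match walk over the posted srcnat chain for an ICMP echo from a LAN host, showing which rule would count and whether any earlier rule would catch the packet first. Only the protocol and src-address matchers are modelled; the *limit matchers are treated as always matching (the "copy without limits" test), ports are omitted, and the redacted addresses are constructed TEST-NET-3 placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One firewall rule with the matchers relevant to this thread; a None
    matcher means 'any', as in RouterOS when the property is not set."""
    action: str
    protocol: Optional[str] = None
    src_address: Optional[str] = None
    hits: int = 0  # the counter WinBox shows as packets

    def matches(self, proto: str, src: str) -> bool:
        if self.protocol and self.protocol != proto:
            return False
        if self.src_address:
            net = ipaddress.ip_network(self.src_address, strict=False)
            if ipaddress.ip_address(src) not in net:
                return False
        return True


def first_match(chain: List[Rule], proto: str, src: str) -> Optional[int]:
    """Index of the first rule that matches (terminating actions only),
    bumping its counter; None means the packet fell off the chain un-NATed."""
    for i, rule in enumerate(chain):
        if rule.matches(proto, src):
            rule.hits += 1
            return i
    return None


def shadowing_rules(chain: List[Rule], idx: int, proto: str, src: str) -> List[int]:
    """Earlier rules that would steal this traffic from rule idx."""
    return [i for i, r in enumerate(chain[:idx]) if r.matches(proto, src)]


# The srcnat chain from the posted export, redacted hosts replaced by
# constructed placeholders (203.0.113.0/24 is TEST-NET-3).
SRCNAT = [
    Rule("src-nat", src_address="203.0.113.246"),
    Rule("src-nat", src_address="203.0.113.238"),
    Rule("src-nat", protocol="icmp", src_address="192.168.0.0/22"),
    Rule("netmap", protocol="tcp", src_address="192.168.0.0/22"),
]

if __name__ == "__main__":
    hit = first_match(SRCNAT, "icmp", "192.168.1.10")
    print("icmp from LAN hits rule", hit, "shadowed by", shadowing_rules(SRCNAT, hit, "icmp", "192.168.1.10"))
```

Since nothing earlier in the chain matches LAN ICMP, a zero counter on that rule means the echo requests never reach srcnat at all, which is why the sniffer step comes next.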
 
KhandakarFaisal

Re: netmap and ICMP

Thu Jun 09, 2022 1:10 pm

Thanks, I'll check and update.
