Community discussions

 
pinkers
just joined
Topic Author
Posts: 3
Joined: Mon Jun 18, 2018 1:21 pm

icmp

Mon Jun 18, 2018 1:48 pm

hi,
i have routerboard with 2 wan and 2 ISP. i use one ISP for data and the second ISP for voice, this is config on separate network:
network1 (data)-->WAN1
network2 (voice)-->WAN2

all is ok.
On WAN1 i have set firewall rule for ICMP:
/ip firewall filter
add chain=input comment="Allow all ICMP" protocol=icmp
but the router not respond to icmp.
can you help me?
 
anav
Forum Guru
Forum Guru
Posts: 1139
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: icmp

Mon Jun 18, 2018 2:41 pm

How are you testing this?
 
User avatar
Anumrak
Forum Veteran
Forum Veteran
Posts: 903
Joined: Fri Jul 28, 2017 2:53 pm

Re: icmp

Tue Jun 19, 2018 5:31 pm

Perhaps you wanted use a forward chain.
 
anav
Forum Guru
Forum Guru
Posts: 1139
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: icmp

Wed Jun 20, 2018 12:36 am

Perhaps you wanted use a forward chain.
Why do you suggest forward chain?
ICMP is input to test the response of the router/////////////
Tempted to slap Anumrak upside the head. ;-)

Then I realize it says I am a long time user and I don't know sheite either LOL.
 
User avatar
Anumrak
Forum Veteran
Forum Veteran
Posts: 903
Joined: Fri Jul 28, 2017 2:53 pm

Re: icmp

Thu Jun 21, 2018 10:33 am

Perhaps you wanted use a forward chain.
Why do you suggest forward chain?
ICMP is input to test the response of the router/////////////
Tempted to slap Anumrak upside the head. ;-)

Then I realize it says I am a long time user and I don't know sheite either LOL.
Dude, I just saw he wanted forward ICMP for his data and voice! Maybe was drunk, dunno. Keep your emotions to yourself :D I bet I know more than you ^^
Last edited by Anumrak on Thu Jun 21, 2018 10:38 am, edited 1 time in total.
 
User avatar
Anumrak
Forum Veteran
Forum Veteran
Posts: 903
Joined: Fri Jul 28, 2017 2:53 pm

Re: icmp

Thu Jun 21, 2018 10:37 am

hi,
i have routerboard with 2 wan and 2 ISP. i use one ISP for data and the second ISP for voice, this is config on separate network:
network1 (data)-->WAN1
network2 (voice)-->WAN2

all is ok.
On WAN1 i have set firewall rule for ICMP:
/ip firewall filter
add chain=input comment="Allow all ICMP" protocol=icmp
but the router not respond to icmp.
can you help me?
You should check your rules above that one on both sides. It's pretty simple to allow icmp replying.
 
anav
Forum Guru
Forum Guru
Posts: 1139
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: icmp

Thu Jun 21, 2018 8:42 pm

Perhaps you wanted use a forward chain.
Why do you suggest forward chain?
ICMP is input to test the response of the router/////////////
Tempted to slap Anumrak upside the head. ;-)

Then I realize it says I am a long time user and I don't know sheite either LOL.
Dude, I just saw he wanted forward ICMP for his data and voice! Maybe was drunk, dunno. Keep your emotions to yourself :D I bet I know more than you ^^
No bets required, I am 100% positive you know more than I do.
Unfortunately, I am literate and logical though and for some reason (bad childhood) it gives me great pleasure to knock 'know it alls' of their vapour perches who probably wear their pants
below their skinny butt line, but that would be stereotyping.........

Where does it indicate he wanted to forward ICMP?
What does ICMP have to do with data and voice?
My basic knowledge impression is that ICMP is used to ensure that ones public IP was accessible from the internet.

Yes, the OP mentions Data and voice but in the context of the fact that he intends to use WAN1 for data and WAN2 for voice.
If anything I suspect that he wants to make sure that his WAN1 and WAN2 public IPs are accessible from the internet.
...
The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached.[1] ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute).
...

Back to the matter at hand for the OP.
It is hard to know why the basic INPUT chain rule you have setup is not working.
It is the exact same rule I have and it works.
Therefore it is probably due to some other Filter FW rules that you have in place and unless you post a configuration its impossible for us to figure out.
I am not sure if you copied the rule verbatim or were simply showing its allowed because you dont have the action syntax included.
/ip firewall filter
add chain=input comment="allow all icmp" protocol=(1) icmp action=accept


To provide the rest of your config use the terminal selection available in winbox and enter
/export hide-sensitive file=nameofyourchoosing

Then go to winbox left menu selection of Files
locate the file, right click on it and download to your PC.
Use notepad ++ to open the file and then you can paste here!
 
User avatar
Anumrak
Forum Veteran
Forum Veteran
Posts: 903
Joined: Fri Jul 28, 2017 2:53 pm

Re: icmp

Fri Jun 22, 2018 10:06 am

hi,
i have routerboard with 2 wan and 2 ISP. i use one ISP for data and the second ISP for voice, this is config on separate network:
network1 (data)-->WAN1
network2 (voice)-->WAN2

all is ok.
On WAN1 i have set firewall rule for ICMP:
/ip firewall filter
add chain=input comment="Allow all ICMP" protocol=icmp
but the router not respond to icmp.
can you help me?
What is IP address on your WAN1 and WAN2 interfaces? And show me your routes list.
 
pinkers
just joined
Topic Author
Posts: 3
Joined: Mon Jun 18, 2018 1:21 pm

Re: icmp

Fri Jul 13, 2018 7:42 pm

I thank you all and I apologize for the delay but I have had health problems, now resolved.

I would like to activate ICMP on the two public interfaces so that the router can be reached from the internet and from the internal network.


thanks for the help you can give me

This is conf:

# jun/01/2017 17:38:24 by RouterOS 6.40
# software id = 75AZ-C6N1
#
# model = RouterBOARD 3011UiAS
# serial number = 780E07967FB1
/interface ethernet
set [ find default-name=ether2 ] comment="FTTC50KPN DATI" name=FTTCEth2
set [ find default-name=ether6 ] comment="LAN per VOIP" name=LANVOIPEth6
set [ find default-name=ether4 ] comment="LAN DATI " name=LanEth4
set [ find default-name=ether5 ] comment="WAN per VOIP WI (backup)" name=\
WANWIVOIPEth5
set [ find default-name=ether3 ] comment="WAN Fastweb" name=WanEth3
set [ find default-name=ether7 ] comment="Vodafone Station"
set [ find default-name=ether8 ] comment="SHDSLKPN 2M Voce"
/interface pppoe-client
add disabled=no interface=FTTCEth2 name=pppoe-outDATI user=\
myuser@adsl.provider.it
/interface vlan
add disabled=yes interface=FTTCEth2 name=vlan11-DATI vlan-id=1
add interface=ether8 name=vlan11-Voce vlan-id=11
add interface=ether8 name=vlan111-voce vlan-id=111
/interface pppoe-client
add disabled=no interface=vlan11-Voce name=pppoe-out1-Voce user=\
myuser@adsl.provider.it
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=3des
/ip pool
add name=DHCOCOSVIM ranges=x1.x2.x3.101-x1.x2.x3.150
add name=dhcpvoce ranges=x1.x2.x4.50-x1.x2.x4.70
/ip dhcp-server
add address-pool=dhcpvoce disabled=no interface=LANVOIPEth6 name=dhcpsrvvoce
/queue simple
add limit-at=384k/384k max-limit=512k/2M name=voip priority=1/1 target=\
WANWIVOIPEth5
add name=Utente_Ip target=x1.x2.x3.118/32
/snmp community
set [ find default=yes ] addresses=\
x1.x2.x4.0/24,y1.y2.y3.y4/32,x1.x2.x3.0/24 name=passcom
/system logging action
set 1 disk-file-name=/disk1/logfolder/syslog
add disk-file-name=disk1/logfolder/webproxylog name=Logwebproxy target=disk
/user group
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!\
test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/dude
set data-directory=disk1 enabled=yes
/ip accounting
set enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=x1.x2.x3.254/32
/ip address
add address=x1.x2.x3.1/24 comment="LAN DATI " interface=LanEth4 network=\
x1.x2.x3.0
add address=x1.x2.x6.250/24 comment="WAN FASTWEB" interface=WanEth3 \
network=x1.x2.x6.0
add address=x1.x2.x7.254/24 comment="WAN VOIP WI" interface=WANWIVOIPEth5 \
network=x1.x2.x7.0
add address=x1.x2.x4.200/24 comment="LAN VOIP" interface=LANVOIPEth6 \
network=x1.x2.x4.0
add address=z1.z2.z3.z4 comment="SHDSL2MKPN WAN VOCE" interface=\
pppoe-out1-Voce network=z1.z2.z3.z4
add address=w1.w2.w3.w4 interface=FTTCEth2 network=255.255.255.248
add address=w1.w2.w3.w5 comment="web server" \
interface=FTTCEth2 network=255.255.255.248
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether7
/ip dhcp-server network
add address=x1.x2.x3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=x1.x2.x3.1
add address=x1.x2.x4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=x1.x2.x4.200
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=x1.x2.x49.0-x1.x2.x49.254 list=allowed_to_router
add address=x1.x2.x3.0-x1.x2.x3.254 list=allowed_to_router
add address=92.114.32.25 list=blacklist
add address=62.138.16.47 list=blacklist
add address=199.48.164.165 list=blacklist
add address=195.154.191.163 list=blacklist
add address=188.138.57.17 list=blacklist
add address=37.8.94.61 list=blacklist
add address=89.207.131.17 list=blacklist
add address=89.163.146.57 list=blacklist
add address=89.207.131.72 list=blacklist
add address=107.155.133.194 list=blacklist
add address=163.172.110.117 list=blacklist
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add action=log chain=input disabled=yes in-interface=pppoe-outDATI log=yes \
log-prefix="ICMP INGRESSO" protocol=icmp
add action=log chain=output disabled=yes log=yes log-prefix="ICMP DEBUG" \
out-interface=pppoe-outDATI protocol=icmp
add action=accept chain=input in-interface=LANVOIPEth6 protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="ACCEPT Stabilite e Related" \
connection-state=established,related
add action=accept chain=input comment=\
"Accetta tutto quello che arriva in ingresso dalla LAN" in-interface=\
LanEth4
add action=accept chain=input comment="Accetta tutto da LAN VOCE ETH6" \
in-interface=LANVOIPEth6
add action=accept chain=input comment="VPN in ingresso" dst-port="" protocol=\
tcp src-address=0.0.0.0 src-port=1723
add action=accept chain=input comment="GRE PROTOCOL IN INGRESSO" protocol=gre
add action=accept chain=input dst-port=3389 protocol=tcp
add action=accept chain=input comment="VPN STSENG" protocol=ipsec-esp \
src-address=a1.a2.a3.a4
add action=accept chain=forward dst-address=x1.x2.x3.7 in-interface=FTTCEth2 \
out-interface=LanEth4 src-address=b1.b2.b3.b4/28
add action=accept chain=input comment=\
"web server" dst-address=\
c1.c2.c3.c4 dst-port=80 protocol=tcp src-address=0.0.0.0
add action=accept chain=input comment="Regola proxy" disabled=yes dst-port=\
8888 protocol=tcp src-address=x1.x2.x3.0/24
add action=reject chain=input comment=\
"Drop quello che appartiene alla Blacklist" reject-with=\
icmp-network-unreachable src-address-list=blacklist
add action=drop chain=input comment="Drop invalid connection" \
connection-state=invalid
add action=drop chain=input comment=\
"Drop tutto quello che non e destinato ad essere instradato" disabled=yes \
dst-address-type=!local
add action=accept chain=forward comment=\
"ALLOW ASTERISK CONNECTIONS/REPLIES TO OUTSIDE (INTERNET)" protocol=udp \
src-address=x1.x2.x4.2
add action=accept chain=forward comment=\
"ALLOW FORWARDED CONNECTIONS/REPLIES TO INSIDE (LAN)" dst-address=\
x1.x2.x4.2 dst-port=10000-20000 protocol=udp
add action=accept chain=input comment="Drop tutti gli ip non unicast" \
src-address-type=!unicast
add chain=forward comment="Accept established and related packets" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" \
connection-state=invalid
add action=drop chain=input comment="Drop tutti i pacchetti che arrivano da in\
ternet ma non hanno IP pubblici" in-interface=FTTCEth2 src-address-list=\
NotPublic
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface=FTTCEth2
add action=drop chain=forward comment="Drop all packets from public internet w\
hich should not exist in public network" in-interface=FTTCEth2 \
src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to \
internet which should not exist in public network" disabled=yes \
dst-address-list=NotPublic in-interface=LanEth4
add action=drop chain=input comment="Regola proxy" disabled=yes dst-port=8888 \
protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Questa regola mi serve solo \
per markare i pacchetti che voglio inviare sul router voce" \
new-routing-mark=voip passthrough=yes src-address=x1.x2.x4.0/24
add action=mark-connection chain=input disabled=yes in-interface=WanEth3 \
new-connection-mark=wan8m passthrough=no
add action=mark-connection chain=input disabled=yes in-interface=FTTCEth2 \
new-connection-mark=WanVoip passthrough=no
add action=mark-routing chain=output connection-mark=wan8m disabled=yes \
new-routing-mark=to_wan8m passthrough=no
add action=mark-routing chain=output connection-mark=WanVoip disabled=yes \
new-routing-mark=to_wanvoip passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=dati passthrough=\
yes src-address=x1.x2.x3.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=src-nat chain=srcnat comment="La registrazione Plink su WI" \
dst-address=d1.d2.d3.d4 out-interface=WANWIVOIPEth5 routing-mark=voip \
to-addresses=x1.x2.x7.1
add action=dst-nat chain=dstnat comment="FORWARDING VPN" dst-port=1723 \
protocol=tcp to-addresses=x1.x2.x3.80 to-ports=1723
add action=accept chain=srcnat comment="NAT VPN SUBNET ENG" dst-address=\
b1.b2.b3.b4/28 src-address=x1.x2.x3.7
add action=masquerade chain=srcnat comment="LAN DATI SU INTERNET" disabled=\
yes out-interface=WanEth3 src-address=x1.x2.x3.0/24 to-addresses=\
e1.e2.e3.e4
add action=masquerade chain=srcnat comment="LAN VOCE SU INTERNET" disabled=\
yes out-interface=vlan11-Voce routing-mark=voip src-address=\
x1.x2.x4.0/24 to-addresses=z1.z2.z3.z4
add action=masquerade chain=srcnat comment="LAN VOCE SU INTERNET FAILOVER 8M" \
disabled=yes out-interface=WanEth3 src-address=x1.x2.x4.0/24
add action=accept chain=srcnat comment="LAN VOCE SU INTERNET FAILOVER WI" \
disabled=yes out-interface=WANWIVOIPEth5 src-address=x1.x2.x4.0/24
add action=masquerade chain=srcnat comment="Failover su Vodafone Station" \
out-interface=ether7 src-address=x1.x2.x3.0/24
add action=dst-nat chain=dstnat comment="dstnat webserver" dst-address=\
c1.c2.c3.c4 to-addresses=x1.x2.x3.242
add action=src-nat chain=srcnat comment="srcnat webserver" dst-address=\
!x1.x2.x3.6 src-address=x1.x2.x3.242 to-addresses=c1.c2.c3.c4
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=\
FTTCEth2 protocol=tcp src-port="" to-addresses=x1.x2.x3.242 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 port="" protocol=\
tcp to-addresses=x1.x2.x3.254 to-ports=3389
add action=redirect chain=dstnat comment="Trasparent Web Proxy" disabled=yes \
dst-address=!x1.x2.x3.242 dst-port=80 protocol=tcp src-address=\
!x1.x2.x3.242 to-ports=8888
/ip ipsec peer
add address=a1.a2.a3.a4/32 dh-group=modp1024 enc-algorithm=3des
/ip ipsec policy
add dst-address=b1.b2.b3.b4/28 sa-dst-address=a1.a2.a3.a4 \
sa-src-address=5.150.135.46 src-address=x1.x2.x3.7/32 tunnel=yes
/ip proxy
set cache-administrator=pinkers cache-on-disk=yes \
cache-path=disk1/web-proxy port=8888
/ip proxy access
add action=deny dst-host=*facebook.com
/ip route
add check-gateway=ping comment="QUesta regola la uso per i viare tutti i pacch\
etti marcati con \"voip\" sul router voce" distance=1 gateway=\
pppoe-out1-Voce routing-mark=voip
add comment="ROTTA DI FAILOVER PER VOIP" disabled=yes distance=10 gateway=\
x1.x2.x6.251 routing-mark=voip
add check-gateway=ping comment=\
"Questa regola la uso per inviare tutti i pacchetti dati sul router dati" \
distance=1 gateway=pppoe-outDATI routing-mark=dati
add check-gateway=ping comment="Failover vodafone station" disabled=yes \
distance=2 gateway=x1.x2.x6.251
add distance=1 dst-address=d1.d2.d3.d4/32 gateway=x1.x2.x7.1
/ip service
set telnet disabled=yes
set ftp address=f1.f2.f3.f4/32,x1.x2.x3.0/24
set www address=f1.f2.f3.f4/32,x1.x2.x3.0/24
set ssh disabled=yes port=8822
set api disabled=yes
set winbox address=f1.f2.f3.f4/32,x1.x2.x3.0/24
set api-ssl disabled=yes
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Rome
/system logging
add action=Logwebproxy prefix=LOGGING-> topics=web-proxy,!debug
/system ntp client
set enabled=yes primary-ntp=193.183.98.38 secondary-ntp=94.177.187.22 \
server-dns-names=8.8.8.8
/system scheduler
add name=BackupROSCosvim on-event=Backup policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/08/2017 start-time=01:10:02
/system script
add name=Backup owner=francesco policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
export file=export\r\
\n/tool e-mail send to=\"francesco.dilecce@linkat.it\" subject=\"\$[/syste\
m identity get name] export\" body=\"\$[/system clock get date] configurat\
ionfile\" file=export.rsc"
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=smtp-out.mailserver.it from=<no-reply@linkat.it> start-tls=yes \
user=francesco.dilecce@linkat.it
/tool graphing interface
add
/tool graphing queue
add
/tool mac-server
set [ find default=yes ] disabled=yes
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-interface=ether7 filter-ip-protocol=icmp
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1044
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa
Contact:

Re: icmp

Fri Jul 13, 2018 8:30 pm

Based on your config export, changing this rule:

add action=accept chain=input in-interface=LANVOIPEth6 protocol=icmp

to:

add action=accept chain=input protocol=icmp

Should allow ICMP on all interfaces
MTCNA, MTCTCE, MTCRE & MTCINE
 
pinkers
just joined
Topic Author
Posts: 3
Joined: Mon Jun 18, 2018 1:21 pm

Re: icmp

Mon Jul 16, 2018 2:53 pm

Based on your config export, changing this rule:

add action=accept chain=input in-interface=LANVOIPEth6 protocol=icmp

to:

add action=accept chain=input protocol=icmp

Should allow ICMP on all interfaces
Thanks CZFan i try this but not work.

Who is online

Users browsing this forum: khaloudy and 21 guests