Zugschlus
just joined
Topic Author
Posts: 10
Joined: Tue Mar 11, 2008 6:58 pm

ping hotspot client?

Fri Oct 02, 2009 4:48 pm

Hi,

I have an IP hotspot with the gateway running on RouterOS 3.17. I see a freshly connected client obtaining a DHCP lease, have verified that the box is actually online (and is responding to pings in another network, there is no personal firewall). But I cannot ping the address from the RouterOS box itself (ping timeout).

Do I need to have a special rule in the walled garden config to allow my clients to be pinged?

Greetings
Marc
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: ping hotspot client?

Fri Oct 02, 2009 6:26 pm

Is the client logged in? Or just connected?
If just connected, you will need to bypass the hotspot to ping.

    /ip hotspot ip-binding
    add address=xx.xx.xx.xx type=bypassed

"Ping in another network" is vague. Same localnet as the client?
 
Zugschlus
just joined
Topic Author
Posts: 10
Joined: Tue Mar 11, 2008 6:58 pm

Re: ping hotspot client?

Fri Oct 02, 2009 6:56 pm

> Is the client logged in? Or just connected?

Just connected. The walled garden is configured so that an IPSEC gateway is reachable without being logged in, so the local employees just fire up their VPN client, while guests who want to access the Internet need to log in to the hotspot.

> If just connected, you will need to bypass the hotspot to ping.
> /ip hotspot ip-binding
> add address=xx.xx.xx.xx type=bypassed

Is this a persistent setting? Does it somehow affect the client's connectivity?

> "Ping in another network" is vague. Same localnet as the client?

I mean, when the client is connected to a "normal" network, not being the Mikrotik device, it can be pinged from both the local net and via a router. I mentioned this to prove that the client would reply to echo requests if they reached it.

Greetings
Marc
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: ping hotspot client?

Fri Oct 02, 2009 7:30 pm

If you want to ping the client, the client will need to log in, or you need to bypass the client in "/ip hotspot ip-binding". The walled-garden is only one-way. Outbound requests/responses only.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: ping hotspot client?

Fri Oct 02, 2009 7:44 pm

If you're happy with all clients being able to ping while being un-authenticated, enable ICMP in the walled-garden IP level. That works for me just fine, we allow ICMP for troubleshooting purposes. Here is the entry:

    [admin@MikroTik] > /ip hotspot walled-garden ip pri
    Flags: X - disabled, I - invalid
     #   SERVER        PROTOCOL   DST-HOST        DST-ADDRESS     DST-PORT   ACTION
     0   ;;; Allow hotspot users to ping for troubleshooting purposes
                       icmp                                                  accept

Here's an unauthenticated host:

    [admin@MikroTik] > /ip hotspot host pri
    Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
     #    MAC-ADDRESS       ADDRESS         TO-ADDRESS      SERVER     IDLE-TIMEOUT
     0 H  00:1E:52:87:F4:4A 10.2.1.254      10.2.1.254      Hotspot    30m

With the walled-garden entry disabled, ping from the router to the client does not work:

    [admin@MikroTik] > /ip hotspot walled-garden ip disable 0
    [admin@MikroTik] > ping 10.2.1.254
    10.2.1.254 ping timeout
    2 packets transmitted, 0 packets received, 100% packet loss

With the entry enabled, it does:

    [admin@MikroTik] > /ip hotspot walled-garden ip enable 0
    [admin@MikroTik] > ping 10.2.1.254
    10.2.1.254 ping timeout
    10.2.1.254 64 byte ping: ttl=64 time=2 ms
    10.2.1.254 64 byte ping: ttl=64 time=5 ms
    10.2.1.254 64 byte ping: ttl=64 time=3 ms
    4 packets transmitted, 3 packets received, 25% packet loss
    round-trip min/avg/max = 2/3.3/5 ms
    [admin@MikroTik] >