Mikrotik 1200 - Net Prohibited Issue ???

mnour · Tue Oct 30, 2012 10:56 pm

Using Mikrotik Routerboard 1200 as a main router and 40 asus repeaters flashed with DD-WRT

I am using the built in Hotspot to provide Internet for clients .

RB1200 ( Ether1 - 192.168.222.1/24 ) --------- > Switch
ISP <--------- RB1200 (Ether 2)
RB1200 ( Ether3 - 192.168.0.1/20 - Hotspot Port - DHCP Pool ) --------- > Switch

------------- Floor 1
Switch ---------> ------------- Floor 2
------------- Floor 3

for the repeaters the IPs are 192.168.222.2 - 192.168.222.42
*************************************************************

I am connecting to the Rb1200 using Winbox , usually I use Putty and web interface to manage the repeaters , of course I can do that using port forwarding .

but before I put port forwarding , I have to be able to ping those repeaters from mikrotik using the ether1 , when I am trying to ping them , they reply with net prohibited and the reply is from 192.168.0.1 .

I think it is related to firewall filter rules

ip firewall filter print all 
Flags: X - disabled, I - invalid, D - dynamic 

 0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth 

 1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth 

 2 D chain=input action=jump jump-target=hs-input hotspot=from-client 

 3 D chain=input action=drop protocol=tcp hotspot=!from-client 
     dst-port=64872-64875 

 4 I chain=hs-input action=jump jump-target=pre-hs-input 

 5 D chain=hs-input action=accept protocol=udp dst-port=64872 

 6 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875 

 7 D chain=hs-unauth action=return dst-address=x.x.x.x

 8 D chain=hs-unauth action=return dst-address=y.y.y.y

 9 D chain=hs-unauth action=return dst-address=z.z.z.z

10 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth 

11 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp 

12 D chain=hs-unauth-to action=return src-address=x.x.x.x 

13 D chain=hs-unauth-to action=return src-address=y.y.y.y

14 D chain=hs-unauth-to action=return src-address=z.z.z.z 

15 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited 

16 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited 

17 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

so any advice please ?????

jandafields · Tue Oct 30, 2012 11:05 pm

Reset the counters on all your rules to zero, then run the ping and see which rule increments.

TheWiFiGuy · Wed Oct 31, 2012 4:02 am

Add the repeaters ip address to /ip hotspot ip-binding as bypassed

mnour · Wed Oct 31, 2012 10:29 pm

Add the repeaters ip address to /ip hotspot ip-binding as bypassed

I treid adding this in Ip binding but no way

can you help me in the syntax or how I can use winbox to do that , cause I tried but no way

jandafields · Thu Nov 01, 2012 3:28 pm

Look in the hotspot settings in winbox. You will see bindings.

mnour · Thu Nov 01, 2012 9:01 pm

THANKS guys for your answer

for the first suggestion

I reset all counters and when I am trying to ping more than one filter rule match and increase their counter and I delete most of them and still have the same result .

if you ckecked the rule 15&16 I deleted both of them and nothing changed

for the second one before I asked you I tried to go to winbox and I added repeaters Ip in address box and Server : all and type is : Bypassed ans still have the same result

is that what you guys both suggested ?????

jandafields · Thu Nov 01, 2012 9:28 pm

THANKS guys for your answer

for the first suggestion

I reset all counters and when I am trying to ping more than one filter rule match and increase their counter and I delete most of them and still have the same result .

if you ckecked the rule 15&16 I deleted both of them and nothing changed

for the second one before I asked you I tried to go to winbox and I added repeaters Ip in address box and Server : all and type is : Bypassed ans still have the same result

is that what you guys both suggested ?????

Did you add their ip addresses to the bindings?

mnour · Thu Nov 01, 2012 10:14 pm

THANKS guys for your answer

for the first suggestion

I reset all counters and when I am trying to ping more than one filter rule match and increase their counter and I delete most of them and still have the same result .

if you ckecked the rule 15&16 I deleted both of them and nothing changed

for the second one before I asked you I tried to go to winbox and I added repeaters Ip in address box and Server : all and type is : Bypassed ans still have the same result

is that what you guys both suggested ?????

Did you add their ip addresses to the bindings?

Yes I told you , hotspot - IP binding - add new Ip binding and filled address and server and type as suggested

mnour · Tue Nov 06, 2012 5:04 pm

one more thing , my repeaters are Asus N12 flashed with DD-WRT , if I connect to them " using another way " and refresh or try to modify something then I can ping , after 20-3- minutes I can not any more .

mnour · Thu Jan 31, 2013 11:24 pm

ANY ANSWER ? I still have the same problem