I recently installed a routerboard with 2.8.18. The router is connected to the internet via the PUB interface using a non-routable IP block 172.18.1.2 -> 127.18.1.1. The equipment on the INT interface has routeable addresses and I can connect to the internet from anything on the inside of the INT interface. However, I cannot ping anything FROM the router itself. I have setup a masquerade of the 172.18.1.0/30 ip block and that didn't help. I can ping the public IP on the INT interface from the outside world. I also do not get SNMP responses from the router nor does DNS cache because the router cannot get the the DNS servers for lookups. I'm not sure where to look at this point. The router started with a reset before being programmed and had factory defaults (it was in a hotspot setup prior).
Any ideas?
Re: No connection FROM router but through router OK
For getting SNMP response, you should enable snmp service in /snmp, also add community name.
Please show what you have here:
/ip address print
Please show what you have here:
/ip address print
I recently installed a routerboard with 2.8.18. The router is connected to the
internet via the PUB interface using a non-routable IP block 172.18.1.2 -> 127.18.1.1. The equipment on the INT interface has routeable addresses and I can connect to the internet from anything on the inside of the INT interface. However, I cannot ping anything FROM the router itself. I have setup a masquerade of the 172.18.1.0/30 ip block and that didn't help. I can ping the public IP on the INT interface from the outside world. I also do not get SNMP responses from the router nor does DNS cache because the router cannot get the the DNS servers for lookups. I'm not sure where to look at this point. The router started with a reset before being programmed and had factory defaults (it was in a hotspot setup prior).
Any ideas?
Re: No connection FROM router but through router OK
[quote="viktorija"]For getting SNMP response, you should enable snmp service in /snmp, also add community name.
Please show what you have here:
/ip address print
SNMP is enabled. I have many other routerboards setup in other locations and they are working fine with SNMP, etc.
The /ip address print output:
0 172.18.1.2/30 172.18.1.0 172.18.1.3 pub
1 168.215.xxx.1/24 168.215.xxx.0 168.215.xxx.255 int
2 168.215.xxx.6/24 168.215.xxx.0 168.215.xxx.255 pub
Please show what you have here:
/ip address print
SNMP is enabled. I have many other routerboards setup in other locations and they are working fine with SNMP, etc.
The /ip address print output:
0 172.18.1.2/30 172.18.1.0 172.18.1.3 pub
1 168.215.xxx.1/24 168.215.xxx.0 168.215.xxx.255 int
2 168.215.xxx.6/24 168.215.xxx.0 168.215.xxx.255 pub
-
-
andrewluck
Forum Veteran
- Posts: 700
- Joined:
- Location: Norfolk, UK
-
-
andrewluck
Forum Veteran
- Posts: 700
- Joined:
- Location: Norfolk, UK
OK. There's your problem. You don;t have rules to allow things like DNS traffic to work. I've cut the list below to remove the stuff that's not relevant to this:
2 I ;;; accept requests for local DHCP server
in-interface=Wireless dst-address=:67 protocol=udp action=accept
4 ;;; Accept DNS replies
src-address=:53 in-interface=Internet protocol=udp action=accept
7 ;;; Accept Internet established traffic
in-interface=Internet connection-state=established action=accept
9 ;;; Drop all other Internet traffic
in-interface=Internet action=drop log=yes
Regards
Andrew
2 I ;;; accept requests for local DHCP server
in-interface=Wireless dst-address=:67 protocol=udp action=accept
4 ;;; Accept DNS replies
src-address=:53 in-interface=Internet protocol=udp action=accept
7 ;;; Accept Internet established traffic
in-interface=Internet connection-state=established action=accept
9 ;;; Drop all other Internet traffic
in-interface=Internet action=drop log=yes
Regards
Andrew
So...what does that have to do with not being able to ping ANY internet address FROM the router? That seems to be the root of my problems.OK. There's your problem. You don;t have rules to allow things like DNS traffic to work. I've cut the list below to remove the stuff that's not relevant to this:
2 I ;;; accept requests for local DHCP server
in-interface=Wireless dst-address=:67 protocol=udp action=accept
4 ;;; Accept DNS replies
src-address=:53 in-interface=Internet protocol=udp action=accept
7 ;;; Accept Internet established traffic
in-interface=Internet connection-state=established action=accept
9 ;;; Drop all other Internet traffic
in-interface=Internet action=drop log=yes
Regards
Andrew
-
-
andrewluck
Forum Veteran
- Posts: 700
- Joined:
- Location: Norfolk, UK
-
-
andrewluck
Forum Veteran
- Posts: 700
- Joined:
- Location: Norfolk, UK
There are no default rules and all traffic is allowed.
When you say you can't ping are you pinging an IP address or FQDN. This is a DNS issue if you can ping hosts by address but not name.
Install the rules that I posted for allowing DNS queries back into the router. Also make sure you've got an empty Output chain. Once DNS is working then you can put the rules in for allowing ICMP traffic.
Regards
Andrew
When you say you can't ping are you pinging an IP address or FQDN. This is a DNS issue if you can ping hosts by address but not name.
Install the rules that I posted for allowing DNS queries back into the router. Also make sure you've got an empty Output chain. Once DNS is working then you can put the rules in for allowing ICMP traffic.
Regards
Andrew