Hello all,

At a customer site we installed a Mikrotik CCR (core) serving internet to hAp Lites through PPPoE. A setup we use very often in buildings with multiple sub customers.
The core Mikrotik is pingable and reachable through SNMP. However, all the other PPPoE client hAp Lites can be reached with HTTP and responds to ping, but seems to reject ICMP packets from our monitoring server and SNMP packets.

Is there something in the firewall filter of the core Mikrotik I have to enable in order for our monitoring server to ping and SNMP the hAp Lites?

Beeelze

Looks like you have nat in the way. You should be routing or bridging in the internal network instead of natting. If it is the case with you can use dst nat to redirect the ports and masquerade it towards inner network to fool the inner routers or add special accepting rule in input chain for that connections. If you use dude you can run the dude agent on that ccr to get the data from the directly connected clients and deliver them to central dude instance. Or you can run monitoring tunnel from each of the clients to your central point... Many things you can do.

Hi Jarda,

All the clients have a public IP address being PPPoE clients. Alle the IP addresses are excluded from NAT in the core Mikrotik firewall filter.
So there is no NAT involved here. Also, the core Mikrotik does not have a masquerade rule, it should just passthrough all traffic.

This should be enough right?

Beeelze

It should. Focus on input firewall rules of each device...