I have an extension site which is backhauled as if it is a client of the main tower. Hopefully a diagram explains the setup:

Internet-->Main Site-->wireless-->TR200-->ethernet-->Wrap V.2.8.28-->ethernet-->RB532 V.2.9.10 w/ Prism AP-->wireless-->TR200 Client Radios

The site has been working great from the customer prospective, but I'm unable to ping the Prism AP or the Client Radios if not logged into the local router (WRAP V.2.8.28).

I've tried adding all the necessary firewall rules to allow the pings to pass. Since I'm running Hotspot on the WRAP router, I've also added a rule that mangled pings from my internal network ips with the "hs-auth" tag.

My torch session and troubleshooting show that the WRAP router is receiving the ping from the Main Site on its WAN ethernet port, but it doesn't show on the internal bridged interface. The pings do not make it to the RB532 which has the AP on board.

I'm sure there is something that I'm missing, but can anyone give me a series of things to check or verify? Assuming I have all the correct accept statements and mangle rules, how could I go about troubleshooting a problem like this to determine it isn't a setup issue?

Any help, thoughts, or ideas would be greatly appreciated. I've been having this problem for the past 6 months with this site and another like it and it is really driving me crazy.

Thanks,

-Chad