My setup is NOT using NAT.
I have real public IPs on my network of servers, and my MikroTik is sitting between my uplink and servers. Everything is in one /28 subnet; I'm not doing any routing. To get to my servers from the internet, traffic physically flows through my MikroTik to the servers.
Very simply, I want to block ICMP to all my servers. However, this does not work at all. Here are the lines of config I set up:
/ip firewall filter
add action=drop chain=forward protocol=icmp
I also read somewhere that I may need to use bridge interface filters, so I also entered this:
/interface bridge filter
add action=drop chain=forward dst-address=x.x.x.x/28 ip-protocol=icmp mac-protocol=ip packet-mark=""
(I'm using x's as the IP so as not to post the IP of my unprotected server here; I assure you there is a real IP in place of the x's.)
I also made sure that in bridge I enabled "use IP firewall":
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
and,
/ip firewall connection tracking
set enabled=yes
I'm so stumped, can someone pleeeeease help...