Allow only needed icmp codes in icmp chain

From http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

I wanted to add:

add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
    comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
    comment="net unreachable"
add chain=icmp action=drop comment="deny all other types"

But it doesn’t work. Then I left only the last rule (add chain=icmp action=drop) to test, and I can still ping the external IP. Why doesn’t it work?
Thank you.

Do you have a jump rule to the icmp chain?

I used to have this rule:

add action=reject chain=input comment="" connection-state=new disabled=yes in-interface=WAN2 reject-with=icmp-network-unreachable

But if this rule is enabled I can’t connect to my router using Winbox, but I can connect to other ports (port forward).

Add this one:
/ip firewall filter
add chain=input protocol=icmp action=jump jump-target=icmp

No, I have a jump rule only for forward, that’s it.

I want to have only echo reply and net unreachable, anything else dropped.

If packets do not reach any rules in the icmp chain, then check the order of the rules; probably the packets are accepted before the jump rule.

Post all your firewall rules.

/ip firewall filter
add action=drop chain=icmp comment="" disabled=no
add action=accept chain=icmp comment="" disabled=yes icmp-options=0:0 in-interface=WAN2 protocol=icmp
add action=accept chain=icmp comment="" disabled=yes icmp-options=3:0 in-interface=WAN2 protocol=icmp
add action=drop chain=input comment="" disabled=no dst-port=8080 in-interface=WAN2 protocol=tcp src-address=0.0.0.0/0
add action=drop chain=input comment="" disabled=no dst-port=8080 in-interface=WAN1 protocol=tcp src-address=0.0.0.0/0
add action=accept chain=input comment="Added by webbox" disabled=no protocol=icmp
add action=accept chain=input comment="Added by webbox" connection-state=established disabled=no in-interface=WAN2
add action=accept chain=input comment="Added by webbox" connection-state=established disabled=no in-interface=WAN1
add action=accept chain=input comment="Added by webbox" connection-state=related disabled=no in-interface=WAN2
add action=accept chain=input comment="Added by webbox" connection-state=related disabled=no in-interface=WAN1
add action=drop chain=input comment="Added by webbox" disabled=no in-interface=WAN2
add action=drop chain=input comment="Added by webbox" disabled=no in-interface=WAN1
add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=WAN2 jump-target=customer
add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=WAN1 jump-target=customer
add action=accept chain=customer comment="Added by webbox" connection-state=established disabled=no
add action=accept chain=customer comment="Added by webbox" connection-state=related disabled=no

I want to clarify that I’m using the ping command to the WAN2 IP from outside the LAN and I still get a response, although the first rule should deny it.

As mentioned previously, you need a jump rule to the icmp chain.

Add the following rule at the top of the forward chain:

add chain=forward protocol=icmp action=jump jump-target=icmp

I didn’t notice this rule among the others; if I disable it I can’t ping my external IPs:

add action=accept chain=input comment="Added by webbox" disabled=no protocol=icmp

So I’ve added the forward rule you mentioned. Now if I enable this line “/ip firewall filter add chain=icmp action=drop” I can still ping, but if I disable it then the forward rule gets colored red.

It’s all about this rule: if it is enabled there is a ping reply, if disabled no ping.

add action=accept chain=input comment="Added by webbox" disabled=no protocol=icmp
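The advice in this thread collected into one ordered rule set, as an added example rather than any poster's own configuration. It assumes the interface names WAN1 and WAN2 from the listing above and an otherwise empty filter table; the point is that RouterOS evaluates rules top to bottom with first match winning, so the jump must come before any rule that already accepts ICMP, and the icmp chain's accepts must come before its drop.

```routeros
# Added example, not the original poster's rules. Assumes WAN1/WAN2 and
# an empty /ip firewall filter table (check order with: /ip firewall filter print)
/ip firewall filter

# icmp chain: accepts first, catch-all drop last. With the drop on top
# (as in the posted listing) the accept rules below it are never reached.
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp action=drop comment="deny all other ICMP types"

# input chain (traffic addressed to the router): the jump is the first ICMP
# rule, replacing the webbox "accept protocol=icmp" rule that matched first
add chain=input protocol=icmp action=jump jump-target=icmp comment="ICMP to icmp chain"
add chain=input connection-state=established in-interface=WAN2 action=accept
add chain=input connection-state=established in-interface=WAN1 action=accept
add chain=input connection-state=related in-interface=WAN2 action=accept
add chain=input connection-state=related in-interface=WAN1 action=accept
add chain=input protocol=tcp dst-port=8080 in-interface=WAN2 action=drop
add chain=input protocol=tcp dst-port=8080 in-interface=WAN1 action=drop
add chain=input in-interface=WAN2 action=drop
add chain=input in-interface=WAN1 action=drop

# forward chain (traffic through the router): same jump, placed first,
# ahead of the existing jumps to the customer chain
add chain=forward protocol=icmp action=jump jump-target=icmp comment="ICMP to icmp chain"
add chain=forward in-interface=WAN2 action=jump jump-target=customer
add chain=forward in-interface=WAN1 action=jump jump-target=customer
add chain=customer connection-state=established action=accept
add chain=customer connection-state=related action=accept
```

With this order the router no longer answers echo requests (type 8) on any interface, including the LAN side, because the jump rules are not limited by in-interface; add in-interface=WAN1 and WAN2 to the jump rules if the router should still answer pings from inside. A jump rule whose target chain has no enabled rules is flagged as invalid (shown red in Winbox), which is why disabling the only rule in the icmp chain changed the colour of the forward jump.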