Well, since I set up VPN (still not working) I discovered non-authorized parties have been trying to access the open port. I would like to set up an ICMP rule; however, reading the manual just seems confusing. I figured, if I am correct, that it would be on the input chain, and the connection state would have to be not established. However, I see mention that the ICMP rule should have a “JUMP” as a part of it…that’s where I am stuttering. Can anyone show theirs, for example?
Chain jumping is a completely separate concept from ICMP or any protocol for that matter. It’s a way to switch from one set of rules to another (i.e. if a packet in the “input” chain matches certain criteria, instead of verifying it against the rest of the “input” rules, verify it against all rules in the chain identified in the action tab).
ICMP uses one “type” of message for echo requests, and another for echo responses. To block ping, you need to filter out echo requests in input and/or filter out echo responses at output. Filtering at input is IMHO more intuitive, so with that in mind, here’s a rule that I actually use in my router to block ICMP echo requests from all interfaces that are not called “local” (a useful approach if you have more than one ISP):
/ip firewall filter add chain=input action=drop in-interface=!local protocol=icmp icmp-options=8:0-255
To hide your inner devices from devices adjacent to your router, you’ll also want to block echo requests in the forward chain that originate from outside the local network.
/ip firewall filter add chain=forward action=drop in-interface=!local protocol=icmp icmp-options=8:0-255
Thank you Boen_robot for responding. Here are my rules (see screenshot)…would you suggest putting your first one at zero? Also, I use interface 5 as my guest network that is separate from my home network. I also use the guest network to test VPN on my network…would your second rule interfere? When I have successfully completed my VPN setup, I won’t need to use the guest network for that purpose.
The rules you have should be blocking ping (and all ICMP for that matter) from everywhere.
If you want to allow the local and VPN networks to make ping requests, you’d need to whitelist them, e.g.
/ip firewall filter add place-before=[:pick [find chain=input] 0] chain=input action=accept protocol=icmp icmp-options=8:0-255 src-address-list="Nolli Home Network" comment="Allow ICMP echo (ping) requests from LAN to the router"
(the above will automatically place this rule at the top of your input rules, ensuring it’s honored)
I don’t see your VPN interface in there, but whatever it is, you can use it as in-interface instead of src-address-list to also allow ping to the router from inside the VPN.
If you want to allow the router itself to ping others, you’d also need to allow incoming ICMP echo replies (or else you’ll always see “timeout” on all pings from the router), e.g.
/ip firewall filter add place-before=[:pick [find chain=input] 0] chain=input action=accept protocol=icmp icmp-options=0:0-255 comment="Allow ICMP echo (ping) replies to the router"
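The rules from the two replies above, collected into one RouterOS script in the order they must be evaluated (first match wins). This is an added example, not Boen_robot’s own configuration; it assumes the LAN interface is named “local” as in the rules above, that the address list “Nolli Home Network” exists, and it uses a placeholder interface name “vpn-in” for the VPN server interface.

```routeros
# Added example, not from the thread. Assumptions: LAN interface "local",
# address list "Nolli Home Network" exists, VPN interface "vpn-in" (placeholder).
# Rules are appended in order; on a router that already has input/forward
# rules, move these above the existing drop rules afterwards.

# 1. LAN hosts may ping the router (echo request = ICMP type 8, any code)
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=8:0-255 src-address-list="Nolli Home Network" comment="Allow ping to router from LAN"

# 2. Road-warrior VPN clients may ping the router, matched by interface since their IPs are unknown
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=8:0-255 in-interface=vpn-in comment="Allow ping to router from VPN clients"

# 3. Replies to the router's own pings (echo reply = ICMP type 0), otherwise every ping from the router times out
/ip firewall filter add chain=input action=accept protocol=icmp icmp-options=0:0-255 comment="Allow ping replies to the router"

# 4. Drop echo requests aimed at the router that arrive on any interface other than "local"
/ip firewall filter add chain=input action=drop protocol=icmp icmp-options=8:0-255 in-interface=!local comment="Drop ping to router from outside"

# 5. Same for echo requests passing through the router towards LAN hosts
/ip firewall filter add chain=forward action=drop protocol=icmp icmp-options=8:0-255 in-interface=!local comment="Drop ping to LAN hosts from outside"

# Check the result and watch the packet counters grow on the drop rules
/ip firewall filter print where protocol=icmp
```

The counters shown by the final print command are the quickest way to confirm whether outside echo requests are actually hitting rule 4 rather than an earlier accept.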
Boen_robot, I was really wondering with my connection state how could some unauthorized party gain entry twice at least. Their algorithm didn’t match and hence timed out. That’s why I had concluded pinging and port sniffing. It really disturbed me so much that I just turned off rule 3 & 4 (VPN). I have a road warrior setup because I wanted to be able to access my network from anywhere…where the IP address is unknown.
I wish the in-interface could filter by the MAC address as well…any possibility of that? Also, I had uploaded a Supout file to Mikrotik Support a while back which had the unauthorized attempt…I will contact them to see whether I can learn more.
I really appreciate your response and sharing!
I wish the in-interface could filter by the MAC address as well…any possibility of that?
Not from the internet, no. You can only filter by MAC address from devices that are in the same L2 networks as your router, meaning devices in your local network + devices adjacent to your router (e.g. you could accept packets only from your ISP’s gateway, disregarding anyone else who is also connected to it).