Change TTL of ping command

Hi all,
I want that when the clients in my network run the Tracert command, they can't see the internal hops (how many routers, firewalls) of my LAN. They just see the external hops. How can I do that with Mikrotik?
Also I want to change the actual TTL and ping time values to our desired numbers, like time=95 and TTL=20. For example, when users issue the ping www.yahoo.com command, they see the time number equal to 95 and TTL equal to 20. How can I do that? Please give me the Mikrotik commands that I can implement on my Mikrotik RouterOS.

Any help would be appreciated. Thanks in advance.

I can understand your TTL request, but for the other one, time=95, do you want to be a cheater with your clients?

If you have configured all your network correctly, without changing TTL the user on tracert sees only the pppoe-server (if used) and the border router.

You can set TTL using mangle:

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle

You can set internal devices not to respond to ping or block ping, though that presents its own issues.

Thanks for your reply.
CelticComms, you mean that I add a rule in firewall/mangle like this:

/ip firewall mangle
add action=change-ttl chain=forward disabled=no in-interface=ether1 new-ttl=set:1 passthrough=no

Please explain it and leave your Mikrotik command recommendation.
Thanks.

Yes, you can change the TTL using a command like that. The TTL field helps avoid routing loops, so manually changing it should only be done with a full understanding of the potential impact.

OK CelticComms, but when I use the above command, the ICMP packets from the user's PC are dropped when they reach my router. I want their ICMP packets to only show routers that exist outside of my network. In fact, the ICMP packet jumps out of my network and does not show my internal router(s). What's your suggestion?

Use a tunnel between the customer point of access and your external gateway router. Or live with the fact that they can deduce your number of internal hops. That is what TTL was intended for by design.

Thanks for your post docmarius,
All I want is to do the job only by changing TTL parameters, not with another way like tunneling. I want to know how I can hide my internal hops with TTL. One of my co-workers does the same thing in their network with Mikrotik, but he does not give me the clue. When I run the tracert www.yahoo.com command, the first hop shown was the first external router. Please give me Mikrotik command(s) to do that. Any help would be appreciated.

add ip firewall filter > add chain=input protocol=icmp action=drop
on the internal routers to achieve what you want.

Dear dosh,
With your suggestion, users cannot ping external hops, because my internal router (Mikrotik) drops any ICMP packets received from the LAN (users). I want users to be able to ping only external hops, with all internal hops hidden from them. Please give your suggestion. :astonished:

CelticComms already pointed you in the right direction and you seem to have found the proper mangle rule, you just need to fine-tune it a bit.

However, I don’t see any point in messing with TTL. I can’t see any good reasons for doing this.

Drop on the input chain will drop only requests to the router itself. External requests are managed by the forward chain and will be passed from LAN to WAN. So the behavior will be as you want it.
And of course you can refine the rules to drop only requests that you do not want to appear, using e.g. the interface and dst address fields.

With my suggestion, users can't ping only your routers, and trace doesn't show internal routers because the firewall is in the input chain. They can ping external addresses.

It will stop them being able to ping the internal routers directly, but it will not stop those routers showing up in a typical trace route output.
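To see why the set:1 rule quoted earlier stalls the trace, and why an input-chain ICMP drop leaves the hops visible, here is an added toy model (not code from this thread or from RouterOS) of TTL handling along a constructed path. It assumes a change-ttl rule is applied when the LAN router receives the packet, before the TTL expiry check, as a prerouting mangle rule would be; the addresses and the target are constructed.

```python
# Added illustration, not code from the thread or from RouterOS: a toy model
# of TTL handling along a constructed path, showing how traceroute learns
# hops from TTL expiry and what a change-ttl rule on the LAN router does.
from typing import Callable, Dict, List

# Constructed path from the client's gateway outwards: hops 0-1 are internal
# (the Mikrotik and a core router), hop 2 is the border, 3-4 are external.
PATH = ["10.0.0.1", "10.0.1.1", "203.0.113.1", "198.51.100.1", "198.51.100.9"]
TARGET = "192.0.2.80"                   # constructed stand-in for www.yahoo.com
TTLRule = Callable[[int], int]          # models new-ttl=set:N / increment:N

def send_probe(ttl: int, mangle: Dict[str, TTLRule]) -> str:
    """Walk one probe along PATH and return the address that answers it.
    Model assumption: a hop listed in `mangle` rewrites the TTL on receipt,
    before the expiry check (where a prerouting change-ttl rule sits). A hop
    that then holds TTL 1 answers ICMP Time Exceeded and becomes visible to
    traceroute; otherwise it decrements the TTL and forwards (RFC 791)."""
    for hop in PATH:
        if hop in mangle:
            ttl = mangle[hop](ttl)
        if ttl <= 1:
            return hop                  # time exceeded: this hop shows up
        ttl -= 1
    return TARGET                       # destination reached: echo reply

def traceroute(mangle: Dict[str, TTLRule], max_hops: int = 30) -> List[str]:
    """Classic traceroute: probes with TTL 1, 2, 3, ... until TARGET answers."""
    seen: List[str] = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(ttl, mangle)
        seen.append(reply)
        if reply == TARGET:
            break
    return seen

def set_ttl(n: int) -> TTLRule:         # new-ttl=set:n
    return lambda _ttl: n

def increment(n: int) -> TTLRule:       # new-ttl=increment:n
    return lambda ttl: ttl + n

if __name__ == "__main__":
    print("no mangle:        ", traceroute({}))
    # The set:1 rule quoted in the thread makes every probe expire at the
    # Mikrotik itself in this model (with the thread's forward-chain placement
    # the next hop would answer instead); either way the trace never completes.
    print("set:1 on gateway: ", traceroute({"10.0.0.1": set_ttl(1)}, max_hops=4))
    # Adding back the number of internal hops (2) makes the border router the
    # first address the client sees; the two internal hops are never reported.
    print("increment:2:      ", traceroute({"10.0.0.1": increment(2)}))
```

Dropping ICMP on the internal routers' input chain changes nothing in this model, because the Time Exceeded reply is generated by forwarding, not by a request addressed to the router.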

How can I give karma to all of you? Thanks to all of you for your suggestions. It's clear to me. Thanks a lot my friends :smiley:.