Disable users from using ping, but allow them to be pinged

I have this:

/ip firewall filter
add action=drop chain=input disabled=yes dst-address=10.10.10.0/24 protocol=\
    icmp src-address=!10.100.0.100 src-address-list=BlockLAN
add action=drop chain=forward disabled=yes dst-address=!10.100.0.100 \
    dst-address-list=BlockLAN protocol=icmp src-address=10.10.10.0/24

In this scenario I can neither ping a PC inside this network, nor does it work in the other direction.
What can I do to allow me to ping a PC inside the 10.10.10 network, but still prevent them from reaching me?

You need to match on ICMP type and code. Search for “icmp-options”:
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter



/ip firewall filter
add action=accept chain=input disabled=yes dst-address=10.10.10.0/24 icmp-options=8 protocol=\
    icmp src-address=!10.100.0.100 src-address-list=BlockLAN
add action=accept chain=forward disabled=yes dst-address=!10.100.0.100 icmp-options=0 \
    dst-address-list=BlockLAN protocol=icmp src-address=10.10.10.0/24

This also didn't help. If I understand correctly, icmp-option 0 will block ICMP and 8 will allow it, so the first action will allow ping from my BlockLAN list (it's a list of private subnets that need to reach that subnet 10.10).

Without reviewing the details… Both rules have “action=accept” and will never block anything.

You want to hide the RB? Use only input, dropping incoming (on the input chain) echo requests, but if something is pinged from the RB, surely the destination will know that the RB exists, MAC included.


You want to hide the PC through the RB? Only one rule on the forward chain is sufficient, one that drops echo requests from any IP not equal to the IP on the PC.
And again: If something is pinged from the PC, surely the destination will know that the PC exists, MAC included.

But I discourage any dummy block of ICMP…
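
An added example, not part of any post in this thread: a small first-match model of the forward chain that shows why the original drop rule breaks ping in both directions (it also drops the echo replies leaving 10.10.10.0/24), why the accept-only attempt blocks nothing, and why dropping only echo requests (ICMP type 8) gives one-way ping. It assumes the rules are enabled, models only the forward rule, and uses a constructed `10.100.0.0/24` network as a stand-in for the `BlockLAN` list; the host addresses are constructed too.

```python
"""Added example: first-match model of a forward chain for ICMP (assumptions labelled)."""
from ipaddress import ip_address, ip_network

LAN = ip_network("10.10.10.0/24")          # subnet from the thread
ADMIN = ip_address("10.100.0.100")         # excepted host from the thread
BLOCK_LAN = [ip_network("10.100.0.0/24")]  # constructed stand-in for the BlockLAN list

ECHO_REQUEST, ECHO_REPLY = 8, 0            # ICMP types

def rule(action, icmp_type=None):
    """Forward rule: src in LAN, dst in BlockLAN and not ADMIN, optional ICMP type."""
    return {"action": action, "icmp_type": icmp_type}

def verdict(rules, src, dst, icmp_type):
    """Return the action of the first matching rule; unmatched packets are accepted."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if src not in LAN or dst == ADMIN:
            continue
        if not any(dst in net for net in BLOCK_LAN):
            continue
        if r["icmp_type"] is not None and r["icmp_type"] != icmp_type:
            continue
        return r["action"]
    return "accept"

def ping_works(rules, src, dst):
    """A ping succeeds only if the request and the returning reply are both forwarded."""
    return (verdict(rules, src, dst, ECHO_REQUEST) == "accept"
            and verdict(rules, dst, src, ECHO_REPLY) == "accept")

ORIGINAL = [rule("drop")]                    # drops every ICMP type, replies included
ACCEPT_ONLY = [rule("accept", ECHO_REPLY)]   # second attempt: nothing is ever dropped
ONE_WAY = [rule("drop", ECHO_REQUEST)]       # drop only echo requests leaving the LAN

def summary(rules, outside="10.100.0.50", inside="10.10.10.20"):
    """(outside can ping inside, inside can ping outside) for constructed hosts."""
    return ping_works(rules, outside, inside), ping_works(rules, inside, outside)

if __name__ == "__main__":
    for name, rs in [("original", ORIGINAL), ("accept-only", ACCEPT_ONLY),
                     ("one-way", ONE_WAY)]:
        print(name, summary(rs))
```
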

WHY? Is there a real problem being encountered or are you off your medications?

:question: is for @tomislav91???

jajaja not for you rextended, you are beyond hope :wink:

@tomislav91 why do you want to do this?

Unless you have a really good reason, leave ICMP (including ping) alone.