DMZ ping and hide from traceroute?

saibarker · March 17, 2020, 12:41am

Hi there,

What im trying to do is, DMZ all traffic to a local host including ping requests. I also want to hide my RB from trace-routes… Is this possible?

Thanks,

Sob · March 19, 2020, 1:41am

Sure it is. First is simple dstnat, same thing like when you forward ports, only you skip protocol and it will take all. And for second, use mangle to increase ttl by one, and block ttl exceeded packets from RB to client using filter in output.

saibarker · March 23, 2020, 1:32am

Thanks Sob, I get the first dst-nat part but don’t get the second. Would you have an example command for this?

Sob · March 24, 2020, 2:54am

In fact, dropping packets is not necessary, just change TTL. For example, this will cause client 192.168.80.10 to not see router in traceroute:

/ip firewall mangle
add action=change-ttl chain=prerouting new-ttl=increment:1 passthrough=yes src-address=192.168.80.10

saibarker · March 24, 2020, 3:47am

In fact, dropping packets is not necessary, just change TTL. For example, this will cause client 192.168.80.10 to not see router in traceroute:
/ip firewall mangle
add action=change-ttl chain=prerouting new-ttl=increment:1 passthrough=yes src-address=192.168.80.10

Awesome! thanks Sob.

Ill give it a test tonight

dice4real · February 8, 2024, 1:15am

I’m a newbie and wanted to hide my ISP Router. Can you provide a physical configuration for Mikrotik Thank you in advance…