dns ping drop

Can I drop ping to my DNS?
I use a rule to drop ICMP but my client is still able to ping the real DNS. I want to drop it.

Yes, you can.

Show a network diagram including the router, the DNS server and the clients that should be filtered, as well as the rule set you tried.

sorry can you explain more or give an example

Yes, you can firewall filter ICMP. To help you with that, please draw a picture that shows your router, the DNS server and the clients and how they connect to one another. Label IP addresses and interface names in that picture. Such a picture is known as a ‘network diagram’, and it helps people visualize their network. No one here knows how your network is set up, so it’s hard to give specific help outside of ‘what you’re trying to do is impossible’ because specific help depends on details of your network you didn’t post.

/ip firewall filter add action=drop chain=input comment="drop ping" disabled=no protocol=icmp

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 primary-dns=172.23.4.1 secondary-dns=172.23.4.1

ADDRESS NETWORK BROADCAST INTERFACE

0 192.168.10.1/24 192.168.10.0 192.168.10.255 Local (client range)
2 D 172.24.40.226/32 172.23.4.18 0.0.0.0 pppoe-out7 (internet provider)

I will try to make a network diagram soon :smiley:

a) it makes no sense to list 172.23.4.1 as both primary and secondary.
b) so you’re trying to drop ICMP packets from 192.168.10.0/24 to 172.23.4.1?

If so,

/ip firewall filter add action=drop chain=input comment="drop ping" disabled=no protocol=icmp

Makes no sense. The input chain is for packets destined to the router itself. Packets traversing the router (like packets from the client to 172.23.4.1) are in the forward chain.

/ip firewall filter add action=drop chain=forward disabled=no protocol=icmp src-address=192.168.10.0/24 dst-address=172.23.4.1

a) it makes no sense to list 172.23.4.1 as both primary and secondary.

It is :S I have removed the secondary DNS now :s I don't know if it is better.

b) so you’re trying to drop ICMP packets from 192.168.10.0/24 to 172.23.4.1?

I want to drop ICMP from 0.0.0.0/0 to 0.0.0.0/0. I want no ping at all.


When I use this rule
/ip firewall filter add action=drop chain=input comment="drop ping" disabled=no protocol=icmp

ping to my DNS from the terminal times out :smiley:

but ping from a client to the DNS server still gets a reply, while ping to my router is down.

What is the best free program for a ‘network diagram’?

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Chains
Again, from the router itself you can at that point no longer ping because the return packets from whatever you’re pinging are destined to the router itself, so they are in the ‘input’ chain.
If you want to drop all ICMP traversing the router, use

/ip firewall filter add chain=forward protocol=icmp action=drop

Thanks, it works:
/ip firewall filter add chain=forward protocol=icmp action=drop
/ip firewall filter add chain=input protocol=icmp action=drop
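
The chain selection explained in the replies above, as an added example that is not part of the original thread and is not RouterOS code: a simplified Python model that picks the chain from the packet's destination and then applies the thread's rules in order. The client address 192.168.10.50 is constructed, and NAT and connection tracking are ignored.

```python
import ipaddress

# Router addresses as posted in the thread (LAN side and pppoe-out7).
ROUTER_ADDRS = {"192.168.10.1", "172.24.40.226"}

def chain_for(src, dst, router_addrs=ROUTER_ADDRS):
    """Return the filter chain a packet is evaluated in."""
    if dst in router_addrs:
        return "input"    # destined to the router itself
    if src in router_addrs:
        return "output"   # generated by the router
    return "forward"      # traversing the router

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def verdict(rules, src, dst, protocol):
    """First matching rule wins; no match means the packet is accepted."""
    chain = chain_for(src, dst)
    for rule in rules:
        if rule["chain"] != chain:
            continue
        if rule.get("protocol") not in (None, protocol):
            continue
        if "src" in rule and not in_net(src, rule["src"]):
            continue
        if "dst" in rule and not in_net(dst, rule["dst"]):
            continue
        return chain, rule["action"]
    return chain, "accept"

# The rule sets discussed in the thread, as dictionaries.
INPUT_ONLY = [{"chain": "input", "protocol": "icmp", "action": "drop"}]
BOTH = INPUT_ONLY + [{"chain": "forward", "protocol": "icmp", "action": "drop"}]

CLIENT = "192.168.10.50"   # constructed client inside 192.168.10.0/24
DNS, LAN_GW, WAN = "172.23.4.1", "192.168.10.1", "172.24.40.226"

def demo():
    return {
        "client -> DNS, input rule only": verdict(INPUT_ONLY, CLIENT, DNS, "icmp"),
        "client -> router, input rule only": verdict(INPUT_ONLY, CLIENT, LAN_GW, "icmp"),
        "DNS reply -> router, input rule only": verdict(INPUT_ONLY, DNS, WAN, "icmp"),
        "client -> DNS, both rules": verdict(BOTH, CLIENT, DNS, "icmp"),
        "client -> DNS over UDP, both rules": verdict(BOTH, CLIENT, DNS, "udp"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With only the input rule, the client's ping to 172.23.4.1 is evaluated in forward and accepted, while the reply to the router's own ping lands in input and is dropped, which matches what the original poster observed.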