Dear Friends,
I have more than 300 u*nt antennas connected to a MikroTik 1036 4S. I am trying to block all IP addresses from reaching and pinging all 300 antennas, but the filter rule doesn't work. Please could you tell me what the problem is?

Hello,
You’re filtering on destination address.
Also, I would include icmp-type 8 to restrict only echo requests.
Regards,
Sent from Tapatalk
Thanks For reply,
This rule works for 192.168.101.0/24, but it doesn't work for 192.168.100.0/24. I think there is a bug.
Hello,
Misread original post. Sorry.
So yes, dst addr. OK. I would still add icmp type=8 to restrict only echo requests. Otherwise your logic is good.
Forward is the chain to use to prevent other hosts from pinging. If you test from the router, it won't work, as that is output.
Also, validate order. It's important; first come, first served type of deal.
If in doubt, create a filter that will log ICMP. Very useful for debugging purposes! Place it after your two drop filters.
Sent from Tapatalk
Thanks, friend, for the reply,
I have two rules:
1)Action=drop Chain=forward dst-address=192.168.100.0/24 protocol=icmp
2)Action=drop Chain=forward dst-address=192.168.101.0/24 protocol=icmp
There is one problem with pinging. There are two situations:
When my IP is 192.168.100.X, I cannot ping 192.168.101.0/24, but I can ping 192.168.100.0/24.
When my IP is 192.168.101.X, I cannot ping 192.168.100.0/24, but I can ping 192.168.101.0/24.

Your configuration is good. You’re getting normal behavior.
It’s normal to ping addresses in the same subnet.
Your PC on ether1 worries me though. Is that port bridged with the rest? If not, you should not have an address in 100.x/24. You should be on a different subnet. Then your rules will work all the time.
My understanding of your setup is that you don't want other people pinging the APs. If so, that PC has to be on a different subnet.
Regards,
Sent from Tapatalk
Thank you for the reply,
Don't think only of eth1; I have 8 ports bridged, and I have 192.168.100.x/24 and 192.168.101.x/24 assigned to this bridge. I don't want any IP address to be able to check another IP. If a user uses a static IP, it doesn't matter what DHCP gives him, so he can use a static IP from 192.168.100.x/24 and ping other customers.
OK, now I get it.
1st option:
/interface bridge filter
add action=log chain=forward comment="TEST ICMP" dst-address=172.16.2.0/24 ip-protocol=icmp log-prefix="BR-ICMP===" mac-protocol=ip src-address=172.16.2.0/24
Of course, this is only an example and you need to adapt it to your config. Notice also that you don't get the ICMP type option, so you'll block ALL ICMP.
2nd option:
/interface bridge settings set use-ip-firewall=yes
/ip firewall filter
add action=log chain=forward comment="TEST PING============" dst-address=172.16.2.0/24 icmp-options=8:0-255 log-prefix="L2-ICMP-REQUEST====" protocol=icmp src-address=172.16.2.0/24
add action=log chain=forward dst-address=172.16.2.0/24 icmp-options=0:0-255 log-prefix="L2-ICMP-REPLY====" protocol=icmp src-address=172.16.2.0/24
Again, same thing. Correct the example to suit your needs. WARNING: you'll have to check your firewall. Every Layer 2 communication HAS TO BE CONSIDERED, otherwise you'll drop traffic.
This is the output of my logs:
13:44:21 firewall,info FW: L2-ICMP-REQUEST==== forward: in:Bridge-PC(ether02) out:Bridge-PC(ether08), src-mac 00:50:b6:6f:e4:8c, proto ICMP (type 8, code 0), 172.16.2.110->172.16.2.114, NAT 172.16.2.110->172.16.2.114, len 1028
13:44:21 firewall,info FW: VOIP-CA- ch-voip: in:Bridge-VoIP(ether05) out:Bridge-VoIP(ether09), src-mac d4:85:64:17:70:b9, proto UDP, 172.16.1.105:5060->172.16.1.102:5060, len 573
13:44:21 firewall,info FW: L2-ICMP-REPLY==== forward: in:Bridge-PC(ether08) out:Bridge-PC(ether02), src-mac d0:13:fd:37:fd:d9, proto ICMP (type 0, code 0), 172.16.2.114->172.16.2.110, NAT 172.16.2.114->172.16.2.110, len 1028
13:44:21 firewall,info FW: VOIP-CA- ch-voip: in:Bridge-VoIP(ether05) out:Bridge-VoIP(ether07), src-mac d4:85:64:17:70:b9, proto UDP, 172.16.1.105:5060->172.16.1.100:5060, len 623
13:44:22 firewall,info FW: VOIP-CA- ch-voip: in:Bridge-VoIP(ether05) out:Bridge-VoIP(ether07), src-mac d4:85:64:17:70:b9, proto UDP, 172.16.1.105:5060->172.16.1.100:5064, len 601
13:44:22 firewall,info FW: L2-ICMP-REQUEST==== forward: in:Bridge-PC(ether02) out:Bridge-PC(ether08), src-mac 00:50:b6:6f:e4:8c, proto ICMP (type 8, code 0), 172.16.2.110->172.16.2.114, NAT 172.16.2.110->172.16.2.114, len 1028
13:44:22 firewall,info FW: VOIP-CA- ch-voip: in:Bridge-VoIP(ether05) out:Bridge-VoIP(ether09), src-mac d4:85:64:17:70:b9, proto UDP, 172.16.1.105:5060->172.16.1.102:5060, len 573
13:44:22 firewall,info FW: VOIP-CA- ch-voip: in:Bridge-VoIP(ether05) out:Bridge-VoIP(ether07), src-mac d4:85:64:17:70:b9, proto UDP, 172.16.1.105:5060->172.16.1.100:5060, len 623
13:44:22 firewall,info FW: L2-ICMP-REPLY==== forward: in:Bridge-PC(ether08) out:Bridge-PC(ether02), src-mac d0:13:fd:37:fd:d9, proto ICMP (type 0, code 0), 172.16.2.114->172.16.2.110, NAT 172.16.2.114->172.16.2.110, len 1028
As you can see, you can now control pings on the SAME subnet (provided the ports are bridged, which is your case), BUT my PBX can't talk to my phones anymore, so if I kept these filters, I would have to permit communications between the phones and the PBX.
Ciao,
Thanks for the reply,
And I'm happy to see your detailed explanation.
I tried the first option like this:
/interface bridge filter add mac-protocol=ip ip-protocol=icmp src-address=192.168.100.0/24 dst-address=192.168.100.0/24 action=drop log=yes log-prefix=ICMP
It drops pings to 192.168.101.0/24 (blocked).
Now I want to allow pinging only when I have the 192.168.100.220, .221, .222 or .223 address. Thank you for your support.
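The thread makes three points that are easy to get wrong when typing rules into the router: rules are matched top to bottom and the first terminating match wins (the "first come, first served" remark), an action=log rule is a passthrough you can place after the drops for debugging, and a bridge filter with src-address and dst-address in the same /24 is what catches pings between bridged customers. The last post asks how to exempt four management addresses; with first-match semantics that is done by placing accept rules for those hosts above the drops. The following model is an added example written for this page, not code from the thread or from MikroTik: it evaluates a small rule chain the way RouterOS orders rules, renders each rule in the `/interface bridge filter` syntax already used above, and shows that the same rules in the wrong order silently swallow the exceptions. The packet samples, the rule comments and the management-host list are constructed for illustration from the subnets and addresses in the thread; it assumes the chain default is accept, as it is for a filter chain with no final drop.

```python
"""
Added example (not from the forum thread or from MikroTik): a first-match
model of a RouterOS filter chain, used to check rule ORDER before committing
rules on the router. Modelled semantics (assumptions stated in the lead-in):
  - rules are evaluated top to bottom; the first accept/drop match wins;
  - action=log is non-terminating, the packet continues down the chain;
  - a packet matching nothing takes the chain default (accept).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept", "drop" or "log"
    src: Optional[str] = None        # CIDR; None matches any source
    dst: Optional[str] = None        # CIDR; None matches any destination
    protocol: Optional[str] = None   # "icmp", "udp", ...; None matches any
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str


def _in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)
            and (rule.protocol is None or rule.protocol == pkt.protocol))


def evaluate(chain: List[Rule], pkt: Packet, default: str = "accept") -> Tuple[str, str]:
    """Return (verdict, comment of the rule that decided it)."""
    for rule in chain:
        if matches(rule, pkt):
            if rule.action == "log":      # passthrough, like RouterOS action=log
                continue
            return rule.action, rule.comment
    return default, "chain default"


def render_bridge_filter(rule: Rule) -> str:
    """Render one rule in the /interface bridge filter syntax used in the thread."""
    parts = [f"add action={rule.action}", "chain=forward", "mac-protocol=ip"]
    if rule.protocol:
        parts.append(f"ip-protocol={rule.protocol}")
    if rule.src:
        parts.append(f"src-address={rule.src}")
    if rule.dst:
        parts.append(f"dst-address={rule.dst}")
    if rule.comment:
        parts.append(f'comment="{rule.comment}"')
    return " ".join(parts)


# Hypothetical management hosts that must keep ping (the last post's list).
MGMT_HOSTS = ["192.168.100.220", "192.168.100.221", "192.168.100.222", "192.168.100.223"]
CUSTOMER_NETS = ["192.168.100.0/24", "192.168.101.0/24"]


def drop_rules() -> List[Rule]:
    """ICMP drops between customers: same subnet and across the two subnets."""
    return [Rule("drop", src=s, dst=d, protocol="icmp", comment=f"drop icmp {s} -> {d}")
            for s in CUSTOMER_NETS for d in CUSTOMER_NETS]


def accept_rules() -> List[Rule]:
    return [Rule("accept", src=h + "/32", protocol="icmp", comment="allow mgmt " + h)
            for h in MGMT_HOSTS]


def chain_accept_first() -> List[Rule]:   # correct order: exceptions above the drops
    return accept_rules() + drop_rules()


def chain_drop_first() -> List[Rule]:     # wrong order: the accepts are never reached
    return drop_rules() + accept_rules()


def with_debug_log(chain: List[Rule]) -> List[Rule]:
    """The thread's debugging tip: a passthrough log rule placed after the drops."""
    return chain + [Rule("log", protocol="icmp", comment="ICMP that got through")]


def verdicts(chain: List[Rule], packets: List[Packet]) -> List[str]:
    return [evaluate(chain, p)[0] for p in packets]


# Constructed sample traffic, not captured from the poster's network.
SAMPLE = [
    Packet("192.168.100.50", "192.168.100.51", "icmp"),   # customer -> customer, same /24
    Packet("192.168.100.50", "192.168.101.7", "icmp"),    # customer -> other /24
    Packet("192.168.100.220", "192.168.100.51", "icmp"),  # management host -> customer
    Packet("192.168.100.50", "192.168.100.51", "udp"),    # non-ICMP is untouched
]

if __name__ == "__main__":
    for name, chain in [("accept-first", chain_accept_first()), ("drop-first", chain_drop_first())]:
        print(name)
        for p in SAMPLE:
            print(f"  {p.src:>16} -> {p.dst:<16} {p.protocol:4} => {evaluate(chain, p)}")
    print("\n/interface bridge filter")
    for r in chain_accept_first():
        print(render_bridge_filter(r))
```

Running it prints the verdict per packet for both orders and the bridge filter commands in the order they would have to be added; the drop-first chain reports the management host as dropped, which is exactly the mistake the "validate order" advice guards against. The model deliberately has no ICMP type field, matching the thread's remark that bridge filters cannot distinguish echo requests from replies.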