Firewall Filtering ICMP Packet

Krisious · January 20, 2021, 10:59am

Hi everyone, sorry if My English isn’t that good but i hope you will understand.

I’m new on networking study so here is My case, I have 2 router that you can see on this topology.

I want that router 1 can PING to router 2 but router 2 cannot PING to router 1, so I use firewall filter command on router 1 like this :

ip firewall filter add chain=input src-address=10.10.10.2 dst-address=10.10.10.1 protocol=icmp action=drop

Yes, it works actually router 2 cannot PING to router 1, but unfortunately router 1 cannot PING to router 2 too. And I remember that PING (ICMP Packet) is back forth from router 1 → router 2 → router 1 again.

I guess that My router 1 is reaching the router 2, but when router 2 send the packet back it got blocked.

So here is my question about this case :

Is there any method that I can use to solve this case?
Is there any method that I can prove that router 1 packet is reaching router 2?

Thank you very much for your attention.

anav · January 23, 2021, 6:10pm

Edit Deleted after rereading request. Not solvable by me.

jvanhambelgium · January 23, 2021, 6:43pm

Just add a rule above this one in the input chain where you simply accept “icmp” “echo-reply”. (so protocol “icmp” and further icmp-type use “echo-reply”)

You don’t even have to specify any source-IP’s or interfaces. Just make it very general.
Basically the “return” packet from R2 → R1 containing the echo-reply following the echo-request from R1 can then arrive at R1 and be allowed.

anav · January 23, 2021, 10:54pm

I suppose it depends on setup of firewall rules and

NO drop rule at end of input chain (believe this is the current config) which means everything is allowed unless specifically dropped (I dont like this mode).

/ip firewall filter
…
add chain=input action=allow src-address=10.10.10.2 dst-address=10.10.10.1 protocol=icmp icmp-options=0:0
add chain=input action=drop src-address=10.10.10.2 dst-address=10.10.10.1 protocol=icmp

WIth a DROP Rule and the end of the applicable chain(input), which means everything is blocked unless specifically allowed. Note I have narrowed the focus and added the fact that 10.1 can only ping echo request from 10.2 vice any other icmp items.

/ip firewall filter
…
add chain=input action=allow src-address=10.10.10.1 dst-address=10.10.10.2 protocol=icmp icmp-options=8:0 (echo request)
add chain=input action=allow src-address=10.10.10.2 dst-address=10.10.10.1 protocol=icmp icmp-options=0:0 (echo reply)

16again · January 24, 2021, 12:40pm

Either filter on ICMP specifics, as suggested above (ICMP-request and ICMP-response can be handled differently)
Better:
Dive into statefull firewalling. This way you can allow return traffic for a packet sent out earlier.

Krisious · January 25, 2021, 4:10pm

I suppose it depends on setup of firewall rules and

NO drop rule at end of input chain (believe this is the current config) which means everything is allowed unless specifically dropped (I dont like this mode).

/ip firewall filter
…
add chain=input action=allow src-address=10.10.10.2 dst-address=10.10.10.1 protocol=icmp icmp-options=0:0
add chain=input action=drop src-address=10.10.10.2 dst-address=10.10.10.1 protocol=icmp

WIth a DROP Rule and the end of the applicable chain(input), which means everything is blocked unless specifically allowed. Note I have narrowed the focus and added the fact that 10.1 can only ping echo request from 10.2 vice any other icmp items.

/ip firewall filter
…
add chain=input action=allow src-address=10.10.10.1 dst-address=10.10.10.2 protocol=icmp icmp-options=8:0 (echo request)
add chain=input action=allow src-address=10.10.10.2 dst-address=10.10.10.1 protocol=icmp icmp-options=0:0 (echo reply)

Thanks friends it work as soon as I apply it, gonna ask you once more. Is it work for forward chain, or if there three routers and in different network?