Firewall Rules: Block ICMP from WAN (PPPOE connection)

The default config allows incoming ICMP from any interface. Edit all the firewall rules and change the incoming interface to your PPPoE interface, which is the connection that needs protection, and remove the default ICMP allow rule. Since the MikroTik firewall has a default accept policy, the ICMP packets will go through the whole filter chain until the last input "drop all" rule, which will drop ICMP. I imagine if you want to block echo you won't want to allow other ICMP codes either. If you want to block outbound ICMP, then don't forward it from LAN to WAN, or don't src-nat it out the PPPoE interface.

*Edit:
@CZFan

You're right, good catch: everything to the public IP without a dst-nat is being redirected to the LAN host, and the LAN host is allowed to respond out pppoe via src-nat.

add action=dst-nat chain=dstnat comment=DMZ in-interface=pppoe-out1 to-addresses=192.168.2.109
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out1

@FoxJr

This is your problem rule:

add action=dst-nat chain=dstnat comment=DMZ in-interface=pppoe-out1 to-addresses=192.168.2.109

All traffic not caught by a previous dst-nat rule and heading to the public IP will be sent to this internal host. Edit the rule and set only exactly what you need to be forwarded to this host; all else will then be processed in filter by the router instead of being handed off to dst-nat before filter.

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out1
OKAY - standard rule

add action=dst-nat chain=dstnat comment="UVNC Client" dst-address=<public_ip> dst-port=6000 protocol=tcp to-addresses=192.168.2.105 to-ports=6000
OKAY - Forward external requests to a specific public IP on my router, with destination service port 6000, and send this to destination LAN IP 192.168.2.105

add action=dst-nat chain=dstnat dst-address=<public_ip> dst-port=6001 protocol=tcp to-addresses=192.168.2.100 to-ports=6001
OKAY - Forward external requests to a specific public IP on my router, with destination service port 6001 and send this to destination LANIP 192.168.2.100

add action=dst-nat chain=dstnat comment="QNAP NAS" dst-address=<public_ip> dst-port=6002 log=yes protocol=tcp to-addresses=192.168.2.110 to-ports=443
OKAY - Forward external requests to a specific public IP on my router, with destination service port 6002, and send this to destination LAN IP 192.168.2.105 but change the service port to 443
(It comes in with a destination port of 6002, but the router sends it to the destination LAN IP with the port translated to 443.)

add action=dst-nat chain=dstnat comment=FTP disabled=yes dst-address=<public_ip> dst-port=21 protocol=tcp to-addresses=192.168.2.110 to-ports=21
Okay (not active, don't care)

add action=dst-nat chain=dstnat disabled=yes dst-address=<public_ip> dst-port=20 protocol=tcp to-addresses=192.168.2.110 to-ports=20
Okay (not active, don't care)

add action=dst-nat chain=dstnat comment=UTorrent dst-address=<public_ip> dst-port=38862 protocol=tcp to-addresses=192.168.2.105 to-ports=38862
OKAY - Forward external requests to a specific public IP on my router, with destination service port 38862, and send this to destination LAN IP 192.168.2.105.

add action=dst-nat chain=dstnat comment=RDP disabled=yes dst-address=<public_ip> dst-port=7000 protocol=tcp to-addresses=192.168.2.112 to-ports=3389
Okay (not active, don't care)

add action=dst-nat chain=dstnat comment=DMZ in-interface=pppoe-out1 to-addresses=192.168.2.109
NOT Okay - FORWARDS ALL traffic hitting the WAN interface (ALL PORTS, except those already noted above that are active) and sends it to 192.168.2.9
Very bad idea!!

According to the portforward site:
Application      TCP Ports                   UDP Ports
PlayStation 4    80, 443, 1935, 3478-3480    3478-3479


In addition, specific games may require additional ports.
Unfortunately the MikroTik does not allow one to group port services, so you will have to make an individual dst-nat rule for each…
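The two problems raised in this thread, the default input rule that accepts ICMP from every interface and the DMZ dst-nat rule that matches nothing but the WAN interface, are both a matter of a rule with too few match conditions. The script below is an added example, not code posted by anyone in the thread and not a MikroTik tool: it parses the `add ...` lines of a RouterOS `/ip firewall` export and flags dst-nat rules that lack a `protocol`/`dst-port` match and input-chain ICMP accepts with no `in-interface` or `in-interface-list`. The embedded export is constructed to resemble the rules quoted above, with the documentation address 203.0.113.10 standing in for `<public_ip>`; it is not the poster's real configuration.

```python
"""Audit a RouterOS '/ip firewall' export for over-broad rules.

Added example for this thread (not from MikroTik or the original posters).
Flags:
  1. active dst-nat rules without a protocol/dst-port match (catch-all "DMZ"),
  2. active input-chain accept rules for ICMP with no in-interface restriction.
"""
import shlex
from dataclasses import dataclass

# Constructed sample export modelled on the thread; 203.0.113.10 stands in for <public_ip>.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="UVNC Client" dst-address=203.0.113.10 dst-port=6000 protocol=tcp \\
    to-addresses=192.168.2.105 to-ports=6000
add action=dst-nat chain=dstnat comment="QNAP NAS" dst-address=203.0.113.10 dst-port=6002 log=yes protocol=tcp \\
    to-addresses=192.168.2.110 to-ports=443
add action=dst-nat chain=dstnat comment=FTP disabled=yes dst-address=203.0.113.10 dst-port=21 protocol=tcp \\
    to-addresses=192.168.2.110 to-ports=21
add action=dst-nat chain=dstnat comment=DMZ in-interface=pppoe-out1 to-addresses=192.168.2.109
"""


@dataclass
class Rule:
    section: str   # e.g. "/ip firewall nat"
    attrs: dict    # key=value pairs as written in the export
    lineno: int    # line on which the rule ended (for rules without a comment)


def parse_export(text):
    """Turn 'add key=value ...' lines into Rule objects, honouring RouterOS line wrapping."""
    rules, section, pending = [], "", ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()
        if line.endswith("\\"):          # RouterOS wraps long export lines with a trailing backslash
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # menu path, e.g. /ip firewall nat
            section = line
            continue
        if line.startswith("add "):
            attrs = {}
            for token in shlex.split(line[4:]):   # shlex keeps quoted comments together
                key, _, value = token.partition("=")
                attrs[key] = value
            rules.append(Rule(section, attrs, lineno))
    return rules


def audit(text):
    """Return (label, reason) findings for active rules whose match set is too broad."""
    findings = []
    for rule in parse_export(text):
        a = rule.attrs
        if a.get("disabled") == "yes":
            continue                      # inactive rules match nothing, as the thread notes
        label = a.get("comment") or f"line {rule.lineno}"

        # Check 1: dst-nat that is not pinned to a protocol and port forwards every port.
        if rule.section.endswith("firewall nat") and a.get("action") == "dst-nat":
            missing = [k for k in ("protocol", "dst-port") if k not in a]
            if missing:
                findings.append((label, "dst-nat catch-all: no %s match, forwards every port to %s"
                                 % ("/".join(missing), a.get("to-addresses", "?"))))

        # Check 2: input-chain ICMP accept with no interface restriction answers pings from the WAN.
        if (rule.section.endswith("firewall filter") and a.get("chain") == "input"
                and a.get("action") == "accept" and a.get("protocol") == "icmp"
                and not (a.get("in-interface") or a.get("in-interface-list"))):
            findings.append((label, "input accepts ICMP from any interface; add in-interface=<pppoe> "
                                    "or in-interface-list, or remove the rule"))
    return findings


if __name__ == "__main__":
    for label, reason in audit(SAMPLE_EXPORT):
        print(f"[{label}] {reason}")
```

Run it against the output of `/export` from a router to get the same two findings the thread arrived at by hand: the default ICMP accept and the DMZ rule. A dst-nat rule that carries `dst-address`, `protocol` and `dst-port`, like the UVNC and QNAP entries, passes the audit.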

Mystery solved: the problem was the PS4. Once it was turned off, ICMP replies from external sources stopped.

Thanks everyone for your help, especially to CZfan and anav for pinpointing the problem.

Will follow the suggested actions and remove that rule.

Regards,
FoxJr