ICMP Block on Network (LAN)

Good night folks

I have a problem on my LAN network.

I use Hotspot and would like to block the ICMP protocol (PING) within the internal network (LAN).
It sounds very simple, but no rule that I create to block this packet is working.

Below is a rule created to block all ICMP traffic on the internal network 20.x/24

I find it odd that the other rule that I have to block ICMP on my external interface (WAN) is working. Does anyone know why that is?

Note: I have two LAN interfaces with two DHCP servers, one on each VLAN, and the interface named HSPOT on which I wanted to block ICMP.

Regards,

Two things jump out at me reading your rule, actually three:

1: you used the input chain. Input only refers to traffic to the Mikrotik itself. FORWARD blocks traffic going THROUGH the router.

2: if you reject ICMP with an ICMP message - what’s the point? :wink: Probably you mean drop…

And most importantly…

3: client to client IP traffic doesn’t go through the router at all. Packets only go through a router if they need to be forwarded to some other network, like lan1 - lan2…
But client1 will just send packets to the MAC address of client2, and the switch will forward them directly to client2. Now if your Mikrotik is also bridging, then you can block this in a bridge filter, but if there is a switch in your network, then clients (in the same VLAN) will be able to reach each other all day long with the Mikrotik being unable to stop it.

OK friend,

But what do I have to do to block the ICMP protocol within my LAN network?
Do you mean that this role is the responsibility of my switch?

I have in my MikroTik two subnets separated by VLAN (network 10.x and network 20.x). Each network has a DHCP server. I have a level switch with two static VLANs created per port.

I also use a bridge interface on my MikroTik.


Best,

So if there is a switch in the same subnet, then the MikroTik will be unable to isolate them from each other (even if we bridge that subnet)?

If you need to block ICMP between your two distinct internal networks, and you have your Mikrotik router in between those two networks, then sure, you can do that. But, as ZeroByte already said, you need to put your blocking rule into the ‘forward’ chain instead of the ‘input’ chain.

First and foremost you must learn that ICMP is not the same as PING.
When you block ICMP you will hit unpleasant surprises, and blocking PING does not do you much good.
So it is better to first ask “why do you want to block ICMP”.

When you have a switch it is not possible to block anything within the same VLAN.
It would be possible to filter traffic going from one VLAN to the other when that is happening in the MikroTik
(i.e. the switch is not a L3 routing switch), but you should certainly not block all ICMP until you fully understand
its purpose.
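What the two replies above come down to in RouterOS terms (ZeroByte's points about the forward chain, drop versus reject and the bridge filter, and the later warning that ICMP is more than ping and that only traffic passing through the MikroTik can be filtered), written out as an added example. This is not any poster's configuration: the subnets 192.168.10.0/24 and 192.168.20.0/24 are assumed placeholders for the thread's 10.x and 20.x VLANs, only the name HSPOT comes from the thread, and the bridge port name ether3 is made up.

```routeros
# Added example, not the original poster's rule and not taken from any reply.
# Assumed placeholder subnets: 192.168.10.0/24 = the "10.x" VLAN, 192.168.20.0/24 = the "20.x" VLAN.
# HSPOT is the interface name from the thread; ether3 is an assumed second bridge port.

# (a) Inter-VLAN traffic ROUTED by the MikroTik: use chain=forward (input only sees packets
#     addressed to the router itself) and action=drop (reject answers with an ICMP error, which
#     defeats the purpose). Matching only echo-request (type 8, code 0) blocks ping while leaving
#     the rest of ICMP (destination-unreachable, fragmentation-needed, time-exceeded) working.
#     place-before=0 puts the rule at the top so an earlier accept rule cannot shadow it.
/ip firewall filter add chain=forward protocol=icmp icmp-options=8:0 src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=drop place-before=0 comment="added example: drop ping 20.x -> 10.x"
/ip firewall filter add chain=forward protocol=icmp icmp-options=8:0 src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=drop place-before=0 comment="added example: drop ping 10.x -> 20.x"

# (b) Traffic BRIDGED by the MikroTik itself (two clients on two bridge ports in the same VLAN):
#     the IP firewall never sees it, the bridge filter does. Assumes HSPOT and ether3 are bridge ports.
/interface bridge filter add chain=forward mac-protocol=ip ip-protocol=icmp in-interface=HSPOT out-interface=ether3 action=drop comment="added example: drop bridged ICMP HSPOT -> ether3"
/interface bridge filter add chain=forward mac-protocol=ip ip-protocol=icmp in-interface=ether3 out-interface=HSPOT action=drop comment="added example: drop bridged ICMP ether3 -> HSPOT"

# (c) Check that a rule actually matches: its packet counter must increase while a client pings.
#     A counter stuck at 0 is the symptom the original poster described (rule in the wrong chain,
#     or the packets never reach the router at all).
/ip firewall filter print stats where comment~"added example"
/interface bridge filter print stats

# Caveat from the thread: two clients in the same VLAN of an external switch exchange frames
# inside that switch; none of the rules above ever see those packets.
```

The split into echo-request-only rules is deliberate: dropping all of ICMP in the forward chain also drops the fragmentation-needed messages that path MTU discovery relies on, which is the kind of "unpleasant surprise" the reply above warns about.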

My intention in blocking ICMP is to prevent customers from discovering other active computers within the network, and thus beginning to carry out any attack.

OK, then you can stop here.
There are enough methods for customers to discover each other's active computers, other than ping.
Besides, there is no need to discover active computers before beginning an attack.