I want to block ICMP traffic on the WAN interface (so no one from the internet can ping my WAN IP),
but I want the MikroTik itself to be able to ping anyone. How is this possible?
I am using the following rules, but they also block pings from the MikroTik itself to the outside world.
5 ;;; Allow Mikrotik itself (localhost) to PING OUTSIDE WORLD
chain=output action=accept protocol=icmp
6 ;;; DROP PING ICMP on WAN interface
chain=input action=drop protocol=icmp in-interface=WAN_interface
The first rule is not needed, as long as you do not later block any type of ICMP coming from the RouterBoard to the outside.
If you want to allow everything from the RouterBoard to the outside, do not define any rule.
Simply add connection-type=new to the second rule
(it is implicit that you accept related and established).
/ip firewall filter
add action=drop chain=input comment="DROP PING ICMP ON WAN INTERFACE" disabled=no in-interface=WAN protocol=icmp
Then the ping from the MikroTik itself to the outer world also stopped. What I want is that the MikroTik should be able to ping the outside world, but no one should be able to ping my MikroTik WAN interface/IP from the outside world.
You have to accept established connections for the returned ICMP packets to be accepted, and you have to place that accept rule before the drop rule, because rule order is important in the firewall.
And connection-state=new is just that: a new connection that is not in connection tracking. For established and related you have to have separate rules that accept those.
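Putting the two replies together, the rule set below is an added example written for this thread, not taken from any of the posts; it assumes the WAN interface is named WAN (as in the rules above) and that 192.0.2.1 stands in for any reachable public host you use to test outbound ping.

```routeros
# Added example: input-chain rules on the router itself (not forward, which is for traffic passing through).
/ip firewall filter

# 1. Accept replies to connections the router (or anything behind it) opened.
#    This must sit ABOVE the drop rule: rules are evaluated top to bottom and the first match wins.
#    The echo-reply to the router's own ping is tracked as "established", so it is accepted here.
add chain=input connection-state=established,related action=accept \
    comment="ACCEPT ESTABLISHED/RELATED (returning ICMP echo-replies included)"

# 2. Drop only NEW ICMP arriving on WAN, i.e. pings initiated from the internet towards the WAN IP.
#    Replies to the router's outbound pings never match this rule (they are not "new").
add chain=input in-interface=WAN protocol=icmp connection-state=new action=drop \
    comment="DROP NEW ICMP ON WAN INTERFACE"

# No output-chain rule is needed: with no output rules, the router's own traffic is accepted by default.

# Checks (run on the router):
#   /ip firewall filter print            -> confirm the accept rule is listed before the drop rule
#   /ping 192.0.2.1 count=3              -> replace with a reachable host; replies should arrive
#   From a host on the internet, ping the WAN IP: it should time out.
#   If the accept rule ended up BELOW the drop rule, move it up with:
#   /ip firewall filter move [find comment~"ACCEPT ESTABLISHED"] destination=0
```

If the accept rule is missing or placed after the drop rule, the router's outbound pings still leave but their replies are discarded on the way back, which is exactly the symptom described in the thread.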