ICMP still passing

Hi,

I’m configuring a MT from scratch (RouterOS 7.16.1).

I’ve pinged the router and it’s responded, good.

Now I disabled firewall rule number (3) and I can still ping the device… !?

Is that because I previously pinged it? How do I solve this?

Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough
 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked
 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=yes log-prefix="Dropped_invalid"
 3 X  ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp
 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1
 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN
 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec
 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec
 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked
10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid
11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

Ping originating from where?

Indeed, sorry.
From the local LAN, directly on Ethernet port 2.


Because no. 5 only drops packets not from LAN (!LAN), everything from LAN is allowed. Like all other traffic, also ping. So your initial ping was accepted by no. 3, in your later test it’s still not blocked. (In Mikrotiks, the “default policy” i.e. what happens to packets to which no other rule was applied, is accept. To change this, you can add a “drop everything” as the last rule.)


Thank you @lurker888 ,

Instead of creating a last “drop everything” rule, is it possible to change the default policy to drop (like nftables)?

Side note: dropping ICMP is not a great idea. It will affect PMTUD (path maximum transport unit discovery), which is used when MTU is not 1500. The net of that is that VPN tunnels may be slower if they use this link. And you lose a diagnostic tool yourself to know if the router is up.

Anyway, if you did want to drop ICMP, you could turn #3 into an action=drop instead, which would then cover the LAN. If your goal was blocking ICMP from the internet, disabling the ICMP rule is all you need to do — assuming the /interface/list are right for LAN and WAN, since the #5 drop would drop ICMP from !LAN, which is “WAN” (or anything not in the LAN interface list).

No. You have to add an action=drop at the end of each chain if that’s what you want to do.
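As an added illustration (my own, not code from the thread or from MikroTik), a small Python model of the input chain quoted above that replays the poster’s test (rule 3 disabled), lurker888’s point about the implicit accept, and the two options from this reply (a final drop rule, or turning #3 into a drop). The first-match evaluation order, the interface names and the addresses are assumptions of the model, not taken from the page.

```python
"""Constructed first-match model of the RouterOS input chain quoted above.
Assumed: rules are checked top to bottom, the first enabled match decides, and a
packet matching nothing gets the chain's implicit default, which is accept.
"""
from dataclasses import dataclass

LAN = {"bridge", "ether2", "ether3"}   # constructed /interface/list LAN members

@dataclass
class Packet:
    proto: str              # "icmp", "tcp", ...
    in_iface: str           # ingress interface, e.g. "ether2" (LAN) or "ether1" (WAN)
    state: str = "new"      # connection-state as conntrack would report it
    dst: str = "10.0.0.1"   # destination address (constructed router address)

def input_chain(icmp_rule="accept", final_drop=False):
    """icmp_rule: "accept" (default config), "drop" (rule 3 turned into a drop)
    or None (rule 3 disabled); final_drop appends the explicit last drop rule."""
    rules = [  # (enabled, comment, match, action), mirroring rules 1-5 of the listing
        (True, "defconf: accept established,related,untracked",
         lambda p: p.state in ("established", "related", "untracked"), "accept"),
        (True, "defconf: drop invalid", lambda p: p.state == "invalid", "drop"),
        (icmp_rule is not None, f"defconf: {icmp_rule or 'accept'} ICMP",
         lambda p: p.proto == "icmp", icmp_rule or "accept"),
        (True, "defconf: accept to local loopback", lambda p: p.dst == "127.0.0.1", "accept"),
        (True, "defconf: drop all not coming from LAN", lambda p: p.in_iface not in LAN, "drop"),
    ]
    if final_drop:
        # The "drop everything" last rule: /ip firewall filter add chain=input action=drop
        rules.append((True, "drop everything else", lambda p: True, "drop"))
    return rules

def evaluate(rules, p):
    """Return (action, reason) from the first enabled matching rule, else the implicit default."""
    for enabled, comment, match, action in rules:
        if enabled and match(p):
            return action, comment
    return "accept", "implicit default (no rule matched)"

if __name__ == "__main__":
    lan_ping, wan_ping = Packet("icmp", "ether2"), Packet("icmp", "ether1")
    for label, chain in [("rule 3 enabled", input_chain()),
                         ("rule 3 disabled", input_chain(icmp_rule=None)),
                         ("rule 3 disabled + final drop", input_chain(None, True)),
                         ("rule 3 as drop", input_chain("drop"))]:
        print(f"{label}: LAN ping -> {evaluate(chain, lan_ping)}; WAN ping -> {evaluate(chain, wan_ping)}")
```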

I think that having a hard-wired default policy is not a bad design decision:

  • it’s easy to provide the “default drop” behavior - only one trivial rule has to be added
  • the setting is prominent - there is no additional setting somewhere else that you have to take into account
  • the same statistics/logging is available for the default action, and again, it’s visible where you’d expect it to be
  • it’s consistent - default drop may make sense for filter/input; for filter/output? for mangle or nat chains?

As long as typing that one additional rule doesn’t cause someone’s RSI to flare up, I think it’s actually nice having it like this.