icmp

Hi,
I have a RouterBOARD with 2 WAN and 2 ISPs. I use one ISP for data and the second ISP for voice; this is the config, on separate networks:
network1 (data) --> WAN1
network2 (voice) --> WAN2

All is OK.
On WAN1 I have set a firewall rule for ICMP:

/ip firewall filter
add chain=input comment="Allow all ICMP" protocol=icmp

But the router does not respond to ICMP.
Can you help me?

How are you testing this?

Perhaps you wanted to use a forward chain.

Why do you suggest forward chain?
ICMP is input to test the response of the router/////////////
Tempted to slap Anumrak upside the head. :wink:

Then I realize it says I am a long time user and I don’t know sheite either LOL.

Dude, I just saw he wanted forward ICMP for his data and voice! Maybe was drunk, dunno. Keep your emotions to yourself :smiley: I bet I know more than you ^^

You should check your rules above that one on both sides. It’s pretty simple to allow icmp replying.

No bets required, I am 100% positive you know more than I do.
Unfortunately, I am literate and logical though and for some reason (bad childhood) it gives me great pleasure to knock ‘know it alls’ off their vapour perches who probably wear their pants below their skinny butt line, but that would be stereotyping…

Where does it indicate he wanted to forward ICMP?
What does ICMP have to do with data and voice?
My basic knowledge impression is that ICMP is used to ensure that one's public IP was accessible from the internet.

Yes, the OP mentions Data and voice but in the context of the fact that he intends to use WAN1 for data and WAN2 for voice.
If anything I suspect that he wants to make sure that his WAN1 and WAN2 public IPs are accessible from the internet.

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached.[1] ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute).

Back to the matter at hand for the OP.
It is hard to know why the basic INPUT chain rule you have set up is not working.
It is the exact same rule I have and it works.
Therefore it is probably due to some other Filter FW rules that you have in place, and unless you post a configuration it's impossible for us to figure out.
I am not sure if you copied the rule verbatim or were simply showing it's allowed, because you don't have the action syntax included.
/ip firewall filter
add chain=input comment="allow all icmp" protocol=icmp action=accept

To provide the rest of your config, use the terminal selection available in WinBox and enter
/export hide-sensitive file=nameofyourchoosing

Then go to the WinBox left menu selection of Files,
locate the file, right click on it and download it to your PC.
Use Notepad++ to open the file and then you can paste here!

What is IP address on your WAN1 and WAN2 interfaces? And show me your routes list.

I thank you all and I apologize for the delay but I have had health problems, now resolved.

I would like to activate ICMP on the two public interfaces so that the router can be reached from the internet and from the internal network.


thanks for the help you can give me

This is conf:

# jun/01/2017 17:38:24 by RouterOS 6.40
# software id = 75AZ-C6N1
# model = RouterBOARD 3011UiAS
# serial number = 780E07967FB1

/interface ethernet
set [ find default-name=ether2 ] comment="FTTC50KPN DATI" name=FTTCEth2
set [ find default-name=ether6 ] comment="LAN per VOIP" name=LANVOIPEth6
set [ find default-name=ether4 ] comment="LAN DATI " name=LanEth4
set [ find default-name=ether5 ] comment="WAN per VOIP WI (backup)" name=WANWIVOIPEth5
set [ find default-name=ether3 ] comment="WAN Fastweb" name=WanEth3
set [ find default-name=ether7 ] comment="Vodafone Station"
set [ find default-name=ether8 ] comment="SHDSLKPN 2M Voce"
/interface pppoe-client
add disabled=no interface=FTTCEth2 name=pppoe-outDATI user=myuser@adsl.provider.it
/interface vlan
add disabled=yes interface=FTTCEth2 name=vlan11-DATI vlan-id=1
add interface=ether8 name=vlan11-Voce vlan-id=11
add interface=ether8 name=vlan111-voce vlan-id=111
/interface pppoe-client
add disabled=no interface=vlan11-Voce name=pppoe-out1-Voce user=myuser@adsl.provider.it
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=3des
/ip pool
add name=DHCOCOSVIM ranges=x1.x2.x3.101-x1.x2.x3.150
add name=dhcpvoce ranges=x1.x2.x4.50-x1.x2.x4.70
/ip dhcp-server
add address-pool=dhcpvoce disabled=no interface=LANVOIPEth6 name=dhcpsrvvoce
/queue simple
add limit-at=384k/384k max-limit=512k/2M name=voip priority=1/1 target=WANWIVOIPEth5
add name=Utente_Ip target=x1.x2.x3.118/32
/snmp community
set [ find default=yes ] addresses=x1.x2.x4.0/24,y1.y2.y3.y4/32,x1.x2.x3.0/24 name=passcom
/system logging action
set 1 disk-file-name=/disk1/logfolder/syslog
add disk-file-name=disk1/logfolder/webproxylog name=Logwebproxy target=disk
/user group
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/dude
set data-directory=disk1 enabled=yes
/ip accounting
set enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=x1.x2.x3.254/32
/ip address
add address=x1.x2.x3.1/24 comment="LAN DATI " interface=LanEth4 network=x1.x2.x3.0
add address=x1.x2.x6.250/24 comment="WAN FASTWEB" interface=WanEth3 network=x1.x2.x6.0
add address=x1.x2.x7.254/24 comment="WAN VOIP WI" interface=WANWIVOIPEth5 network=x1.x2.x7.0
add address=x1.x2.x4.200/24 comment="LAN VOIP" interface=LANVOIPEth6 network=x1.x2.x4.0
add address=z1.z2.z3.z4 comment="SHDSL2MKPN WAN VOCE" interface=pppoe-out1-Voce network=z1.z2.z3.z4
add address=w1.w2.w3.w4 interface=FTTCEth2 network=255.255.255.248
add address=w1.w2.w3.w5 comment="web server" interface=FTTCEth2 network=255.255.255.248
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether7
/ip dhcp-server network
add address=x1.x2.x3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=x1.x2.x3.1
add address=x1.x2.x4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=x1.x2.x4.200
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=x1.x2.x49.0-x1.x2.x49.254 list=allowed_to_router
add address=x1.x2.x3.0-x1.x2.x3.254 list=allowed_to_router
add address=92.114.32.25 list=blacklist
add address=62.138.16.47 list=blacklist
add address=199.48.164.165 list=blacklist
add address=195.154.191.163 list=blacklist
add address=188.138.57.17 list=blacklist
add address=37.8.94.61 list=blacklist
add address=89.207.131.17 list=blacklist
add address=89.163.146.57 list=blacklist
add address=89.207.131.72 list=blacklist
add address=107.155.133.194 list=blacklist
add address=163.172.110.117 list=blacklist
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add action=log chain=input disabled=yes in-interface=pppoe-outDATI log=yes log-prefix="ICMP INGRESSO" protocol=icmp
add action=log chain=output disabled=yes log=yes log-prefix="ICMP DEBUG" out-interface=pppoe-outDATI protocol=icmp
add action=accept chain=input in-interface=LANVOIPEth6 protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="ACCEPT Stabilite e Related" connection-state=established,related
add action=accept chain=input comment="Accetta tutto quello che arriva in ingresso dalla LAN" in-interface=LanEth4
add action=accept chain=input comment="Accetta tutto da LAN VOCE ETH6" in-interface=LANVOIPEth6
add action=accept chain=input comment="VPN in ingresso" dst-port="" protocol=tcp src-address=0.0.0.0 src-port=1723
add action=accept chain=input comment="GRE PROTOCOL IN INGRESSO" protocol=gre
add action=accept chain=input dst-port=3389 protocol=tcp
add action=accept chain=input comment="VPN STSENG" protocol=ipsec-esp src-address=a1.a2.a3.a4
add action=accept chain=forward dst-address=x1.x2.x3.7 in-interface=FTTCEth2 out-interface=LanEth4 src-address=b1.b2.b3.b4/28
add action=accept chain=input comment="web server" dst-address=c1.c2.c3.c4 dst-port=80 protocol=tcp src-address=0.0.0.0
add action=accept chain=input comment="Regola proxy" disabled=yes dst-port=8888 protocol=tcp src-address=x1.x2.x3.0/24
add action=reject chain=input comment="Drop quello che appartiene alla Blacklist" reject-with=icmp-network-unreachable src-address-list=blacklist
add action=drop chain=input comment="Drop invalid connection" connection-state=invalid
add action=drop chain=input comment="Drop tutto quello che non e destinato ad essere instradato" disabled=yes dst-address-type=!local
add action=accept chain=forward comment="ALLOW ASTERISK CONNECTIONS/REPLIES TO OUTSIDE (INTERNET)" protocol=udp src-address=x1.x2.x4.2
add action=accept chain=forward comment="ALLOW FORWARDED CONNECTIONS/REPLIES TO INSIDE (LAN)" dst-address=x1.x2.x4.2 dst-port=10000-20000 protocol=udp
add action=accept chain=input comment="Drop tutti gli ip non unicast" src-address-type=!unicast
add chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop tutti i pacchetti che arrivano da internet ma non hanno IP pubblici" in-interface=FTTCEth2 src-address-list=NotPublic
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=FTTCEth2
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=FTTCEth2 src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" disabled=yes dst-address-list=NotPublic in-interface=LanEth4
add action=drop chain=input comment="Regola proxy" disabled=yes dst-port=8888 protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Questa regola mi serve solo per markare i pacchetti che voglio inviare sul router voce" new-routing-mark=voip passthrough=yes src-address=x1.x2.x4.0/24
add action=mark-connection chain=input disabled=yes in-interface=WanEth3 new-connection-mark=wan8m passthrough=no
add action=mark-connection chain=input disabled=yes in-interface=FTTCEth2 new-connection-mark=WanVoip passthrough=no
add action=mark-routing chain=output connection-mark=wan8m disabled=yes new-routing-mark=to_wan8m passthrough=no
add action=mark-routing chain=output connection-mark=WanVoip disabled=yes new-routing-mark=to_wanvoip passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=dati passthrough=yes src-address=x1.x2.x3.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=src-nat chain=srcnat comment="La registrazione Plink su WI" dst-address=d1.d2.d3.d4 out-interface=WANWIVOIPEth5 routing-mark=voip to-addresses=x1.x2.x7.1
add action=dst-nat chain=dstnat comment="FORWARDING VPN" dst-port=1723 protocol=tcp to-addresses=x1.x2.x3.80 to-ports=1723
add action=accept chain=srcnat comment="NAT VPN SUBNET ENG" dst-address=b1.b2.b3.b4/28 src-address=x1.x2.x3.7
add action=masquerade chain=srcnat comment="LAN DATI SU INTERNET" disabled=yes out-interface=WanEth3 src-address=x1.x2.x3.0/24 to-addresses=e1.e2.e3.e4
add action=masquerade chain=srcnat comment="LAN VOCE SU INTERNET" disabled=yes out-interface=vlan11-Voce routing-mark=voip src-address=x1.x2.x4.0/24 to-addresses=z1.z2.z3.z4
add action=masquerade chain=srcnat comment="LAN VOCE SU INTERNET FAILOVER 8M" disabled=yes out-interface=WanEth3 src-address=x1.x2.x4.0/24
add action=accept chain=srcnat comment="LAN VOCE SU INTERNET FAILOVER WI" disabled=yes out-interface=WANWIVOIPEth5 src-address=x1.x2.x4.0/24
add action=masquerade chain=srcnat comment="Failover su Vodafone Station" out-interface=ether7 src-address=x1.x2.x3.0/24
add action=dst-nat chain=dstnat comment="dstnat webserver" dst-address=c1.c2.c3.c4 to-addresses=x1.x2.x3.242
add action=src-nat chain=srcnat comment="srcnat webserver" dst-address=!x1.x2.x3.6 src-address=x1.x2.x3.242 to-addresses=c1.c2.c3.c4
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=FTTCEth2 protocol=tcp src-port="" to-addresses=x1.x2.x3.242 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 port="" protocol=tcp to-addresses=x1.x2.x3.254 to-ports=3389
add action=redirect chain=dstnat comment="Trasparent Web Proxy" disabled=yes dst-address=!x1.x2.x3.242 dst-port=80 protocol=tcp src-address=!x1.x2.x3.242 to-ports=8888
/ip ipsec peer
add address=a1.a2.a3.a4/32 dh-group=modp1024 enc-algorithm=3des
/ip ipsec policy
add dst-address=b1.b2.b3.b4/28 sa-dst-address=a1.a2.a3.a4 sa-src-address=5.150.135.46 src-address=x1.x2.x3.7/32 tunnel=yes
/ip proxy
set cache-administrator=pinkers cache-on-disk=yes cache-path=disk1/web-proxy port=8888
/ip proxy access
add action=deny dst-host=*facebook.com
/ip route
add check-gateway=ping comment="QUesta regola la uso per i viare tutti i pacchetti marcati con \"voip\" sul router voce" distance=1 gateway=pppoe-out1-Voce routing-mark=voip
add comment="ROTTA DI FAILOVER PER VOIP" disabled=yes distance=10 gateway=x1.x2.x6.251 routing-mark=voip
add check-gateway=ping comment="Questa regola la uso per inviare tutti i pacchetti dati sul router dati" distance=1 gateway=pppoe-outDATI routing-mark=dati
add check-gateway=ping comment="Failover vodafone station" disabled=yes distance=2 gateway=x1.x2.x6.251
add distance=1 dst-address=d1.d2.d3.d4/32 gateway=x1.x2.x7.1
/ip service
set telnet disabled=yes
set ftp address=f1.f2.f3.f4/32,x1.x2.x3.0/24
set www address=f1.f2.f3.f4/32,x1.x2.x3.0/24
set ssh disabled=yes port=8822
set api disabled=yes
set winbox address=f1.f2.f3.f4/32,x1.x2.x3.0/24
set api-ssl disabled=yes
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Rome
/system logging
add action=Logwebproxy prefix=LOGGING-> topics=web-proxy,!debug
/system ntp client
set enabled=yes primary-ntp=193.183.98.38 secondary-ntp=94.177.187.22 server-dns-names=8.8.8.8
/system scheduler
add name=BackupROSCosvim on-event=Backup policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=aug/08/2017 start-time=01:10:02
/system script
add name=Backup owner=francesco policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/export file=export\r\n/tool e-mail send to=\"francesco.dilecce@linkat.it\" subject=\"\$[/system identity get name] export\" body=\"\$[/system clock get date] configurationfile\" file=export.rsc"
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=smtp-out.mailserver.it from=<no-reply@linkat.it> start-tls=yes user=francesco.dilecce@linkat.it
/tool graphing interface
add
/tool graphing queue
add
/tool mac-server
set [ find default=yes ] disabled=yes
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-interface=ether7 filter-ip-protocol=icmp

Based on your config export, changing this rule:

add action=accept chain=input in-interface=LANVOIPEth6 protocol=icmp

to:

add action=accept chain=input protocol=icmp

Should allow ICMP on all interfaces

Thanks CZFan, I tried this but it did not work.
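
The replies above suggest checking the filter rules that sit ahead of the ICMP rule. The following is an added example, not part of the thread and not RouterOS code: a small first-match evaluator over the input-chain rules abridged from the posted export. The packet fields and the helper names (`parse`, `matches`, `first_match`) are assumptions of this example.

```python
import shlex

# Abridged from the input-chain rules in the export posted above; order is kept.
EXPORT = """
add action=log chain=input disabled=yes in-interface=pppoe-outDATI protocol=icmp
add action=accept chain=input in-interface=LANVOIPEth6 protocol=icmp
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=LanEth4
add action=reject chain=input src-address-list=blacklist
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address-type=!unicast
add action=drop chain=input in-interface=FTTCEth2 src-address-list=NotPublic
"""

def parse(text):
    """One dict of property -> value per 'add' line."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.strip().splitlines()]

def matches(rule, pkt):
    """Every matcher on the rule must hold; '!' negates, ',' lists alternatives."""
    for key, want in rule.items():
        if key in ("action", "disabled", "comment"):
            continue
        hit = pkt.get(key) in want.lstrip("!").split(",")
        if hit == want.startswith("!"):
            return False
    return True

def first_match(rules, pkt):
    """Return (rule index, action) of the first terminating rule that matches."""
    for n, rule in enumerate(rules):
        action = rule.get("action", "accept")   # RouterOS default action is accept
        if rule.get("disabled") == "yes" or action == "log":
            continue                            # disabled or non-terminating rule
        if matches(rule, pkt):
            return n, action
    return None, "accept"   # nothing matched: built-in chains fall through to accept

# Constructed packets: a new echo request from the data WAN and from the voice LAN.
WAN_PING = {"chain": "input", "protocol": "icmp", "connection-state": "new",
            "in-interface": "pppoe-outDATI", "src-address-type": "unicast"}
LAN_PING = {**WAN_PING, "in-interface": "LANVOIPEth6"}

if __name__ == "__main__":
    rules = parse(EXPORT)
    for name, pkt in (("WAN", WAN_PING), ("voice LAN", LAN_PING)):
        print(name, first_match(rules, pkt))
```

On these rules a new echo request arriving on pppoe-outDATI matches no rule and falls through to accept, while the same request from LANVOIPEth6 is accepted by the second rule.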