Ping my public IP

Hello, I would like to know if what is happening to me is normal.
The default configuration that MikroTik ships with includes a rule that accepts ICMP traffic to the router from all interfaces, which I think is correct; however, over time I have realized that I have a lot of traffic on that rule.

Is that amount of traffic normal in 17 hours? 99% of the traffic comes from the WAN:
1359.2 KiB with 17,713 packets

1.3 MB? That’s nothing…

“Normal” crap traffic fluctuates a lot, but I agree that 1.3MB in 17 hours doesn’t register on any scale.

Years ago, when I was on dial-up internet, trying to download something, 1 MB would take 20 minutes to transfer. Your 1 MB took almost 17 hours. That isn’t worth paying attention to.

Thanks for the answers. I agree that it is nothing for the 100 Mbps that I have, but why so many pings to a domestic IP?
From what I have seen there are many Amazon server IPs.

Don’t bother trying to figure that out.
There are plenty of bots trying to ping each and every possible combination.

Just make sure your firewall drops everything except your own incoming traffic, like VPN.

There’s much more to ICMP than ping.

Your ICMP is no different from my ICMP, Tangent!
Just plug your cable in and you will see.

I suppose your point is that ping is the largest portion of this ICMP traffic? If so, I will not dispute that.

What I was trying to get at is that questions like the OP’s often lead to “okay, let’s block ICMP,” which then breaks traceroute, destination network unreachable, PMTUD and more.

Domestic to whom?

AWS leases resources to anyone and the US has more IP addresses than any other country.

There are many groups out there that ‘scan’ every IPv4 address hourly for different things, just because they can.

Some of the ‘researchers’ try to connect with commonly used or generic credentials, just to see if they can. Infected systems do the same, trying to install their malware.

So far, though, I have seen exactly one instance of a group trying with IPv6.

Personally, I’m using honey-pots to add their IPs to my network drop list.

No, ‘drop all’ is a bad idea.

Tangent, that was not a serious comment; I was making a dirty comment, LOL.
In any case, I agree 100% with your comment. Leave the default rule the hell alone; its actual benefits outweigh any perceived cons.

As for Kevin, actually no: DROP ALL at the end of the forward chain and the input chain is usually the BEST WAY TO GO.
Use firewall rules to ensure only allowed traffic is permitted; the rest should absolutely be dropped.
I can see that you have not joined the BORG yet; you will be assimilated…

Dropping all ICMP is a bad idea. There is a reason it is allowed in the default rules, with the drop-all at the end.

For the input traffic, that is totally normal and no need for any fixes.

Please stop blocking ICMP if you don’t know what you are doing; http://shouldiblockicmp.com

Allow me to rephrase that:
Use the default firewall settings if they are sufficient (remove lines not needed/used), add your own incoming traffic and drop all the rest.
The defaults will ensure some things are allowed (like ICMP).

Is it right to use such a method?

/ip firewall filter
add action=jump chain=input comment=icmp in-interface-list=WAN jump-target=icmp \
    protocol=icmp
add action=accept chain=icmp comment="ICMP echo reply" icmp-options=0:0 \
    in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="ICMP net unreachable" icmp-options=3:0 \
    in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="ICMP host unreachable" icmp-options=3:1 \
    in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment=\
    "ICMP host unreachable fragmentation required" icmp-options=3:4 \
    in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="ICMP allow source quench" icmp-options=\
    4:0 in-interface-list=WAN protocol=icmp
add action=drop chain=icmp comment="ICMP drop echo request" icmp-options=8:0 \
    in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="ICMP allow time exceed" icmp-options=11:0 \
    in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="ICMP allow parameter bad" icmp-options=\
    12:0 in-interface-list=WAN protocol=icmp
add action=drop chain=icmp comment="ICMP deny all other types"
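The chain above can be checked mechanically. The script below is an added example written for this thread, not MikroTik code: it parses a RouterOS /export of the rules (the sample text inside it is a constructed copy of the chain from the question), walks the input chain the way the filter does (first match wins, a jump whose target chain falls through returns to the caller, which is my reading of RouterOS semantics), and reports the verdict for the ICMP types that break PMTUD, traceroute and unreachable feedback when they are dropped. It only understands the keys used in this chain; anything else is ignored.

```python
"""Audit a RouterOS ICMP filter chain: which ICMP type/code pairs arriving on
WAN does it accept, and does it still pass the types that break things when
dropped (fragmentation needed, TTL exceeded, host unreachable)?

Added example written for this thread, not MikroTik code.  SAMPLE_EXPORT is
a constructed copy of the chain posted in the question; the matching rules
(first match wins, a jump that falls off the end of its target chain returns
to the caller) are my reading of RouterOS filter semantics.
"""
import re
import shlex

# Constructed sample: the jump rule plus the icmp chain, in /export syntax
# with backslash line continuations exactly as the router prints them.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=jump chain=input comment=icmp in-interface-list=WAN jump-target=icmp \
    protocol=icmp
add action=accept chain=icmp comment="ICMP echo reply" icmp-options=0:0 \
    in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="ICMP net unreachable" icmp-options=3:0 \
    in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="ICMP host unreachable" icmp-options=3:1 \
    in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment=\
    "ICMP host unreachable fragmentation required" icmp-options=3:4 \
    in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="ICMP allow source quench" icmp-options=\
    4:0 in-interface-list=WAN protocol=icmp
add action=drop chain=icmp comment="ICMP drop echo request" icmp-options=8:0 \
    in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="ICMP allow time exceed" icmp-options=11:0 \
    in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="ICMP allow parameter bad" icmp-options=\
    12:0 in-interface-list=WAN protocol=icmp
add action=drop chain=icmp comment="ICMP deny all other types"
'''


def parse_export(text):
    """Return the 'add ...' lines as a list of {key: value} dicts."""
    joined = re.sub(r"\\\n\s*", "", text)  # fold backslash continuations
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skips the '/ip firewall filter' path line and blanks
        rule = {}
        for token in shlex.split(line[len("add "):]):  # handles quoted comments
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _icmp_options_match(spec, icmp_type, code):
    """spec is 'type:code' or 'type:lo-hi' (a code range), as RouterOS writes it."""
    type_str, _, code_str = spec.partition(":")
    if int(type_str) != icmp_type:
        return False
    if not code_str:
        return True
    lo, _, hi = code_str.partition("-")
    return int(lo) <= code <= int(hi or lo)


def verdict(rules, icmp_type, code, chain="input", iface_list="WAN"):
    """Walk `chain` top to bottom for an ICMP packet (icmp_type, code) that
    entered via `iface_list`.  Returns the terminal action, or None when the
    chain ends without a match (a calling chain would then carry on)."""
    for rule in rules:
        if rule.get("chain") != chain:
            continue
        if rule.get("protocol", "icmp") != "icmp":
            continue
        if rule.get("in-interface-list", iface_list) != iface_list:
            continue
        if "icmp-options" in rule and not _icmp_options_match(
                rule["icmp-options"], icmp_type, code):
            continue
        action = rule["action"]
        if action == "jump":
            sub = verdict(rules, icmp_type, code, rule["jump-target"], iface_list)
            if sub is not None:
                return sub
            continue  # target chain fell through: keep walking this chain
        return action
    return None


# The types the thread warns about: drop these and PMTUD, traceroute and
# plain "host unreachable" feedback stop working.
MUST_ACCEPT = {
    (3, 4): "fragmentation needed (PMTUD)",
    (3, 1): "host unreachable",
    (11, 0): "TTL exceeded (traceroute)",
}


def audit(rules, iface_list="WAN"):
    """Verdict for each must-accept type; every value should be 'accept'."""
    return {label: verdict(rules, t, c, iface_list=iface_list)
            for (t, c), label in MUST_ACCEPT.items()}


if __name__ == "__main__":
    rules = parse_export(SAMPLE_EXPORT)
    for label, action in audit(rules).items():
        print(f"{label:32} -> {action}")
    print("echo request from WAN          ->", verdict(rules, 8, 0))
    print("redirect (5:0) from WAN        ->", verdict(rules, 5, 0))
```

Run against the sample it shows that the chain drops echo requests and redirects from WAN while still accepting fragmentation-needed, host-unreachable and time-exceeded, which is the property the "don't just block ICMP" replies are asking for; feed it your own /export to check a different chain.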

What’s the reasoning behind that? If I don’t know about the traffic, or care enough that I don’t notice it coming in, why allow it access? If I did care about the traffic being dropped, I would notice it and put it on an address list or a rule accepting it?
I thought it was pretty much uniform that blacklist firewalls were not as effective as whitelist firewalls, so I am interested to know the reasoning behind your opinion :)

ICMP is used for more than just ping; that is the simple answer. When it is outright blocked, things break in mysterious ways. MTU discovery is one.

The default RouterBoard firewall rules block all non-related and non-established incoming traffic except ICMP; there is a reason for this. There is no actual downside to allowing ICMP.

I was speaking more generally than just pings :) Again, this is something that I know of and would allow in before my drop-all at the end of the firewall.
Also, a fun tip: to control ICMP traffic, you can actually manage this in the kernel rather than in the firewall with:
/ip settings
# icmp-rate-mask is a bitmask of ICMP types (bit n = type n); 0x1919 is the
# default 0x1818 plus bits 0 and 8, i.e. echo reply/request (this is for ping)
# icmp-rate-limit is the minimum interval between rate-limited replies (this is in ms)
set icmp-rate-mask=0x1919 icmp-rate-limit=1000

You can find more of the masks here as well:
https://man7.org/linux/man-pages/man7/icmp.7.html
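To make the mask value concrete, here is an added example (written for this thread, not MikroTik code) that encodes and decodes the icmp-rate-mask bitmask using the icmp(7) convention linked above: bit n set means ICMP type n is rate-limited. Reading the post's "1919" as hexadecimal 0x1919 is my assumption; under that reading it is the icmp(7) default 0x1818 (6168 decimal) with echo request and echo reply added, whereas 1919 decimal would be 0x77f and cover a different set of types.

```python
"""Encode and decode the icmp-rate-mask bitmask that RouterOS /ip settings
exposes (it mirrors the Linux icmp_ratemask sysctl described in icmp(7)):
bit n set means ICMP type n is subject to icmp-rate-limit.

Added example for this thread, not MikroTik code.  Reading the post's
"1919" as hex 0x1919 is an assumption made here.
"""

# ICMP type numbers from icmp(7) / RFC 792 (only the commonly seen ones).
ICMP_TYPE_NAMES = {
    0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
    5: "redirect", 8: "echo-request", 9: "router-advertisement",
    10: "router-solicitation", 11: "time-exceeded", 12: "parameter-problem",
    13: "timestamp-request", 14: "timestamp-reply",
    17: "address-mask-request", 18: "address-mask-reply",
}

# icmp(7): icmp_ratemask defaults to 6168 (0x1818), i.e. destination
# unreachable, source quench, time exceeded and parameter problem.
LINUX_DEFAULT_MASK = 0x1818


def mask_from_types(types):
    """Build a mask from an iterable of ICMP type numbers."""
    mask = 0
    for t in set(types):
        if not 0 <= t <= 255:
            raise ValueError(f"bad ICMP type {t}")
        mask |= 1 << t
    return mask


def types_from_mask(mask):
    """Sorted list of the ICMP type numbers whose bit is set in `mask`."""
    return [t for t in range(mask.bit_length()) if mask >> t & 1]


def describe_mask(mask):
    """Names for the types in `mask`, e.g. ['echo-reply', 'destination-unreachable', ...]."""
    return [ICMP_TYPE_NAMES.get(t, f"type-{t}") for t in types_from_mask(mask)]


def mask_with_ping(base=LINUX_DEFAULT_MASK):
    """Add echo request (8) and echo reply (0) to an existing mask."""
    return base | mask_from_types([0, 8])


def routeros_command(mask, limit_ms):
    """Render the /ip settings line for `mask` and `limit_ms` (minimum spacing
    between rate-limited responses in ms; 0 disables limiting).  RouterOS
    prints the mask in hex, so the command does too."""
    return f"/ip settings set icmp-rate-mask=0x{mask:x} icmp-rate-limit={limit_ms}"


if __name__ == "__main__":
    print("default 0x1818 covers:", describe_mask(LINUX_DEFAULT_MASK))
    m = mask_with_ping()
    print(f"with ping, 0x{m:x} covers:", describe_mask(m))
    print(routeros_command(m, 1000))
```

The decode direction is the useful one when reading someone else's config: pass the mask you see on a router to describe_mask() and you get the list of types the limit actually applies to, rather than guessing from the hex.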