Hello
What solution do you do to limit ping (firewall filter)?
For example:
After 5 seconds + Size more than 400
action: Drop
Thanks
Actually my settings are
action=accept chain=input protocol=icmp
Thank you anav
But this open all ping
I want to be able to ping for a short time.
Be open for pings with normal 32-byte packets.
For how long to block source?
For eg. this will block source IP for 1h (address-list-timeout=1h):
/ip firewall filter
add action=jump chain=input jump-target=icmp-limit packet-size=!0-400 protocol=icmp
add action=return chain=icmp-limit dst-limit=1/5s,3,src-address/10s
add action=add-src-to-address-list address-list=BLOCK_ICMP address-list-timeout=1h chain=icmp-limit
/ip firewall raw
add action=drop chain=prerouting protocol=icmp src-address-list=BLOCK_ICMP
or you want to block per connection? like this for eg:
/ip firewall filter
add action=drop chain=input connection-mark=BLOCK_ICMP protocol=icmp
/ip firewall mangle
add action=jump chain=input jump-target=icmp-limit packet-size=!0-400 protocol=icmp
add action=accept chain=icmp-limit dst-limit=1/5s,3,src-address/10s
add action=mark-connection chain=icmp-limit new-connection-mark=BLOCK_ICMP passthrough=no
Thank you igorch
I have tried both methods
I think it works for remote ping
But it did not work in the local network
It should work from LAN also, it depends where rules are placed, maybe some rule accepts LAN packets before these rules.
Post exported ROS config for troubleshooting.
When dealing with ICMP, one should not forget that ICMP is way more than only "Echo" and "Echo Reply". Blindly blocking all ICMP traffic might severely interfere with normal IP communication (e.g. PMTUD doesn't work without ICMP working) ... specially so in IPv6.
Additionally, some traceroute implementations use ICMP (e.g. windows tracert) while others (e.g. linux traceroute) use UDP (or ICMP if instructed to do so ... or even TCP when using tcptraceroute).
Which means that blocking ICMP (even if only type 0 and type 8) doesn't really improve security of your router or LAN. Not a tiny little bit.
In such case it would be better to implement per connection limiting, I guess this is asked for icmp flood attack protection.
IMO in such case it's better to filter per ICMP type ... some are not really necessary (e.g. echo / echo request), some are. Filtering by rate can be added to basic filtering by type.
Not sure how much icmp standard messages can grow, but if packet size for such types will be less than 400 bytes, rule will not affect them.
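Putting the two suggestions together (igorch's per-source dst-limit with an address list, and mkx's filtering by ICMP type), here is one way the input chain could look. This is an added example, not igorch's or mkx's configuration: the chain name icmp, the address-list name BLOCK_ICMP, the 400-byte size threshold and the 1h timeout are taken from the thread, while the choice of which ICMP types to accept and the 1/5s,3 rate are assumptions you should adjust to your network.

```routeros
# Added example (not from the thread). Drop already-quarantined sources as early
# as possible, before connection tracking, as in igorch's raw rule.
/ip firewall raw
add chain=prerouting protocol=icmp src-address-list=BLOCK_ICMP action=drop \
    comment="sources that sent oversized pings (added for 1h below)"

/ip firewall filter
# This jump must sit ABOVE any general accept (established/related, accept from
# LAN, ...), otherwise LAN pings never reach the icmp chain (see igorch's remark).
add chain=input protocol=icmp action=jump jump-target=icmp comment="ICMP handling"

# Types that normal IP operation depends on: never rate-limit these.
add chain=icmp protocol=icmp icmp-options=3:0-15 action=accept \
    comment="destination unreachable, incl. 3:4 fragmentation needed (PMTUD)"
add chain=icmp protocol=icmp icmp-options=11:0-1 action=accept \
    comment="time exceeded (what traceroute relies on)"
add chain=icmp protocol=icmp icmp-options=12:0-1 action=accept comment="parameter problem"
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"

# Echo request (type 8): normal-sized pings are accepted, 1 per 5 s per source
# with a burst of 3 (assumed values); the per-source bucket expires after 10 s.
add chain=icmp protocol=icmp icmp-options=8:0 packet-size=0-400 \
    dst-limit=1/5s,3,src-address/10s action=accept \
    comment="echo request: normal size, rate limited per source"
# Oversized echo requests quarantine the source for 1h via the raw rule above.
add chain=icmp protocol=icmp icmp-options=8:0 packet-size=!0-400 \
    action=add-src-to-address-list address-list=BLOCK_ICMP address-list-timeout=1h \
    comment="echo request larger than 400 bytes: block source 1h"
# Normal-sized echo requests above the rate are just dropped, not blacklisted.
add chain=icmp protocol=icmp icmp-options=8:0 action=drop \
    comment="echo request over rate limit"
# Anything else (redirects, timestamp, etc.) is not needed on the router itself.
add chain=icmp protocol=icmp action=drop comment="other ICMP types"
```

Check the placement with /ip firewall filter print, and watch the counters while pinging from LAN and WAN: if the jump rule's counter stays at zero for LAN pings, an earlier accept rule is matching first. The equivalent for IPv6 goes into /ipv6/firewall/filter with protocol=icmpv6 and its own type numbers, and there it matters even more, because neighbour discovery and packet-too-big messages are ICMPv6.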
The order of execution in firewall is from top to bottom?
I had put the rules on top.
It seems right
what is your plan?
My plan? I don't bother, so essentially the same as by @anav in post #2 (plus similar for chain=forward in /ipv6/firewall/filter).
Yes, firewall rules are processed from top to bottom and with jump into custom chain it is possible to make certain advanced conditions.
Regarding filtering icmp it depends on which kind of network is applied, in my case for home I'm dropping icmp from WAN and guest VLAN; and accepting from LAN and VPN since clients are considered as trusted from there. In other cases consider what @mkx wrote before.
No! Re-read what @mkx wrote above. You should not blindly block all kind of ICMP messages. Try these test pages:
http://icmpcheck.popcount.org/
http://icmpcheckv6.popcount.org/
? No issues here from LAN and restricted VLAN...
and fw filter rule is from defconf...
egress icmp ofc is not blocked...
Edit: Also tested over all my back to home VPNs - OpenVPN, Wireguard and Wireguard over Xray tunnel (VLESS+Reality), still no issues...