I thank you all and I apologize for the delay but I have had health problems, now resolved.
I would like to activate ICMP on the two public interfaces so that the router can be reached from the internet and from the internal network.
thanks for the help you can give me
This is conf:
# jun/01/2017 17:38:24 by RouterOS 6.40
# software id = 75AZ-C6N1
#
# model = RouterBOARD 3011UiAS
# serial number = 780E07967FB1
/interface ethernet
set [ find default-name=ether2 ] comment="FTTC50KPN DATI" name=FTTCEth2
set [ find default-name=ether6 ] comment="LAN per VOIP" name=LANVOIPEth6
set [ find default-name=ether4 ] comment="LAN DATI " name=LanEth4
set [ find default-name=ether5 ] comment="WAN per VOIP WI (backup)" name=\
WANWIVOIPEth5
set [ find default-name=ether3 ] comment="WAN Fastweb" name=WanEth3
set [ find default-name=ether7 ] comment="Vodafone Station"
set [ find default-name=ether8 ] comment="SHDSLKPN 2M Voce"
/interface pppoe-client
add disabled=no interface=FTTCEth2 name=pppoe-outDATI user=\
myuser@adsl.provider.it
/interface vlan
add disabled=yes interface=FTTCEth2 name=vlan11-DATI vlan-id=1
add interface=ether8 name=vlan11-Voce vlan-id=11
add interface=ether8 name=vlan111-voce vlan-id=111
/interface pppoe-client
add disabled=no interface=vlan11-Voce name=pppoe-out1-Voce user=\
myuser@adsl.provider.it
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=3des
/ip pool
add name=DHCOCOSVIM ranges=x1.x2.x3.101-x1.x2.x3.150
add name=dhcpvoce ranges=x1.x2.x4.50-x1.x2.x4.70
/ip dhcp-server
add address-pool=dhcpvoce disabled=no interface=LANVOIPEth6 name=dhcpsrvvoce
/queue simple
add limit-at=384k/384k max-limit=512k/2M name=voip priority=1/1 target=\
WANWIVOIPEth5
add name=Utente_Ip target=x1.x2.x3.118/32
/snmp community
set [ find default=yes ] addresses=\
x1.x2.x4.0/24,y1.y2.y3.y4/32,x1.x2.x3.0/24 name=passcom
/system logging action
set 1 disk-file-name=/disk1/logfolder/syslog
add disk-file-name=disk1/logfolder/webproxylog name=Logwebproxy target=disk
/user group
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!\
test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/dude
set data-directory=disk1 enabled=yes
/ip accounting
set enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=x1.x2.x3.254/32
/ip address
add address=x1.x2.x3.1/24 comment="LAN DATI " interface=LanEth4 network=\
x1.x2.x3.0
add address=x1.x2.x6.250/24 comment="WAN FASTWEB" interface=WanEth3 \
network=x1.x2.x6.0
add address=x1.x2.x7.254/24 comment="WAN VOIP WI" interface=WANWIVOIPEth5 \
network=x1.x2.x7.0
add address=x1.x2.x4.200/24 comment="LAN VOIP" interface=LANVOIPEth6 \
network=x1.x2.x4.0
add address=z1.z2.z3.z4 comment="SHDSL2MKPN WAN VOCE" interface=\
pppoe-out1-Voce network=z1.z2.z3.z4
add address=w1.w2.w3.w4 interface=FTTCEth2 network=255.255.255.248
add address=w1.w2.w3.w5 comment="web server" \
interface=FTTCEth2 network=255.255.255.248
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether7
/ip dhcp-server network
add address=x1.x2.x3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=x1.x2.x3.1
add address=x1.x2.x4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=x1.x2.x4.200
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=x1.x2.x49.0-x1.x2.x49.254 list=allowed_to_router
add address=x1.x2.x3.0-x1.x2.x3.254 list=allowed_to_router
add address=92.114.32.25 list=blacklist
add address=62.138.16.47 list=blacklist
add address=199.48.164.165 list=blacklist
add address=195.154.191.163 list=blacklist
add address=188.138.57.17 list=blacklist
add address=37.8.94.61 list=blacklist
add address=89.207.131.17 list=blacklist
add address=89.163.146.57 list=blacklist
add address=89.207.131.72 list=blacklist
add address=107.155.133.194 list=blacklist
add address=163.172.110.117 list=blacklist
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add action=log chain=input disabled=yes in-interface=pppoe-outDATI log=yes \
log-prefix="ICMP INGRESSO" protocol=icmp
add action=log chain=output disabled=yes log=yes log-prefix="ICMP DEBUG" \
out-interface=pppoe-outDATI protocol=icmp
add action=accept chain=input in-interface=LANVOIPEth6 protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="ACCEPT Stabilite e Related" \
connection-state=established,related
add action=accept chain=input comment=\
"Accetta tutto quello che arriva in ingresso dalla LAN" in-interface=\
LanEth4
add action=accept chain=input comment="Accetta tutto da LAN VOCE ETH6" \
in-interface=LANVOIPEth6
add action=accept chain=input comment="VPN in ingresso" dst-port="" protocol=\
tcp src-address=0.0.0.0 src-port=1723
add action=accept chain=input comment="GRE PROTOCOL IN INGRESSO" protocol=gre
add action=accept chain=input dst-port=3389 protocol=tcp
add action=accept chain=input comment="VPN STSENG" protocol=ipsec-esp \
src-address=a1.a2.a3.a4
add action=accept chain=forward dst-address=x1.x2.x3.7 in-interface=FTTCEth2 \
out-interface=LanEth4 src-address=b1.b2.b3.b4/28
add action=accept chain=input comment=\
"web server" dst-address=\
c1.c2.c3.c4 dst-port=80 protocol=tcp src-address=0.0.0.0
add action=accept chain=input comment="Regola proxy" disabled=yes dst-port=\
8888 protocol=tcp src-address=x1.x2.x3.0/24
add action=reject chain=input comment=\
"Drop quello che appartiene alla Blacklist" reject-with=\
icmp-network-unreachable src-address-list=blacklist
add action=drop chain=input comment="Drop invalid connection" \
connection-state=invalid
add action=drop chain=input comment=\
"Drop tutto quello che non e destinato ad essere instradato" disabled=yes \
dst-address-type=!local
add action=accept chain=forward comment=\
"ALLOW ASTERISK CONNECTIONS/REPLIES TO OUTSIDE (INTERNET)" protocol=udp \
src-address=x1.x2.x4.2
add action=accept chain=forward comment=\
"ALLOW FORWARDED CONNECTIONS/REPLIES TO INSIDE (LAN)" dst-address=\
x1.x2.x4.2 dst-port=10000-20000 protocol=udp
add action=accept chain=input comment="Drop tutti gli ip non unicast" \
src-address-type=!unicast
add chain=forward comment="Accept established and related packets" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" \
connection-state=invalid
add action=drop chain=input comment="Drop tutti i pacchetti che arrivano da in\
ternet ma non hanno IP pubblici" in-interface=FTTCEth2 src-address-list=\
NotPublic
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface=FTTCEth2
add action=drop chain=forward comment="Drop all packets from public internet w\
hich should not exist in public network" in-interface=FTTCEth2 \
src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to \
internet which should not exist in public network" disabled=yes \
dst-address-list=NotPublic in-interface=LanEth4
add action=drop chain=input comment="Regola proxy" disabled=yes dst-port=8888 \
protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Questa regola mi serve solo \
per markare i pacchetti che voglio inviare sul router voce" \
new-routing-mark=voip passthrough=yes src-address=x1.x2.x4.0/24
add action=mark-connection chain=input disabled=yes in-interface=WanEth3 \
new-connection-mark=wan8m passthrough=no
add action=mark-connection chain=input disabled=yes in-interface=FTTCEth2 \
new-connection-mark=WanVoip passthrough=no
add action=mark-routing chain=output connection-mark=wan8m disabled=yes \
new-routing-mark=to_wan8m passthrough=no
add action=mark-routing chain=output connection-mark=WanVoip disabled=yes \
new-routing-mark=to_wanvoip passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=dati passthrough=\
yes src-address=x1.x2.x3.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=src-nat chain=srcnat comment="La registrazione Plink su WI" \
dst-address=d1.d2.d3.d4 out-interface=WANWIVOIPEth5 routing-mark=voip \
to-addresses=x1.x2.x7.1
add action=dst-nat chain=dstnat comment="FORWARDING VPN" dst-port=1723 \
protocol=tcp to-addresses=x1.x2.x3.80 to-ports=1723
add action=accept chain=srcnat comment="NAT VPN SUBNET ENG" dst-address=\
b1.b2.b3.b4/28 src-address=x1.x2.x3.7
add action=masquerade chain=srcnat comment="LAN DATI SU INTERNET" disabled=\
yes out-interface=WanEth3 src-address=x1.x2.x3.0/24 to-addresses=\
e1.e2.e3.e4
add action=masquerade chain=srcnat comment="LAN VOCE SU INTERNET" disabled=\
yes out-interface=vlan11-Voce routing-mark=voip src-address=\
x1.x2.x4.0/24 to-addresses=z1.z2.z3.z4
add action=masquerade chain=srcnat comment="LAN VOCE SU INTERNET FAILOVER 8M" \
disabled=yes out-interface=WanEth3 src-address=x1.x2.x4.0/24
add action=accept chain=srcnat comment="LAN VOCE SU INTERNET FAILOVER WI" \
disabled=yes out-interface=WANWIVOIPEth5 src-address=x1.x2.x4.0/24
add action=masquerade chain=srcnat comment="Failover su Vodafone Station" \
out-interface=ether7 src-address=x1.x2.x3.0/24
add action=dst-nat chain=dstnat comment="dstnat webserver" dst-address=\
c1.c2.c3.c4 to-addresses=x1.x2.x3.242
add action=src-nat chain=srcnat comment="srcnat webserver" dst-address=\
!x1.x2.x3.6 src-address=x1.x2.x3.242 to-addresses=c1.c2.c3.c4
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=\
FTTCEth2 protocol=tcp src-port="" to-addresses=x1.x2.x3.242 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 port="" protocol=\
tcp to-addresses=x1.x2.x3.254 to-ports=3389
add action=redirect chain=dstnat comment="Trasparent Web Proxy" disabled=yes \
dst-address=!x1.x2.x3.242 dst-port=80 protocol=tcp src-address=\
!x1.x2.x3.242 to-ports=8888
/ip ipsec peer
add address=a1.a2.a3.a4/32 dh-group=modp1024 enc-algorithm=3des
/ip ipsec policy
add dst-address=b1.b2.b3.b4/28 sa-dst-address=a1.a2.a3.a4 \
sa-src-address=5.150.135.46 src-address=x1.x2.x3.7/32 tunnel=yes
/ip proxy
set cache-administrator=pinkers cache-on-disk=yes \
cache-path=disk1/web-proxy port=8888
/ip proxy access
add action=deny dst-host=*facebook.com
/ip route
add check-gateway=ping comment="QUesta regola la uso per i viare tutti i pacch\
etti marcati con \"voip\" sul router voce" distance=1 gateway=\
pppoe-out1-Voce routing-mark=voip
add comment="ROTTA DI FAILOVER PER VOIP" disabled=yes distance=10 gateway=\
x1.x2.x6.251 routing-mark=voip
add check-gateway=ping comment=\
"Questa regola la uso per inviare tutti i pacchetti dati sul router dati" \
distance=1 gateway=pppoe-outDATI routing-mark=dati
add check-gateway=ping comment="Failover vodafone station" disabled=yes \
distance=2 gateway=x1.x2.x6.251
add distance=1 dst-address=d1.d2.d3.d4/32 gateway=x1.x2.x7.1
/ip service
set telnet disabled=yes
set ftp address=f1.f2.f3.f4/32,x1.x2.x3.0/24
set www address=f1.f2.f3.f4/32,x1.x2.x3.0/24
set ssh disabled=yes port=8822
set api disabled=yes
set winbox address=f1.f2.f3.f4/32,x1.x2.x3.0/24
set api-ssl disabled=yes
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Rome
/system logging
add action=Logwebproxy prefix=LOGGING-> topics=web-proxy,!debug
/system ntp client
set enabled=yes primary-ntp=193.183.98.38 secondary-ntp=94.177.187.22 \
server-dns-names=8.8.8.8
/system scheduler
add name=BackupROSCosvim on-event=Backup policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/08/2017 start-time=01:10:02
/system script
add name=Backup owner=francesco policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
export file=export\r\
\n/tool e-mail send to=\"
francesco.dilecce@linkat.it\" subject=\"\$[/syste\
m identity get name] export\" body=\"\$[/system clock get date] configurat\
ionfile\" file=export.rsc"
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=smtp-out.mailserver.it from=<
no-reply@linkat.it> start-tls=yes \
user=
francesco.dilecce@linkat.it
/tool graphing interface
add
/tool graphing queue
add
/tool mac-server
set [ find default=yes ] disabled=yes
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-interface=ether7 filter-ip-protocol=icmp