dmitris
Member Candidate
Topic Author
Posts: 127
Joined: Mon Oct 09, 2017 1:08 pm

allow icmp to routers gw

Thu May 20, 2021 6:00 pm

Hello Folks,

I have a very basic question about a firewall rule on the INPUT chain.

Is it possible, with a single rule, to restrict hosts to sending ICMP requests only to their own gateway and not allow them to ping the gateways of other subnets? If you know how to solve it, please share an example rule.
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: allow icmp to routers gw

Thu May 20, 2021 6:03 pm

So you want to block all ICMP messages except the gateway IP address (on the forward chain)?
 
dmitris
Member Candidate
Topic Author
Posts: 127
Joined: Mon Oct 09, 2017 1:08 pm

Re: allow icmp to routers gw

Thu May 20, 2021 7:13 pm

> So you want to block all ICMP messages except the gateway IP address (on the forward chain)?

I want to allow hosts in a specific subnet to ping only their default gateway and not other subnets' gateways.

E.g. I have 3 subnets behind a MikroTik router, 192.168.0.1/24, 192.168.1.1/24, 192.168.2.1/24, and the problem is that hosts from 192.168.2.0/24 or 192.168.1.0/24 can ping 192.168.0.1, and vice versa.
So I want, with a single rule, to restrict ICMP so that:
hosts in 192.168.0.0/24 can ping only 192.168.0.1,
192.168.1.0/24 can ping only 192.168.1.1, and so on.
 
WeWiNet
Long time Member
Posts: 592
Joined: Thu Sep 27, 2018 4:11 pm

Re: allow icmp to routers gw

Thu May 20, 2021 7:28 pm

Why do you want a single rule?
You need 4 rules on input: 3 rules allowing the ICMP ping from the specific subnet into the specific gateway, and one drop rule (maybe you already have a drop-all rule).
 
dmitris
Member Candidate
Topic Author
Posts: 127
Joined: Mon Oct 09, 2017 1:08 pm

Re: allow icmp to routers gw

Thu May 20, 2021 7:46 pm

> Why do you want a single rule?
> You need 4 rules on input: 3 rules allowing the ICMP ping from the specific subnet into the specific gateway, and one drop rule (maybe you already have a drop-all rule).

OK, what will you do if there are more than 3 subnets behind the router, e.g. 100 or more? I assume there is a smarter way to solve this problem.
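
As an added example (not posted in this thread and not taken from MikroTik documentation), here is what WeWiNet's "3 accepts plus a drop" looks like in RouterOS for the three subnets above, followed by a script that generates the same kind of rule for every address the router holds, which is the scaling question raised here. Assumptions: ether1 is the WAN interface and is skipped, every other address on the router is a LAN gateway, and the comment prefix "own-gw" is used only by these rules.

```routeros
# Added example, not from the thread. Static version for the three subnets:
# each accept ties one source subnet to its own gateway address, then a
# final rule drops ICMP aimed at any other address the router owns.
/ip firewall filter
add chain=input protocol=icmp src-address=192.168.0.0/24 dst-address=192.168.0.1 action=accept comment="own-gw: accept"
add chain=input protocol=icmp src-address=192.168.1.0/24 dst-address=192.168.1.1 action=accept comment="own-gw: accept"
add chain=input protocol=icmp src-address=192.168.2.0/24 dst-address=192.168.2.1 action=accept comment="own-gw: accept"
add chain=input protocol=icmp action=drop comment="own-gw: drop the rest"

# Scripted version for many subnets: one accept per /ip address entry,
# rebuilt from scratch each run. Assumption: ether1 is the WAN port.
/ip firewall filter remove [find comment~"^own-gw"]
:foreach id in=[/ip address find] do={
    :local cidr [/ip address get $id address]
    :local ifc [/ip address get $id interface]
    :if ($ifc != "ether1") do={
        # "192.168.0.1/24" -> gateway "192.168.0.1", prefix length "24"
        :local slash [:find $cidr "/"]
        :local gw [:pick $cidr 0 $slash]
        :local len [:pick $cidr ($slash + 1) [:len $cidr]]
        :local net [/ip address get $id network]
        # in-interface ties the subnet to its own port, so a host cannot
        # reach another gateway by forging a source address from that subnet
        /ip firewall filter add chain=input protocol=icmp in-interface=$ifc src-address="$net/$len" dst-address=$gw action=accept comment="own-gw: accept $ifc"
    }
}
/ip firewall filter add chain=input protocol=icmp action=drop comment="own-gw: drop the rest"
```

Rules added this way are appended to the end of the input chain, so if a broader accept or a drop-all rule already sits there, move the generated block above it (or use place-before on the add). The script still produces one rule per subnet; it only removes the hand-maintenance part, which is the honest answer to "what about 100 subnets".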
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: allow icmp to routers gw

Thu May 20, 2021 9:15 pm

In general a drop all rule at the end of the forward chain will block all traffic between subnets.
Therefore one only needs to delineate allowed traffic,
typically
-subnets to WAN
-subnets to shared device (printer).
 
dmitris
Member Candidate
Topic Author
Posts: 127
Joined: Mon Oct 09, 2017 1:08 pm

Re: allow icmp to routers gw

Thu May 20, 2021 9:37 pm

> In general a drop all rule at the end of the forward chain will block all traffic between subnets.
> Therefore one only needs to delineate allowed traffic,
> typically
> -subnets to WAN
> -subnets to shared device (printer).

In theory you are right, but in practice on MikroTik it's something else.

A drop-all rule at the end of the forward chain isolates hosts in one subnet from reaching hosts in a second subnet, but not the gateways, because for the gateways the INPUT chain applies, not forward.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: allow icmp to routers gw

Fri May 21, 2021 12:17 am

Then your input chain rules are too loose.
The only person with full access should be the admin; everyone else likely just needs access on port 53, tcp/udp, for DNS.
With, you guessed it, a drop-all-else rule at the end of the input chain.
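
An added example (not posted in this thread) of the tighter input chain anav describes: replies to the router's own traffic and admin access first, DNS for the LAN address list, and a drop of everything else at the end. The address list names "admins" and "lan" and the admin host 192.168.0.10 are assumptions; any per-subnet ICMP accept rules belong above the final drop.

```routeros
# Added example, not from the thread. Address lists keep the rule count
# constant no matter how many subnets or admin hosts there are.
/ip firewall address-list
add list=admins address=192.168.0.10 comment="assumed admin workstation"
add list=lan address=192.168.0.0/24
add list=lan address=192.168.1.0/24
add list=lan address=192.168.2.0/24

/ip firewall filter
# replies to connections the router opened itself (DNS forwarding, NTP, updates)
add chain=input connection-state=established,related action=accept comment="established/related"
add chain=input connection-state=invalid action=drop comment="invalid"
# only the admin hosts get to every service on the router (WinBox, SSH, API ...)
add chain=input src-address-list=admins action=accept comment="admin: full access"
# everyone else on the LAN gets DNS and nothing more
add chain=input src-address-list=lan protocol=udp dst-port=53 action=accept comment="lan: DNS"
add chain=input src-address-list=lan protocol=tcp dst-port=53 action=accept comment="lan: DNS"
# per-subnet "ping own gateway" accepts go here, before the catch-all
add chain=input action=drop comment="drop everything else"
```

Order is what makes this safe: the admin accept must sit above the final drop, and the drop must be the last rule in the chain. Applying it from a WinBox or SSH session with Safe Mode enabled means a mistake that would lock you out is rolled back when the session drops.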
 
dmitris
Member Candidate
Topic Author
Posts: 127
Joined: Mon Oct 09, 2017 1:08 pm

Re: allow icmp to routers gw

Fri May 21, 2021 9:48 am

> Then your input chain rules are too loose.
> The only person with full access should be the admin; everyone else likely just needs access on port 53, tcp/udp, for DNS.
> With, you guessed it, a drop-all-else rule at the end of the input chain.

It's not what I asked.

> Why do you want a single rule?
> You need 4 rules on input: 3 rules allowing the ICMP ping from the specific subnet into the specific gateway, and one drop rule (maybe you already have a drop-all rule).

This is how it can be solved, and it seems at this moment this is the only way, but I am asking how to do it with a single or a couple of firewall rules if there are a lot of subnets behind the router. Maybe it's not possible and that's all.

br,
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: allow icmp to routers gw

Fri May 21, 2021 1:47 pm

I don't understand the issue.
What is the problem if members from one LAN subnet can get around firewall rules on both the input and forward chain and are able to ping the gateway of other subnets, if that is how gateways (being on the router) work...???

They will not be able to do anything else!
