 
abulat
newbie
Topic Author
Posts: 32
Joined: Mon Nov 16, 2020 4:14 pm

ICMP Issue

Tue Jul 27, 2021 10:03 am

Hi guys,

Please help me find what is wrong with my ICMP rules... I can't ping the WAN interface of the MikroTik from outside. If I switch off rule nr. 7 it works, but with it switched on it does not work... but the rule for ICMP is above it.

Thanks in advance.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: ICMP Issue

Tue Jul 27, 2021 10:39 am

/ip firewall filter export
 
abulat
newbie
Topic Author
Posts: 32
Joined: Mon Nov 16, 2020 4:14 pm

Re: ICMP Issue

Tue Jul 27, 2021 10:41 am

/ip firewall filter
add action=accept chain=input comment="ACCEPT ICMP" packet-size=100 protocol=icmp
add action=accept chain=input comment="ACCEPT L2TP" dst-port=500,1701,4500 protocol=udp src-address-list=admins
add action=accept chain=input comment="ACCEPT L2TP" in-interface="ether1 - WAN" protocol=ipsec-esp src-address-list=admins
add action=accept chain=input comment="ACCEPT WINBOX" dst-port=8291 in-interface="ether1 - WAN" protocol=tcp src-address-list=admins
add action=accept chain=input comment="ACCEPT DNS" in-interface="ether1 - WAN" protocol=udp src-port=53
add action=accept chain=input comment="ACCEPT related,established" connection-state=established,related
add action=drop chain=input comment="Drop any from WAN" in-interface="ether1 - WAN"
add action=accept chain=forward comment="ACCEPT 80" dst-port=80 protocol=tcp
add action=accept chain=forward comment="ACCEPT 443" dst-port=443 protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="ether1 - WAN"
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: ICMP Issue

Tue Jul 27, 2021 10:43 am

The screenshot says nothing...

but the export talks:

/ip firewall filter
add action=accept chain=input comment="ACCEPT ICMP" packet-size=100 protocol=icmp

Why packet size 100?
It accepts only ICMP with exactly that size.

You also mix the rules; usually est./relat. are on top, and "drop invalid" is missing on both chains.
Last edited by rextended on Tue Jul 27, 2021 10:50 am, edited 2 times in total.
 
abulat
newbie
Topic Author
Posts: 32
Joined: Mon Nov 16, 2020 4:14 pm

Re: ICMP Issue

Tue Jul 27, 2021 10:49 am

Which is the optimal packet size?

 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: ICMP Issue  [SOLVED]

Tue Jul 27, 2021 10:50 am

An "optimal packet size" does not exist; it must be a range (at least packet-size=0-1600). Remove that setting.


WARNING:
add action=accept chain=input comment="ACCEPT DNS" in-interface="ether1 - WAN" protocol=udp src-port=53
expect self-destruction by DDoS
 
abulat
newbie
Topic Author
Posts: 32
Joined: Mon Nov 16, 2020 4:14 pm

Re: ICMP Issue

Tue Jul 27, 2021 10:53 am

An "optimal packet size" does not exist; it must be a range (at least packet-size=0-1600). Remove that setting. => removed packet size 100 and it works normally now


WARNING:
add action=accept chain=input comment="ACCEPT DNS" in-interface="ether1 - WAN" protocol=udp src-port=53 => was removed. Thanks for the information.
expect self-destruction by DDoS

Thanks a lot
 
abulat
newbie
Topic Author
Posts: 32
Joined: Mon Nov 16, 2020 4:14 pm

Re: ICMP Issue

Tue Jul 27, 2021 10:57 am

You also mix the rules; usually est./relat. are on top, and "drop invalid" is missing on both chains.

I don't understand what you mean here... can you correct me on how I need to do it?

Thanks in advance
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: ICMP Issue

Tue Jul 27, 2021 11:04 am

Move
add action=accept chain=input comment="ACCEPT related,established" connection-state=established,related
to the top.

Create (paste in the terminal) and put this just under the first:
/ip firewall filter
add action=drop chain=input comment="defconf: DROP invalids" connection-state=invalid

Move
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related

to just under the input "Drop any from WAN" rule.

Create (paste in the terminal) and put this just under the previous forward established,related:
/ip firewall filter
add action=drop chain=forward comment="defconf: DROP invalids" connection-state=invalid
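
An added example, not part of the thread and not MikroTik tooling: a small Python check that parses the export posted above and flags the points rextended raised (exact ICMP packet-size, the accept on UDP source port 53, established/related not first in a chain, no drop-invalid rule). The function names and finding labels are made up for this example, and it assumes each rule sits on one line of the export.

```python
import shlex

# The export posted in the thread, embedded as sample input.
EXPORT = '''/ip firewall filter
add action=accept chain=input comment="ACCEPT ICMP" packet-size=100 protocol=icmp
add action=accept chain=input comment="ACCEPT L2TP" dst-port=500,1701,4500 protocol=udp src-address-list=admins
add action=accept chain=input comment="ACCEPT L2TP" in-interface="ether1 - WAN" protocol=ipsec-esp src-address-list=admins
add action=accept chain=input comment="ACCEPT WINBOX" dst-port=8291 in-interface="ether1 - WAN" protocol=tcp src-address-list=admins
add action=accept chain=input comment="ACCEPT DNS" in-interface="ether1 - WAN" protocol=udp src-port=53
add action=accept chain=input comment="ACCEPT related,established" connection-state=established,related
add action=drop chain=input comment="Drop any from WAN" in-interface="ether1 - WAN"
add action=accept chain=forward comment="ACCEPT 80" dst-port=80 protocol=tcp
add action=accept chain=forward comment="ACCEPT 443" dst-port=443 protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="ether1 - WAN"
'''

def parse_rules(export):
    """Parse 'add key=value ...' lines (one rule per line) into dicts, in order."""
    rules = []
    for line in export.splitlines():
        if line.strip().startswith("add "):
            toks = shlex.split(line)[1:]  # shlex keeps quoted values together
            rules.append(dict(t.split("=", 1) for t in toks if "=" in t))
    return rules

def audit(rules, chain):
    """Return labels (hypothetical names) for the issues raised in the thread."""
    chain_rules = [r for r in rules if r.get("chain") == chain]
    findings = []
    for r in chain_rules:
        size = r.get("packet-size", "")
        # packet-size=100 matches only packets of exactly that size, not a range
        if r.get("protocol") == "icmp" and size and "-" not in size:
            findings.append("icmp-exact-packet-size")
        # accept keyed only on UDP source port 53, with no connection state
        if (r.get("action"), r.get("protocol"), r.get("src-port")) == ("accept", "udp", "53") \
                and "connection-state" not in r:
            findings.append("accept-udp-src-port-53")
    first = chain_rules[0] if chain_rules else {}
    if set(first.get("connection-state", "").split(",")) != {"established", "related"}:
        findings.append("established-related-not-first")
    if not any(r.get("action") == "drop" and r.get("connection-state") == "invalid" for r in chain_rules):
        findings.append("no-drop-invalid")
    return findings

if __name__ == "__main__":
    for chain in ("input", "forward"):
        print(chain, audit(parse_rules(EXPORT), chain))
```
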
