smilem
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue Jun 26, 2012 10:16 pm

Allow tracert to work, without ICMP hole in firewall?

Tue Jul 03, 2012 1:44 pm

Hello,

My router ping utility started to work when I created the rule:

chain: input
protocol: ICMP
in interface: ether1
conn state: established
action: accept

So why doesn't tracert work? It also uses ICMP to send back the information.
How can I make tracert pass the firewall without opening ICMP for all connections?

Now I do receive information for the last hop because ping works :)
 
docmarius
Forum Guru
Posts: 1222
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Allow tracert to work, without ICMP hole in firewall?

Tue Jul 03, 2012 10:24 pm

If everybody denied ICMP, then traceroute wouldn't work.
Think about this when you decide to drop ICMP, since this is not "best practice".
Others give you the means to use this tool; give it back to others, too. Or don't use it at all and filter out ICMP.
But do not use a tool on THEIR network while not allowing others to use it on YOURS. This is not fair play.
Your IP can be found and your server status assessed by various means, so denying ICMP will not give you added security or fix security holes.
 
smilem
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue Jun 26, 2012 10:16 pm

Re: Allow tracert to work, without ICMP hole in firewall?

Wed Jul 04, 2012 12:23 am

I found if I add a firewall rule:

chain: forward
protocol: icmp
in interface: ether1
action: accept

Then I can safely use tracert on my LAN computers; that is, my outside ports show as stealth if somebody tries to ping me, because the incoming pings are not for my LAN and the router just drops them. That's great.

But what if I want to use the tracert utility on my router? Is there a way to do the same without unstealthing my ports?
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Allow tracert to work, without ICMP hole in firewall?

Wed Jul 04, 2012 9:33 am

My suggestion would be to allow ICMP from anywhere, but limit the maximum packet size that is accepted and limit the rate at which you will answer a single host.

See the manual for details at http://wiki.mikrotik.com
 
icsterm
Frequent Visitor
Posts: 58
Joined: Sun Mar 11, 2018 11:11 pm

Re: Allow tracert to work, without ICMP hole in firewall?

Fri Feb 08, 2019 11:20 am

For anyone wondering, creating input rules for both echo reply and time exceeded allows both ping and traceroute to work fine, while ping and traceroute from the internet will be denied.
This is strictly for traffic originating from the router itself.
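The rule set the thread converges on, written out as RouterOS firewall filter commands. This is an added example, not configuration posted by anyone in the thread or by MikroTik; it assumes ether1 is the WAN interface (as in the thread), RouterOS v6 command syntax, and the packet-size and rate values in the alternative block are placeholders to tune.

```routeros
# Added example: ICMP handling that lets the router's own ping and traceroute
# work while the WAN address stays silent to unsolicited pings.
# Assumptions: ether1 = WAN interface, RouterOS v6 syntax.
/ip firewall filter

# 1. Replies the router itself solicited: echo reply (type 0) for /ping and
#    time exceeded (type 11) for /tool traceroute. Only these two types are
#    accepted on the input chain from the WAN side.
add chain=input in-interface=ether1 protocol=icmp icmp-options=0:0-255 \
    action=accept comment="ICMP echo reply -> router ping works"
add chain=input in-interface=ether1 protocol=icmp icmp-options=11:0-255 \
    action=accept comment="ICMP time exceeded -> router traceroute works"

# 2. Any other ICMP addressed to the router from the WAN (echo requests
#    included) is dropped, so external ping/traceroute to the router fails.
add chain=input in-interface=ether1 protocol=icmp action=drop \
    comment="drop unsolicited ICMP to the router"

# 3. ICMP passing through the router towards LAN hosts (the forward-chain
#    rule from the thread), so tracert/ping started on LAN machines get
#    their replies back through the router.
add chain=forward in-interface=ether1 protocol=icmp action=accept \
    comment="ICMP replies for LAN hosts"

# Alternative, per the support answer: answer ICMP from anywhere instead of
# hiding, but cap the accepted packet size and rate-limit per source host.
# Values below (128 bytes, 5 packets/s, burst 5, 1 minute expiry) are
# placeholders, not recommendations from the thread.
# add chain=input in-interface=ether1 protocol=icmp packet-size=0-128 \
#     dst-limit=5,5,src-address/1m action=accept \
#     comment="ICMP from anywhere, small packets, per-host rate limited"
# add chain=input in-interface=ether1 protocol=icmp action=drop \
#     comment="drop ICMP exceeding size or rate"
```

Rule order matters: the accept rules for types 0 and 11 must precede the ICMP drop rule, and the alternative block replaces rules 1 and 2 rather than being added alongside them.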
