atut
just joined
Topic Author
Posts: 17
Joined: Fri May 30, 2008 12:43 pm

[ASK] Block ping through filter & nat

Sat Aug 25, 2012 6:04 am

Hi,

My topology:
Internet --- Modem (Bridge) --- MikroTik (pppoe) --- Switch --- LAN

Modem = 10.0.0.1
MikroTik ether1 (to Modem) = 10.0.0.2
MikroTik ether2 (to LAN) = 192.168.1.2
LAN = 192.168.1.xxx/24

I have 2 questions:

1. How to block ping from the Internet to MikroTik while MikroTik is still able to ping the Internet (google.com)?
I tried with /ip firewall filter add chain=input action=drop protocol=icmp in-interface=pppoe-out1
It works at blocking ping from the Internet, but MikroTik became unable to ping the Internet. I want MikroTik to still be able to ping the Internet. The LAN is also able to ping the Internet.
The purpose is to block intruders/hackers from the Internet trying to ping my network.

2. How to block ping from the LAN to ether1 (Modem (Bridge) & MikroTik)? Not blocking by IP, but blocking by interface ether1.
I tried with
ip firewall nat chain=input action=drop protocol=icmp dst-address=10.0.0.1 in-interface=ether2
ip firewall nat chain=input action=drop protocol=icmp dst-address=10.0.0.2 in-interface=ether2

It works, but it is blocking by IP, which is not efficient: if I have many devices on 10.0.0.0/24 then I would have to add them all. I think it is much simpler to just block ether1. Is it possible?
 
atut
just joined
Topic Author
Posts: 17
Joined: Fri May 30, 2008 12:43 pm

Re: [ASK] Block ping through filter & nat

Sat Aug 25, 2012 9:01 am

Solved question 1: just add connection-state=new

Thanks....
Waiting for an answer to question 2...
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: [ASK] Block ping through filter & nat

Mon Aug 27, 2012 2:49 am


2. How to block ping from the LAN to ether1 (Modem (Bridge) & MikroTik)? Not blocking by IP, but blocking by interface ether1.
I tried with
ip firewall nat chain=input action=drop protocol=icmp dst-address=10.0.0.1 in-interface=ether2
ip firewall nat chain=input action=drop protocol=icmp dst-address=10.0.0.2 in-interface=ether2

It works, but it is blocking by IP, which is not efficient: if I have many devices on 10.0.0.0/24 then I would have to add them all. I think it is much simpler to just block ether1. Is it possible?
Remove the dst-address; just block ICMP input to the router from the required interface. Add the rule in "/ip firewall filter", not "NAT":
/ip firewall filter add chain=input action=drop protocol=icmp in-interface=ether2
 
atut
just joined
Topic Author
Posts: 17
Joined: Fri May 30, 2008 12:43 pm

Re: [ASK] Block ping through filter & nat

Mon Aug 27, 2012 8:44 am

Remove the dst-address; just block ICMP input to the router from the required interface. Add the rule in "/ip firewall filter", not "NAT":
/ip firewall filter add chain=input action=drop protocol=icmp in-interface=ether2
The command above blocks only from ether2 to the router itself; to block from ether2 to any devices behind ether1, I use
/ip firewall filter add chain=forward action=drop protocol=icmp in-interface=ether2 out-interface=ether1

and it works...
Thanks...
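The three rules the thread arrives at, collected into one RouterOS filter ruleset as an added example (not the posters' own configuration). Interface names follow the topology in the first post; the leading accept rule for established/related traffic and the commented icmp-options variant are assumptions beyond what the thread shows.

```routeros
# Added example: consolidated ruleset for the thread's topology.
# Assumed from the first post: pppoe-out1 = Internet uplink, ether1 = modem side, ether2 = LAN.

/ip firewall filter

# Assumption: accept replies to traffic the router started before any drop rule.
# Echo-reply to the router's own pings is tracked as "established"; ICMP errors
# such as fragmentation-needed are tracked as "related", so neither is dropped below.
add chain=input action=accept connection-state=established,related \
    comment="accept replies to router-originated traffic"

# Question 1: drop unsolicited ICMP arriving from the Internet on the PPPoE interface.
# connection-state=new is what keeps the router's outbound pings working: the
# replies to them are not "new", so this rule never matches them.
add chain=input action=drop protocol=icmp in-interface=pppoe-out1 \
    connection-state=new comment="drop new ICMP from Internet"

# Narrower alternative to the rule above (assumption, use one or the other):
# match only echo-request (type 8, code 0) and leave other ICMP types alone.
# add chain=input action=drop protocol=icmp icmp-options=8:0 \
#     in-interface=pppoe-out1 connection-state=new

# Question 2, part 1: drop ICMP from the LAN aimed at the router itself.
# This belongs in the filter table, not nat. Note it also drops pings to the
# router's LAN address 192.168.1.2; add dst-address=10.0.0.2 if LAN-side pings
# to the router should keep working.
add chain=input action=drop protocol=icmp in-interface=ether2 \
    comment="drop ICMP from LAN to router"

# Question 2, part 2: drop ICMP from the LAN to anything behind ether1 (the modem
# segment), matching on the interface instead of one dst-address per device.
add chain=forward action=drop protocol=icmp in-interface=ether2 out-interface=ether1 \
    comment="drop ICMP from LAN to modem segment"
```

Rule order matters in RouterOS filter chains: the accept rule must sit above the drop rules, so check with `/ip firewall filter print` after importing.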
