opalit
Member Candidate
Topic Author
Posts: 242
Joined: Wed Aug 24, 2011 10:15 pm

Blocking icmp blocks Internet access

Wed Oct 07, 2015 7:33 pm

I am trying to block pings on the WAN port of my RB1100AHx2 which, due to a supplier change, now connects direct to Internet with its own static IP of through another router, and I am getting massive ping attacks on the WAN.

I have searched the knowledge base and keep getting the following command as a way to block ping

/ip firewall filter add chain=input protocol=icmp action=drop in-interface=WAN

If I use this command, it blocks all internet access from other routers that have internet access via this router.

That is similar to commands I use on other routers such as ubnt and pfsense.
 
cross
just joined
Posts: 18
Joined: Tue Jul 28, 2015 3:41 pm

Re: Blocking icmp blocks Internet access

Thu Oct 08, 2015 12:03 am

Did you read that wiki? http://wiki.mikrotik.com/wiki/Securing_ ... rOs_Router

It says how to prevent a ping flood. For sure not by blocking the whole ICMP protocol :)
 
bjornr
just joined
Posts: 23
Joined: Thu Apr 16, 2015 11:00 am

Re: Blocking icmp blocks Internet access

Thu Oct 08, 2015 12:05 am

> /ip firewall filter add chain=input protocol=icmp action=drop in-interface=WAN
>
> If I use this command it blocks all internet access from other routers that have internet access via this router

Yes. ICMP is much more than ping, and by blocking ICMP in general you also block useful mechanisms. You have probably blocked path MTU discovery, which is often necessary.

If you want to block regular ping activity, specify ICMP type and code: Ping is type 8, code 0.

/ip firewall filter add chain=input protocol=icmp icmp-options=8:0 action=drop in-interface=WAN
 
opalit
Member Candidate
Topic Author
Posts: 242
Joined: Wed Aug 24, 2011 10:15 pm

Re: Blocking icmp blocks Internet access

Thu Oct 08, 2015 11:13 am

> > /ip firewall filter add chain=input protocol=icmp action=drop in-interface=WAN
> >
> > If I use this command it blocks all internet access from other routers that have internet access via this router
>
> Yes. ICMP is much more than ping, and by blocking ICMP in general you also block useful mechanisms. You have probably blocked path MTU discovery, which is often necessary.
>
> If you want to block regular ping activity, specify ICMP type and code: Ping is type 8, code 0.
>
> /ip firewall filter add chain=input protocol=icmp icmp-options=8:0 action=drop in-interface=WAN

I tried that as well; it still blocks internet traffic. Every other router I have come across has a tick box to block ping response or ignore pings on WAN; that is what I want to replicate.

In most cases, if the attackers' robots do not know it is there, they do not try to attack it.
 
cross
just joined
Posts: 18
Joined: Tue Jul 28, 2015 3:41 pm

Re: Blocking icmp blocks Internet access

Thu Oct 08, 2015 12:41 pm

Please try the link.

I'm sure that 8:0 is a ping request, but the ping reply is 0:0:

19 ;;; 8:0 and limit for 5pac/s | Echo Request
chain=ICMP action=accept protocol=icmp icmp-options=8:0 limit=5,5

20 ;;; 0:0 and limit for 5pac/s | Echo replay
chain=ICMP action=drop protocol=icmp icmp-options=0:0 limit=5,5

As you can see, I have dropped number 20, which is the echo reply. I don't reply to pings at all.
 
opalit
Member Candidate
Topic Author
Posts: 242
Joined: Wed Aug 24, 2011 10:15 pm

Re: Blocking icmp blocks Internet access

Sun Oct 11, 2015 12:32 pm

> Please try the link.
>
> I'm sure that 8:0 is a ping request, but the ping reply is 0:0:
>
> 19 ;;; 8:0 and limit for 5pac/s | Echo Request
> chain=ICMP action=accept protocol=icmp icmp-options=8:0 limit=5,5
>
> 20 ;;; 0:0 and limit for 5pac/s | Echo replay
> chain=ICMP action=drop protocol=icmp icmp-options=0:0 limit=5,5
>
> As you can see, I have dropped number 20, which is the echo reply. I don't reply to pings at all.

When I put command 20 into the firewall it blocks internet access, which by the way is what I have been trying, except that I did not have the limit.
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Blocking icmp blocks Internet access

Sun Oct 11, 2015 1:33 pm

blocking ICMP on the input chain only affects the router. the question is, who is being abused: the router or some hosts behind it.
forwarding ICMP storms is just like forwarding anything else, no extra impact, if your router handles x pps traffic, it will not care whether it's ICMP or anything else.

as someone previously said, ping is just one application handled by ICMP.
in case of many TCP based protocols, there is something called Path MTU Discovery (PMTUD).
it uses ICMP unreachable (3:4) messages to signal there is a hop in the path the packet should travel where
the packet will not fit through with this MTU. This is important, otherwise you end up having problems
with downloads.

or for example traceroute, which uses Time exceeded, TTL expired in transit (11:0) ICMP messages.
and there are a lot more.

ping attacks come in all shapes and colours: some target the ICMP protocol, some target other protocols or mechanisms which then generate ICMP traffic (keeping the cpu busy), for example sending packets to destinations that are not reachable. but if you try to drop them in the output chain, that helps no-one, because the resources have already been consumed to handle the packet, to create the reply, etc... you just don't send it out. luckily MikroTik does not support directed broadcasts :-)

normally routeros firewall provides a solution for handling "friendly" ICMP messages. this is achieved by the "related" connection state: "related - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins FTP data connection"

so if you do your blocking after this entry, at least you don't mess up too much.

of course ICMP echo and echo-reply are not vital for internet access, and can be safely blocked on the external interfaces (in the input chain). you can also use limit to permit a certain amount of icmp requests - say 10pps icmp echo/reply will not kill anything.
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Blocking icmp blocks Internet access

Sun Oct 11, 2015 1:40 pm

> 20 ;;; 0:0 and limit for 5pac/s | Echo replay
> chain=ICMP action=drop protocol=icmp icmp-options=0:0 limit=5,5
>
> As you can see, I have dropped number 20, which is the echo reply. I don't reply to pings at all.
>
> When I put command 20 into the firewall it blocks internet access, which by the way is what I have been trying, except that I did not have the limit.

rule 20 has action=drop. i am not sure whether limit has any effect on this, as all packets will be dropped here.
also, i don't know where the ICMP chain is referenced from. if it's called from input and forward as well, the transit traffic is also affected.
 
opalit
Member Candidate
Topic Author
Posts: 242
Joined: Wed Aug 24, 2011 10:15 pm

Re: Blocking icmp blocks Internet access

Sun Oct 11, 2015 1:55 pm

> blocking ICMP on the input chain only affects the router. the question is, who is being abused: the router or some hosts behind it.
> forwarding ICMP storms is just like forwarding anything else, no extra impact, if your router handles x pps traffic, it will not care whether it's ICMP or anything else.
>
> as someone previously said, ping is just one application handled by ICMP.
> in case of many TCP based protocols, there is something called Path MTU Discovery (PMTUD).
> it uses ICMP unreachable (3:4) messages to signal there is a hop in the path the packet should travel where
> the packet will not fit through with this MTU. This is important, otherwise you end up having problems
> with downloads.
>
> or for example traceroute, which uses Time exceeded, TTL expired in transit (11:0) ICMP messages.
> and there are a lot more.
>
> ping attacks come in all shapes and colours: some target the ICMP protocol, some target other protocols or mechanisms which then generate ICMP traffic (keeping the cpu busy), for example sending packets to destinations that are not reachable. but if you try to drop them in the output chain, that helps no-one, because the resources have already been consumed to handle the packet, to create the reply, etc... you just don't send it out. luckily MikroTik does not support directed broadcasts :-)
>
> normally routeros firewall provides a solution for handling "friendly" ICMP messages. this is achieved by the "related" connection state: "related - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins FTP data connection"
>
> so if you do your blocking after this entry, at least you don't mess up too much.
>
> of course ICMP echo and echo-reply are not vital for internet access, and can be safely blocked on the external interfaces (in the input chain). you can also use limit to permit a certain amount of icmp requests - say 10pps icmp echo/reply will not kill anything.

It is echo-reply option 0 I am trying to block; as soon as I do that, all my PPPoE users start dropping the connection.
 
opalit
Member Candidate
Topic Author
Posts: 242
Joined: Wed Aug 24, 2011 10:15 pm

Re: Blocking icmp blocks Internet access (solved)

Wed Oct 14, 2015 5:11 pm

Problem is now solved: the internet provider's gateway was pinging my WAN port. If I blocked it by blocking all pings, the internet stopped working; by putting in an accept rule for the gateway and then the block rule, I can block all icmp replies (type 0) from the rest of the internet.

I have never come across this before; wondering if anybody else has?
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Wed Oct 14, 2015 7:02 pm

I wonder why you hadn't asked your isp before you asked here...
 
loveman
Member
Posts: 348
Joined: Tue Mar 10, 2015 9:32 pm

Re: Blocking icmp blocks Internet access

Wed Oct 14, 2015 7:26 pm

Check the NAT of your out ether.

How many NATs do you have?
 
opalit
Member Candidate
Topic Author
Posts: 242
Joined: Wed Aug 24, 2011 10:15 pm

Re:

Wed Oct 14, 2015 9:42 pm

> I wonder why you hadn't asked your isp before you asked here...

I did not know that the new ISP was doing that; the previous provider did not.
 
cross
just joined
Posts: 18
Joined: Tue Jul 28, 2015 3:41 pm

Re: Blocking icmp blocks Internet access

Wed Oct 14, 2015 10:51 pm

> > 20 ;;; 0:0 and limit for 5pac/s | Echo replay
> > chain=ICMP action=drop protocol=icmp icmp-options=0:0 limit=5,5
> >
> > As you can see, I have dropped number 20, which is the echo reply. I don't reply to pings at all.
> >
> > When I put command 20 into the firewall it blocks internet access, which by the way is what I have been trying, except that I did not have the limit.
>
> rule 20 has action=drop. i am not sure whether limit has any effect on this, as all packets will be dropped here.
> also, i don't know where the ICMP chain is referenced from. if it's called from input and forward as well, the transit traffic is also affected.

Sometimes I change from drop to accept. This is a temporary solution :) Chain ICMP is a jump-target from chain=input with protocol=icmp.
 
opalit
Member Candidate
Topic Author
Posts: 242
Joined: Wed Aug 24, 2011 10:15 pm

Re: Blocking icmp blocks Internet access

Thu Oct 15, 2015 12:19 am

Thanks for all your help. I have solved the problem: my ISP's gateway router is pinging my router, and when I drop the reply type 0, or drop the input type 8, or accept with a limit, the internet was dropping out.

I have put an accept with both source and destination being mine and the ISP's router before my drop rule and that stops the internet dropping out.

Why my ISP is doing this is a mystery, I have never come across it before.

I now have 2 accept rules before my block rule, an input and an output, with source and destination being mine and the ISP's routers.

At least I can now block the attackers.
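To make the ordering lessons of this thread concrete (bjornr's point that a type:code match is narrower than dropping all ICMP, doneware's advice to put any ICMP drop after the accept for the "related" connection state, and opalit's final fix of accepting the ISP gateway before the drop rule), here is an added example of my own, not RouterOS code and not anything posted in the thread. It is a toy first-match evaluator over constructed packets: the field names mirror RouterOS options (in-interface, icmp-options, connection-state) but it does not model `limit`, jump chains or IPv6, and the gateway address 203.0.113.1 is a placeholder.

```python
"""Toy first-match firewall evaluator (added example, not RouterOS code).

It compares the three policies argued over in the thread: dropping all
ICMP on the WAN input chain, dropping only echo-request (8:0), and the
"accept related, accept the ISP gateway, then drop echo" ordering.
The matching logic is a simplification: no `limit`, no jump chains.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISP_GATEWAY = "203.0.113.1"   # constructed placeholder for the ISP's router


@dataclass(frozen=True)
class Packet:
    name: str
    proto: str                               # "icmp", "tcp", ...
    in_iface: str                            # interface the packet arrived on
    src: str
    icmp: Optional[Tuple[int, int]] = None   # (type, code) when proto == "icmp"
    conn_state: str = "new"                  # "new", "established" or "related"


@dataclass(frozen=True)
class Rule:
    action: str                              # "accept" or "drop"
    proto: Optional[str] = None
    in_iface: Optional[str] = None
    icmp_options: Optional[Tuple[int, int]] = None
    conn_state: Optional[str] = None
    src: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # Every specified matcher must agree; unspecified matchers are wildcards.
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.icmp_options is not None and p.icmp != self.icmp_options:
            return False
        if self.conn_state is not None and p.conn_state != self.conn_state:
            return False
        if self.src is not None and p.src != self.src:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet, default: str = "accept") -> str:
    """First matching rule wins; with no match the chain's default applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return default


def audit(chain: List[Rule], packets: List[Packet]) -> Dict[str, str]:
    """Verdict for every packet under the given chain."""
    return {p.name: evaluate(chain, p) for p in packets}


def collateral_damage(chain: List[Rule]) -> List[str]:
    """Packets tied to existing flows (related/established) that the chain drops.
    Anything listed here is legitimate traffic broken as a side effect."""
    return [p.name for p in TRAFFIC
            if p.conn_state != "new" and evaluate(chain, p) == "drop"]


# Constructed traffic arriving on the router's WAN input chain.
TRAFFIC = [
    # Fragmentation-needed from a hop on the path: PMTUD, tied to our own TCP flow.
    Packet("pmtud_3_4", "icmp", "WAN", "198.51.100.7", (3, 4), "related"),
    # Time-exceeded answering our traceroute probe.
    Packet("traceroute_11_0", "icmp", "WAN", "198.51.100.9", (11, 0), "related"),
    # Echo request from an arbitrary Internet host (the scans the OP wants gone).
    Packet("echo_req_internet", "icmp", "WAN", "192.0.2.50", (8, 0)),
    # Echo request from the ISP gateway that monitors the link.
    Packet("echo_req_isp", "icmp", "WAN", ISP_GATEWAY, (8, 0)),
    # Unsolicited echo reply: nobody behind us asked for it.
    Packet("echo_reply_unsolicited", "icmp", "WAN", "192.0.2.51", (0, 0)),
    # Return packet of an established TCP session (must never be touched).
    Packet("tcp_established", "tcp", "WAN", "192.0.2.60", None, "established"),
]

# Policy 1: the command from the opening post.
BLOCK_ALL_ICMP = [Rule("drop", proto="icmp", in_iface="WAN")]

# Policy 2: bjornr's refinement, echo-request only.
BLOCK_ECHO_REQUEST = [Rule("drop", proto="icmp", icmp_options=(8, 0), in_iface="WAN")]

# Policy 3: doneware's ordering plus opalit's ISP-gateway exception.
RECOMMENDED = [
    Rule("accept", conn_state="established"),
    Rule("accept", conn_state="related"),           # ICMP errors tied to our flows
    Rule("accept", proto="icmp", src=ISP_GATEWAY),  # the gateway's monitoring pings
    Rule("drop", proto="icmp", icmp_options=(8, 0), in_iface="WAN"),
    Rule("drop", proto="icmp", icmp_options=(0, 0), in_iface="WAN"),
]


if __name__ == "__main__":
    for label, chain in [("block all ICMP", BLOCK_ALL_ICMP),
                         ("block 8:0 only", BLOCK_ECHO_REQUEST),
                         ("recommended", RECOMMENDED)]:
        print(label, audit(chain, TRAFFIC), "broken:", collateral_damage(chain))
```

Running it shows the first policy silently dropping the 3:4 and 11:0 messages that PMTUD and traceroute depend on, while the other two leave them alone; only the third policy keeps the gateway's pings answered while still dropping echo from the rest of the Internet. A real chain that is jumped to from both input and forward (as cross describes) would apply the same verdicts to transit traffic, which the model does not represent.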
