Hi guys,
Please help me, what is wrong with the ICMP rules... I can't ping from outside to the WAN interface of the MikroTik. If I switch off rule nr. 7 it works, but with it switched on it is not working... but the rule for ICMP is above it.
Thanks in advance.
/ip firewall filter
add action=accept chain=input comment="ACCEPT ICMP" packet-size=100 protocol=icmp
add action=accept chain=input comment="ACCEPT L2TP" dst-port=500,1701,4500 protocol=udp src-address-list=admins
add action=accept chain=input comment="ACCEPT L2TP" in-interface="ether1 - WAN" protocol=ipsec-esp src-address-list=admins
add action=accept chain=input comment="ACCEPT WINBOX" dst-port=8291 in-interface="ether1 - WAN" protocol=tcp src-address-list=admins
add action=accept chain=input comment="ACCEPT DNS" in-interface="ether1 - WAN" protocol=udp src-port=53
add action=accept chain=input comment="ACCEPT related,established" connection-state=established,related
add action=drop chain=input comment="Drop any from WAN" in-interface="ether1 - WAN"
add action=accept chain=forward comment="ACCEPT 80" dst-port=80 protocol=tcp
add action=accept chain=forward comment="ACCEPT 443" dst-port=443 protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="ether1 - WAN"
There is no "optimal packet size"; it must be a range (at least packet-size=0-1600). Remove that setting. => removed packet size 100 and it works normally now
WARNING:
add action=accept chain=input comment="ACCEPT DNS" in-interface="ether1 - WAN" protocol=udp src-port=53 => was removed, thanks for the information
Expect self-destruction by DDoS.
Thanks a lot
You also mix up the rule order: usually est./related are on top, and "drop invalid" is missing on both chains.
I don't understand what you mean here... can you correct me, how does it need to be done?
Thanks in advance
/ip firewall filter
add action=drop chain=input comment="defconf: DROP invalids" connection-state=invalid
/ip firewall filter
add action=drop chain=forward comment="defconf: DROP invalids" connection-state=invalid
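As an added illustration, not part of the thread or of RouterOS itself: a small Python first-match evaluator over a simplified transcription of the posted input chain, showing why an 84-byte ping never matches packet-size=100 (so it falls through to "Drop any from WAN") and what the src-port=53 rule lets in. Rule fields, packet sizes and the "fixed" ordering are constructed here for the demonstration.

```python
# Constructed model of the thread's input chain; not RouterOS code.
WAN = "ether1 - WAN"

def rule(action, **match):
    """A rule is its action plus the match fields it requires."""
    return {"action": action, "match": match}

# Simplified transcription of the poster's input chain (constructed).
ORIGINAL_INPUT = [
    rule("accept", protocol="icmp", packet_size=(100, 100)),        # exact size only
    rule("accept", protocol="udp", dst_port={500, 1701, 4500}, src_list="admins"),
    rule("accept", protocol="ipsec-esp", in_interface=WAN, src_list="admins"),
    rule("accept", protocol="tcp", dst_port={8291}, in_interface=WAN, src_list="admins"),
    rule("accept", protocol="udp", in_interface=WAN, src_port=53),   # the risky rule
    rule("accept", conn_state={"established", "related"}),
    rule("drop", in_interface=WAN),
]

# Reordered as the reply suggests: est./related first, drop invalid, ICMP as a range,
# admin rules kept, the src-port=53 rule removed, then the WAN drop.
FIXED_INPUT = [
    rule("accept", conn_state={"established", "related"}),
    rule("drop", conn_state={"invalid"}),
    rule("accept", protocol="icmp", packet_size=(0, 1600)),
] + ORIGINAL_INPUT[1:4] + [ORIGINAL_INPUT[-1]]

def matches(match, pkt):
    for field, want in match.items():
        have = pkt.get(field)
        if field == "packet_size":
            lo, hi = want
            if not (lo <= have <= hi):
                return False
        elif isinstance(want, set):
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def evaluate(rules, pkt, default="accept"):
    """First matching rule wins; an unmatched packet gets the chain's implicit accept."""
    for r in rules:
        if matches(r["match"], pkt):
            return r["action"]
    return default

# Constructed packets. A default Linux ping is 84 bytes on the wire (20 IP + 8 ICMP + 56 data).
PING = {"protocol": "icmp", "packet_size": 84, "in_interface": WAN, "conn_state": "new", "src_list": None}
# Unsolicited UDP from the WAN with source port 53 aimed at the router's SNMP port.
UNSOLICITED_DNS = {"protocol": "udp", "packet_size": 200, "in_interface": WAN, "src_port": 53,
                   "dst_port": 161, "conn_state": "new", "src_list": None}
```

With the original chain the ping is dropped and the port-53 datagram is accepted; with the reordered chain the ping is accepted and the datagram hits the WAN drop.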