Changing TTL for incoming packets from client

Posted: Fri Jan 15, 2021 6:28 pm
by mpuria
Hi everyone!

This is our network setup:
Client Device -> Router -> Mikrotik RB750gr3 -> ISP(WAN)
/ip firewall mangle
add action=change-ttl chain=postrouting new-ttl=set:2 out-interface=all-ppp passthrough=yes
I have currently set up a mangle rule so that any incoming packets from ISP would change TTL to 2. This is to make sure that the packets that would be going to clients would be TTL=1 after their router.
But in this setup the problem is that if a client connects another router instead of a device, the routers that they have automatically increase (yes, increase instead of -1) the TTL from 1 to 128.
To solve this I am trying to implement instead that if the incoming packets to my Mikrotik from the client having TTL<=62, the packets would be dropped automatically.
This is the command I'm using, but it's not working.
/ip firewall filter
add action=drop chain=prerouting ttl=less-than:63
I tried also to mark the connections with TTL less than 63 and then block those in /ip firewall filter but to no effect.
I hope someone could help me on this.

Re: Changing TTL for incoming packets from client

Posted: Tue Jan 19, 2021 5:22 pm
by mpuria
bump.... hope someone could give an insight

Re: Changing TTL for incoming packets from client

Posted: Tue Jan 19, 2021 5:57 pm
by Sob
You're wasting your time, client can change TTL as easily as you can, so whatever you do, they will do the opposite and avoid your blocking.

Re: Changing TTL for incoming packets from client

Posted: Wed Jan 20, 2021 3:45 am
by mpuria
> You're wasting your time, client can change TTL as easily as you can, so whatever you do, they will do the opposite and avoid your blocking.
That is correct, that is why I am looking into blocking the incoming packets from the client side whose TTL is less than or equal to 62. All my clients are Linux-based (all expected TTLs=64), that's why I need to block all those with TTL<=62.

Re: Changing TTL for incoming packets from client

Posted: Wed Jan 20, 2021 3:48 pm
by Sob
You can use your command, just change the incorrect chain=prerouting to chain=forward and add in-interface=<where client is connected>. But you're wasting your time with incoming packets too, client can change TTL for both incoming and outgoing packets.
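To make the TTL arithmetic behind mpuria's threshold and Sob's corrected rule concrete, here is a small Python model. It is an added example, not code from the thread or from RouterOS: it decrements the IPv4 TTL once per router hop and then applies the same comparison RouterOS makes for `ttl=less-than:63` in a `chain=forward` rule restricted to one `in-interface`. The interface name `ether2`, the hop counts and the sample hosts are assumptions constructed for the illustration; the Linux (64) and Windows (128) default initial TTLs are the usual OS defaults and show why the rule only works under the "all clients are Linux" assumption stated in the thread.

```python
"""Model of the TTL-based forward-chain filter discussed in the thread.

Constructed example: simulates how a client's packet loses one TTL per
router on its way to the MikroTik, then evaluates Sob's corrected rule
    chain=forward in-interface=<client port> ttl=less-than:63 action=drop
against it. Interface name, hop counts and hosts are made up.
"""
from dataclasses import dataclass

LINUX_DEFAULT_TTL = 64      # usual initial TTL on Linux/Android hosts
WINDOWS_DEFAULT_TTL = 128   # usual initial TTL on Windows hosts
CLIENT_IFACE = "ether2"     # assumed: MikroTik port the client router hangs off


@dataclass(frozen=True)
class Packet:
    src: str
    ttl: int
    in_interface: str


def forward_through_routers(initial_ttl: int, router_hops: int) -> int:
    """Every standards-compliant router decrements TTL by one; a packet that
    would reach TTL 0 is discarded on the way, represented here as 0."""
    return max(initial_ttl - router_hops, 0)


def ttl_less_than(packet: Packet, limit: int) -> bool:
    """RouterOS `ttl=less-than:<limit>` matcher: true when TTL < limit."""
    return packet.ttl < limit


def forward_chain_verdict(packet: Packet, in_iface: str = CLIENT_IFACE,
                          limit: int = 63) -> str:
    """Apply the single drop rule from the corrected answer.

    Returns 'drop' when both the in-interface and the TTL matcher hit,
    otherwise 'accept' (the implicit default when no filter rule matches).
    """
    if packet.in_interface == in_iface and ttl_less_than(packet, limit):
        return "drop"
    return "accept"


def classify_client(initial_ttl: int, router_hops: int,
                    src: str = "10.0.0.2") -> str:
    """Simulate a host `router_hops` routers away from the MikroTik and
    report what the forward chain does with its packet."""
    pkt = Packet(src=src,
                 ttl=forward_through_routers(initial_ttl, router_hops),
                 in_interface=CLIENT_IFACE)
    return forward_chain_verdict(pkt)


if __name__ == "__main__":
    cases = [
        ("Linux host behind the customer router", LINUX_DEFAULT_TTL, 1),
        ("Linux host behind a second, cascaded router", LINUX_DEFAULT_TTL, 2),
        ("Windows host behind a second, cascaded router", WINDOWS_DEFAULT_TTL, 2),
    ]
    for label, ttl0, hops in cases:
        arrived = forward_through_routers(ttl0, hops)
        print(f"{label}: arrives with TTL {arrived} -> {classify_client(ttl0, hops)}")
```

Running it shows a Linux host one router away arriving with TTL 63 (accepted), the same host behind a cascaded second router arriving with TTL 62 (dropped), and a Windows host two routers away arriving with TTL 126 (accepted), which is the gap mpuria's "all clients are Linux" assumption has to cover; it also shows why `in-interface` matters, since the same low TTL arriving on any other port is left alone.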