ICMP Issue

Posted: Tue Jul 27, 2021 10:03 am
by abulat
Hi guys,

Please help me: what is wrong with my ICMP rules... I can't ping the WAN interface of the MikroTik from outside. If I switch off rule nr. 7 it works, but with it switched on it's not working... but the rules for ICMP are above it.

Thanks in advance.

Re: ICMP Issue

Posted: Tue Jul 27, 2021 10:39 am
by rextended
/ip firewall filter export

Re: ICMP Issue

Posted: Tue Jul 27, 2021 10:41 am
by abulat
/ip firewall filter
add action=accept chain=input comment="ACCEPT ICMP" packet-size=100 protocol=icmp
add action=accept chain=input comment="ACCEPT L2TP" dst-port=500,1701,4500 protocol=udp src-address-list=admins
add action=accept chain=input comment="ACCEPT L2TP" in-interface="ether1 - WAN" protocol=ipsec-esp src-address-list=admins
add action=accept chain=input comment="ACCEPT WINBOX" dst-port=8291 in-interface="ether1 - WAN" protocol=tcp src-address-list=admins
add action=accept chain=input comment="ACCEPT DNS" in-interface="ether1 - WAN" protocol=udp src-port=53
add action=accept chain=input comment="ACCEPT related,established" connection-state=established,related
add action=drop chain=input comment="Drop any from WAN" in-interface="ether1 - WAN"
add action=accept chain=forward comment="ACCEPT 80" dst-port=80 protocol=tcp
add action=accept chain=forward comment="ACCEPT 443" dst-port=443 protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="ether1 - WAN"

Re: ICMP Issue

Posted: Tue Jul 27, 2021 10:43 am
by rextended
The screenshot says nothing...

but the export talks:

/ip firewall filter
add action=accept chain=input comment="ACCEPT ICMP" packet-size=100 protocol=icmp

Why packet-size 100?
That accepts only ICMP with exactly that size.

You also mix up the rules: usually est./relat. are on top, and "drop invalid" is missing on both chains.

Re: ICMP Issue

Posted: Tue Jul 27, 2021 10:49 am
by abulat

Which is the optimal packet size?


Re: ICMP Issue [SOLVED]

Posted: Tue Jul 27, 2021 10:50 am
by rextended
There is no "optimal packet size"; it must be a range (at least packet-size=0-1600). Remove that setting.


WARNING:
add action=accept chain=input comment="ACCEPT DNS" in-interface="ether1 - WAN" protocol=udp src-port=53
expect self-destruction by DDoS

Re: ICMP Issue

Posted: Tue Jul 27, 2021 10:53 am
by abulat
There is no "optimal packet size"; it must be a range (at least packet-size=0-1600). Remove that setting. => removed packet-size 100 and it works normally now


WARNING:
add action=accept chain=input comment="ACCEPT DNS" in-interface="ether1 - WAN" protocol=udp src-port=53 => was removed. Thanks for the information
expect self-destruction by DDoS

Thanks a lot

Re: ICMP Issue

Posted: Tue Jul 27, 2021 10:57 am
by abulat

You also mix up the rules: usually est./relat. are on top, and "drop invalid" is missing on both chains.

What do you mean? I don't understand here … can you correct me on how it needs to be done?

Thanks in advance

Re: ICMP Issue

Posted: Tue Jul 27, 2021 11:04 am
by rextended
Move
add action=accept chain=input comment="ACCEPT related,established" connection-state=established,related
to the top.

Create (paste on terminal) and put this just under the first:
/ip firewall filter
add action=drop chain=input comment="defconf: DROP invalids" connection-state=invalid

Move
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related

just under the input "Drop any from WAN".

Create (paste on terminal) and put this just under the previous forward established,related:
/ip firewall filter
add action=drop chain=forward comment="defconf: DROP invalids" connection-state=invalid
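To see why the exact packet-size match broke ping and what the reordering in this last post achieves, here is an added example (not code from the thread or from MikroTik) that replays abulat's export through a small first-match evaluator. It assumes, as RouterOS does, that a chain is evaluated top to bottom and a packet no rule matches is accepted; it assumes packet-size compares the full IP length, so a default Linux ping (56 data + 8 ICMP + 20 IP bytes) arrives as an 84-byte packet; and it models only the matchers that appear in the export. The ping packet is constructed; the rule text is the export posted above. The apply_thread_fixes() function encodes rextended's procedure plus abulat's removal of the src-port=53 rule.

```python
import shlex

# The export posted by abulat in this thread, verbatim.
ORIGINAL_EXPORT = """
/ip firewall filter
add action=accept chain=input comment="ACCEPT ICMP" packet-size=100 protocol=icmp
add action=accept chain=input comment="ACCEPT L2TP" dst-port=500,1701,4500 protocol=udp src-address-list=admins
add action=accept chain=input comment="ACCEPT L2TP" in-interface="ether1 - WAN" protocol=ipsec-esp src-address-list=admins
add action=accept chain=input comment="ACCEPT WINBOX" dst-port=8291 in-interface="ether1 - WAN" protocol=tcp src-address-list=admins
add action=accept chain=input comment="ACCEPT DNS" in-interface="ether1 - WAN" protocol=udp src-port=53
add action=accept chain=input comment="ACCEPT related,established" connection-state=established,related
add action=drop chain=input comment="Drop any from WAN" in-interface="ether1 - WAN"
add action=accept chain=forward comment="ACCEPT 80" dst-port=80 protocol=tcp
add action=accept chain=forward comment="ACCEPT 443" dst-port=443 protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="ether1 - WAN"
"""

# Constructed packet: first echo request of a default Linux ping (84 bytes) arriving on WAN.
PING_FROM_WAN = {"protocol": "icmp", "size": 84, "in-interface": "ether1 - WAN",
                 "connection-state": "new", "address_lists": []}


def parse_export(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted values whole."""
    return [dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
            for line in text.splitlines() if line.strip().startswith("add ")]


def _size_matches(spec, size):
    lo, _, hi = spec.partition("-")
    return int(lo) <= size <= int(hi or lo)   # bare "100" means exactly 100 bytes


def _list_matches(spec, value):
    negated = spec.startswith("!")             # e.g. connection-nat-state=!dstnat
    return (value in spec.lstrip("!").split(",")) != negated


def rule_matches(rule, pkt):
    for key, spec in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        if key == "packet-size":
            ok = _size_matches(spec, pkt["size"])
        elif key == "src-address-list":
            ok = spec in pkt["address_lists"]
        elif key in pkt:
            ok = _list_matches(spec, str(pkt[key]))
        else:
            ok = False                         # packet carries no value for this matcher
        if not ok:
            return False
    return True


def first_match(rules, chain, pkt):
    """Return (action, comment) of the first rule in `chain` that matches `pkt`."""
    for rule in rules:
        if rule.get("chain") == chain and rule_matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "implicit accept: no rule matched"


def lint(rules):
    """Flag the problems rextended raised: ordering, missing drop-invalid, exact ICMP size."""
    findings = []
    for chain in ("input", "forward"):
        chain_rules = [r for r in rules if r.get("chain") == chain]
        states = [r.get("connection-state", "") for r in chain_rules]
        if not states or "established" not in states[0]:
            findings.append(f"{chain}: accept established,related is not the first rule")
        if not any(r.get("action") == "drop" and r.get("connection-state") == "invalid"
                   for r in chain_rules):
            findings.append(f"{chain}: no drop rule for connection-state=invalid")
    for r in rules:
        if r.get("protocol") == "icmp" and "-" not in r.get("packet-size", "0-65535"):
            findings.append(f"{r['chain']}: ICMP accept matches only packet-size={r['packet-size']}")
    return findings


def apply_thread_fixes(rules):
    """Range instead of exact size, drop the src-port=53 accept, then per chain:
    established,related first, a drop-invalid rule right under it, the rest after."""
    kept = []
    for r in rules:
        r = dict(r)
        if r.get("protocol") == "icmp" and r.get("packet-size") == "100":
            r["packet-size"] = "0-1600"
        if r.get("src-port") == "53":          # the rule abulat removed after the warning
            continue
        kept.append(r)
    ordered = []
    for chain in ("input", "forward"):
        est = [r for r in kept if r["chain"] == chain and "established" in r.get("connection-state", "")]
        rest = [r for r in kept if r["chain"] == chain and r not in est]
        invalid = {"action": "drop", "chain": chain, "comment": "defconf: DROP invalids",
                   "connection-state": "invalid"}
        ordered += est + [invalid] + rest
    return ordered


if __name__ == "__main__":
    before = parse_export(ORIGINAL_EXPORT)
    print("original:", first_match(before, "input", PING_FROM_WAN), lint(before))
    after = apply_thread_fixes(before)
    print("fixed:   ", first_match(after, "input", PING_FROM_WAN), lint(after) or "clean")
```

Running it shows the 84-byte echo request slipping past packet-size=100 and landing on "Drop any from WAN", then being accepted by the ICMP rule once the size is a range; lint() reports nothing on the reordered set, and a connection-state=invalid packet now hits the drop-invalid rule second in each chain instead of falling through to whatever accept comes later.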