How do I allow a ping from the first PC to a second one but block a ping from the second PC to the first one?

I created this firewall rule on both Mikrotik routers:

add action=accept chain=forward dst-address= protocol=icmp \
add action=accept chain=forward dst-address= protocol=icmp \
add action=drop chain=forward

If I turn off the first or second rule, none of the pings work. If I allow both, pinging works on both PCs.

2 Answers


Both 'ping' requests and responses are ICMP. So one rule allows the request and another allows the response, in either direction.

You can match individual ICMP packet types using icmp-options=Type[:Code]. According to this website, echo requests are type 8 and responses are type 0.

Note that ICMP is a bit more than just 'ping'. It is really not wise to discard ICMP error indications.

  • Thanks. It seems to have helped. I know the importance of ICMP, but for now, this was the goal.
    – Alex
    Commented Jul 12, 2018 at 15:23

For those who need an answer:

On both routers I matched ICMP type 0 (echo reply) to the rule:

add action=accept chain=forward dst-address= protocol=icmp \

On both routers I matched ICMP type 8 (echo request) to the rule:

add action=accept chain=forward dst-address= protocol=icmp \

Complete rules on both routers:

add action=accept chain=forward dst-address= icmp-options=0:0-255 \
    protocol=icmp src-address=
add action=accept chain=forward dst-address= icmp-options=8:0-255 \
    protocol=icmp src-address=
add action=drop chain=forward

So from to - ping is working.

From to - ping is not working.
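
The rule logic from the answers above, modelled as an added Python example (not part of the original posts and not RouterOS code): a first-match evaluator run over the echo-reply rule, the echo-request rule and the final drop. It also shows the caveat from the first answer, that ICMP error indications fall through to the drop rule. The addresses, `forward`, `ping_works` and the `RULES_WITH_ERRORS` variant are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PC1 = "192.0.2.10"      # constructed address: the PC allowed to ping
PC2 = "198.51.100.20"   # constructed address: the PC that must not ping back
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

@dataclass(frozen=True)
class Rule:
    action: str
    src: Optional[str] = None        # None matches any source
    dst: Optional[str] = None        # None matches any destination
    icmp_type: Optional[int] = None  # None matches any packet, ICMP or not

# Same shape as the answer's rule set: reply rule, request rule, final drop.
RULES = [
    Rule("accept", src=PC2, dst=PC1, icmp_type=ECHO_REPLY),
    Rule("accept", src=PC1, dst=PC2, icmp_type=ECHO_REQUEST),
    Rule("drop"),
]
# Hypothetical variant that also forwards ICMP error types from any source.
RULES_WITH_ERRORS = RULES[:2] + [
    Rule("accept", icmp_type=DEST_UNREACH),
    Rule("accept", icmp_type=TIME_EXCEEDED),
    Rule("drop"),
]

def forward(src, dst, icmp_type, rules=RULES):
    """Verdict of the first matching rule; icmp_type=None means non-ICMP."""
    for r in rules:
        if r.src is not None and r.src != src:
            continue
        if r.dst is not None and r.dst != dst:
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r.action
    return "accept"  # not reached here: the last rule matches everything

def ping_works(src, dst, rules=RULES):
    """A ping succeeds only if the request and the returning reply both pass."""
    return (forward(src, dst, ECHO_REQUEST, rules) == "accept"
            and forward(dst, src, ECHO_REPLY, rules) == "accept")

if __name__ == "__main__":
    print("PC1 -> PC2 ping:", ping_works(PC1, PC2))
    print("PC2 -> PC1 ping:", ping_works(PC2, PC1))
    print("dest-unreachable to PC1:", forward(PC2, PC1, DEST_UNREACH))
```

Because the match is on ICMP type and address only, with no connection tracking, an unsolicited echo reply from the second PC to the first is also forwarded.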
