Mikrotik How To

If your broadband network operates through a MiktroTik router, then you can block your children and others in your household from accessing Facebook. To do this, you must have WinBox, a console application that allows you to fine-tune all your MikroTik router settings.
With it, you can log directly into your router via your computer and then submit specific terminal commands to block any and all Facebook Internet content. Difficulty:
Easy Instructions

1. Launch WinBox, and log in to your router account. 
2. Click the "New Terminal" button in the left menu. 
3. Type the following commands into the terminal, and press enter after typing each command:

/ip firewall filter add chain=forward content="facebook.com" action=drop comment="Drop Facebook" /ip firewall filter add chain=forward content="www.facebook.com" action=drop comment="Drop Facebook"

/ip firewall filter add chain=forward content="apps.facebook.com" action=drop comment="Drop Facebook"

/ip firewall filter add chain=forward content="facebook" action=drop comment="Drop Facebook" /ip firewall filter add chain=forward content="facebook.*" action=drop comment="Drop Facebook"

(www.wikiopens.com )

• Restrict bandwidth usage for embedded video streaming

Second, marking data packets using firewall mangle:
Then finally, add new rule in simple queue to limit bandwidth usage for http-video packets (in this example, download for embedded video streaming was capped at 64kbps, you can define this to suite your needs).

•  Blocking embedded video streaming with mikrotik

First, add a video content filter at Layer7 protocol:
Second, marking data packets using firewall mangle:
Finally, drop all http-video packets :)

There is Mikrotik Router OS Version 5.17 has benn release. This is the feautures new 5.17 version of mikrotik router OS  :

*) files – fixed problem when directories disappeared after reboot on usb or sd flash;
*) webfig – make QuickSet scan list work in Firefox v12;
*) webfig – fixed problem in QuickSet when changing country or channel-width in AP
mode would enable NV2 protocol;
*) webfig – fixed skins when hiding first tab may make other tabs inaccessible;
*) winbox – fixed packet raw data view in packet sniffer;
*) winbox – fixed problem when router could be DoS attacked through winbox port; This is a biggie!!
*) ports – add option “/port firmware ignore-directip-modem”
which will ignore modems ip interface
and modem’s serial ports will be made accessible to users;
*) ipv6 pool – allow pools with prefix equal to prefix length;
*) ping times improved on Nv2 high data rate wireless links;
*) tool email – added starttls option;
*) snmp – allow multiple ip ranges for each community;
*) serial console – added channel support;

It has thirteen individual gigabit Ethernet ports, two 5-port switch groups, and includes Ethernet bypass capability. 2GB of SODIMM RAM are included, there is one microSD card slot, a beeper and a serial port. The RB1100AH comes preinstalled in a 1U aluminium rackmount case, assembled and ready to deploy.


CPU PowerPC P2020 dual core 1066MHz network CPU with IPsec accelerator Memory SODIMM DDR Slot, 2GB installed (RouterOS will use only up to 1.5GB) Boot loader RouterBOOT, 1Mbit Flash chip Data storage Onboard NAND memory chip, one microSD card slot Ethernet Thirteen 10/100/1000 Mbit/s Gigabit Ethernet with Auto-MDI/X Ethernet Includes switch to enable Ethernet bypass mode in two ports miniPCI none Serial port One DB9 RS232C asynchronous serial port.

Extras Reset switch, beeper, voltage and temperature sensors Power options Built-in power supply (IEC C14 standard connector 110/220V), PoE (12- 24V on port 13) Fan Built in fans, and Fan headers Dimensions 1U case: 44 x 176 x 442 mm, 1275g. Board only: 365g Operating System MikroTik RouterOS, Level 6 license.

MikroTik Router RB951-2n - If you thought the RB751 couldn’t get any cheaper, MikroTik have specs available for download now for the new RB951-2n.

Smaller and cheaper than the 751. No USB port or external antenna though. No date on release yet, but pre-production samples are available soon to distributors.

Now you can build and improve your network security with mikrotik router without high cost.

The RB951-2n is the home wireless AP you have been waiting for. It has five Ethernet ports and a 802.11b/g/n wireless AP with an antenna built in.

This model is much smaller than the more powerful 2HnD model, the RB951-2n looks exactly like our popular RB750 series. The device is very small and will look good in any home or

office, wall mounting anchor holes are provided. 

Heres the specification of RB951-2n :

CPU Atheros AR9331 300MHz

CPU Memory 32MB

DDR SDRAM onboard memory

Ethernet Five independent 10/100 Ethernet ports

LEDs Power, NAND activity, 5 Ethernet LEDs

Power options PoE:  8-30V DC on Ether1 (Non 802.3af).

Jack: 8-30V DC Dimensions 113x89x28mm.

Weight without packaging and cables: 142g

Power consumption Up to 4W

Operating Temp -20C .. +50C

Operating System MikroTik RouterOS, Level4 license

Package contains RouterBOARD in a plastic case, power adapter

Antennas 1x1 MIMO with two onboard PIF antennas, max gain 1.5dBi

TX power 802.11b: 17dBm @ 11Mbps

802.11g: 15dBm @ 6Mbps to 11 dBm @ 54 Mbps

802.11n: 15dBm @ MCS0 to 9dBm @ MCS7 40MHz

RX sensitivity 802.11g: -92dBm @ 6Mbit/s to -73dBm @ 54Mbit/s

802.11n: –92 dBm @ MCS0 to –67 dBm @ MCS7

Modulations OFDM: BPSK, QPSK, 16 QAM, 64QAM

DSSS: DBPSK, DQPSK, CCK

New products-
*RB411GL
*RB411UAHL
*RB711-2HnD
*RBPOE-CON-HP
*RB2011L
*RB2011L-IN
*RBWMK
*RBSXTG-5HnD

*MUM USA 2012

Download the newsletter here:
http://www.mikrotik.com/download/share/news_37.pdf


See you at the MUM USA - New Orleans, LA, September 27-28, 2012!
Registration is already open:
http://mum.mikrotik.com/2012/US/info

--
This mail has been sent automatically because you are subscribed to notification list.
To unsubscribe from this list please follow the link:
http://www.mikrotik.com/client/ecom_notify.php?

It's only THREE WEEKS until the MUM Poland 2012! More than 800 participants have registered. Be the first one to discover market leading innovations to be revealed at the largest WISP conference in Europe - MUM Poland 2012 -Warsaw/Poland, March 15-16, 2012
http://mum.mikrotik.com/register.php?section=32
- new agenda topics
- live product demonstrations
- birds of feather tables
- pre-MUM training classes
- meet experts face to face
- special Polish beer
- travel info

*new agenda topics*

We have added three workshops by MikroTik Engineers
Mar 15, 10:30 RouterOS Quickset, and RouterOS Tips and Tricks Workshop by Sergejs Boginskis (MikroTik)
Mar 16, 09:00 Wireless Workshop by Uldis Cernevskis (MikroTik)
Mar 16, 11:00 Load Balancing Workshop by Janis Megis (MikroTik)

*live demonstration of RB2011*

Participate in the first live demonstration of MikroTik RouterBOARD 2011 series products for home and FTTx installations!

*Birds of feather*

Participate in birds of feather workshops which will take place during the lunch time on March 15 and 16. Write to support@mikrotik.com and suggest topics which you would like to discuss!

*Pre-MUM Training Classes on March 12-14, Monday-Wednesday*

This year, we have built up one of most experienced Trainer teams ever to provide all available MikroTik Training courses before MUM.

- New to MikroTik? MTCNA is first level certification, required as a base for all other certifications.
MTCNA in English language will be performed by Andis Arins (router.lv).
During last 12 months, he has performed seven MTCNA trainings.
Sign up now at http://www.router.lv/eng/courses/24

MTCNA in Polish language will be performed by Pawel Cieplinski. Pawel has issued more that 30 MTCNA certificates last year. Based in Poland, he has experience and knowledge, required for local ISP/WISP.
Sign-up now at http://cieplinski.pl/mtcna-before-mum.pdf

- MTCTCE (Traffic Control) will be provided by Jaromir Cihak (Sys-DataCom) and Valens Riyadi (Citraweb). They are the pioneers of MikroTik Certified Training since 2004, specialized on many aspect of networking and RouterOS configurations, with years of real networking experiences and consulting. Jaromir own and manage a WISP at Praha (Czech Republic) and surrounding area, and Valens also has one at Yogyakarta (Indonesia). They made several MUM presentations about various interesting topics.
Sign up at http://mtctce.mikrotik.cz/

- there will be two MTCRE (Routing) classes.
MTCRE in English language  will be presented by Wardner Maia (MD Brazil). He is MikroTik Certified Trainer since 2007 and specializes in routing and inter-networking. He has issued more that 140 MTCRE certificates and more than 50 MTCINE certificates- biggest number of all MikroTik teachers.
Sign up at http://www.mdbrasil.com.br/en/

MTCRE in German language will be performed by Sebastian Inacker (FMS). Sebastian also is MikroTik teacher since 2007. He has performed four MTCRE courses during last two years with excellent average passing grade.
Sign up at http://www.mikrotik-shop.de/Training:::92.html

- One of the most popular Trainings always is MTCWE (Wireless). This year it will be performed by Ron Touw (Nest Wireless), one of our most active Forum Members (user id "nest"). He has over 30 years experience in RF Engineering, specializing in wireless interference resolution for the last 25 years with the UK Government.
Sign up at http://www.nestwireless.co.uk/

- MTCUME (User Manager) training will be performed by Lorenzo Busatti (Grifonline S.r.l.). Lorenzo has all seven MikroTik certificates and he is frequent guest to MUM meetings.
Sign up at http://training.grifonline.it/training_mikrotik_MTCUME_WARSAW_032012_en.html

- MTCINE (Inter-networking) is the most advanced course, and this time it will be performed by MikroTik Engineer Maris Bulans.
Sign up now at http://www.mikrotik.com/training/offers

- want to become a MikroTik Trainer? There will be Train-the-Trainer course, performed by MikroTik Engineer Janis Megis.
Sign up now at http://www.mikrotik.com/training/offers

*Meeting points*

Meet MikroTik Consultants http://www.mikrotik.com/consultants and Trainers http://www.mikrotik.com/training/partners at the Meeting Point next to the registration desk. Send email and setup a meeting! This is the opportunity to receive professional answers to your questions (how to improve/secure/manage your network, increase the throughput speed of your wireless links, what equipment to use, etc.) and perhaps establish a long-term cooperation in the field of consulting and training.

*Special Polish beer*

Don't miss special Polish beer Zywiec (pronounced Geevyets) http://zywiec.com.pl/ to be served for FREE during the Meet'n' Greet Party on Wednesday night, March 14, from 6PM

*Travel info*

We have inspected hotel facilities and an extensive review is available at http://mum.mikrotik.com/2012/PL/accomodation. It includes how to get there with taxi, train or bus, pricing, where to eat and other valuable tips. If you plan to go, definitely check it out!

*Register now!*

Where:           Warsaw (Poland)
When:            Thu-Fri, March 15-16
Meet and greet:  Wednesday, March 14, 6PM (registration and free beer)
Venue:          http://mum.mikrotik.com/2012/PL/accomodation
Agenda:        http://mum.mikrotik.com/2012/PL/agenda

Register for MUM Poland 2012 here http://mum.mikrotik.com/register.php?section=32. Free or Paid registration is mandatory for all attendees. Register now and remember to print the ticket!

See you in Warsaw!

Regards,
MikroTik

The new 5GHz super high power wireless card for long range links and powerful access points. This is the professional choice for reaching the last mile. 800mW transmit power will give you the ability to reach even further than before.

The card features built-in LED indicators for wireless mode, connection status (connected, searching, disabled), TX and RX activity and wireless signal strength - just looking at the card will help with installation and alignment. The card comes with a preinstalled industrial grade heatsink, one MMCX connector and nine LED indicator lights.

Due to local regulations, currently we can sell R5SHPn only to countries outside European Union.

(routerboard.com)

It's only FIVE WEEKS until the Biggest WISP Event in Europe of all times -
MUM Poland 2012 !!! Warsaw/Poland, March 15-16, 2012
http://mum.mikrotik.com/register.php?section=32.
We are expecting MUM Poland 2012 to gather more than 1000 attendees thus
becoming the ALL TIMES largest WISP event in Europe. Be a part of this
historical event and register now for FREE!

We are pleased to announce that we have managed to allocate more HARDWARE
GIFTS of RouterBOARD product family to 100 more MUM attendees who will
register at http://mum.mikrotik.com/register.php?section=32.

FREE registration ends on February 21, 2012. Entrance ticket at the door
will cost USD 75.

* * * What to see? * * *

* * Agenda | Presentations and Workshops * *

    March 14, Wednesday

18:00     Meet 'n' greet party, early check-in, free drinks, free hardware
gift

    March 15, Thursday

08:00     Check-in and Exhibitor hall opens. Bring your printed tickets!
10:00     Opening and Introduction, New Amazing Product Announcements by
Normunds Rustanovics (MikroTik, Latvia)
10:30     RouterOS Tips and Tricks Workshops by RouterOS professionals
12:00     Lunch time
13:30     MikroTik RouterOS as a PIM router (principles of multicast
routing, PIM-SM routing protocol, other multicast related topics) by Piotr
Cogiel (Inter Projekt, Poland)
14:15     High availability network services using MikroTik RouterOS
(techniques how to make sure your critical services like DNS or RADIUS are
running and reachable) by Martin Pina (hanacke.net, Czech Republic)
15:00     Switch Chip, Bypass and Co. - Using advanced RouterBOARD Hardware
Features by Patrik Schaub (FMS Internetservice, Germany)
15:45     OSPF on Wireless - with a twist by Ron Touw (Nest Wireless, UK)
and Leo De Geer (Satellithuset, Sweden)
16:30     IPV6 Security - Threats and countermeasures by Wardner Maia (MD
Brasil, Brazil)

    March 16, Friday

08:00     Check-in and Exhibitor hall opens. Bring your printed tickets!
09:00     Wireless workshop by RouterOS professionals
10:30     Coffee break
11:00     QoS workshop by RouterOS professionals
12:30     Lunch time
14:00     Why our link performance is not Good? (primary elements which
directly affect your wireless link performance, tips to improve it) by Ahmad
Mortazavi (Deltalink Electronics Ltd., Turkey)
14:30     Web skins, What are they and how the use them? (one of latest
features of RouterOS which allows to create a customized user interfaces for
different purposes) by Paweł Ciepliński (Poland)
15:45     Access Point Redundancy, Part 2 (advanced setup for implementing
Access Point Redundancy using RouterOS) by Lorenzo Busatti (Grifonline
S.r.l., Italy)
16:15     Raffle and closing of MUM

Full list of presentations is here:
http://mum.mikrotik.com/2012/PL/agenda

* * Exhibition area * *

... is about to gather more than 30 distributors and vendors showing their
latest products, product samples, live demos and more:

Totalconn (Italy) http://www.wi4net.it/
Meconet (Germany) http://www.meconet.de/
Batna (Poland) http://www.anteny24.pl/
CDR (Poland) http://www.4wifi.pl/
FMS (Germany) http://www.fmsweb.de/
Inter Projekt (Poland) http://www.interprojekt.pl/
Sys-DataCom (Czech Republic) http://www.sys-data.com/
ATS (Poland) http://www.wirelesslan.pl/
Cyberbajt (Poland) http://www.cyberbajt.pl/
i4wifi (Czech Republic) http://www.i4-wifi.com/
NIM Wave (Italy) http://www.nimwave.com/
RF Elements (Slovakia) http://www.rfelements.com/
Deltalink (Turkey) http://deltalink.com.tr/
EDCwifi (China) http://www.edcwifi.com/
NET service solution (Czech Republic) http://www.ispadmin.eu/
Jirous (Czech Republic) http://en.jirous.com/
Technologic (Poland) http://www.technologic.pl/
Itelite (Poland) http://www.itelite.net/ (NEW)
MTI (Israel) http://www.mtiwe.com/ (NEW)
Cyberteam (Poland) http://www.cyberteam.pl/ (NEW)
Townet (Italy) http://www.townet.it (NEW)
Hotlava (USA) http://www.hotlavasystems.com/ (NEW)
... 6 more in process

* * Meet our sales department * *

If you want to learn about possible partnership possibilities (distribution,
training, production, etc.) with MikroTik, have questions about orders or
simply wish to meet a representative of our sales team in person - e-mail
sales@mikrotik.com to sign up for a meeting. This is your chance to clarify
things in person. Sales meetings take place the whole day, for both days of
the MUM event - March 15 and 16.

* * Pre-MUM Training Classes on March 12-14, Monday-Wednesday * *

- Training for Trainers by MikroTik (ENG)
http://www.mikrotik.com/training/offers
- MTCTCE by Sys-DataCom and Citraweb (ENG) http://mtctce.mikrotik.cz/
- MTCINE by MikroTik (ENG) http://www.mikrotik.com/training/offers
- MTCWE by NEST Wireless UK (ENG) http://www.nestwireless.co.uk/training/
- MTCNA by router.lv (ENG) http://www.router.lv/eng/courses/24
- MTCRE by FMS Internetservice (GER)
http://www.mikrotik-shop.de/Training:::92.html
- MTCRE by MD Brasil (ENG) http://www.mdbrasil.com.br/en
- MTCUME by Grifonline S.r.l. (ENG)
http://training.grifonline.it/training_mikrotik_MTCUME_WARSAW_032012_en.html
- MTCNA by Pawel Cieplinski (POL)
http://cieplinski.pl/training.php?e=mtcna-before-mum

* * Register now! * *

Where:           Warsaw (Poland)
When:            Thu-Fri, March 15-16
Meet and greet:  Wednesday, March 14, 6PM (registration and free beer)
Venue:          http://mum.mikrotik.com/2012/PL/accomodation
Agenda:        http://mum.mikrotik.com/2012/PL/agenda

Follow this link http://mum.mikrotik.com/register.php?section=32 to register
for the largest WISP event in Europe! Remember that either Free or Paid
registration is mandatory for all attendees, register now and remember to
print the ticket!

See you in Warsaw!

Regards,
MikroTik

Biggest WISP event in Europe!  LESS THAN TWO MONTHS UNTIL THE MUM !!!
Warsaw/Poland, March 15-16, 2012

Over 500 people have already registered for the MUM Europe 2012. The
capacity of the conference room will be reached soon. We are working
with the hotel to get additional space if needed, but please register
IMMEDIATELY to be sure of your place.


FREE registration will end on February 21, 2012. Entrance ticket at the
door will cost USD 75.

Registered attendees and the next 150 people to register will receive a
HARDWARE GIFT from MikroTik! Register now to be among them
http://mum.mikrotik.com/register.php?section=32.

The hotel is filling up as well, please reserve your room as soon as
possible to be sure that you get one! Promotion code for booking rooms
at a special price is "MIKROTIK", more information -
http://mum.mikrotik.com/2012/PL/accomodation.

Come and see:

- !!! BIG new product announcements and demos !!!
- New Hands On Workshop Events
- a raffle on the last day of the MUM with many interesting gifts from
us and the vendors at the show
- meet, greet, and register Wednesday night at 6PM (free beer and soft
drinks)
- exhibition area with distributors and vendors presenting their
innovative hardware and software designs
http://mum.mikrotik.com/2012/PL/exhibitors

    Totalconn (Italy) http://www.wi4net.it/
    Meconet (Germany) http://www.meconet.de/
    Batna (Poland) http://www.anteny24.pl/
    CDR (Poland) http://www.4wifi.pl/
    FMS (Germany) http://www.fmsweb.de/
    Inter Projekt (Poland) http://www.interprojekt.pl/
    Sys-DataCom (Czech Republic) http://www.sys-data.com/
    ATS (Poland) http://www.wirelesslan.pl/
    Cyberbajt (Poland) http://www.cyberbajt.pl/
    i4wifi (Czech Republic) http://www.i4-wifi.com/
    NIM Wave (Italy) http://www.nimwave.com/
    RF Elements (Slovakia) http://www.rfelements.com/
    Deltalink (Turkey) http://deltalink.com.tr/
    EDCwifi (China) http://www.edcwifi.com/
    NET service solution (Czech Republic) http://www.net-service.cz/
    Jirous (Czech Republic) http://en.jirous.com/
    Technologic (Poland) http://www.technologic.pl/
    ... 4 more in process

Where:           Warsaw (Poland)
When:            Thu-Fri, March 15-16
Meet and greet:  Wednesday, March 14, 6PM (registration and free beer)
Register:        http://mum.mikrotik.com/register.php?section=32
Venue:          http://mum.mikrotik.com/2012/PL/accomodation
Agenda:        http://mum.mikrotik.com/2012/PL/agenda

Training sessions before the MUM are almost fully booked. Please be sure
to register soon to get a seat. Contact the organizer to sign up!

Trainings before MUM (March 12-14):

- Training for Trainers by MikroTik (ENG)
http://www.mikrotik.com/training/offers
- MTCTCE by Sys-DataCom and Citraweb (ENG) http://mtctce.mikrotik.cz/
- MTCINE by MikroTik (ENG) http://www.mikrotik.com/training/offers
- MTCWE by NEST Wireless UK (ENG) http://www.nestwireless.co.uk/training/
- MTCNA by router.lv (ENG) http://www.router.lv/eng/courses/24
- MTCRE by FMS Internetservice (GER)
http://www.mikrotik-shop.de/Training:::92.html
- MTCRE by MD Brasil (ENG) http://www.mdbrasil.com.br/en
- MTCUME by Grifonline S.r.l. (ENG)
http://training.grifonline.it/training_mikrotik_MTCUME_WARSAW_032012_en.html
- MTCNA by Pawel Cieplinski (POL)
http://cieplinski.pl/training.php?e=mtcna-before-mum

To register for the MUM event (conference, exhibition, workshop), follow this link: http://mum.mikrotik.com/register.php?section=32

See you in Warsaw!

Regards,
MikroTik

The MikroTik new products: 

* RB751U-2HnD
* RB411L
* RB433GL
* R5SHPn
* RB433L
* RB751G-2HnD
* OmniTikUPA-5HnD
* RB433UAHL


Download the newsletter here: 
http://www.mikrotik.com/download/share/news_36.pdf

See you in the MUM in Poland! 

Came across an interesting (yet to be verified) bug today.
The info:
RouterOS v4.10 running on x86 server
Site runs both a hotspot and PPPoE server on the same interface.
Users can decide to login via the captive portal (which most do) or for those who understand and wish to use a pppoe connection, they have the option to use that instead, as it comes with a public IP.

The problem:
Support call came in saying that a user was unable to access www.google.com (which for the sake of this example we’ll say resolves to 192.0.2.1). I checked and confirmed I could indeed ping and trace to the address and put it down to a user issue, but left the ticket open to have one of our on-site techs give a try.
– later on–
Onsite tech indicated he to had become unable to access www.google.com via the pppoe login option and after getting a first hop response from the gateway the connection simply timed out.
The cause:
I’ll save you from having to hear about everything I tested and tried over the next hour however the actual cause was rather interesting.
The “hosts list” on the hotspot, had old entries from someone with an improperly configured IP address (in this case 192.0.2.1) which had tried to access the login page sometime in the past couple of days and was being held there. This meant that for users connected behind the pppoe interfaces, traffic to 192.0.2.1 was trying to go to that host RATHER than going out the correct default route.
Why? No idea.
The solution:
When the hotspot was setup (we’d reinstalled the machine just recently) it appears someone had forgotten to set the ‘idle-timeout’ value on the hotspot user-profile. This meant all these hosts were being held and the table was getting larger and larger (there were other incorrect addresses in there too).
Better solution: Provided by Mikrotik support
You have an option to allow only specific subnet to reach the HotSpot network.
Add the to ip-binding, specify subnets you would like to allow and set type=regular.
Block any other unneeded subnet by type=blocked.
Eg:
/ip hotspot ip-binding
add address=10.10.40.0/21 comment="Accept (not bypass) anything in the LAN range" disabled=no
add address=0.0.0.0/0 comment="block all else" disabled=no type=blocked
Side note: We don’t use the address-pool option on the hotspots as this causes LAN traffic to pass back (and be counted by) the router which we don’t want (as we let our users have unlimited LAN access to each other) so I’m at quite a loss as to why this routing pattern would occur.

The port "knock" itself is similar to a secret handshake and can considt of any number of TCP, UDP, or ICMP or other protocol packets to numbered ports on the destination machine.The KNock may also consist of text strings sent to the device being knocked to add additional complexity and security.
Port knocking example :

Host send a connection to the one of router ports, the router stores the requester's IP for an amount of time.If the host send a connection again in the other ports, the router will check to see if the IP is the same IP from the first connection. If the IP is the same and the time between first attemp and second is within a specified time then the requester IP will be allowed to access the router.

/ip firewall filter

add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input \
  disabled=no protocol=icmp

add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input
  disabled=no dst-port=80 protocol=tcp src-address-list=ICMP

add  action=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp \
  src-address-list="!ICMP + Http"

(youtube/wiki)