diff --git a/luci-app-zapret/htdocs/luci-static/resources/view/zapret/settings.js b/luci-app-zapret/htdocs/luci-static/resources/view/zapret/settings.js
index fa641d6..8468fde 100644
--- a/luci-app-zapret/htdocs/luci-static/resources/view/zapret/settings.js
+++ b/luci-app-zapret/htdocs/luci-static/resources/view/zapret/settings.js
@@ -86,6 +86,10 @@ return view.extend({
 o.rmempty = false;
 o.default = 0;
+ o = s.taboption(tabname, form.Flag, 'FILTER_TTL_EXPIRED_ICMP', 'FILTER_TTL_EXPIRED_ICMP');
+ o.rmempty = false;
+ o.default = 1;
+
 o = s.taboption(tabname, form.ListValue, 'MODE_FILTER', _('MODE_FILTER'));
 //o.value('none', 'none');
 //o.value('ipset', 'ipset');
diff --git a/zapret/config.default b/zapret/config.default
index c0d26ce..3358b7b 100644
--- a/zapret/config.default
+++ b/zapret/config.default
@@ -136,6 +136,11 @@ DISABLE_IPV4=0
 # do not work with ipv6
 DISABLE_IPV6=1
+# drop icmp time exceeded messages for nfqws tampered connections
+# in POSTNAT mode this can interfere with default mtr/traceroute in tcp or udp mode. use source port not redirected to nfqws
+# set to 0 if you are not expecting connection breakage due to icmp in response to TCP SYN or UDP
+FILTER_TTL_EXPIRED_ICMP=1
+
 # select which init script will be used to get ip or host list
 # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
 # comment if not required
diff --git a/zapret/def-cfg.sh b/zapret/def-cfg.sh
index ef70155..01c2b5f 100755
--- a/zapret/def-cfg.sh
+++ b/zapret/def-cfg.sh
@@ -14,6 +14,7 @@ function set_cfg_default_values
 set $cfgname.config.INIT_APPLY_FW='1'
 set $cfgname.config.DISABLE_IPV4='0'
 set $cfgname.config.DISABLE_IPV6='1'
+ set $cfgname.config.FILTER_TTL_EXPIRED_ICMP='1'
 set $cfgname.config.MODE_FILTER='hostlist'
 set $cfgname.config.DISABLE_CUSTOM='0'
 set $cfgname.config.WS_USER='daemon'
diff --git a/zapret/sync_config.sh b/zapret/sync_config.sh
index 3c0fcff..6229614 100755
--- a/zapret/sync_config.sh
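Review bot: The new Flag in settings.js passes the bare string 'FILTER_TTL_EXPIRED_ICMP' as its title, while the ListValue on the following context line routes its title through `_()`, so this label presumably bypasses translation. The option also has no description, although it toggles a firewall filter that the config.default comment says can interfere with mtr/traceroute in POSTNAT mode; someone changing it in the UI gets no hint of that. taboption accepts a description after the title, for example `o = s.taboption(tabname, form.Flag, 'FILTER_TTL_EXPIRED_ICMP', _('FILTER_TTL_EXPIRED_ICMP'), _('Drop ICMP time exceeded for nfqws tampered connections; may interfere with mtr/traceroute in POSTNAT mode'));`. The enclosing view.extend body starts and ends outside the hunk.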
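Review bot: set_cfg_default_values in def-cfg.sh is the only place visible in this commit that writes FILTER_TTL_EXPIRED_ICMP into the UCI config, so a device upgraded with a config created before this option existed may not have the key when sync_config.sh reaches `sync_param FILTER_TTL_EXPIRED_ICMP`. What sync_param does with a missing option is outside these hunks; if it writes an empty value, the filter would presumably be off on upgraded installs while new installs get `1`. Either an upgrade step that sets the key, or a comment above the new line such as `# new option: configs created before it existed must get this key set on upgrade`, would make the intended behaviour explicit. The function body starts and ends outside the hunk.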
+++ b/zapret/sync_config.sh
@@ -80,6 +80,7 @@ sync_param FLOWOFFLOAD
 sync_param INIT_APPLY_FW
 sync_param DISABLE_IPV4
 sync_param DISABLE_IPV6
+sync_param FILTER_TTL_EXPIRED_ICMP
 sync_param MODE_FILTER
 sync_param DISABLE_CUSTOM
 sync_param WS_USER str