Hi there,
I’ve a WISP with 100+ users with 1 public IP address. I’m facing this problem https://support.google.com/websearch/answer/86640?hl=en.
How can I find which user IP is sending automated queries to Google?
I’ve set up a mangle rule but just can’t find anything.
Can somebody help me?
You might want to set up some traffic monitoring. That is, log EVERY connection made to Google, and the private IP of it. Soon after, you’ll see upon viewing the log if a certain private IP is making too many requests in too short a time frame, or perhaps if the overall rate is becoming too much, and you need a new public IP to move some of your customers to.
What about logging every NAS and watching which NAS is doing the biggest traffic?
That’s kinda what I meant, yeah.
Although if multiple devices (as in, multiple private IPs) connect through the same NAS, this wouldn’t help you locate the exact client, but would still help you narrow your search.
First I would check if your firewall/router etc. is compromised. Google is pretty good at differentiating normal NATed traffic from abuse. Nine times out of ten we find that there is a compromised system behind this problem.
What did you mean with:
"if your firewall/router etc. is compromised"?
I’m using all Mikrotik routers on all NAS and internet gateway. All is working fine.
The problem might be caused by a client being compromised but it can also be caused by problems on (e.g.) your firewall itself.
If you email me we can check your external IP for the most obvious problems. Please don’t post the IP publicly.
In 90% of cases the problem is caused by a web proxy open on the WAN:
some remote PC can browse through your web proxy.
Check if you have the web proxy activated, and disable it, or add a NAT rule to block all unsolicited new connections from WAN to the web proxy port.
It sounds like you’re going to need a little more help than you’ll generally get from the user forum. Let me know if you would like some detailed help. You can get my contact info from my website.
Joshaven Potter
http://joshaven.com
What do your filters look like on the input chain? Do you have the web proxy running?
Hi there,
thanks for all your posts.
Here is what I have:
ip proxy print
enabled: no
Address list:
/ip firewall address-list
add address=64.233.161.0/24 list=Google
add address=64.233.183.0/24 list=Google
add address=66.102.7.0/24 list=Google
add address=66.249.93.0/24 list=Google
add address=64.233.167.0/24 list=Google
add address=64.233.185.0/24 list=Google
add address=66.102.9.0/24 list=Google
add address=64.233.171.0/24 list=Google
add address=64.233.187.0/24 list=Google
add address=66.102.11.0/24 list=Google
add address=64.233.179.0/24 list=Google
add address=64.233.189.0/24 list=Google
add address=66.249.87.0/24 list=Google
add address=74.125.70.0/24 list=Google
add address=72.14.207.0/24 list=Google
add address=107.178.192.0/18 list=Google
add address=173.194.0.0/16 list=Google
add address=216.239.53.0/24 list=Google
add address=216.239.63.0/24 list=Google
add address=216.239.32.0/19 list=Google
add address=216.239.53.0/24 list=Google
add address=216.239.37.0/24 list=Google
And this mangle for each NAS:
/ip firewall mangle
add action=log chain=forward comment="NAS1 to Google" connection-state=new \
    dst-address-list=Google log-prefix=Nas1-Google out-interface=ether2 \
    src-address=172.16.128.0/24
So I have no proxy and I have set up a rule to count how many requests are sent to Google IP prefixes.
I guess I have to put a rule for each client that connects to my network, so 100+ rules!
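
Added example, not part of the thread: a firewall log entry records the source address of each logged connection, so the per-NAS log rule above can be aggregated per client instead of adding one rule per client. This sketch assumes log lines shaped like RouterOS firewall log output (for example, forwarded to a syslog file); the sample lines, the function names and the per-minute limit are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed line shape, modelled on RouterOS firewall log output:
# "<date> <hh:mm:ss> firewall,info <log-prefix> forward: in:X out:Y, ..., SRC:PORT->DST:PORT, len N"
LINE_RE = re.compile(
    r"^(?P<minute>\S+ \d\d:\d\d):\d\d \S+ (?P<prefix>\S+) forward: .*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+->(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)

# Constructed sample lines (addresses and MACs are made up).
SAMPLE_LOG = """\
jan/15 10:00:01 firewall,info Nas1-Google forward: in:ether3 out:ether2, src-mac 00:0c:42:aa:bb:01, proto TCP (SYN), 172.16.128.23:50112->173.194.44.80:443, len 60
jan/15 10:00:02 firewall,info Nas1-Google forward: in:ether3 out:ether2, src-mac 00:0c:42:aa:bb:02, proto TCP (SYN), 172.16.128.77:40001->173.194.44.81:80, len 60
jan/15 10:00:02 firewall,info Nas1-Google forward: in:ether3 out:ether2, src-mac 00:0c:42:aa:bb:02, proto TCP (SYN), 172.16.128.77:40002->173.194.44.81:80, len 60
jan/15 10:00:03 firewall,info Nas1-Google forward: in:ether3 out:ether2, src-mac 00:0c:42:aa:bb:02, proto TCP (SYN), 172.16.128.77:40003->173.194.44.82:80, len 60
jan/15 10:00:04 firewall,info Nas1-Google forward: in:ether3 out:ether2, src-mac 00:0c:42:aa:bb:02, proto TCP (SYN), 172.16.128.77:40004->173.194.44.82:80, len 60
jan/15 10:00:30 firewall,info Nas2-Google forward: in:ether4 out:ether2, src-mac 00:0c:42:aa:cc:05, proto TCP (SYN), 172.16.129.5:51000->216.239.32.10:443, len 60
jan/15 10:01:10 firewall,info Nas1-Google forward: in:ether3 out:ether2, src-mac 00:0c:42:aa:bb:01, proto TCP (SYN), 172.16.128.23:50113->173.194.44.80:443, len 60
jan/15 10:01:12 firewall,info Nas1-Google forward: in:ether3 out:ether2, src-mac 00:0c:42:aa:bb:02, proto TCP (SYN), 172.16.128.77:40005->173.194.44.81:80, len 60
jan/15 10:01:15 system,info,account user admin logged in via winbox
"""

def per_client_rates(lines, prefix_suffix="-Google"):
    """Return {private_ip: (total_new_connections, peak_per_minute)}."""
    totals = Counter()
    buckets = defaultdict(Counter)  # src -> minute -> count
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["prefix"].endswith(prefix_suffix):
            continue  # unrelated log topic or a different log-prefix
        totals[m["src"]] += 1
        buckets[m["src"]][m["minute"]] += 1
    return {src: (totals[src], max(buckets[src].values())) for src in totals}

def heavy_clients(lines, per_minute_limit):
    """Clients whose peak new-connection rate exceeds the limit, busiest first."""
    rates = per_client_rates(lines)
    hits = [(src, peak) for src, (_, peak) in rates.items() if peak > per_minute_limit]
    return sorted(hits, key=lambda item: -item[1])

if __name__ == "__main__":
    for src, peak in heavy_clients(SAMPLE_LOG.splitlines(), per_minute_limit=3):
        print(f"{src} peaked at {peak} new connections to Google in one minute")
```
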