Prevent IP spoofing

Hello!

What is the best way to implement (quote from Microsoft):
DDoS attacks commonly involve spoofing the origin address of the attack packets; with egress filtering on, your network will never forward those packets out to the rest of the world.

So I want to be sure my network sends only packets with valid source IPs.
My configuration is very simple:
Interface1 has the WAN IP (real IP, routed)
behind Interface2 there is a LAN IP subnet (real customer IP addresses) and a LAN IP subnet (local addresses for local devices)

Is the option “ip-settings (strict)” enough, or should I write some firewall rules?

Hi,
Well, if I understand you correctly, this would be one approach to solve your problem.
Define an access list including your Public/Local/etc. IP addresses, then add a firewall rule which matches if the packets are going out from your WAN (Out interface = WAN) and the source addresses are in your access list, then set the action to allow these packets. Add another firewall rule with out interface = WAN but without any other rule, then set the action to drop. This will route only your IP addresses through the WAN interface.

Thanks pooyamz. This seems to be what I was looking for.

But anyway, could someone who knows the RFC help me to understand:

When I set rp_filter strict as described in
http://wiki.mikrotik.com/wiki/Manual:IP/Settings

Is this equal to pooyamz's suggestions?

So should I do the below?

Create a firewall rule, then:

Chain: forward
Out Interface: your uplink port
Source Address: your allowed IPs
Action: allow

Chain: forward
Out Interface: your uplink port
Action: drop

I would be thankful if one of the moderators could help me.

Thanks.
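The two-rule egress filter discussed above, written out as RouterOS commands. This is an added example, not configuration posted by anyone in this thread; the interface name ether1 and the two prefixes are placeholders to replace with your own WAN port and address blocks.

```routeros
# Address list of every source prefix this router may legitimately forward out to the Internet.
# 203.0.113.0/24 (customer public block) and 192.168.88.0/24 (local devices) are placeholder values.
/ip firewall address-list
add list=egress-allowed address=203.0.113.0/24 comment="customer public addresses"
add list=egress-allowed address=192.168.88.0/24 comment="local device addresses"

# Egress filter in the forward chain. Rules are evaluated top-down and "add" appends,
# so the accept rule lands above the drop rule.
/ip firewall filter
add chain=forward out-interface=ether1 src-address-list=egress-allowed action=accept comment="egress: accept only our own source addresses"
add chain=forward out-interface=ether1 action=drop log=yes log-prefix="spoofed-egress" comment="egress: drop anything else leaving the WAN"

# Complementary reverse-path check: with strict mode a packet is dropped when the route
# back to its source address does not point out the interface the packet arrived on.
/ip settings set rp-filter=strict
```

The logged drop rule also gives you a counter and log entries to watch, so a host on the LAN that starts emitting forged source addresses shows up as "spoofed-egress" hits instead of leaving silently.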

A year has passed since this thread was opened, but MikroTik hasn't offered any products with more SFP+ ports so far.
I'm bumping this thread to remind that this suggestion could really be useful for many. With the recent development of 10G networks, even new mid-range servers have 10G ports. With only 2 ports on MikroTik, that leaves only downlink and uplink, leaving no available ports to connect endpoints with 10G in most networks.