Reefbum
Frequent Visitor
Topic Author
Posts: 64
Joined: Sun Apr 23, 2006 12:00 am

MK Squid issues

Thu Oct 11, 2012 4:46 pm

MK x86-5.19 - with simple setup

WAN Side - Ether1
0.0.0.45/30 ISP -> 0.0.0.46/30 ether1 on MK (WAN)
Fiber provider giving 2 class C public IPs routed (0.0.136.0/24 0.0.171.0/24)

LAN Side - Ether2
Public IP 0.0.136.1/24 ether2
Public IP 0.0.171.1/24 ether2

Users on LAN with DHCP using Public IP from 0.0.171.0/24 with 0.0.171.1 as gateway
Users on LAN with Static IP using Public IP from 0.0.136.0/24 with 0.0.136.1 as gateway
Everything seems to be working and no complaints from users.

However

I am seeing connections in torch src - 0.0.136.254:3128(squid) trying to make many connections out.
This never stops and sometimes the connections can reach as many as 100-150

I'm not running squid and MK proxy is not enabled.
I've added firewall filter rules to block port 3128 and also made sure the 0.0.136.254 IP is not in use on network.

Any clue as to why/what is causing this?



Regards
 
regardtv
Frequent Visitor
Posts: 72
Joined: Sat Jan 21, 2006 6:54 pm
Location: Johannesburg, South Africa

Re: MK Squid issues

Fri Oct 12, 2012 1:43 pm

Hi,

At a guess I'd say that *.*.136.254 has been tagged on the internet as an open proxy. Those are all internet side connections trying to connect TO 136.254 and abuse its open relay.

From what you've indicated 136.254 is in your static range - how did you check that the IP doesn't exist? Use /

Check "/IP ARP PRINT" to confirm that .254 is NOT on your lan at all.

If after this you can confirm that the .254 IP isn't on your network then more than likely it's simply a case of internet hosts trying to connect to that IP. I'd assume at some point that specific IP was then an open relay and may have appeared online in one of the 'open proxy' lists.

Since you obviously wish to protect your IP - let me ask this - ... is your upstream service provider Telemar? If so, and I found your IP - then it would appear either the Mikrotik server HAS 136.254 as an IP or that a NAT is indeed in place ;-) I'm assuming it's you since the Mikrotik port has been moved from the standard port ;-)

Wasn't trying to intrude - just have a look to confirm my suspicions ;-)
 
Reefbum
Frequent Visitor
Topic Author
Posts: 64
Joined: Sun Apr 23, 2006 12:00 am

Re: MK Squid issues

Fri Oct 12, 2012 4:20 pm

I've checked the ARP list many times and no .136.254 is found.
input and forward rules to drop all traffic to/from IP addresses that have not been issued to clients (.136.254 is in this list)

In firewall nat there are no rules of any kind

Upstream provider not Telemar
I'm not sure you found the correct IP, MK port is on default port.
SSH and Web ports have been changed to non-standard ports.
All other 'ip service' ports have been disabled. Firewall rules drop anything on the MK, SSH and Web ports and 4 knock ports in firewall are in use that have to be knocked in sequence to gain access to box for 1hr.

It does not appear that any traffic is being allowed to/from 136.254 so I would think they would give up trying but this has been going on for a few months now.

Regards
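
Added example, not part of any post in this thread: one way to test the two explanations discussed above (internet hosts probing the unused address versus a device on the LAN actually answering as it) is to add passthrough log rules that separate the traffic by interface and direction. The interface names and addresses are the ones from the first post; the log prefixes and comments are made up for illustration.

```routeros
# Added example, not from the thread. ether1 = WAN and ether2 = LAN as in the
# first post; log prefixes are illustrative. action=log is passthrough, so
# these rules only count and log. Move them above the existing drop rules,
# otherwise the drops match first and these counters stay at zero.
/ip firewall filter

# Case 1: outside hosts trying to reach a proxy on the unused address
# (the explanation suggested in the second post).
add chain=forward action=log log-prefix="254-probe-wan" \
    in-interface=ether1 dst-address=0.0.136.254 \
    protocol=tcp dst-port=3128 comment="probes from WAN to .254:3128"

# Case 2: something on the LAN is sending as .254 from port 3128.
# The log entry carries the source MAC, which identifies the device even
# though the address never shows up in the ARP table.
add chain=forward action=log log-prefix="254-reply-lan" \
    in-interface=ether2 src-address=0.0.136.254 \
    protocol=tcp src-port=3128 comment="replies from LAN as .254:3128"

# Case 3: packets claiming .254 as source but arriving on the WAN side.
# The /24 is routed to ether2, so these cannot be legitimate.
add chain=forward action=log log-prefix="254-spoof-wan" \
    in-interface=ether1 src-address=0.0.136.254 \
    comment="source .254 arriving from WAN"

# Case 4: LAN clients configured to use .254 as their proxy.
add chain=forward action=log log-prefix="254-client-lan" \
    in-interface=ether2 dst-address=0.0.136.254 \
    protocol=tcp dst-port=3128 comment="LAN clients asking for .254:3128"

# After a few minutes, check which prefixes appear.
/log print
```

Only case 1 firing matches the open-proxy-list explanation; case 2 firing means a host behind ether2 is using the address and its MAC is in the log line.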
