rigan123
just joined
Topic Author
Posts: 13
Joined: Mon Nov 28, 2011 12:50 pm

WAN interface usage is higher than LAN interface usage

Wed Nov 06, 2013 11:58 am

I've found something very strange.

I've only one LAN interface active and I've configured NAT. I see my WAN interface usage has more usage than LAN. And it is always killing my 7-8 Mbps bandwidth (approx) taken from upstream.
Any idea?
 
TrollMan
Member Candidate
Posts: 168
Joined: Mon Apr 04, 2011 9:25 pm

Re: WAN interface usage is higher than LAN interface usage

Wed Nov 06, 2013 12:24 pm

Check so it's not a DNS amplification attack
 
alex_rhys-hurn
Member
Posts: 352
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: WAN interface usage is higher than LAN interface usage

Wed Nov 06, 2013 5:12 pm

Hello,

In my experience, this situation is almost always caused by lack of or incorrect firewall configuration.

Many people consider that the use of NAT is firewalling. It is not.

The source of this traffic is often that either or both the DNS server and/or web proxy are enabled on the router, but not protected by specific firewall filter rules, and so somebody out there on the internet is relaying their DNS and Web Proxy requests through your router.

This manifests itself to you as high traffic in to and out of your router WAN interface.

If you enable those features you MUST have firewall rules that block access to those services.

Good hunting!

Alex
 
rigan123
just joined
Topic Author
Posts: 13
Joined: Mon Nov 28, 2011 12:50 pm

Re: WAN interface usage is higher than LAN interface usage

Thu Nov 07, 2013 11:52 am

Hello,

In my experience, this situation is almost always caused by lack of or incorrect firewall configuration.

Many people consider that the use of NAT is firewalling. It is not.

The source of this traffic is often that either or both the DNS server and/or web proxy are enabled on the router, but not protected by specific firewall filter rules, and so somebody out there on the internet is relaying their DNS and Web Proxy requests through your router.

This manifests itself to you as high traffic in to and out of your router WAN interface.

If you enable those features you MUST have firewall rules that block access to those services.

Good hunting!


Alex

Thank you for your reply.
But I've not enabled web proxy or even DNS server.

Here is my IP address:

[@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 ;;; LAN
172.18.0.1/24 172.18.0.0 172.18.0.255 LAN
1 ;;; WAN REDUNDANT
197.149.132.29/27 197.149.132.0 197.149.132.31 WAN-REDUNDANT
2 ;;; LAN
197.149.132.129/26 197.149.132.128 197.149.132.191 LAN
3 172.30.0.2/24 172.30.0.0 172.30.0.255 LAN



[@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=accept protocol=tcp src-address=172.18.0.0/24 dst-address=76.73.102.146 dst-port=25

1 chain=forward action=accept protocol=tcp src-address=172.18.0.10 dst-port=25

2 chain=forward action=accept protocol=tcp src-address=172.18.0.0/24 dst-address=198.57.182.14 dst-port=25

3 chain=forward action=accept protocol=tcp src-address=172.18.0.148 dst-address=50.116.75.96 dst-port=25

4 chain=forward action=accept protocol=tcp src-address=172.18.0.12 dst-address=0.0.0.0/0 dst-port=25

5 chain=forward action=accept protocol=tcp src-address=172.18.0.13 dst-address=66.96.143.176 dst-port=25

6 chain=forward action=accept protocol=tcp src-address=172.18.0.88 dst-address=70.168.92.167 dst-port=25

7 chain=forward action=accept protocol=tcp src-address=172.18.0.104/29 dst-address=197.149.132.10 dst-port=25

8 chain=forward action=accept protocol=tcp src-address=172.18.0.74 dst-port=25

9 chain=forward action=accept protocol=tcp src-address=172.18.0.130 dst-port=25

10 chain=forward action=accept protocol=tcp src-address=172.18.0.144/29 dst-address=197.149.132.10 dst-port=25

11 chain=forward action=accept protocol=tcp src-address=172.18.0.0/28 dst-address=197.149.132.10 dst-port=25

12 chain=forward action=accept protocol=tcp dst-address=66.96.147.112 dst-port=25

13 chain=forward action=accept protocol=tcp src-address=172.18.0.5 dst-address=197.149.132.10 dst-port=25

14 chain=forward action=reject reject-with=icmp-network-unreachable protocol=tcp src-address=172.18.0.0/24 dst-address=0.0.0.0/0 dst-port=25

15 chain=forward action=reject reject-with=icmp-network-unreachable protocol=tcp dst-port=25

16 ;;; OS
chain=input action=accept src-address=197.149.132.0/22

17 chain=input action=accept src-address=172.18.0.0/24

18 chain=input action=accept protocol=icmp

19 chain=input action=drop connection-state=invalid

20 chain=input action=reject reject-with=icmp-network-unreachable connection-state=established

21 chain=input action=reject reject-with=icmp-network-unreachable protocol=udp

22 chain=input action=drop

23 ;;; Bogons
chain=forward action=drop src-address=0.0.0.0/8

24 chain=forward action=drop dst-address=0.0.0.0/8

25 chain=forward action=drop src-address=127.0.0.0/8

26 chain=forward action=drop dst-address=127.0.0.0/8

27 chain=forward action=drop src-address=224.0.0.0/3

28 chain=forward action=drop dst-address=224.0.0.0/3

29 ;;; ICMP
chain=icmp action=accept protocol=icmp icmp-options=0:0

30 chain=icmp action=accept protocol=icmp icmp-options=3:0

31 chain=icmp action=accept protocol=icmp icmp-options=3:1

32 chain=icmp action=accept protocol=icmp icmp-options=4:0

33 chain=icmp action=accept protocol=icmp icmp-options=8:0

34 chain=icmp action=accept protocol=icmp icmp-options=11:0

35 chain=icmp action=accept protocol=icmp icmp-options=12:0

36 chain=icmp action=drop

37 ;;; Reject Other Traffics
chain=forward action=reject reject-with=icmp-network-unreachable src-address=192.168.0.0/16 in-interface=LAN

38 chain=forward action=reject reject-with=icmp-network-unreachable dst-address=192.168.0.0/16

39 chain=forward action=reject reject-with=icmp-network-unreachable src-address=10.0.0.0/8

40 chain=forward action=reject reject-with=icmp-network-unreachable dst-address=10.0.0.0/8

41 chain=forward action=reject reject-with=icmp-network-unreachable src-address=169.254.0.0/16

42 chain=forward action=reject reject-with=icmp-network-unreachable dst-address=169.254.0.0/16

43 chain=forward action=reject reject-with=icmp-network-unreachable src-address=172.30.0.0/24

44 chain=forward action=reject reject-with=icmp-network-unreachable dst-address=172.30.0.0/24

45 X ;;; Facebook Block
chain=forward action=drop src-address=172.18.0.14 dst-address=69.171.224.0/19

46 X chain=forward action=reject reject-with=icmp-network-unreachable src-address=172.18.0.14 dst-address=69.63.176.0/20

47 X chain=forward action=reject reject-with=icmp-network-unreachable src-address=172.18.0.14 dst-address=66.220.144.0/20

48 X chain=forward action=reject reject-with=icmp-network-unreachable src-address=172.18.0.14 dst-address=204.74.64.0/18

49 ;;; BCN BL
chain=forward action=reject reject-with=icmp-network-unreachable protocol=tcp src-address=197.149.133.0/24 dst-port=25

50 ;;; Video Block(RAMP)
chain=forward action=drop src-address=197.149.132.146 layer7-protocol=Youtube

51 chain=forward action=drop src-address=197.149.132.146 layer7-protocol=Facebook time=9h-16h,sun,mon,tue,wed,thu,fri,sat

52 chain=forward action=drop src-address=197.149.132.146 dst-address=92.122.126.0/24

53 chain=forward action=reject reject-with=icmp-network-unreachable src-address=197.149.132.146 dst-address=195.245.125.0/24

54 ;;; Block Attack
chain=forward action=drop protocol=udp dst-port=19
 
alex_rhys-hurn
Member
Posts: 352
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: WAN interface usage is higher than LAN interface usage

Thu Nov 07, 2013 2:33 pm

Hi,

Please be sure that /ip proxy enabled=no and also /ip dns allow-remote-requests = no.

Finally, if you really don't have the above enabled / firewalled, then I have seen this in one other scenario, and this was provider related.

Here goes:

The design was where an ISP had provided their own POP in a commercial building. They had installed a cisco metro switch to which they distributed internet to many customers in the building.

I connected my RB1100AHx2 to the provider switch, and immediately saw what you are seeing in the form of a lot of traffic on my wan interface, even when I disable my lan interfaces.

It turned out that the provider had not enabled port security on their access ports, and I was seeing traffic being generated by the other customers of the ISP within the building.

I ran CDP / ip neighbours on that interface and was able to "see" the neighboring customers on that switch. We were all on the same vlan.

The ISP enabled port security and listed my MAC address, and the problem was solved.

I don't know if I have explained that very well, but maybe it can help you.

All the best,

Alex
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: WAN interface usage is higher than LAN interface usage

Thu Nov 07, 2013 3:42 pm

You can also run torch on the WAN interface to see what is causing the traffic.
 
kasana825
just joined
Posts: 6
Joined: Sun Dec 04, 2016 7:27 pm

Re: WAN interface usage is higher than LAN interface usage

Tue Aug 01, 2017 10:15 pm

Same problem please help
Thanks
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: WAN interface usage is higher than LAN interface usage

Tue Aug 01, 2017 10:20 pm

Same problem please help
Thanks
Before necro-posting, did you try following the advice from the thread?
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: WAN interface usage is higher than LAN interface usage

Tue Aug 01, 2017 11:32 pm

An inbound queue can cause this. In the case of a single TCP connection, the sender will send packets as fast as it can until it detects packet loss. Then it'll slow its transmission until the point where packets are not being lost. In the case of many short-lived TCP connections, such as many internal users browsing websites, the senders will all send as fast as they can at the beginning of a TCP connection. So you'll see a high rx rate on the WAN, then your queue drops packets, and a lower tx rate on your LAN.

You have a default drop rule for inbound packets on wan. So your DNS service in the Mikrotik isn't being hammered. But a denial of service could still be happening. Tools > Torch will show you what remote IPs are sending to what ports. That'll be your best bet on troubleshooting.
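An added example, not code from the thread or from MikroTik: a small first-match evaluator for the input chain exactly as rigan123 printed it, so the reading above ("default drop on input, so the router's DNS is not reachable from the internet") and Alex's earlier point about protecting DNS and proxy can be checked rule by rule. It assumes single-valued dst-port matchers (no port lists or ranges) and uses the constructed address 203.0.113.7 as an internet-side source.

```python
import ipaddress
import re
# Constructed from the thread's "/ip firewall filter print" output: the input
# chain (rules 16-22), kept in the same flattened one-rule-per-line format.
RULE_DUMP = """\
16 ;;; OS
chain=input action=accept src-address=197.149.132.0/22
17 chain=input action=accept src-address=172.18.0.0/24
18 chain=input action=accept protocol=icmp
19 chain=input action=drop connection-state=invalid
20 chain=input action=reject reject-with=icmp-network-unreachable connection-state=established
21 chain=input action=reject reject-with=icmp-network-unreachable protocol=udp
22 chain=input action=drop
"""
ROUTER_WAN = "197.149.132.29"  # the router's WAN address from the thread

def parse_rules(dump):
    """Parse print output into ordered dicts; skip ';;;' comments and X (disabled) rules."""
    rules, disabled = [], False
    for line in dump.splitlines():
        m = re.match(r"^(\d+)\s+(X\s+)?(.*)$", line)
        if m:  # index line: remember the disabled flag for the rule body that follows
            disabled, line = bool(m.group(2)), m.group(3)
        if not line.strip() or line.startswith(";;;") or disabled:
            continue
        rules.append(dict(kv.split("=", 1) for kv in line.split()))
    return rules

def matches(rule, pkt):
    """A rule matches only if every matcher it carries agrees with the packet."""
    for key in ("chain", "protocol", "connection-state", "in-interface"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("src-address", "dst-address"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in \
                ipaddress.ip_network(rule[key], strict=False):
            return False
    return "dst-port" not in rule or int(rule["dst-port"]) == pkt.get("dst-port")

def verdict(rules, pkt):
    """First matching rule decides; RouterOS accepts a packet no rule matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

def probe(src, protocol, dst_port, dump=RULE_DUMP):  # new packet to the router itself
    pkt = {"chain": "input", "protocol": protocol, "src-address": src,
           "dst-address": ROUTER_WAN, "dst-port": dst_port, "connection-state": "new"}
    return verdict(parse_rules(dump), pkt)
```

`probe("203.0.113.7", "udp", 53)` returns `reject` (rule 21) and `probe("203.0.113.7", "tcp", 8080)` returns `drop` (rule 22), which is the reading above; note that `probe("197.149.133.5", "udp", 53)` returns `accept`, because rule 16 admits the whole 197.149.132.0/22 provider block, so a neighbour on the same provider switch would reach any service the router exposes.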
 
kasana825
just joined
Posts: 6
Joined: Sun Dec 04, 2016 7:27 pm

Re: WAN interface usage is higher than LAN interface usage

Fri Jan 05, 2018 6:20 pm

yes I did but same problem
 
kasana825
just joined
Posts: 6
Joined: Sun Dec 04, 2016 7:27 pm

Re: WAN interface usage is higher than LAN interface usage

Fri Jan 05, 2018 6:23 pm

port 1 - WAN, bridge with port 2 and 3, and hotspot on port 4, and on port 5 LAN configured PPPoE
