I need to find a solution to get all active LAN clients (IP addresses) which connect from LAN to WAN,
so every connection which is established from "192.168.0.x" to external IP addresses.
We have troubles in our LAN with one or more hosts which randomly try to establish 16k+ connections LAN->WAN.
Yeah, I know, the client needs to be fixed. We are on it (but it's a bit complicated because it's the CEO's laptop ... oh the irony...)
So I want to check every 5s if there are more than, let's say, 16,000 connections in the firewall and, IF this is the case, I would like to find out from which host IP in the LAN these are coming and add that host IP to an address-list "lock".
The firewall rule is already in place:
[spippan@RP-AT-Hivemind] /ip firewall address-list> print where list="lock"
Flags: X - disabled, D - dynamic
# LIST ADDRESS CREATION-TIME TIMEOUT
0 ;;; dummy list entry for LOCK
lock 192.168.254.254 feb/10/2017 12:25:15
[spippan@router] /ip firewall filter> print where chain~"forward"
;;; Lock-Clients in ADDR.List "lock"
chain=forward action=drop src-address-list=lock dst-address-list=!local_nets log=no log-prefix=""
I'm not quite sure how to best realize those steps with a script which can be applied to all LAN clients.
I have a script which is applied for ONE host (so only ONE IP address), but I would like to get it working more dynamically and adaptively.
Current script, which blocks all forwarding for that particular host:
# Host under watch (single, hard-coded address); :tostr is the RouterOS conversion command
:local ipHostIP [:tostr "192.168.0.33"];
# Resolve the host name from its DHCP lease for the log and e-mail text
:local cHostDHCPname [/ip dhcp-server lease get [find where address="$ipHostIP"] host-name];
# Count tracked connections whose source address matches this host
:local iCurConn [/ip firewall connection print count-only where src-address~"$ipHostIP"];
:if ( $iCurConn != 0 ) do={
    :if ( $iCurConn > 16100 ) do={
        :log warning "AntiFlood Info ---> RPPC0016 over 16k OUTBOUND connections!!!";
        # Enable the pre-made drop rule for this host
        /ip firewall filter enable [/ip firewall filter find where comment="Lock-RPPC0016"];
        /tool e-mail send \
            from=router@*** \
            user=user@domain \
            password=***** \
            server=192.168.0.248 \
            port=25 \
            to=recipient@domain \
            start-tls=yes \
            subject="PC \"$cHostDHCPname\" BLOCKED!" \
            body="$cHostDHCPname - $ipHostIP --> has been BLOCKED! was over 16k OUTBOUND connections" ;
    }
}
Cheers
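One way to turn the single-host script above into a per-host check that feeds the existing "lock" address-list, as an added example that is not part of the original post. It assumes the LAN hosts are DHCP clients of this router (the lease table is used as the host inventory), a threshold of 16000, a lock that expires after 1h, and that connection entries list src-address as "ip:port".

```routeros
# Added example (not the original poster's script). Assumptions: hosts are DHCP
# clients of this router, address-list "lock", threshold 16000, lock expires after 1h.
:local threshold 16000;
:local lockTimeout 1h;

# Cheap check first: only walk the hosts when the total suggests a flood.
:if ([/ip firewall connection print count-only] > $threshold) do={
    :foreach lease in=[/ip dhcp-server lease find where status="bound"] do={
        :local ip [/ip dhcp-server lease get $lease address];
        :local name [/ip dhcp-server lease get $lease host-name];
        # Connection entries show src-address as "ip:port"; anchoring on "^ip:"
        # keeps 192.168.0.3 from also matching 192.168.0.33 (the dots in the IP
        # are regex wildcards, which is harmless for dotted-quad addresses).
        :local cnt [/ip firewall connection print count-only where src-address~"^$ip:"];
        :if ($cnt > $threshold) do={
            # Add the host only once; a duplicate add would abort the script.
            :if ([:len [/ip firewall address-list find where list="lock" and address=$ip]] = 0) do={
                /ip firewall address-list add list=lock address=$ip timeout=$lockTimeout \
                    comment="AntiFlood: $name had $cnt outbound connections";
                :log warning "AntiFlood: locked $name ($ip), $cnt connections";
            }
        }
    }
}
# Run it every 5 seconds (assumes the script is saved under the name "antiflood"):
# /system scheduler add name=antiflood interval=5s on-event=antiflood
```

Because the existing forward rule already drops src-address-list=lock to anything outside local_nets, a host added here is cut off from the WAN until the timeout expires, and the log line tells you which lease it was.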