Address range in firewall address list

RouterOS Beginner Basics
1

I’m setting up a firewall (RB951) where I want to use address lists to reduce the number of rules. Some of the addresses I want to block are actually ranges of addresses - not entire subnets. Is this possible in RouterOS? If it is - how? Will it work to just enter the start and end address in the list entry?
Example: I want to exclude the address range from 113.169.0.85 to 113.191.255.255.

-Olaf-

2

Why do you want to block via address lists.
For example in my input chain as last rule
chain=input action=drop (anything I have not explicitly allowed is dropped)

Same on the forward chain, i set to what I allow and
then I have a drop all rule last, so anything else is dropped.

The traffic I allow in the input chain is basically the safe default rules and
a. admin to the router
b. LAN to dns services

The traffic I allow in the forward chain is safe default rules and
a. LAN to internet
b. some intervlan traffic to a shared printer
c. any port forwarding required (with a source address list for specific external users).

What do you hope to accomplish??

3

Hi Anav.
Thanks for your response.
I’m running a mail server in my LAN, and have forwarded the needed ports for the outside to reach my server. I experience, however, that there is a lot of attempts to “break into” the server. The server is obviously refusing this access unless the “outside” provides the needed authentication, but it makes the mail server more busy than needed.

I’m now running a Zyxel router where I have blocked addresses that have generated this kind of traffic, and it has resulted in a better environment for the server. I’m now in the process of switching to a Mikrotik router, and would like to do the same thing there.

-Olaf-

4

Update:
I tried to add ranges of IP-addresses to the address list and found that if I entered ranges that were possible to convert to a subnet, then Mikrotik automatically did the conversion and added the correct netmask. Great !!
-Olaf-

5

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Address_list

you can also do 192.168.1.10-192.168.1.20 , for example

 /ip firewall filter add chain=forward src-address=192.168.1.10-192.168.1.20 action=drop
6

Ahh, that makes much sense!
I was aware of being blacklisted due to spam email coming from ones home based email server and found this from sindy…

But to quickly resolve your urgent matter, the following script line should do what you need:
/ip firewall filter add chain=forward place-before=[find comment~“from WAN”] action=drop protocol=tcp dst-port=25 src-address=!lan-side.ip.of.your.mail.server in-interface=!ether1 log=yes log-prefix=“suspicious SMTP client:”

This rule drops attempts to establish a TCP connection to port 25 except connection attempts coming from outside (i.e. via ether1 which seems to be your WAN interface) and from your mail server’s IP address.

The log=yes part helps you identify devices in your network which are responsible for the blacklisting, as each attempt of such device to establish a SMTP connection will be logged, showing the IP address of the device. /log print where topics~“firewall” message~“suspicious” will show only these log records.

In any case not sure how you log or find failed attempts to access your server but typically one identifies failed attempts on the firewall (forward chain in this case?) and add the IPs to firewall address list.
I would imagine dropping that list in raw firewall is a reasonable/efficient spot to do so.

7

Thanks again for feedback and suggestions.
Seems llike I’ve not been very accurate in my explanations… (if I understand the firewall scripts mentioned above correctly).

The problem is unwanted traffic from the outside (WAN) into my mailserver. Attempts to get access may look like:
00:09:05 0008F9 SMTP Connection from 141.98.80.48 port 587
00:09:05 0008F9 SMTP → 220 interchg.infokomp.no ESMTP ready
00:09:06 0008F9 SMTP ← EHLO [141.98.80.48]
00:09:06 0008F9 SMTP → 250-interchg.infokomp.no Hello [141.98.80.48]
00:09:06 0008F9 SMTP → 250-8BITMIME
00:09:06 0008F9 SMTP → 250-AUTH CRAM-MD5
00:09:06 0008F9 SMTP → 250-STARTTLS
00:09:06 0008F9 SMTP → 250-PIPELINING
00:09:06 0008F9 SMTP → 250 SIZE 629145600
00:09:06 0008F9 SMTP ← AUTH CRAM-MD5
00:09:06 0008F9 SMTP → 334 PGY0ZTJlYzc3LjJiYzIwYjc0QGludGVyY2hnLmluZm9rb21wLm5vPg==
00:09:07 0008F9 SMTP ← dG9yZSA3ZDNmYmJmMjUzNGYyZGM5OWIyMjhlYTg3M2U0YTRhNA==
00:09:07 0008F9 SMTP Authenticating as user: tore
00:09:07 0008F9 Incorrect password for user TORE
00:09:07 0008F9 SMTP Authenticate failed from 141.98.80.48 user tore
00:09:09 0008F9 SMTP → 550 Authenticate failed
00:09:09 0008F9 SMTP Connection lost
00:09:09 0008F9 Connection closed

Sometimes this kind of attempts may occur with only a second or two interval.
To avoid these attempts I’ve, over time, recorded the most active IP addresses and configured my current firewall (ZyWall) block them.
When sorting out how to set up address lists, this seems to be doable, also in Mikrotik.

The mailserver also needs some open ports for SMTP, IMAP, WebMail, and there is a CloudKey wifi controller in the LAN. After trying to do this configuration, my setup looks like this. Hope it is not too way off…
Thanks again for your comments and recommendations!
-Olaf-

I’m configuring the router via Winbox. Have attached an export file to show my temporary config.
config.txt (6.56 KB)

8

@omberli, you should on your server use a background tool like fail2ban to automatically ban the IP of such hackers trying to hack such server accounts.
The IP-ban should last for some minutes and then released automatically (to be configured by you).
The fail2ban tool can also put these attackers to a list for further analysis, as well also for manual abuse-reporting per email (if you have time for this work :slight_smile:) to the ISP of the attacker (see “whois ip_address_of_attacker” and therein for “abuse contact” etc.)…
Ie. fail2ban uses the local firewall of the server itself, not the firewall of the router/switch.

Trying to ban them in the firewall of the router/switch is not recommended, as the hackers/attackers usually use dynamic IPs, ie. they change their IP every day or on demand… and you couldn’t catch-up with them… and your list of addresses would grow and grow so that the firewall would make the network very slow with such big address lists…

Of course: you need to have the original public IP of the attacker, and not a SNATted local IP. But according to your log excerpt you already get the public IP.

S.a.
https://en.wikipedia.org/wiki/Fail2ban
https://en.wikipedia.org/wiki/SMTP_Authentication

9

Thanks, mutluit.
Fail2ban looks like an interesting tool. From what I’m able to see on the Wiki, this is running on a “Unix-like OS”. My mailserver is running on a Windows box…

-Olaf-

10

These types of issues cannot really be solved with networking/firewall equipment like Mikrotik. Especially if you are dealing with SMTP you need to take other criteria into mind (eg. reputation). In essence SMTP is a general public service so IF you decided to run your own public SMTP-host, you should be willing to accept any inbound connection from anywhere in the world initially, but perhaps later terminate it because it failed SMTP Authentication (like here). But the initial connection acceptance & dialog is a fact…
So we ARE talking about public SMTP right ? Or is SMTP used here in the context of end-users injecting mail that needs to be delivered further on ? (then port 25 should not be used)

However, perhaps you can do something with Mikrotik, similar like I used for other purposes. → Have some config where you ADD remote SMTP IP’s to an IP ACL if they make TOO MANY connections from the same IP in a given time-slot. (they are put on a access-list and in your firewall you have a DROP rule for TCP/25 coming from these IP’s)
There is some specific config you can do (“PSD” attributes) when construction the rule and other metrics also to work on.

http://forum.mikrotik.com/t/can-someone-please-explain-the-psd-attributes/98488/1

Sure this will be a growing list to filter against but that will be OK. You need to evaluate it and see if it remains acceptable.
In my config here, IP’s that try to make connections too frequently (which I consider scanners) are thrown onto an ACL. At any given time I have about 200 IP’s listed and they remain on there for quite some time.
Such rules could make connections to your SMTP a lot lesser.
Do you have multiplex MX-records set for your domain ? Do you have an upstream ISP that is willing to accept mail for you ? (and then deliver it to you)

11

I think then you could use the following alternative named IPBan for Windows:
https://github.com/DigitalRuby/IPBan/releases/tag/1.5.6-beta1
https://www.digitalruby.com/server-software/
https://github.com/DigitalRuby/IPBan

It says

Officially supported platforms: Windows 8.1 or newer (x86, x64), Windows Server 2012 or newer (x86, x64), Linux Ubuntu 16.04+ or equivelant (x64). Windows Server 2008 will work with some tweaks, but it is basically at end of life, so no longer officially supported.

Or you can look for other alternatives as there seem to be several for Windows.

12

Thanks again for the feedback.

Yes, the server is a public SMTP server. It is handligng emails for just a handful of people - providing web and imap email as well as schedule to users both in the LAN and “on the road”. The reason for running it ourselves is that we’ve been selling the mailserver software (Office-Logic InterChange by LAN-Aces).
The mentioned attack-issues are more or less solved (as I mentioned previously) by adding manually the offending IPs to our old ZyWall router/firewall. When I discover many "Authenticate Failed in the server’s log, I just add the address(es) manually.
Need to replace this old ZyWall, and am setting up a RB951 unit to do so. Since Mikrotik has a more “flexible” and detailed setup, I wasn’t sure how to move the block-lists from the old ZyWall to the new unit. The feedback here has been very helpful, and I hope that the RB951 will be up and running quite soon.
Thanks!

13

If these are only a few IP’s happening over a longer stretch of time you can indeed follow that “manual” route of adding them to the filter-list on your Mikrotik to effectively deny them.
If these are rather regular (eg. dozens per day, hour or minute) you might want to spend some time to try to further automate it or at least start by adding repeating “offenders” to the list.
On your mail server you could make a quick listing from the logs to see if the public SOURCE-IP is repeated often or if you are always hassled by other/new/spoofed public IP’s.

14

jvan - would you capture the offenders in the regular firewall (add to firewall address list) and then drop them in raw?

15

Depends on the current load on your box. Sure if you drop them raw they consume the least amount of resources on your box.
Here on my small home network I have them all in ACL’s and drop them at the regular firewall-level, I maintain statistics of this, inject them into Splunk etc.
So my RB3011 still has plenty of CPU-cycles left to play with this. (I only have a 100Mbps line at home)

If my Mikrotik was pushing a lot of traffic, handling many users, extensive QoS etc,etc … I probably would organize it a bit more efficient I guess …