Block Traffic from source that is not on my network

Hi, I’m having a terrible time finding a solution to stop and block traffic on my VPLS network.
In the picture you can see traffic from 172.31.3.209 to 172.30.255.33 on the DNS port. It seems to be a bogon IP, but I can’t find a way to stop it.
If anyone could give me a guide to achieve what I’m looking for...
Thanks


[attachment: traffic.jpg]

Post your complete config please.
/export file=anynameyouwish ( minus router serial # and any public WANIP information )

Sure.
[attachment: core.rsc (26.3 KB)]

Interesting complex setup, way over my head though…

Do you mean incoming traffic or outgoing traffic ???
Okay, I see you use 172.16 traffic, so one has to be careful about any bogon rules... so you don’t block your own traffic.

You need to note what all your LAN subnets are and remove any bogons on the list that may interfere.

So far I see (ones that will cause issues):
add address=10.0.0.0/8 list=BOGONS
add address=127.0.0.0/8 list=BOGONS ( in general this is often used on the router and should be left alone )
add address=192.168.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS

So remove the ones above from your firewall address list.
Also make sure one of them doesn’t hit the range of your actual WAN IP address schema; not likely, but ya never know.

Your firewall rules are a mess and disorganized.
Suggest you simplify by removing all, putting back in the defaults
and focussing on what user traffic should be allowed in the input chain ( to the router )
and focussing on what user traffic should be allowed in the forward chain ( lan to lan, lan to wan etc.)

I don’t use bogon rules in the firewall chain; I tend to put them in routes (blackhole, if I use them).

Like so:
/ip route
add blackhole disabled=no dst-address=0.0.0.0/8
add blackhole disabled=no dst-address=100.64.0.0/10
add blackhole disabled=no dst-address=169.254.0.0/16
add blackhole disabled=no dst-address=192.0.0.0/24
add blackhole disabled=no dst-address=192.0.2.0/24
add blackhole disabled=no dst-address=198.18.0.0/15
add blackhole disabled=no dst-address=198.51.100.0/24
add blackhole disabled=no dst-address=203.0.113.0/24
add blackhole disabled=no dst-address=224.0.0.0/3

Now, since the problem subnet is within one of the bogons which also covers your local subnet, just add a subnet that is more appropriate:
add blackhole disabled=no dst-address=172.30.0.0/16
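As an added example (not part of this thread and not taken from the poster’s core.rsc), the two checks above in a small Python script: which BOGONS entries would also match your own LAN prefixes, and which blackhole route would actually catch a given destination. The address-list and route text is constructed from the entries quoted in this thread; the LAN prefixes in LAN_SUBNETS are assumptions standing in for the real /ip address output.

```python
import ipaddress
import re

# Constructed "/ip firewall address-list" export, modelled on the BOGONS
# entries quoted in this thread (not the poster's full core.rsc).
ADDRESS_LIST_EXPORT = """\
/ip firewall address-list
add address=10.0.0.0/8 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS
add address=192.168.0.0/16 list=BOGONS
add address=224.0.0.0/3 list=BOGONS
"""

# A subset of the blackhole routes from the thread plus the 172.30.0.0/16 one.
ROUTE_EXPORT = """\
/ip route
add blackhole disabled=no dst-address=0.0.0.0/8
add blackhole disabled=no dst-address=169.254.0.0/16
add blackhole disabled=no dst-address=198.18.0.0/15
add blackhole disabled=no dst-address=224.0.0.0/3
add blackhole disabled=no dst-address=172.30.0.0/16
"""

# Assumed LAN prefixes (placeholders, not from the thread): replace them with
# the real "/ip address print" output before trusting the result.
LAN_SUBNETS = ["172.16.10.0/24", "172.30.255.0/24", "192.168.88.0/24"]

ADD_LINE = re.compile(r"^add\s+(?P<args>.*)$")


def _add_args(line):
    """Tokens and key=value pairs of one RouterOS 'add ...' export line."""
    m = ADD_LINE.match(line.strip())
    if not m:
        return None
    toks = m.group("args").split()
    return toks, {t.split("=", 1)[0]: t.split("=", 1)[1] for t in toks if "=" in t}


def parse_address_list(export_text, list_name="BOGONS"):
    """Networks in one address list (a-b ranges are skipped, not handled)."""
    nets = []
    for line in export_text.splitlines():
        parsed = _add_args(line)
        if parsed and parsed[1].get("list") == list_name and "address" in parsed[1]:
            try:
                nets.append(ipaddress.ip_network(parsed[1]["address"], strict=False))
            except ValueError:
                continue
    return nets


def parse_routes(export_text):
    """dst-address prefixes of the blackhole routes in an '/ip route' export."""
    routes = []
    for line in export_text.splitlines():
        parsed = _add_args(line)
        if parsed and "blackhole" in parsed[0] and "dst-address" in parsed[1]:
            routes.append(ipaddress.ip_network(parsed[1]["dst-address"], strict=False))
    return routes


def find_conflicts(bogons, lan_subnets):
    """(bogon, lan) pairs where a list entry would also match your own LAN."""
    lans = [ipaddress.ip_network(s, strict=False) for s in lan_subnets]
    return [(b, lan) for b in bogons for lan in lans if b.overlaps(lan)]


def carve_out(bogon, lan_subnets):
    """Tighter prefixes covering `bogon` minus every LAN prefix inside it, so
    the list keeps its bogon coverage without matching local traffic."""
    pieces = [bogon]
    for s in lan_subnets:
        lan = ipaddress.ip_network(s, strict=False)
        kept = []
        for p in pieces:
            if p.subnet_of(lan):
                continue                              # entirely LAN: drop
            if lan.subnet_of(p):
                kept.extend(p.address_exclude(lan))   # split around the LAN
            else:
                kept.append(p)
        pieces = kept
    return sorted(pieces)


def blackhole_for(routes, dst):
    """Longest-prefix match among blackhole routes only. A connected or learned
    route with a longer prefix would win in the real table, so a hit here does
    not guarantee the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r]
    return max(hits, key=lambda r: r.prefixlen) if hits else None


if __name__ == "__main__":
    bogons = parse_address_list(ADDRESS_LIST_EXPORT)
    for bogon, lan in find_conflicts(bogons, LAN_SUBNETS):
        print(f"BOGONS {bogon} matches LAN {lan}; tighter entries:",
              ", ".join(map(str, carve_out(bogon, LAN_SUBNETS))))
    routes = parse_routes(ROUTE_EXPORT)
    for dst in ("172.30.255.33", "172.31.3.209"):
        print(dst, "->", blackhole_for(routes, dst))
```

Run it against a real export to get the list of BOGONS entries that overlap your own prefixes; carve_out gives tighter replacement prefixes if you would rather keep the bogon coverage than delete the entry outright. Two caveats the script cannot see: a connected route for 172.30.255.0/24 is more specific than a 172.30.0.0/16 blackhole and wins, and frames switched across a VPLS bridge never consult /ip route at all, so a blackhole only affects traffic the router actually routes.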

Thank you so much.
I’m not a firewall guy, as you can see.
Already tried to blackhole that particular subnet and the traffic is still there.
It’s only on the VPLS network, which is what makes me think! I can’t see this traffic on routers outside VPLS.
Anyway, thanks for your time and will

VPLS is outside my limited knowledge sphere; perhaps sindy or sob or mkx can inspect and advise.

VPLS is not my pie either...