While researching adding a blacklist address list for blocking outside traffic I came across this advice from msatter:
Since I don’t really need to access my home router from outside my LAN, I implemented the rule, but wanted to double check if this won’t interfere with normal traffic in any way.
Also, since the implementation of the firewall rule, I get a log entry every 2-3 min from the same MAC address:
firewall,info input-new-drop input: in:lte1 out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto 2, 0.0.0.0->224.0.0.1, len 32
Is this normal and how should I interpret this?
I planned on turning it off, just wanted to make sure that it actually filters something.
But is it normal to have someone trying to access my router every 2-3 min? Also, what does proto 2, 0.0.0.0->224.0.0.1 mean in this case?
I’m pretty sure this is coming from your ISP equipment…however strangely enough the 5e:aa:8e:zz:xx:yy is not from any known vendor today.
Apart from that, the 224.0.0.1 is a non-routable, multicast on the local subnetwork. Your Mikrotik will not “leak” them further onto your network ever.
But I see interface “lte1”? You have a 4G-card/modem attached to the Mikrotik?
I’m seeing this also where my ISP PPPoE access-server emits occasionally some traffic hitting the input-chain.
The MAC-address I found in the PPPoE section as the access-gateway it is connected to.
Still funny in your case the first 3 octets of the MAC, 5e:aa:8e, is a non-existent vendor OUI…
It’s not really “someone”: something in your provider’s network searching for multicast subscribers.
No idea what exactly for. If you also don’t know, just drop it.
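Added example, not part of the thread: a small Python decoder for the dropped-packet log line discussed above. It maps the protocol number to a name (2 is IGMP), classifies the destination address, and checks the locally administered bit of the source MAC, which is set in 5e and is why no vendor OUI lookup matches. The sample line is constructed from the one in the question (the last three MAC octets are made up), and only the numeric `proto N` form shown in the thread is handled.

```python
import ipaddress
import re

# Subset of IANA protocol numbers that commonly appear in firewall logs.
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# Matches the numeric-protocol log format quoted in the thread.
LOG_RE = re.compile(
    r"in:(?P<iface>\S+) .*?src-mac (?P<mac>[0-9A-Fa-f:]{17}), "
    r"proto (?P<proto>\d+), (?P<src>[\d.]+)->(?P<dst>[\d.]+), len (?P<len>\d+)"
)

def mac_flags(mac):
    """Decode the two flag bits in the first octet of a MAC address."""
    first = int(mac.split(":")[0], 16)
    return {"locally_administered": bool(first & 0x02),  # no vendor OUI exists
            "group": bool(first & 0x01)}                  # multicast/broadcast

def classify_dst(ip):
    addr = ipaddress.ip_address(ip)
    if addr == ipaddress.ip_address("224.0.0.1"):
        return "all-hosts multicast"
    if addr in ipaddress.ip_network("224.0.0.0/24"):
        return "link-local multicast"
    return "multicast" if addr.is_multicast else "unicast/other"

def explain(line):
    """Return a decoded view of one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    dst_kind = classify_dst(m["dst"])
    return {
        "iface": m["iface"],
        "protocol": PROTO_NAMES.get(proto, f"proto {proto}"),
        "dst_kind": dst_kind,
        "mac": mac_flags(m["mac"]),
        # IGMP general queries are addressed to 224.0.0.1 (RFC 2236).
        "likely_igmp_query": proto == 2 and dst_kind == "all-hosts multicast",
    }

# Constructed sample based on the log line in the question.
SAMPLE = ("firewall,info input-new-drop input: in:lte1 out:(unknown 0), "
          "src-mac 5e:aa:8e:00:00:01, proto 2, 0.0.0.0->224.0.0.1, len 32")

if __name__ == "__main__":
    print(explain(SAMPLE))
```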
Out of curiosity why would that rule NOT BLOCK an initial negotiation with ones ISP to get an IP for example?
Is it because the router’s outgoing communication (looking for an ISP) is what triggers the sequence???