Firewall log help needed

Hello Dear MikroTIKERS!

I see in my log this->

firewall,info
input: in:ether-1-wan out:(unknown 0),src-mac HERE IS A MAC ADDRESS,proto UDP,192.168.255.254:67->255.255.255.255:68,len 328

And I see this every second, multiple times. 67-68 should be DHCP, and ether-1-wan is my WAN port, with a DHCP client on it.

What is this, or how could I check what this is?!

Thank you in advance!

What's strange: if I ping this IP address, 192.168.255.254, I get an answer (from the WAN port with PING in Winbox), and I get an answer about every 10 seconds, like the rule I made for ICMP that limits it to 6 per minute, so I get an answer to the ping every 10 sec. It's like I'm “attacking myself”??? I'll post updates on what I find out about what's going on.

I checked the src-mac that the log shows; it begins with 64:XXXXXXXxxxxx
On the WAN interface, only my modem is connected, but its MAC address is something else. What could this be?!

Update: we have 2 ISPs. I changed them, and the “attack” of 192.168.255.254:67 and port 68 stopped, but now it begins the same, but with another local IP: 10.10.0.1. Now I begin to think that these two are the two local DHCP server IP addresses of the ISP! But why does this happen? I get my public IP on the “wan” interface all the time… I dunno what's up, but this is strange to me. If anyone has already encountered this, already knows why it works like this and could explain it to me, I would be really happy!

Thank you in advance, guys.

If I check in Winbox → IP → DHCP Client → STATUS tab, I see that my DHCP server is 10.250.0.1, so I'm confused?! Could anyone enlighten me?

If you get your WAN address from your ISP via DHCP, it usually means you get it via an L2 network where you are not alone. So other clients of your ISP renew their DHCP leases, and if they do not get a response for some reason, they send the DHCPDISCOVER messages to the broadcast address 255.255.255.255 periodically, which means that it is received by every device on the L2 segment.

The above assumes that your modem is in bridge mode.

To learn the details, you can configure tool sniffer with a file name to sniff into, run /tool sniffer quick interface=ether-1-wan port=68 until you see a few such packets get caught, then break it, download the file and open it using Wireshark. Just don’t confuse your own DHCPREQUEST and the server responses with your fellow clients’ DHCPDISCOVERs, i.e. don’t break the sniff too early; check whether the packets caught are not related to your own IP/MAC address before stopping the sniff.
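The own-versus-neighbour check described above, as an added Python example that is not part of any post in this thread: it decodes the UDP payload of a port 67/68 packet (for instance bytes exported from the capture) and reports the DHCP message type, the client MAC the message concerns and the server identifier. The MAC addresses, the offered address and the helper names are constructed for illustration; only 192.168.255.254 comes from the log above.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
         5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload):
    """Decode the UDP payload of a port 67/68 packet into the fields worth comparing."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, hlen = payload[0], min(payload[2], 16)
    flags = struct.unpack("!H", payload[10:12])[0]
    info = {"op": "reply" if op == 2 else "request",         # replies are sent from port 67
            "broadcast": bool(flags & 0x8000),
            "yiaddr": ".".join(map(str, payload[16:20])),    # address being handed out
            "chaddr": payload[28:28 + hlen].hex(":"),        # client the message is about
            "type": None, "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:            # 255 = end option
        if payload[i] == 0:                                  # 0 = pad, has no length byte
            i += 1
            continue
        length = payload[i + 1] if i + 1 < len(payload) else 0
        value = payload[i + 2:i + 2 + length]
        if i + 2 + length > len(payload):                    # truncated capture
            break
        if payload[i] == 53 and length == 1:                 # option 53: message type
            info["type"] = TYPES.get(value[0], "unknown")
        elif payload[i] == 54 and length == 4:               # option 54: server identifier
            info["server_id"] = ".".join(map(str, value))
        i += 2 + length
    return info

def is_mine(info, my_mac):  # True when the message concerns this router's own WAN MAC
    return info["chaddr"] == my_mac.lower().replace("-", ":")

def build_sample(msg_type, client_mac, server_ip, yiaddr="0.0.0.0"):
    """Constructed test message (not a capture): BOOTP header plus options 53 and 54."""
    head = struct.pack("!BBBBIHH", 2 if msg_type in (2, 5, 6) else 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    addrs = bytes(4) + bytes(map(int, yiaddr.split("."))) + bytes(8)
    mac = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    opts = bytes([53, 1, msg_type, 54, 4]) + bytes(map(int, server_ip.split("."))) + b"\xff"
    return head + addrs + mac + bytes(192) + MAGIC + opts

if __name__ == "__main__":
    pkt = build_sample(2, "02:00:00:00:00:aa", "192.168.255.254", "198.51.100.23")
    print(parse_dhcp(pkt), is_mine(parse_dhcp(pkt), "02:00:00:00:00:bb"))
```

A message whose chaddr is not your WAN MAC belongs to another client on the segment; the server identifier shows which DHCP server sent it.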

Hey Sindy,

Thank you again! :)

Thanks for the clarification! I can't find the option to download the file after I stopped sniffing! Could you please help me out again?

Thank you :)

If you use Winbox, it’s drag and drop. If you use WebFig, press the [Download] button in the file list. If you use command line, use scp from your PC to download the file.

I thought that it would work this way, but no. I'll check later! :) Thank you!!!