HOW TO PROTECT THE GATEWAY ROUTER'S IP?

Hi everyone!
Excuse my English. I have a MikroTik RB750G, and the other day a customer put the gateway's IP address (192.168.1.1) on his computer; the router (RB) allowed this IP and failed (the internet no longer worked). My question is about a rule that protects the IP of the MikroTik gateway.
I tried with a Buffalo router running DD-WRT and this problem didn't happen; the Buffalo didn't allow taking that IP.
Thanks!

Can you post a network diagram that identifies devices, ports, and IPs?

Thanks for replying…
Well, the diagram is very simple
Modem(Adsl)—RB750G–Switch—Clients pc.

RB750G
eth0 : WAN1 (ADSL)
eth1 : WAN2 (ADSL)
eth2 : Master port(switch) (192.168.1.2) (192.168.133.2) (Local Gateway)
eth3 : slave (AP1 only bridge) (192.168.169.202)
eth4 : slave (AP2 only bridge) (192.168.169.203)
eth5 : slave (8 port Switch)

SWITCH:
port1: Mikrotik
port2: PC1 (192.168.1.10)
port3: PC2 (192.168.1.11)
port4: PC3 (192.168.1.12)
port5: AP3 (only bridge) (192.168.169.200)
port6: AP4 (only bridge) (192.168.169.201)
port7: Sony Bravia TV (192.168.169.204)
port8: Web server (192.168.169.205), but still not running; this is my next question.

Wireless clients are distributed to their respective gateway (192.168.1.2 and 192.168.133.2).
The IPs are configured as static and do not use DHCP. The routing is marked for two IP ranges and two gateways (192.168.1.2 and 192.168.133.2).
Everything is fine; the problem is when the router's IP is duplicated on another computer, the router fails.


These are the MikroTik rules:

# apr/09/2011 20:11:30 by RouterOS 4.11
# software id = F89Y-VKDP
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5F:XX:XX \
    master-port=none mtu=1500 name=ether1-Public-WAN1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5F:XX:XX \
    master-port=none mtu=1500 name=ether2-Public-WAN2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5F:XX:XX \
    master-port=none mtu=1500 name=ether3-Local-Master speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5F:XX:XX \
    master-port=ether3-Local-Master mtu=1500 name=ether4-Local-Slave speed=\
    100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5F:XX:XX \
    master-port=ether3-Local-Master mtu=1500 name=ether5-Local-Slave speed=\
    100Mbps

/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment=\
    "" dial-on-demand=no disabled=no interface=ether1-Public-WAN1 max-mru=\
    1480 max-mtu=1480 mrru=disabled name=PPPoE-WAN1 password=XXXX profile=\
    default service-name="" use-peer-dns=yes user=XXXX@chile.t
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \
    dial-on-demand=no disabled=no interface=ether2-Public-WAN2 max-mru=1480 \
    max-mtu=1480 mrru=disabled name=PPPoE-WAN2 password=XXXX profile=\
    default service-name="" use-peer-dns=yes user=XXXX@tchile
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1

/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no
/interface ethernet switch port
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback

/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
    default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
    default enabled=no keepalive-timeout=60 mac-address=XX:26:35:02:XX:XX \
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled

/ip address
add address=192.168.1.2/24 broadcast=192.168.1.255 comment="" disabled=no \
    interface=ether3-Local-Master network=192.168.1.0
add address=192.168.133.2/24 broadcast=192.168.133.255 comment="" disabled=no \
    interface=ether3-Local-Master network=192.168.133.0

/ip firewall connection tracking
set enabled=yes generic-timeout=5m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=2h \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="INPUT CHAIN - Router" \
    connection-state=established disabled=no
add action=accept chain=input comment="" connection-state=related disabled=no
add action=drop chain=input comment="" connection-state=invalid disabled=no
add action=accept chain=input comment="" disabled=no src-address=\
    192.168.1.0/24
add action=accept chain=input comment="" disabled=no src-address=\
    192.168.133.0/24
add action=accept chain=input comment="" disabled=no limit=10,2 protocol=icmp
add action=drop chain=input comment="" disabled=no protocol=icmp
add action=drop chain=input comment="" disabled=no protocol=igmp
add action=drop chain=input comment="" disabled=no
add action=accept chain=forward comment="FORWARD CHAIN - Clients" \
    connection-state=established disabled=no
add action=drop chain=forward comment="" connection-state=invalid disabled=no
add action=accept chain=forward comment="" disabled=no protocol=gre
# The two rules below were posted with src-address-list=!192.168.1.10, but no
# address list of that name is defined anywhere in this export, so the match is
# written here as the single source address the rule was evidently meant for.
add action=drop chain=forward comment="" disabled=no dst-port=10000-65535 \
    protocol=tcp src-address=!192.168.1.10
add action=drop chain=forward comment="" disabled=no dst-port=10000-65535 \
    protocol=udp src-address=!192.168.1.10
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connections for routing" disabled=no dst-address-type=!local \
    new-connection-mark=WAN1_conn passthrough=yes src-address=192.168.1.0/24
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local new-connection-mark=WAN2_conn passthrough=yes \
    src-address=192.168.133.0/24
add action=mark-routing chain=prerouting comment=\
    "Routing mark to WAN1 and WAN2" connection-mark=WAN1_conn disabled=no \
    new-routing-mark=route-611056 passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting comment="" connection-mark=WAN2_conn \
    disabled=no new-routing-mark=route-618087 passthrough=yes src-address=\
    192.168.133.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade WAN1" disabled=no \
    out-interface=PPPoE-WAN1
add action=masquerade chain=srcnat comment="Masquerade WAN2" disabled=no \
    out-interface=PPPoE-WAN2

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PPPoE-WAN1 routing-mark=route-611056 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PPPoE-WAN2 routing-mark=route-618087 scope=30 target-scope=10


No router can prevent any other device not directly connected to itself on a TCP/IP network from responding to ARP for an address the router has itself. TCP/IP simply doesn't work that way. The DD-WRT router couldn't possibly have prevented it, either. You would need to protect against this directly on the ports people connect to, which would usually mean using smart managed switches that can inspect the traffic that flows through them and drop it if it doesn't meet policy.

Thank you fewi…
OK, but considering this possibility of an attack on the router from a malicious client, how do I resolve this problem?
Although I still have a doubt: before, I had two D-Link DI-704UP routers, and with the same diagram, even when trying to set the router's IP, my computer waited forever for an IP address.
Now I'm checking the iptables of the Buffalo (DD-WRT) over telnet to get some idea about it.

Use switches that can inspect traffic flowing through them and drop packets sourced from the router IP coming into ports the router isn’t connected to.

Hi again!
Reviewing the Buffalo router with DD-WRT installed again: it uses VLANs and bridges to create the Ethernet switch between the ports, and there are also some IPs in the routing table such as 169.254.0.0. I think it uses something called "fallback" (ifconfig) to not allow a static IP to occupy the switch.
I'm thinking it might be something in the /switch configuration of the RB750G that prevents this IP from being taken indiscriminately.
Doesn't the switch menu exist in the terminal?

Best regards from Chile :)

fewi… is it possible that the router's ARP implementation has missed something or is deficient? It could be a topic for a new MikroTik version.
I've been reading this http://tools.ietf.org/pdf/rfc5227.pdf to see if there is a way to solve my problem.

PS: I found the menu in the terminal, "/interface ethernet switch" .. :D
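What fewi's switch-side policy (drop frames sourced from the router IP on ports the router isn't connected to) and the RFC 5227 probe mentioned in the last post look like as inspection logic, written as an added example for this thread; it is not code from the thread, from MikroTik or from DD-WRT. It assumes a switch that knows which port the router sits on, uses the gateway address 192.168.1.2 from the export above, and substitutes a constructed router MAC 00:0c:42:00:00:02 for the masked one; every frame is built inline, not captured from a network.

```python
"""Switch-side ARP inspection for one protected gateway address.

Added example for this thread; not code from MikroTik, DD-WRT or the poster.
Frames are constructed in run_demo(), not captured from a network.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))


def build_arp(src_mac, dst_mac, opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II header followed by an IPv4-over-Ethernet ARP packet (42 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields as a dict, or None for anything that is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "src_mac": frame[6:12].hex(":"),
        "op": op,
        "sender_mac": frame[22:28].hex(":"),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


class GatewayGuard:
    """Policy: the gateway IP may only be claimed by the gateway MAC on the router's port."""

    def __init__(self, gateway_ip: str, gateway_mac: str, router_port: int):
        self.ip, self.mac, self.port = gateway_ip, gateway_mac.lower(), router_port
        self.alerts = []

    def inspect(self, port: int, frame: bytes) -> str:
        """Return 'accept', 'alert' (forward and log) or 'drop' for one ingress frame."""
        arp = parse_arp(frame)
        if arp is None:
            return "accept"  # non-ARP traffic is out of scope for this check
        if arp["sender_ip"] == self.ip and (
            port != self.port or arp["sender_mac"] != self.mac or arp["src_mac"] != self.mac
        ):
            # A reply or gratuitous announcement for the gateway address from the
            # wrong port or MAC: this is the frame that poisons the other clients.
            self.alerts.append(f"port {port}: {arp['sender_mac']} claims {self.ip}")
            return "drop"
        if (arp["op"] == ARP_REQUEST and arp["sender_ip"] == "0.0.0.0"
                and arp["target_ip"] == self.ip and port != self.port):
            # RFC 5227 probe: a host is about to configure the gateway address.
            # Forward it so the real gateway can answer and defend the address.
            self.alerts.append(f"port {port}: {arp['src_mac']} probing for {self.ip}")
            return "alert"
        return "accept"


def run_demo():
    """Constructed frames on the thread's topology: router on port 1, PCs on ports 2-4."""
    gw_mac, pc1, rogue = "00:0c:42:00:00:02", "00:aa:bb:cc:dd:10", "00:11:22:33:44:55"
    guard = GatewayGuard("192.168.1.2", gw_mac, router_port=1)
    frames = [
        # legitimate gratuitous ARP from the router itself
        (1, build_arp(gw_mac, BROADCAST, ARP_REPLY, gw_mac, "192.168.1.2", BROADCAST, "192.168.1.2")),
        # PC1 asking who has the gateway: normal, the sender is its own address
        (2, build_arp(pc1, BROADCAST, ARP_REQUEST, pc1, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.2")),
        # a customer's PC probing before it configures 192.168.1.2 on itself
        (3, build_arp(rogue, BROADCAST, ARP_REQUEST, rogue, "0.0.0.0", "00:00:00:00:00:00", "192.168.1.2")),
        # the same PC announcing that it now owns 192.168.1.2
        (3, build_arp(rogue, BROADCAST, ARP_REPLY, rogue, "192.168.1.2", BROADCAST, "192.168.1.2")),
        # a targeted spoofed reply to PC1, the classic poisoning frame
        (3, build_arp(rogue, pc1, ARP_REPLY, rogue, "192.168.1.2", pc1, "192.168.1.10")),
    ]
    verdicts = [guard.inspect(port, frame) for port, frame in frames]
    return verdicts, guard.alerts


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The policy drops any ARP frame that claims 192.168.1.2 from another port or another MAC, which is exactly the part the RB750G's own IP firewall cannot do, since those frames never pass through the router. A probe (sender 0.0.0.0, target 192.168.1.2) is forwarded but logged, because under RFC 5227 it is the real owner's reply to that probe that makes a conforming host give the address up. On the router itself, the nearest RouterOS equivalent is arp=reply-only on the LAN interface with static entries under /ip arp, which stops the router's own ARP table from learning a second MAC for a known address but does nothing for the other clients' caches, in line with fewi's point.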