DEAR ALL
I WANT TO KNOW THAT THROUGH IP FIREWALL HOW CAN WE REJECT ANY NATTED PACKET COMING ON A USER INTERFACE?
MEANS IF ANY USER IS USING NATTING AT HIS END, HOW CAN MIKROTIK IDENTIFY AND REJECT THOSE PACKETS?
THANKS
SATISH
well, there are no precise ways to define whether the packet was natted or not. you can see the TTL Matcher in Firewall Filter. for example, Windows' default TTL is 128, and after a router it becomes 127. for Linux, the default is 64, etc.
And if what you’re trying to do is keep customers from deploying routers try setting the TTL for packets into the customer (not from the customer) to 1 in firewall mangle. Unless the customer has the knowledge and hardware to rewrite the TTL themselves that will expire packets on the next hop - if that is a computer it will accept the packet, if it’s a router it will discard it.
Thanks for reply
We are unable to identify NAT packets, because in the case of routers the TTL change is brand specific, and we are also unable to check if there is any ICS on a Windows machine.
ICS is also a NAT
So please help me
Thanks
Satish
If Windows ICS forwards a packet the TTL should still be reduced by one. TTL is “always” decreased by one even if it’s traversing NAT. Change outgoing TTL for client traffic to 1.
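Both approaches suggested in the replies above (the TTL matcher in firewall filter, and setting the TTL of customer-bound traffic to 1 in mangle) expressed as RouterOS commands. This is an added example, not configuration posted by anyone in the thread; the interface name ether2 and the subnet 192.168.88.0/24 are placeholders for the customer-facing interface and customer range.

```routeros
# Added example, not from the thread. Assumptions (placeholders):
#   ether2           = the interface the customer is attached to
#   192.168.88.0/24  = the customer's address range

# Approach 1 (TTL matcher): a packet arriving with TTL one below a common OS
# default has passed through one extra hop, i.e. a router or ICS box on the
# customer side. Log first so false positives can be measured before dropping.
/ip firewall filter
add chain=forward in-interface=ether2 ttl=equal:127 action=log \
    log-prefix="ttl127-behind-router"
add chain=forward in-interface=ether2 ttl=equal:63 action=log \
    log-prefix="ttl63-behind-router"
# After reviewing the log, change action=log to action=drop on the rules above.

# Approach 2 (mangle): set TTL=1 on packets going TOWARD the customer. The next
# hop after the MikroTik consumes the last TTL unit: a directly attached PC
# accepts the packet, a customer-side router decrements to 0 and discards it.
/ip firewall mangle
add chain=postrouting out-interface=ether2 dst-address=192.168.88.0/24 \
    action=change-ttl new-ttl=set:1 passthrough=yes
```

The filter rules only catch the defaults named in the thread (128 and 64); as the later replies point out, a proxy terminates the connection itself, so its packets carry the proxy host's own TTL and neither rule sees an extra hop. Keep the rules in log mode long enough to see what the customer population actually sends before turning on drop.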
but TTL is not changed for proxied requests…
Thanks, it is working fine with DSL and ICS, but can you also suggest what to do if any client is using a Linux based router or proxy,
because I am unable to block those proxies.
Thanks
Satish Bharadia