I have many packet 34916 being sent via the PPPoE client interface.

I have a new hAP router with RouterOS v6.29.1.

I set up the internet connection with a PPPoE client via the Winbox tool (without the default config and not the easy setup).
Everything worked fine for 1 day. But after that I saw the Tx of the PPPoE client link go up for no reason (there is no traffic from the internal LAN) and the CPU worked more.
I used the sniffer tool in WinBox to check, and saw many packet 34916 being sent from my internet card’s MAC address to another MAC.

Does anyone know why this happens? Please tell me, thank you so much.

What port is the traffic from? If it is 53, secure your DNS service with firewall rules.

Thank you for your help.

Could you show me some sample code, or where I can get some, please?

And I don’t see any packet with source or destination port 53. This is an image of one packet I got.

The Src. MAC address is my internet card on the hAP.

Can’t see the picture on mobile for some reason. Will have a look later. See the torch and profiler meanwhile to learn more about the traffic and what consumes the CPU. Is the line exhausted by the traffic?

Hi,

in WinBox, go to “Interfaces”, open the PPPoE interface window by double-clicking and click on “Torch”.
There you can see what traffic is flowing on this interface.

The next steps depend on what kind of traffic you’ll see.

Ape

Thanks for your reply.

I rebooted the hAP and the Tx traffic via the PPPoE interface is normal now. So I will test with “Torch” if the problem comes again.

And the traffic is not filling my Tx bandwidth (it’s only 2-5 Mbps out of 21 Mbps).

The problem happened after running for 1 day, so it’ll take a little time to know.

Yeah, you’re right. Today I had the same problem; I used “Torch” and saw many UDP packets being sent to my DNS from the WAN.

I made a firewall rule to block UDP packets sent to port 53 from the internet.

Could you show me some other firewall rules to protect my router?

Thank you so much.

See this:
http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router
http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
http://wiki.mikrotik.com/wiki/Basic_universal_firewall_script
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Basic_examples
and finally:
http://wiki.mikrotik.com/wiki/DDoS

You could find these pages using Google too.

My approach to port 53 in the input chain from the WAN interface is to drop UDP and tarpit TCP.

I also use bruteforce login prevention. All other rules are mainly individual to my needs, according to where the routers are and what traffic should pass through. Nobody can give you a general “secure” rule set that fits your needs.
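As an added example (not from any poster in this thread), the drop-UDP / tarpit-TCP approach for port 53 written as RouterOS v6 console commands; the PPPoE interface name pppoe-out1 and the LAN subnet 192.168.88.0/24 are assumptions, and the commands were not taken from the linked wiki pages:

```routeros
# Added example: protect the router's own DNS service (input chain) from the WAN side.
# Assumptions: the PPPoE client interface is named "pppoe-out1" and the LAN is 192.168.88.0/24.
# Background: with allow-remote-requests=yes, RouterOS answers recursive DNS queries on every
# interface, so Internet hosts can use the router as an open resolver (the UDP-to-port-53
# traffic seen in Torch) and the router spends CPU and upstream bandwidth answering them.
/ip dns print
# Check the "allow-remote-requests" line; keep it "yes" only if LAN clients use the router as resolver.

/ip firewall filter
# Rules are evaluated top-down and "add" appends at the end, so make sure no earlier rule
# accepts everything on the input chain; otherwise move these rules above it.
# Keep DNS working for the LAN: accept queries only from the LAN subnet.
add chain=input src-address=192.168.88.0/24 protocol=udp dst-port=53 action=accept comment="DNS from LAN (UDP)"
add chain=input src-address=192.168.88.0/24 protocol=tcp dst-port=53 action=accept comment="DNS from LAN (TCP)"
# Drop UDP DNS arriving on the PPPoE (WAN) interface: no reply is sent, so the router can
# no longer be used as a reflector and stops spending Tx bandwidth on it.
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 action=drop comment="drop DNS from WAN (UDP)"
# Tarpit TCP DNS from WAN: the router completes the handshake but holds the connection
# without serving data, which ties up the remote side at negligible local cost.
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 action=tarpit comment="tarpit DNS from WAN (TCP)"

# Verify: the packet/byte counters on these rules should climb while the unwanted queries keep arriving.
/ip firewall filter print stats where comment~"DNS"
```

If the LAN does not use the router as a DNS server at all, setting allow-remote-requests=no removes the exposed service entirely and the filter rules become a second line of defence.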

Thanks for your reply.

Lots of useful information :smiley: I will research and find something I can use for my router.