I want to see MAC address of the PC/Laptop

Hi,

I have put a line in the FW to track whether ‘someone’ is trying to use port 53 in order to send SPAM messages.

add action=add-src-to-address-list address-list=53Drop17 address-list-timeout=1d chain=input comment="Deny openDNS relay" dst-port=53 in-interface=pppoe-out1 log-prefix=53_drop protocol=udp

and I would like to log the MAC address of the Laptop/PC/Device who is causing this issue.

How can I do this? Must I use mangle?

tx

Korg

Hmm…

  • How do you use DNS to send spam?
  • You’re watching input to router from pppoe-out1, which looks like WAN interface. It doesn’t make sense to watch incoming DNS queries there. They will of course come, because bots are trying hard all the time to find open resolvers. You should block incoming queries from internet anyway.
  • If previous is a mistake and you want to watch LAN hosts instead, you’d get completely useless list containing all active hosts, because all use DNS.

Hi Sob,

I have also blocked the input part too, as you’ve said… this line is the only line with which I tried to log IPs into an address list in order to block them.

Is there a way to log MAC addresses from local machines to see who is causing this DNS issue?

Korg

Either I don’t understand you, or you don’t understand me. Or both.

If you block input from pppoe-out1 (which I assume is your WAN), you don’t really care about exact addresses, because those would be just some random public addresses from internet anyway. But if your problem is with local machines, you can’t log their requests on pppoe-out1.

Try to add some more details about what exactly is the problem, and hopefully it will be more clear then…

Hi Sob,

correct… my code is wrong… I am blocking from WAN (no need to block) in order to log… not very elegant :slight_smile:… I’ve deleted it…

So… my issue, or better to say my wish, is to log the MAC address of the device (laptop/PC…) which is generating ‘traffic’ on port 53, resp. which is triggering port 53. I am using this line of code in order to block those connections:

add action=drop chain=input comment="Block openDNS relay" dst-port=53 in-interface=pppoe-out1 log=yes log-prefix=53_drop protocol=udp

and it’s working… so, once I have blocked a ‘connection’ through port 53… I would like to ‘see’ (resp. to log) which device is triggering this port. I would like to log its MAC address.

I hope my description is now much clearer :slight_smile:

tx

Korg

No, not really, sorry (but maybe it’s just me :slight_smile:).

If you want to log traffic from your devices, you’d need to do it on LAN port. But it won’t be very useful, because pretty much any device uses DNS.

If you’d do your logging on WAN port, the only MAC address you’d get would be from ISP’s gateway - even more useless.

I can’t tell for sure if that’s it, but if you’re seeing a lot of incoming DNS traffic on WAN, it’s not caused by any of your devices. It’s just the united army of bad bots trying to use your router for a DNS amplification attack. It’s sort of “normal” these days.
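As an added illustration of Sob’s point (this is not code from the thread or from MikroTik), the script below shows what you get if you do log port 53 traffic on the LAN side instead of on pppoe-out1. It assumes a hypothetical filter rule on the bridge interface with action=log, which in RouterOS writes in-interface, out-interface, src-mac, protocol, src:port->dst:port and length to the log, and it parses constructed sample lines in that format (the MACs and IPs are made up). Grouping the lines per source MAC turns a log that, as Sob says, contains every device on the LAN into a short list of the noisiest ones; the one WAN-side 53_drop line in the sample only yields the upstream gateway’s MAC, which is why it is filtered out by prefix.

```python
import re
from collections import Counter

# Assumed RouterOS rule (hypothetical, not from the thread) that would produce the
# LAN-side lines below; action=log records in-interface, out-interface, src-mac,
# protocol, src:port->dst:port and length, then continues to the next rule:
#   /ip firewall filter add chain=forward in-interface=bridge protocol=udp \
#       dst-port=53 action=log log-prefix=53_lan
#
# Constructed sample log lines (not real hosts): three LAN-side entries carrying a
# device MAC, plus one WAN-side 53_drop entry whose src-mac is the ISP gateway.
SAMPLE_LOG = """\
53_lan forward: in:bridge out:pppoe-out1, src-mac 00:11:22:33:44:55, proto UDP, 192.168.88.10:51234->1.1.1.1:53, len 60
53_lan forward: in:bridge out:pppoe-out1, src-mac 00:11:22:33:44:55, proto UDP, 192.168.88.10:51235->1.1.1.1:53, len 62
53_lan forward: in:bridge out:pppoe-out1, src-mac aa:bb:cc:dd:ee:ff, proto UDP, 192.168.88.20:40000->8.8.8.8:53, len 58
53_drop input: in:pppoe-out1 out:(unknown 0), src-mac 02:00:00:00:00:01, proto UDP, 203.0.113.7:9999->198.51.100.5:53, len 70
"""

# One firewall log line: "<prefix> <chain>: in:<if> out:<if>, src-mac <mac>,
# proto <proto>, <src>:<sport>-><dst>:<dport>, len <n>". out:<if> may contain a
# space ("(unknown 0)"), so it is matched lazily up to the following comma.
LINE_RE = re.compile(
    r"^(?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>.+?), "
    r"src-mac (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}), "
    r"proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), "
    r"len (?P<length>\d+)$"
)


def parse_line(line):
    """Return the fields of one firewall log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["mac"] = fields["mac"].lower()   # normalise so the same NIC counts once
    return fields


def count_by_mac(log_text, prefix, dport="53"):
    """Count logged packets to dport per source MAC, for lines with the given prefix."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["prefix"] == prefix and f["dport"] == dport:
            counts[f["mac"]] += 1
    return counts


def top_talkers(log_text, prefix, n=3):
    """(mac, count) pairs, noisiest first; useful to spot one device standing out."""
    return count_by_mac(log_text, prefix).most_common(n)


if __name__ == "__main__":
    for mac, n in top_talkers(SAMPLE_LOG, "53_lan"):
        print(f"{mac}  {n} DNS packets")
```

Because every LAN host resolves names, the raw count is only interesting when one MAC is far ahead of the rest; a rule like the assumed one also fills the log quickly, so on a real router you would rate-limit it or keep it only while investigating.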