Log shows different results than Sniffing (according to log firewall is bypassed)

Hello,

I’m a bit stuck right now.

I run DNS on this MikroTik router, which acts as a gateway for my network.

I added a log rule like this one:

/system logging action add name=dnsRemote remote=192.168.0.10 remote-port=514 src-address=0.0.0.0 target=remote
/system logging add topics=dns,!packet action=dnsRemote

On 192.168.0.10 I run the (ancient) MT_Syslog.exe.

I have a simple firewall rule that drops UDP/53 on the input chain from anything outside my LAN (same rule, written in RouterOS syntax):

/ip firewall filter add chain=input protocol=udp dst-port=53 src-address=!192.168.0.0/24 action=drop

Next I go to

Tools -> Packet Sniffer

set up file name, file limit, interfaces: all, direction: any, filter operation: or

I hit “start”

And in MT_Syslog I see a single Chinese IP querying DNS; the DNS then passes that request to an outside DNS server and responds with a reply to that IP, which is outside my network.

I wait a bit, then stop the sniffer, download that file, open Wireshark, and there is not a single packet that contains that IP address from outside my network.

What is going on? I would assume that logging records the packet from the IP asking my DNS for a query, then the firewall would drop that request, and it shouldn’t be giving a response (i.e. not in the log), but then again it bypasses the firewall somehow, gets logged by the logger, but is not recorded by the sniffing tool.
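An added example (not the poster's configuration and not RouterOS code): a small Python check that does what the poster is doing by hand, i.e. pulls the query sources out of the forwarded dns-topic syslog, flags any that fall outside the 192.168.0.0/24 prefix the input-chain rule is supposed to protect, and cross-checks them against the set of IPs seen in a sniffer capture. The syslog line format ("dns query from <ip>: #<id> <name> <type>") is an assumption modelled on RouterOS dns log lines, since the thread's own log entry did not survive; the sample lines and the capture IP set are constructed, with a TEST-NET address standing in for the external querier.

```python
import ipaddress
import re

# Constructed sample of what the dns topic (with !packet) might forward to the
# syslog host. The line format is an assumption modelled on RouterOS dns logs,
# not copied from the thread. 203.0.113.77 (TEST-NET-3) plays the outside IP.
SAMPLE_SYSLOG = """\
dns query from 192.168.0.25: #101 example.com. A
dns done query: #101 example.com. A
dns query from 203.0.113.77: #102 example.net. ANY
dns done query: #102 example.net. ANY
dns query from 192.168.0.40: #103 example.org. AAAA
"""

# Constructed set of endpoint IPs taken from a sniffer .pcap, standing in for
# what Wireshark's Conversations view would list for the same time window.
SAMPLE_CAPTURE_IPS = {"192.168.0.25", "192.168.0.40", "192.168.0.1", "8.8.8.8"}

# Prefix the input-chain drop rule is meant to protect.
LAN = ipaddress.ip_network("192.168.0.0/24")

# Matches the assumed "query from <ip>: #<id> <name> <type>" shape.
QUERY_RE = re.compile(
    r"query from (?P<src>[0-9a-fA-F.:]+): #(?P<qid>\d+) (?P<name>\S+) (?P<qtype>\S+)"
)


def parse_queries(syslog_text):
    """Return one dict per 'query from' line: src (ip_address), qid, name, qtype."""
    queries = []
    for line in syslog_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # 'done query' and other lines carry no source IP
        q = m.groupdict()
        q["src"] = ipaddress.ip_address(q["src"])
        queries.append(q)
    return queries


def external_query_sources(syslog_text, lan=LAN):
    """Query sources outside the LAN prefix, sorted as strings.

    With the input-chain drop rule in place this should be empty; any hit is
    a query the resolver answered that the firewall should have dropped.
    """
    srcs = {str(q["src"]) for q in parse_queries(syslog_text) if q["src"] not in lan}
    return sorted(srcs)


def logged_but_not_captured(syslog_text, capture_ips, lan=LAN):
    """External query sources present in the syslog but absent from the capture.

    This is exactly the discrepancy described in the post: the resolver logged
    a query from an address that the packet sniffer never saw on any interface.
    """
    return [ip for ip in external_query_sources(syslog_text, lan) if ip not in capture_ips]


if __name__ == "__main__":
    print("external query sources:", external_query_sources(SAMPLE_SYSLOG))
    print("logged but not captured:", logged_but_not_captured(SAMPLE_SYSLOG, SAMPLE_CAPTURE_IPS))
```

On the constructed input the check reports 203.0.113.77 both as an external querier and as an address the capture never contained, which is the situation the post describes; an IP that shows up in the first list but not the second would instead point at the firewall rule, not at the sniffer.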

What do you see in the log? Please show at least one full log entry.
Run /tool sniffer quick ip-address=x.x.x.x, where x.x.x.x is the bad server address.

Log from logging:

And the sniff is empty… like I said it is… I also waited in case something had to buffer…

Edit:
Also, when I add log rules on the firewall where src-address=bad_address, action=log, chain=input/forward/output and move them to positions 0, 1, 2, nothing is captured there…

Edit2:
Tried disabling fast-path (http://forum.mikrotik.com/t/blocking-websites-not-working/135511/1) but with no results.

Edit3:
Added log rules for dst-address=bad_address for all 3 chains; the counter is still 0…

This is getting weird

Edit4:
I never used those before, but I also added NAT (src, dst), Mangle (prerouting, input, output) and Raw (prerouting, output) log rules for src-address=bad_address, annnddd NOTHING :open_mouth:

This indeed starts to scare me… it’s in the logs, yet it’s nowhere to be found… Is this router compromised? A bug in the firmware?