Firstly, I wish to ask about a weird problem with caching. Recently I activated my web proxy and routed all my clients to port 8080 for transparent proxy. Everything was fine till I ran into a problem: the proxy sucks up all my upload bandwidth. When I Torch my MikroTik, I find that it keeps consuming my upload bandwidth on port 25. When I Torch the local interface, no one is using port 25 (SMTP) for communication, but when I Torch my public interface, a lot of unknown traffic is communicating on port 25, which slows down my upload speed. Whenever I stop the web proxy, everything goes back to normal, but when I start the proxy, the traffic comes back. I asked MikroTik support whether there are viruses on my proxy, but they said that it’s technically impossible for a proxy to be infected by viruses. So I am confused by this. Could anyone help me?
Secondly, I try to route my clients to 2 addresses. First I use masquerading to route 10.0.0.0/19 to xxx.xxx.xxx.114; secondly I use NAT to NAT 10.10.0.0/19 to xxx.xxx.xxx.115. Both of them are working perfectly now. The problem is that I wish to limit the bandwidth for the two connections: 512 kbps for 114 and 128 kbps for 115, with no limit on the individual clients connected to them. Is there a way to do this? Please help me. Thank you.
Sounds like you may be being used as a mail relay. Put a rule in the input chain that blocks access to dst-port TCP:25. Or, better still, block all inbound TCP connections from the Internet.
Thank you very much for your kind reply, Andrew, but I couldn’t follow your suggestion. If I did so, none of my clients would be able to use email anymore. Are there any other ways? Please help.. thank you
Thank you denialsander and Andrew for your replies. Would you please show me how to make the blocking rule and forward chain that you mention? Sorry, I am a newbie, so I need a lot of help…
Here’s a simple Input chain that will drop all incoming TCP connections from the Internet.
[admin@Net4501] ip firewall rule input> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop TCP Invalid packets
in-interface=Internet connection-state=invalid action=drop log=yes
1 ;;; Drop spoofed packets
src-address=192.168.1.0/24 in-interface=Internet action=drop log=yes
2 ;;; Permit local LAN traffic
in-interface=Internal action=accept
4 ;;; Accept Internet Established
in-interface=Internet connection-state=established action=accept
5 ;;; Accept Internet Related
in-interface=Internet connection-state=related action=accept
6 ;;; Drop & log everything else
in-interface=Internet action=drop log=yes
Rule 1 drops packets with local LAN source addresses that have entered the router via the Internet interface.
You don’t need to mess with the Forward chain, as it’s already created with a default action of ‘Accept’.
It’s easier for me to post these rules in command-line format, but once you’ve entered them I’d suggest using Winbox for looking at firewall rules, as it’s far easier to understand what’s happening.
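The listing above uses the old `ip firewall rule input` syntax. The same policy in the `/ip firewall filter` form of current RouterOS is shown here as an added example; it is not part of the original post. It keeps the post’s interface names (`Internet`, `Internal`) and LAN prefix (`192.168.1.0/24`) as assumptions, and the comments are mine. The input chain only sees packets addressed to the router itself, so the final drop rule closes the transparent proxy port (8080) and every other router service to Internet hosts, which is what stops outsiders from relaying SMTP through the proxy, while client traffic that merely passes through the router is handled by the forward chain and is not affected.

```routeros
# Added example: andrew's input-chain policy in /ip firewall filter syntax.
# Assumptions: WAN interface is named "Internet", LAN interface "Internal",
# LAN prefix 192.168.1.0/24 (taken from the post above).
/ip firewall filter

# 0 - drop packets that do not belong to any tracked connection
add chain=input in-interface=Internet connection-state=invalid \
    action=drop log=yes comment="Drop invalid packets"

# 1 - drop packets arriving from the Internet that claim a LAN source address
add chain=input in-interface=Internet src-address=192.168.1.0/24 \
    action=drop log=yes comment="Drop spoofed packets"

# 2 - the LAN may talk to the router (proxy on 8080, DNS, Winbox, ...)
add chain=input in-interface=Internal action=accept \
    comment="Permit local LAN traffic"

# 4/5 - replies to connections the router itself opened are fine
add chain=input in-interface=Internet connection-state=established,related \
    action=accept comment="Accept Internet established/related"

# 6 - everything else from the Internet is new inbound traffic to the router:
#     drop it, which also hides the transparent proxy port from outside hosts
add chain=input in-interface=Internet action=drop log=yes \
    comment="Drop & log everything else"
```

Rule order matters: RouterOS evaluates filter rules top to bottom and stops at the first match, so the accept for established/related connections must sit above the final drop, exactly as in the original numbered listing.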
Well, shielder, I have a small comment on your routing scenario.
You have to know that once you use the “masquerade” action you will not be able to specify the NATing source IP; that means the field “to src addresses” is ignored.
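Putting the two points together (choosing the NAT source address explicitly, and capping each translated group at the rates shielder asked for), here is an added example configuration; it is not from the original thread. It assumes the WAN interface is called `Internet`, that the two public addresses are the `.114` and `.115` ones shown with `xxx` placeholders in the thread, and that the router runs a RouterOS version where simple queues take `target=` (older releases use `target-addresses=`).

```routeros
# Added example: explicit source NAT per subnet plus an aggregate rate cap per subnet.
# Assumptions: WAN interface "Internet"; xxx.xxx.xxx.114 / .115 are placeholders
# for the real public addresses; RouterOS v6+ simple-queue syntax.

/ip firewall nat
# src-nat (not masquerade) so to-addresses is honoured for each subnet
add chain=srcnat src-address=10.0.0.0/19  out-interface=Internet \
    action=src-nat to-addresses=xxx.xxx.xxx.114 comment="10.0.0.0/19 -> .114"
add chain=srcnat src-address=10.10.0.0/19 out-interface=Internet \
    action=src-nat to-addresses=xxx.xxx.xxx.115 comment="10.10.0.0/19 -> .115"

/queue simple
# target= is the whole subnet, so the cap applies to the group as a whole;
# individual clients inside it are not limited separately.
# max-limit is upload/download.
add name=limit-114 target=10.0.0.0/19  max-limit=512k/512k \
    comment="aggregate cap for clients NATed to .114"
add name=limit-115 target=10.10.0.0/19 max-limit=128k/128k \
    comment="aggregate cap for clients NATed to .115"
```

Because the queue targets are the private prefixes rather than the public addresses, the limit is applied before translation and does not depend on which NAT action is used; the `src-nat` rules only make the public address assignment explicit, as the comment above explains.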