Hello guys.
I'm having a bit of trouble blocking port scanning within my local network.
I use HOTSPOT within a local network, and I would like to prevent a client within this network from scanning another client. Aside from preventing it, I would also like to block that IP for a few days.
Many rules I found on the Internet are not working when I apply them to my Routerboard 6.42.6.
Does anyone have any tips to prevent this?
Some rules I've tried that did not work:
First rule sequence I tried to apply
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
Various combinations of TCP flags can also indicate port scanner activity.
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
Then you can drop those IPs:
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
Second rule sequence that I tried to apply
/ip firewall filter
add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list="PortScanner Block" address-list-timeout=4w2d log=no log-prefix=""
add chain=input action=drop src-address-list="PortScanner Block" log=no log-prefix=""
add chain=forward action=drop src-address-list="PortScanner Block" log=no log-prefix=""
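Added example for the client-to-client case described in the post (not the poster's rules): a scan from one hotspot client to another is routed traffic, so the detection rules must sit in the forward chain, not only in input. The hotspot subnet 10.5.50.0/24 and the list name hotspot-clients are constructed values; the 3d timeout matches the "few days" block the post asks for.

```routeros
# Added example, not from the original post. Assumes RouterOS 6.x syntax
# and a constructed hotspot client subnet 10.5.50.0/24.
/ip firewall address-list
add list=hotspot-clients address=10.5.50.0/24 comment="constructed example subnet"

/ip firewall filter
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
# 21,3s,3,1 flags a source that probes enough distinct ports within 3 seconds.
# Matching in forward catches client-to-client scans; input only sees traffic to the router.
add chain=forward protocol=tcp src-address-list=hotspot-clients dst-address-list=hotspot-clients psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=3d comment="client-to-client TCP scan" log=yes log-prefix="PSD"
# psd also scores UDP probes, so cover UDP scans between clients as well.
add chain=forward protocol=udp src-address-list=hotspot-clients dst-address-list=hotspot-clients psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=3d comment="client-to-client UDP scan" log=yes log-prefix="PSD"
# Flag combinations that never occur in legitimate TCP sessions, checked in forward too.
add chain=forward protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=3d comment="SYN/FIN between clients"
add chain=forward protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=3d comment="NULL scan between clients"
# Drop listed sources for the lifetime of the list entry. Place these rules above
# any accept rules in both chains so the block applies to client-to-client,
# outbound and router-bound traffic alike.
add chain=forward src-address-list="port scanners" action=drop comment="drop listed scanners (forward)"
add chain=input src-address-list="port scanners" action=drop comment="drop listed scanners (input)"
```

Clients that share one bridge or one wireless interface reach each other at layer 2 without passing the IP firewall at all, so these rules only see that traffic if bridged frames are sent through the IP firewall (/interface bridge settings set use-ip-firewall=yes) or the clients are isolated on the wireless interface (default-forwarding=no).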