I'm a beginner here with MikroTik in general. I have had my RB5009 connected with 2 cAP XL ac for quite some time now, and I always try to check the logs just to make sure everything is ok with the network environment.
In the last week I get a lot of caps,info logs showing different IP addresses trying to connect through CAPsMAN, but the router is basically disconnecting them. I will add a screenshot for you to check what I mean.
I checked the IP addresses online, they are definitely malicious and I understand my router is blocking the connection, but I need to know how I can check the actual port of the person who is trying to connect, and how I can stop this. Kindly note that this is not only one IP address, but I want to show you an example of the log.
Bad actors/bots are constantly hammering ALL routers, nature of the beast. There is no point logging it and nothing you can do.
However it would not hurt to have your setup/config reviewed to ensure it's not getting special attention for some reason.
Well, the fact that the logs are written by CAPsMAN (topic caps,info) indicates that the firewall of your router is not effective. The default firewall setup would block attempts to connect to CAPsMAN through the WAN port and CAPsMAN would not even see those attempts. If there were log entries about that, they would have a different topic.
So by all means check your firewall filter config, the chain=input in particular. You may want to export settings (use /ip/firewall/export file=anynameyouwish) and post them here for peer review.
My best guess is that interfaces is set to all (is that an option), meaning the CAPsMAN service is available through the WAN interface.
Your firewall needs some improvements, you'll probably get some feedback soon.
Danger Danger: It's amazing your ISP has not blocked you yet. WELL you attract flies with honey and you lay a big fricken goose egg here:
add action=log chain=input connection-state=new dst-port=53 log-prefix="TCP 53" protocol=tcp
Inviting the whole world to use your router for DNS.
I would seriously consider unplugging the router and netinstalling to the latest firmware.
Also I don't know what you are attempting to do with this obvious non-copy and paste attempt to show firewall rules:
add action=accept chain=input comment="Admins accept " src-address-list= admins
This is not the name of the address list as indicated by the applicable post:
/ip firewall address-list
add address=10.10.10.0/24 list=**Admin**
Duplicate srcnat rules need to be cleaned up, get rid of the one in orange:
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface-list=WAN
NONSTANDARD FW rules… why did you change from defaults… you don't understand them and yet are willing to make all kinds of bloatware rules…
Here is a decent set of starter rules for you and order is important within a chain.
/ip firewall filter
# default rules to keep
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
# admin rules
add action=accept chain=input comment="Kyiv WG" dst-port=13234 protocol=udp
add action=accept chain=input comment="Dnipro WG" dst-port=13232 protocol=udp
add action=accept chain=input comment="admin access" src-address-list=Admin
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
# insert this rule here, but last of all input rules so you don't lock yourself out
add action=drop chain=input comment="drop all else"
# +++++++++++++++++++++++++ forward chain
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
NOTE1: Until we know what ports 5246 and 5247 are used for (aka if not VPN), they should not be in the config in the input chain.
NOTE2: Port forwarding rules themselves belong in the ip firewall NAT as dstnat rules!
NOTE3: Remove the raw rule.
They explicitly allow CAPsMAN access through ether1 and WAN interfaces (have to be at the same time … already this combination of rule properties indicates that whoever set these rules didn’t know what he was doing). Yes, these two ports are for CAPsMAN, read the end of this CAPsMAN manual section.
Do you still wonder why random internet hosts are trying to connect?
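As an added example (not code from anyone in this thread), a small Python linter that applies the review points made above to an exported rule set: DNS accepted on input without in-interface-list=LAN, CAPsMAN ports 5246/5247 accepted from WAN or ether1, a src-address-list that no address-list entry defines, and an input chain that does not end in a bare drop. It treats ether1 as the WAN port, as the thread does, and runs on a constructed sample export rather than the OP's real one.

```python
import re

# Constructed sample export modelled on the problems raised in this thread (not the OP's real
# export): DNS open to the world, CAPsMAN ports open on WAN/ether1, list name mismatch, no final drop.
SAMPLE_EXPORT = """\
/ip firewall address-list
add address=10.10.10.0/24 list=Admin
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=53 protocol=udp
add action=accept chain=input dst-port=5246,5247 in-interface=ether1 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Admins accept" src-address-list=admins
"""

def parse_export(text):
    rules, section = [], None  # one (section, {property: value}) pair per 'add' line
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            rules.append((section, {k: v.strip('"') for k, v in pairs}))
    return rules

def lint(rules):
    """Check parsed rules against the review points made in the thread; return findings."""
    findings = []
    lists = {r["list"] for s, r in rules if s == "/ip firewall address-list"}
    inp = [r for s, r in rules if s == "/ip firewall filter" and r.get("chain") == "input"]
    for r in inp:
        if r.get("action") != "accept":
            continue
        ports = set(r.get("dst-port", "").split(","))
        if "53" in ports and r.get("in-interface-list") != "LAN":
            findings.append("DNS (53) accepted on input without in-interface-list=LAN")
        from_wan = r.get("in-interface-list") == "WAN" or r.get("in-interface") == "ether1"
        if ports & {"5246", "5247"} and from_wan:
            findings.append("CAPsMAN ports 5246/5247 accepted from WAN/ether1")
        if r.get("src-address-list") and r["src-address-list"] not in lists:
            findings.append(f"src-address-list={r['src-address-list']} is not a defined list")
    last = inp[-1] if inp else {}  # must be a bare drop: only action/chain/comment set
    if last.get("action") != "drop" or set(last) - {"action", "chain", "comment"}:
        findings.append("input chain does not end with an unconditional drop")
    return findings
```

Run `lint(parse_export(open("export.rsc").read()))` on a real `/ip firewall export` to get the list of findings; an empty list means none of these four points applies.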
Another nail in the coffin for CAPsMAN if you ask me, if the directions are so vague or out there that this happens, it's not worth its weight in chicken feathers or whatever… argg disgusted… https://help.mikrotik.com/docs/spaces/ROS/pages/7962638/CAPsMAN
Nary a peep I could find about creating capsman input chain firewall rules??
Updated firewall
The passthrough I'm leaving till the end of the day just to check the actual log if an IP tries to connect, but after the changes I made yesterday everything seems normal, no abnormal logs or anything.
updated.rsc (1.58 KB)