Suspicious Traffic on WAN (Help with Firewall Rules RB951G)

I bought an RB951G two months ago, and I am kinda new to Mikrotik firewall rules. I am using the following rules:


/ip firewall filter
add action=accept chain=forward connection-state=established,related in-interface=WAN out-interface=Bridge
add action=accept chain=forward in-interface=Bridge out-interface=Bridge
add action=accept chain=forward in-interface=Bridge out-interface=WAN
add action=accept chain=input in-interface=Bridge
add action=accept chain=input connection-state=established,related in-interface=WAN
add action=drop chain=input log=yes
add action=drop chain=forward log=yes

but I get a lot of traffic being dropped on WAN, especially with an (unknown) interface name. The following is a sample of the DROP log:

02:40:49 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 8.8.8.8:53->192.168.0.34:5678, len 80 
02:40:58 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 104.125.75.201:443->192.168.0.34:53709, len 71 
02:41:18 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto 2, 192.168.0.20->224.0.0.1, len 28 
02:42:47 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 192.168.0.20:53->192.168.0.34:5678, len 80 
02:42:49 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 8.8.8.8:53->192.168.0.34:5678, len 80 
02:43:23 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto 2, 192.168.0.20->224.0.0.1, len 28 
02:44:47 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 192.168.0.20:53->192.168.0.34:5678, len 80 
02:44:49 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 8.8.8.8:53->192.168.0.34:5678, len 80 
02:45:28 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto 2, 192.168.0.20->224.0.0.1, len 28 
02:46:47 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 192.168.0.20:53->192.168.0.34:5678, len 80 
02:46:49 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 8.8.8.8:53->192.168.0.34:5678, len 80 
02:47:33 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto 2, 192.168.0.20->224.0.0.1, len 28 
02:48:47 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 192.168.0.20:53->192.168.0.34:5678, len 80 
02:48:49 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 8.8.8.8:53->192.168.0.34:5678, len 80 
02:48:57 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,PSH), 104.125.75.201:443->192.168.0.34:53710, len 71 
02:49:00 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 192.168.0.20:67->192.168.0.34:68, len 328 
02:49:38 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto 2, 192.168.0.20->224.0.0.1, len 28 
02:50:47 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 192.168.0.20:53->192.168.0.34:5678, len 80 
02:50:49 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 8.8.8.8:53->192.168.0.34:5678, len 80 
02:51:43 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto 2, 192.168.0.20->224.0.0.1, len 28 
02:52:47 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 192.168.0.20:53->192.168.0.34:5678, len 80 
02:52:49 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 8.8.8.8:53->192.168.0.34:5678, len 80 
02:53:48 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto 2, 192.168.0.20->224.0.0.1, len 28 
02:54:47 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 192.168.0.20:53->192.168.0.34:5678, len 80 
02:54:49 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 8.8.8.8:53->192.168.0.34:5678, len 80 
02:55:53 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto 2, 192.168.0.20->224.0.0.1, len 28 
02:56:47 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 192.168.0.20:53->192.168.0.34:5678, len 80 
02:56:49 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 8.8.8.8:53->192.168.0.34:5678, len 80 
02:57:58 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto 2, 192.168.0.20->224.0.0.1, len 28 
02:58:38 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 157.240.20.38:443->192.168.0.34:37152, len 91 
02:58:44 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 157.240.20.35:443->192.168.0.34:47956, len 91 
02:58:47 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 192.168.0.20:53->192.168.0.34:5678, len 80 
02:58:49 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 8.8.8.8:53->192.168.0.34:5678, len 80 
02:58:49 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 157.240.20.19:443->192.168.0.34:52966, len 91 
02:58:52 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 157.240.20.15:443->192.168.0.34:46552, len 91 
02:58:58 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 157.240.20.19:443->192.168.0.34:52965, len 91 
02:59:00 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 157.240.20.38:443->192.168.0.34:37152, len 91 
02:59:13 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 157.240.20.35:443->192.168.0.34:47956, len 91 
02:59:17 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 157.240.20.19:443->192.168.0.34:52966, len 91 
02:59:37 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 37.237.96.210:443->192.168.0.34:52936, len 91 
02:59:43 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 37.237.96.209:443->192.168.0.34:50773, len 91 
02:59:43 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 37.237.96.209:443->192.168.0.34:50774, len 91 
02:59:59 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 37.237.96.210:443->192.168.0.34:52936, len 91 
03:00:03 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto 2, 192.168.0.20->224.0.0.1, len 28 
03:00:13 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 37.237.96.209:443->192.168.0.34:59172, len 83 
03:00:47 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 192.168.0.20:53->192.168.0.34:5678, len 80 
03:00:49 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 8.8.8.8:53->192.168.0.34:5678, len 80 
03:00:50 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 157.240.20.15:443->192.168.0.34:35004, len 83

I get internet service through a Nanostation whose LAN port is connected to the WAN port (ether1) on the Mikrotik RB951G:
ISP > Nanostation > RB951G > My PC

Nanostation IP address is 192.168.0.20
Nanostation LAN MAC is dc:9f:db:39:7d:cb
Mikrotik WAN IP address is 192.168.0.34
Mikrotik LAN IP address is 10.11.12.1


Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                 TYPE       ACTUAL-MTU L2MTU
 0  RS   ether2            ether            1500  1598
 1  RS   ether3            ether            1500  1598
 2  S    ether4            ether            1500  1598
 3  S    ether5            ether            1500  1598
 4  R    WAN               ether            1500  1598
 5  RS   Wireless          wlan             1500  1600
 6  R    Bridge            bridge           1500  1598

Would you please help me figure out why I have so much traffic being dropped? Also, what is out:(unknown 0)? Am I supposed to have an interface called unknown??

Anyone? HELP!!!

You can allow established & related without any other conditions; there's no need to limit it by interface or anything. It should be the very first rule in each chain, because it will match most packets. Then you might try to add:

/ip firewall filter
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid

right after accepting established & related, and it will probably take care of at least some of the packets you’re seeing.

It's true that some of that traffic looks suspicious, e.g. what looks like replies from a DNS server, but coming to the same port 5678. I don't know what RouterOS version you have, but a quick test with mine shows random source ports used for DNS queries.

And don't worry about "unknown 0" in input. It's input; it doesn't have an outgoing interface.

I was thinking maybe he was missing NAT/masq rules, or a misconfig there.

I have tried your suggestion, but the same kind of traffic is still being dropped. By the way, the RouterOS I am using is the latest one, v6.42.4.

The following is the NAT rule I am using, is it correct?

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN

This is a common masquerade rule for many routers, and it will work for normal LAN/WAN NAT.

I don't want to explicitly say whether it is correct, because there are many ways to set it up, and it may be correct for one purpose but incorrect for another purpose.

Your dropped traffic (at least the traffic you are showing in the first post) does not seem suspicious at all. It looks like normal responses; for example, I can see a response from Google DNS…

It seems you are missing:

/ip firewall filter 
add action=accept chain=forward connection-state=established,related

This will accept responses for your existing connections, which you initiated.
Or maybe you placed some drop/reject rule before this?
Usually, the default config comes with basic but reasonably secure firewall rules. If you change this, it is hard to guess what could be wrong. Can you publish the whole /ip firewall export?

EDIT: I just realized your original list of firewalled connections is on the INPUT chain instead of "forward". That is weird. What is the IP address of your device? (/ip address print)
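As an added example (editor's code, not something posted in this thread or shipped by MikroTik), the following Python script parses log lines of the shape the original poster pasted and sorts each dropped packet into the buckets the two replies above describe: IGMP chatter from the upstream box, DHCP renewals of the router's dynamic WAN lease, DNS answers that connection tracking did not match, and late FIN/ACK segments of sessions that have already been torn down. The bucket names and classification rules are my own. The sample is constructed: the first four lines copy the shape of entries from the thread (router WAN IP 192.168.0.34 taken from the /ip address print), and the fifth line is made up, a SYN to port 22 from 203.0.113.7 (a TEST-NET-3 address), so that a genuinely unsolicited packet can be seen next to the noise.

```python
import re
from collections import Counter

# Constructed sample in the format RouterOS writes for a filter rule with log=yes.
# The first four lines copy the shape of entries posted in this thread; the last
# line is made up (203.0.113.7 is a TEST-NET-3 address) to show what a genuinely
# unsolicited packet looks like next to the harmless noise.
SAMPLE_LOG = """\
02:40:49 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 8.8.8.8:53->192.168.0.34:5678, len 80
02:40:58 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (ACK,FIN,PSH), 104.125.75.201:443->192.168.0.34:53709, len 71
02:41:18 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto 2, 192.168.0.20->224.0.0.1, len 28
02:49:00 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto UDP, 192.168.0.20:67->192.168.0.34:68, len 328
02:49:05 firewall,info input: in:WAN out:(unknown 0), src-mac dc:9f:db:39:7d:cb, proto TCP (SYN), 203.0.113.7:41234->192.168.0.34:22, len 60
"""

ROUTER_WAN_IP = "192.168.0.34"   # assumption: taken from the thread's /ip address print

# "out:(unknown 0)" is not an interface: a packet in the input chain terminates at
# the router itself, so there is no outgoing interface to name.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,\w+ (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\([^)]*\)|\S+), "
    r"(?:src-mac (?P<mac>[0-9a-f:]{17}), )?"
    r"proto (?P<proto>[A-Z]+|\d+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<length>\d+)\s*$"
)


def parse(line):
    """Return a dict of fields for one log line, or None if it is not a firewall entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = m.groupdict()
    for k in ("sport", "dport", "length"):
        p[k] = int(p[k]) if p[k] is not None else None
    p["flags"] = set(p["flags"].split(",")) if p["flags"] else set()
    return p


def classify(p, router_ip=ROUTER_WAN_IP):
    """Bucket names are my own; each comment says why the bucket is (or is not) noise."""
    proto, flags = p["proto"], p["flags"]
    if proto == "2" and p["dst"].startswith("224.0.0."):
        # IGMP (protocol 2) membership query to the all-hosts group from the upstream box.
        return "igmp-query-from-upstream"
    if proto == "UDP" and p["sport"] == 67 and p["dport"] == 68:
        # DHCP server -> client: the WAN address is a dynamic lease, so renewals land here.
        return "dhcp-reply-to-router"
    if proto == "UDP" and p["sport"] == 53 and p["dst"] == router_ip:
        # A DNS answer that conntrack did not match (otherwise the established/related
        # rule would have taken it). Whether the query came from the router itself or
        # from a masqueraded LAN host cannot be told from the line alone; the repeated
        # destination port is what the first reply suggested checking.
        return "dns-reply-no-conntrack"
    if proto == "TCP" and "SYN" not in flags and p["dst"] == router_ip:
        # FIN/ACK/PSH segments addressed to the router's own WAN IP: the masqueraded
        # session they belonged to is already gone from conntrack, so they cannot be
        # de-NATed and fall through to input. This is the "invalid" noise.
        return "stale-tcp-after-session-close"
    if proto == "TCP" and flags == {"SYN"}:
        # A fresh connection attempt that nobody on the inside asked for.
        return "unsolicited-new-connection"
    return "unclassified"


def triage(log_text, router_ip=ROUTER_WAN_IP):
    """Parse every line, attach a verdict to each entry, and count verdicts."""
    events, counts = [], Counter()
    for line in log_text.splitlines():
        p = parse(line)
        if p is None:
            continue
        p["verdict"] = classify(p, router_ip)
        events.append(p)
        counts[p["verdict"]] += 1
    return events, counts


def worth_a_look(events):
    """Only the entries not explained by connection tracking or upstream chatter."""
    return [e for e in events if e["verdict"] in ("unsolicited-new-connection", "unclassified")]


if __name__ == "__main__":
    evs, cnt = triage(SAMPLE_LOG)
    for verdict, n in cnt.most_common():
        print(f"{n:3d}  {verdict}")
    for e in worth_a_look(evs):
        print("LOOK:", e["time"], e["proto"], f'{e["src"]}:{e["sport"]}',
              "->", f'{e["dst"]}:{e["dport"]}', sorted(e["flags"]))
```

Run it against a longer capture (`/log print` output saved to a file) by replacing SAMPLE_LOG; the counts make it obvious whether the bulk of the drops is conntrack leftovers, as the replies argue, while worth_a_look() leaves only the entries that actually deserve a closer look.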

@vecernik87

ip address print

Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE
 0   10.11.12.1/24      10.11.12.0      Bridge
 1 D 192.168.0.34/24    192.168.0.0     WAN

ip firewall export

/ip firewall filter
add action=accept chain=forward connection-state=established,related in-interface=WAN out-interface=Bridge
add action=accept chain=forward in-interface=Bridge out-interface=Bridge
add action=accept chain=forward in-interface=Bridge out-interface=WAN
add action=accept chain=input in-interface=Bridge
add action=accept chain=input connection-state=established,related in-interface=WAN
add action=drop chain=input log=yes
add action=drop chain=forward log=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes