Why DNS servers are knocking port 5678 of pppoe-out1 interface?

Hi MikroTikers,

I discovered that DNS servers are knocking the Neighbor Discovery port (5678, UDP) of my MikroTik.
These packets are dropped by my firewall filter.

in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:xx:yy:zz, proto UDP, 193.110.56.8:53->91.xxx.yyy.zzz:5678, len 80
in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:xx:yy:zz, proto UDP, 159.148.147.229:30000->91.xxx.yyy.zzz:5678, len 60
in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:xx:yy:zz, proto UDP, 193.110.56.8:53->91.xxx.yyy.zzz:5678, len 80
in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:xx:yy:zz, proto UDP, 8.8.8.8:53->91.xxx.yyy.zzz:5678, len 80
in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:xx:yy:zz, proto UDP, 193.110.56.8:53->91.xxx.yyy.zzz:5678, len 80
in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:xx:yy:zz, proto UDP, 193.110.57.4:53->91.xxx.yyy.zzz:5678, len 80
in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:xx:yy:zz, proto UDP, 159.148.147.229:30000->91.xxx.yyy.zzz:5678, len 60
in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:xx:yy:zz, proto UDP, 1.0.0.2:53->91.xxx.yyy.zzz:5678, len 80
in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:xx:yy:zz, proto UDP, 1.1.1.2:53->91.xxx.yyy.zzz:5678, len 80

Neighbor discovery is set to none, detect-internet feature is enabled on all interfaces.
The strange thing is that the SRC-MAC address is the same in both cases and belongs to Super Micro Computer, Inc.
I could not find that MAC-address on my LAN.
Do you have any idea why they want to connect?

Update:
If I turn off detect-internet the incoming packets disappear.
The question is still open: why do the DNSs want to connect from their port 53 UDP back to my MikroTik port 5678 when detect-internet is activated?
Update2:
I found out how to utilize lists generated by detect-internet.

# Detect Internet is a tool that categorizes monitored interfaces into the following states - Internet, WAN, LAN, unknown, and no-link.
# Detected interfaces will appear under /interface/list/member/print
/interface/detect-internet/set detect-interface-list=all
/interface list add name=AUTODETECTED_INTERNET comment="INTERNET state assigned by detect-internet automatically"
/interface/detect-internet/set internet-interface-list=AUTODETECTED_INTERNET
/interface list add name=AUTODETECTED_LAN comment="LAN state assigned by detect-internet automatically"
/interface/detect-internet/set lan-interface-list=AUTODETECTED_LAN
/interface list add name=AUTODETECTED_WAN comment="WAN state assigned by detect-internet automatically"
/interface/detect-internet/set wan-interface-list=AUTODETECTED_WAN

Can you tell more real life use cases of detect-internet? :) ( the related help page doesn’t mention too much )
Is it worth using detect-internet?
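To make sense of a batch of log lines like the ones quoted above, here is a small parser I put together (added example, not from the original post or from MikroTik): it reads RouterOS firewall log lines, groups them per source address/port and destination port, labels a UDP flow from port 53 to port 5678 with connection-state new as a DNS reply whose query conntrack never saw, and measures how regularly each flow repeats. The sample lines are constructed; the "mon/dd hh:mm:ss topics action chain:" prefix is the /log format and is assumed (the post trimmed it), and the addresses are documentation ranges.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Regex for the firewall log line format quoted in the thread. The leading
# "mon/dd hh:mm:ss topics action chain:" prefix is what RouterOS /log shows;
# the post trimmed it, so requiring it here is an assumption of this example.
LINE_RE = re.compile(
    r"^(?P<ts>[a-z]{3}/\d{2} \d{2}:\d{2}:\d{2}) "
    r".*?in:(?P<iface>\S+) "
    r".*?connection-state:(?P<state>\w+) "
    r".*?proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), "
    r"len (?P<len>\d+)"
)

ND_PORT = 5678  # MikroTik neighbor discovery (MNDP) UDP port

# Constructed sample, modelled on the lines in the thread (not a real log).
SAMPLE_LOG = """\
nov/09 13:20:00 firewall,info drop input: in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:aa:bb:cc, proto UDP, 8.8.8.8:53->203.0.113.10:5678, len 80
nov/09 13:20:00 firewall,info drop input: in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:aa:bb:cc, proto UDP, 1.1.1.1:53->203.0.113.10:5678, len 80
nov/09 13:21:17 firewall,info drop input: in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:aa:bb:cc, proto UDP, 198.51.100.7:30000->203.0.113.10:5678, len 60
nov/09 13:22:00 firewall,info drop input: in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:aa:bb:cc, proto UDP, 8.8.8.8:53->203.0.113.10:5678, len 80
nov/09 13:22:00 firewall,info drop input: in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:aa:bb:cc, proto UDP, 1.1.1.1:53->203.0.113.10:5678, len 80
nov/09 13:24:00 firewall,info drop input: in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:aa:bb:cc, proto UDP, 8.8.8.8:53->203.0.113.10:5678, len 80
nov/09 13:24:00 firewall,info drop input: in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:25:90:aa:bb:cc, proto UDP, 1.1.1.1:53->203.0.113.10:5678, len 80
"""


def parse_line(line):
    """Return a dict of the fields in one firewall log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # No year in the log prefix; strptime defaults to 1900, which is fine for deltas.
    rec["ts"] = datetime.strptime(rec["ts"], "%b/%d %H:%M:%S")
    for k in ("sport", "dport", "len"):
        rec[k] = int(rec[k])
    return rec


def classify(rec):
    """Label a dropped packet aimed at the neighbor discovery port."""
    if rec["dport"] != ND_PORT:
        return "other"
    if rec["sport"] == 53 and rec["state"] == "new":
        # A resolver answering from port 53 while conntrack has no matching
        # outbound query: the reply is seen as the first packet of a new flow.
        return "dns-reply-without-tracked-query"
    return "unsolicited-to-nd-port"


def summarize(log_text):
    """Group lines per (src, sport, dport), count them and estimate their period."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            flows[(rec["src"], rec["sport"], rec["dport"])].append(rec)
    report = {}
    for key, recs in flows.items():
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {
            "count": len(recs),
            "class": classify(recs[0]),
            "period_s": statistics.median(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for (src, sport, dport), info in summarize(SAMPLE_LOG).items():
        print(f"{src}:{sport} -> :{dport}  {info['count']}x  "
              f"every {info['period_s']}s  {info['class']}")
```

With real lines exported from /log (print file=... or a remote syslog), the "period_s" column is what tells a periodic probe apart from random noise: the detect-internet replies show up at a fixed interval, while the stray port 30000 packets do not.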

We advise setting internet detect to NONE.

Thx I disabled it.
( /interface/detect-internet/set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none )

That’s your ISP’s equipment. Every packet you receive from WAN should have this source MAC Address.

Hello I just noticed the same behaviour today.
1.1.1.1 and 8.8.8.8, my current DNS servers, are trying to make a new UDP connection to port 5678.
It happens exactly every 2 minutes (120 seconds).

I have the detect internet option on as it is used by the Mikrotik Pro app to display internet speed and connections details as shown in the image that I attach.

The problem is that my current firewall configuration DROPS the incoming new connection.

Do you think I should make a rule to accept these connections only from the DNS addresses?

Thank you!
Giorgio
Screenshot_20241109-132848.png

From what you observe, I would assume that the detect internet sends the DNS requests it uses for the detection directly from the PPPoE interface, bypassing the firewall rules, whereas it lets the responses of the DNS servers reach the firewall; since the connection tracking has not seen the queries, it treats the responses as initial packets of incoming connections. Sniffing on the Ethernet interface atop which the PPPoE one is running and analysing the result using Wireshark would confirm or deny this assumption.

I added a rule to accept anything from my DNS servers, then I made a capture:

      chain=input action=accept connection-state="" src-address-list=DNSmikrotik log=yes log-prefix="accept DNSmiktorik"

/tool sniffer set file-limit=10000KiB file-name=DNSpxniff3.pcap filter-cpu="" filter-direction=any filter-dst-ip-address="" filter-dst-ipv6-address="" filter-dst-mac-address="" filter-dst-port="" filter-interface="" filter-ip-address=8.8.8.8/32,1.1.1.1/32,9.9.9.9/32 filter-ip-protocol="" filter-ipv6-address="" filter-mac-address="" filter-mac-protocol="" filter-operator-between-entries=or filter-port="" filter-src-ip-address="" filter-src-ipv6-address="" filter-src-mac-address="" filter-src-port="" filter-stream=no filter-vlan="" memory-limit=10000KiB memory-scroll=yes only-headers=no streaming-enabled=yes streaming-server=10.10.10.56:37008

My DNS servers are 8.8.8.8, 1.1.1.1 and 9.9.9.9

It looks like the detect internet function makes a query to cloud.mikrotik.com

From the result in the attached image, by tracking a single DNS ID through the capture, it seems like the query and response keep the same ID, but other queries are just query-response ending in a few seconds, while these queries are minutes long.
So at one point the port is closed and the router responds with a Destination Unreachable ICMP.

I’m not an expert though!
Schermata_20241109_154227.png
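The "track a single DNS ID through the capture" step above can be automated instead of done by eye in Wireshark. The script below is an added example (not from Giorgio's post, not MikroTik code): it builds a handful of constructed DNS messages for cloud.mikrotik.com, pairs each response with its query by transaction ID and server address, and reports the delay, flagging responses that arrive minutes after their query and responses for which no query was ever seen. Packet times, transaction IDs and addresses are invented, and the router querying from source port 5678 is an assumption drawn from the fact that the replies land on that port; with a real capture you would feed the UDP payloads and timestamps from the pcap in place of SAMPLE_PACKETS.

```python
import struct


def build_dns(txid, qname, response=False):
    """Build a minimal DNS message (header + one question) for the sample."""
    flags = 0x8180 if response else 0x0100        # QR bit set on responses
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def parse_dns(payload):
    """Return transaction ID, QR flag and the first question name of a DNS message."""
    txid, flags = struct.unpack("!HH", payload[:4])
    pos, labels = 12, []
    while True:
        ln = payload[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            # Compression pointers do not occur in the question name of a
            # freshly built query; reject rather than mis-parse.
            raise ValueError("compressed name in question section")
        labels.append(payload[pos:pos + ln].decode())
        pos += ln
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": ".".join(labels)}


# Constructed sample, not a real capture: (time_s, src_ip, sport, dst_ip, dport, udp_payload).
ROUTER = "203.0.113.10"
SAMPLE_PACKETS = [
    (0.00, ROUTER, 5678, "8.8.8.8", 53, build_dns(0x1A2B, "cloud.mikrotik.com")),
    (0.03, "8.8.8.8", 53, ROUTER, 5678, build_dns(0x1A2B, "cloud.mikrotik.com", response=True)),
    (1.00, ROUTER, 5678, "1.1.1.1", 53, build_dns(0x3C4D, "cloud.mikrotik.com")),
    (121.0, "1.1.1.1", 53, ROUTER, 5678, build_dns(0x3C4D, "cloud.mikrotik.com", response=True)),
    # A reply whose query never appeared in the capture (e.g. sent past the sniffer).
    (130.0, "9.9.9.9", 53, ROUTER, 5678, build_dns(0x5E6F, "cloud.mikrotik.com", response=True)),
]


def pair_transactions(packets, slow_after_s=5.0):
    """Match responses to queries by (txid, server ip, server port) and time them."""
    pending = {}
    results = []
    for t, src, sport, dst, dport, payload in sorted(packets, key=lambda p: p[0]):
        msg = parse_dns(payload)
        if not msg["is_response"]:
            pending[(msg["id"], dst, dport)] = (t, msg["qname"])
            continue
        key = (msg["id"], src, sport)
        if key in pending:
            t0, qname = pending.pop(key)
            rtt = t - t0
            results.append({"id": msg["id"], "server": src, "qname": qname,
                            "rtt_s": rtt, "status": "slow" if rtt > slow_after_s else "ok"})
        else:
            results.append({"id": msg["id"], "server": src, "qname": msg["qname"],
                            "rtt_s": None, "status": "orphan"})
    return results


def analyse_sample():
    return pair_transactions(SAMPLE_PACKETS)


if __name__ == "__main__":
    for r in analyse_sample():
        print(f"id=0x{r['id']:04x} {r['server']:<10} {r['qname']}  rtt={r['rtt_s']}  {r['status']}")
```

An "orphan" here is exactly the case the firewall log shows: a reply the router never had a tracked query for, so the filter sees connection-state new. A "slow" entry is the minutes-long transaction described above; by the time such a reply arrives the socket may already be gone, which is why an ICMP Destination Unreachable follows.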

Sounds like a good reason to turn it off… Maybe needed for BTH?
In any case, if a hacker can intercept your traffic and mimic being an MT cloud server, perhaps it's a good VECTOR to close down.

Not used for BTH so I turned it off.

Thank you