Community discussions

MikroTik App
 
pavlo
just joined
Topic Author
Posts: 14
Joined: Fri Apr 15, 2016 5:05 pm

53 port incoming connection

Sun May 29, 2016 10:53 am

Hello

I have Mikrotik RB951UI-2HND router. In firewall I see a lot of incoming connections to port 53. Firefox becomes slow responsive (few seconds to change router interface tab) when connections number more than 1000. What could cause such a lot connections number? Should I block incoming UDP to port 53 and how to do this?
You do not have the required permissions to view the files attached to this post.
 
jarda
Forum Guru
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Tue May 31, 2016 7:10 pm

You should put correct wan interface into rule 3.
 
pe1chl
Forum Guru
Forum Guru
Posts: 6325
Joined: Mon Jun 08, 2015 12:09 pm

Re: 53 port incoming connection

Tue May 31, 2016 8:01 pm

Will MikroTik ever fix the default firewall? It should be obvious that it is dangerous...
 
User avatar
acald3ron
just joined
Posts: 18
Joined: Tue Jan 06, 2015 8:26 am
Location: Rosarito, México
Contact:

Re: 53 port incoming connection

Tue May 31, 2016 8:28 pm

Do a address list so that certain networks used the DNS cache of mikrotik.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: 53 port incoming connection

Tue May 31, 2016 9:09 pm

I think they need to make the out-of-the-box configuration use the interface-groups feature once it's been integrated into Winbox and Webfig.

Then it would be trivial to include a disabled pppoe1-out interface in the configuration, and have it already added to the WAN-interfaces group by default. All default rules could thus be written to use the interface groups instead of the interfaces themselves, and then it would be a lot easier to move configurations around inside the router w/o having to touch the firewall policy.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
pavlo
just joined
Topic Author
Posts: 14
Joined: Fri Apr 15, 2016 5:05 pm

Re: 53 port incoming connection

Sat Jun 04, 2016 10:03 pm

jarda - Thanks I see now what you mean. Nevertheless this should solve problem with port 53, I cannot do that, because connect to my LAN from world (RDP mostly, or VPN sometimes). Instead I add new rule and it closed 53 port.

pe1chl - yes right. Looks like it much more secured to get closed equipment by default, and open services when user need them. By the way. My router default password was empty. And it could be fine to setup internet from LAN. I have few absolutely trusted computers in my LAN. But I was surprised when was able to login to my router web UI from WAN with same empty password, and this could lead to easy hacker access to LAN from world.

acald3ron - not sure understand right. Why should I give access to router's DNS cache?

Have to say I like hardware part, and web UI works good (just hangs on large connections number). But router lacks some simple guides to make secured preset, and default setup not secure.
You do not have the required permissions to view the files attached to this post.
 
jarda
Forum Guru
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Sun Jun 05, 2016 9:43 am

Closing only the port 53 leaves all others open. Do you feel secure in this case?
 
User avatar
dgnevans
Member
Member
Posts: 463
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: 53 port incoming connection

Sun Jun 05, 2016 7:03 pm

Best practice only open the ports your require. Close all others.
 
pavlo
just joined
Topic Author
Posts: 14
Joined: Fri Apr 15, 2016 5:05 pm

Re: 53 port incoming connection

Sun Jun 12, 2016 2:06 pm

Right. Actually just not have enough free time to dive in this stuff. I will try to close all ports. But will need few ports open. How should I setup on Mikrotik web UI? Should I close all and after that create accept rule for port I need? This mean I will have few rules, and one of them close port, and other will open... What rule will take over?
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: 53 port incoming connection

Thu Jun 16, 2016 2:51 am

Right. Actually just not have enough free time to dive in this stuff. I will try to close all ports. But will need few ports open. How should I setup on Mikrotik web UI? Should I close all and after that create accept rule for port I need? This mean I will have few rules, and one of them close port, and other will open... What rule will take over?
Rules are processed in order, first to last, and the first one that matches is the action taken.

So - to close all but a few ports:
Accept rules for things you want to allow
Then a simple rule with no criteria and action = drop

Things you want to accept:
(Separate rules for each)
Connection state= established, related
ICMP
in-interface=LAN
Ports for allowed services from WAN
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
User avatar
dgnevans
Member
Member
Posts: 463
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: 53 port incoming connection

Fri Jun 17, 2016 8:50 pm

we can give you examples of working setups if it helps. 
 
pavlo
just joined
Topic Author
Posts: 14
Joined: Fri Apr 15, 2016 5:05 pm

Re: 53 port incoming connection

Sun Aug 28, 2016 4:33 pm

How to change rules order? I tried to pick up accept rules but not find this feature.
 
pe1chl
Forum Guru
Forum Guru
Posts: 6325
Joined: Mon Jun 08, 2015 12:09 pm

Re: 53 port incoming connection

Sun Aug 28, 2016 5:46 pm

You can just drag them up and down using the mouse. It is also possible to do it in textmode but it requires first listing the
rules with their number and then using a command to move them.
 
Paternot
Long time Member
Long time Member
Posts: 645
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: 53 port incoming connection

Sun Aug 28, 2016 5:51 pm

Will MikroTik ever fix the default firewall? It should be obvious that it is dangerous...
As I understand, the routers with "WAN" and "LAN" marked ports (marked on the outside of the router) have a default config wich is quite secure: they drop every new incoming connection to the WAN port, and come with NAT enabled.

The routers that aren't for SOHO (the ones without outside WAN/LAN marks on the ports) don't have firewall enabled.
 
pe1chl
Forum Guru
Forum Guru
Posts: 6325
Joined: Mon Jun 08, 2015 12:09 pm

Re: 53 port incoming connection

Sun Aug 28, 2016 5:57 pm

No, the problem mainly occurs when people add PPPoE configuration and don't change the WAN interface from
ether1-gateway to their newly added PPPoE interface, which is now the WAN interface.

It would work okay when they used the wizard to configure the router, but instead they seem to prefer using
Youtube movies that unfortunately are wrong.

However, it could be fixed by MikroTik by switching to a default-deny policy in the firewall and have an explicit
allow for traffic from the LAN, instead of relying on a specific deny for traffic from the WAN.
 
Paternot
Long time Member
Long time Member
Posts: 645
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: 53 port incoming connection

Mon Aug 29, 2016 2:29 am

No, the problem mainly occurs when people add PPPoE configuration and don't change the WAN interface from
ether1-gateway to their newly added PPPoE interface, which is now the WAN interface.
Ah, that makes sense. Didn't remember this one. True, that one would be wide open.
 
User avatar
danial898
just joined
Posts: 16
Joined: Tue Dec 30, 2014 4:54 pm
Location: United Arab Emirates
Contact:

Re: 53 port incoming connection

Mon Aug 29, 2016 8:27 am

jarda - Thanks I see now what you mean. Nevertheless this should solve problem with port 53, I cannot do that, because connect to my LAN from world (RDP mostly, or VPN sometimes). Instead I add new rule and it closed 53 port.

pe1chl - yes right. Looks like it much more secured to get closed equipment by default, and open services when user need them. By the way. My router default password was empty. And it could be fine to setup internet from LAN. I have few absolutely trusted computers in my LAN. But I was surprised when was able to login to my router web UI from WAN with same empty password, and this could lead to easy hacker access to LAN from world.

acald3ron - not sure understand right. Why should I give access to router's DNS cache?

Have to say I like hardware part, and web UI works good (just hangs on large connections number). But router lacks some simple guides to make secured preset, and default setup not secure.
hi
your problem "DNS attacke"

/ip firewall filter
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
pppoe-out1 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
pppoe-out1 protocol=tcp
Mikrotik Certified Consultant
[ MTCNA , MTCRE , MTCTCE , MTCUME , MTCWE , MTCINE , MTCIPv6E ]
 
pe1chl
Forum Guru
Forum Guru
Posts: 6325
Joined: Mon Jun 08, 2015 12:09 pm

Re: 53 port incoming connection

Mon Aug 29, 2016 11:47 am

/ip firewall filter
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
pppoe-out1 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
pppoe-out1 protocol=tcp
Not the best solution! Explained many times before.
 
pavlo
just joined
Topic Author
Posts: 14
Joined: Fri Apr 15, 2016 5:05 pm

Re: 53 port incoming connection

Tue Aug 30, 2016 5:41 pm

Hi

(2) pe1chl Thanks. Drag and drop worked for me.

As about youtube video suggestions... Well I would say It would be no reason to watch videos, if manuals would be more friendly. Let me explain. Of course first thing I did I checked router manual when take it out of the box. Do you know what I found there? Just one sheet of paper... But I thought, in 21 century it could be ok to find online manual.

Though please let me know what you feel about user interface? Is it intuitive? Why should I post on forum to know that rules can be dragged? Or I should check manual either? It is very easy to add few buttons for up, down and so. I have to say the software of router great, but UI... One more thing I struggled yesterday - how to save log file. There is no button on log page "Save". I used web UI and also installed winbox. And really I found youtube video, where I found: have to enter command line, save there file, after that come to files menu and save to my PC ... It is pity that I not find it in manual, or google better index youtube... I do not know.

I asked here on forum what to do if I need two incoming connections on router http://forum.mikrotik.com/viewtopic.php ... 60#p553760. I get just one very short answer and it point to manual ... but same manual states something different. What should I trust?

One more thing to add. If router come without default security rules it should be first that user see with big red letters!

May be I wrong somewhere, but it is obvious that software often just not clear and friendly. And such thing all the time.

I like router hardware part. I like it have many good software features, but it would be better to update manual and UI. Also it could be good if google index will point to some frequent use case articles from mikrotik team.

Thanks.
 
Eduardo
newbie
Posts: 45
Joined: Thu Aug 18, 2016 12:20 pm

Re:

Tue Aug 30, 2016 5:41 pm

You should put correct wan interface into rule 3.
Can you please explain why ether1 is not the correct one?
 
Eduardo
newbie
Posts: 45
Joined: Thu Aug 18, 2016 12:20 pm

Re: 53 port incoming connection

Tue Aug 30, 2016 5:43 pm

Things you want to accept:
in-interface=LAN
What do you mean with this?

Thanks for helping.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: 53 port incoming connection

Tue Aug 30, 2016 6:01 pm

Things you want to accept:
in-interface=LAN
What do you mean with this?
This is so that you'll be able to access the router from inside your own network. If you don't put such a rule, then a default-deny rule at the end of the input chain would also block management from the LAN interface as well.

Basically, whatever interface is your LAN interface, you'd put that interface in the rule. (whether it's bridge-local, ether2-local-master, etc....)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
Eduardo
newbie
Posts: 45
Joined: Thu Aug 18, 2016 12:20 pm

Re: 53 port incoming connection

Tue Aug 30, 2016 11:15 pm

This is so that you'll be able to access the router from inside your own network. If you don't put such a rule, then a default-deny rule at the end of the input chain would also block management from the LAN interface as well.
Thanks. So where in my firewall rules on http://forum.mikrotik.com/viewtopic.php?f=13&t=111378 is this?
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: 53 port incoming connection

Tue Aug 30, 2016 11:47 pm

That's rules 1 and 2 in your list.
1 is the fasttrack version (I didn't mention fasttrack in this thread)
2 is the non-fasttrack version. Some connecitons/protocols don't support fasttrack, so rule 2 gives the "regular" version of the same rule.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
User avatar
danial898
just joined
Posts: 16
Joined: Tue Dec 30, 2014 4:54 pm
Location: United Arab Emirates
Contact:

Re: 53 port incoming connection

Wed Aug 31, 2016 9:22 am

/ip firewall filter
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
pppoe-out1 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
pppoe-out1 protocol=tcp
Not the best solution! Explained many times before.
what is best solution for "DNS Attacke" ?
Mikrotik Certified Consultant
[ MTCNA , MTCRE , MTCTCE , MTCUME , MTCWE , MTCINE , MTCIPv6E ]
 
pe1chl
Forum Guru
Forum Guru
Posts: 6325
Joined: Mon Jun 08, 2015 12:09 pm

Re: 53 port incoming connection

Wed Aug 31, 2016 10:54 am

what is best solution for "DNS Attacke" ?
The best solution is to focus on security in general, not "attack by attack".
 
jarda
Forum Guru
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Re: 53 port incoming connection

Mon Sep 12, 2016 6:08 pm

... And by result unconditionally drop everything that touches the router and is not explicitly allowed.

Who is online

Users browsing this forum: ehbowen, oe5nip and 106 guests