abi
just joined
Topic Author
Posts: 17
Joined: Mon Nov 04, 2019 4:08 pm

Local address is routed to WAN and something is replying.

Mon Jul 12, 2021 12:32 am

Hello,
today I tried to scan my own local network (10.0.0.0/16) and found that I scanned something else as well.
/ip firewall filter
add action=accept chain=forward in-interface=vlan-16 out-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
Here is a rather boring part of the firewall rules: I have a vlan_16 subnet (10.0.16.0/24) that can access the internet, but not other vlans.
The problem is that if I ping, for example, 10.0.12.1, it's routed to WAN. This address exists (somewhere?) and I get an echo reply.
prerouting: in:vlan-16 out:(unknown 0), src-mac bc:ae:c5:91:74:2c, proto ICMP (type 8, code 0), 10.0.16.177->10.0.12.1, len 60
prerouting: in:ether5 out:(unknown 0), src-mac 80:38:bc:0e:65:1f, proto ICMP (type 0, code 0), 10.0.12.1->xxx.xxx.xxx.xxx, len 60
xxx.xxx.xxx.xxx is my external IPv4 address and ether5 is the WAN interface. The problem is that I've scanned 10.0.0.0/16 and got a lot of data, so I'm scared that this can trigger an IDS somewhere. =/ I never saw any firewall rule examples to prevent this behavior.

How can I avoid this in the future? I have ~20 vlans in my home network; some of them are connected through ipsec, some of them have inter-vlan routing, so I can't simply ban 10.0.0.0/16 on the WAN interface as I would filter out ipsec as well.

I tried this code, but it obviously cuts replies, not requests.
/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN ipsec-policy=in,none src-address-list=local
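The leak described in the post happens because a packet for an unused 10.0.x.0/24 has no more specific route, follows the default route, and is masqueraded out of WAN, where some host on the Internet answers it. The raw rule above cannot stop that, since at prerouting the router does not yet know the packet is going to leave via WAN. The following is an added example, not the poster's configuration: it uses the same ipsec-policy=out,none matcher as the poster's masquerade rule so that VLANs reached over IPsec keep working, and assumes the interface list "WAN" from the post plus an address list name "rfc1918" chosen here.

```routeros
# Added example (not from the original post): drop non-IPsec traffic to
# RFC1918 destinations before it can be masqueraded out of WAN.
# Assumptions: interface list "WAN" exists (as in the post); the address
# list name "rfc1918" is chosen here. place-before=0 puts the drop rule at
# the top of the filter table, above the "accept ... out-interface-list=WAN"
# rule, because filter rules are evaluated in order.

/ip firewall address-list
add list=rfc1918 address=10.0.0.0/8 comment="RFC1918 private space"
add list=rfc1918 address=172.16.0.0/12 comment="RFC1918 private space"
add list=rfc1918 address=192.168.0.0/16 comment="RFC1918 private space"

/ip firewall filter
# ipsec-policy=out,none matches only packets NOT covered by an IPsec
# policy, so inter-VLAN traffic that rides a policy-based IPsec tunnel to a
# remote 10.0.x.0/24 is left alone. Anything else addressed to a private
# prefix but about to leave via WAN is logged (so leaks can be reviewed
# in /log) and dropped in the forward chain.
add chain=forward action=drop out-interface-list=WAN dst-address-list=rfc1918 ipsec-policy=out,none log=yes log-prefix="rfc1918-leak" comment="drop private destinations leaking to WAN" place-before=0

# Verification after applying: ping an unused local subnet from vlan-16,
# then check that the counter increases and the hit was logged.
/ip firewall filter print stats where comment~"leaking to WAN"
/log print where message~"rfc1918-leak"
```

With this rule in place a scan of 10.0.0.0/16 from a VLAN only reaches subnets that actually exist locally or behind IPsec; probes for the rest are dropped on the router instead of being answered from the Internet.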
