Today I tried to scan my own local network (10.0.0.0/16) and found that I scanned something else as well.
/ip firewall filter
add action=accept chain=forward in-interface=vlan-16 out-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
The problem is that if I ping, for example, 10.0.12.1, it is routed to WAN. This address exists (somewhere?) and I get an echo reply.
prerouting: in:vlan-16 out:(unknown 0), src-mac bc:ae:c5:91:74:2c, proto ICMP (type 8, code 0), 10.0.16.177->10.0.12.1, len 60
prerouting: in:ether5 out:(unknown 0), src-mac 80:38:bc:0e:65:1f, proto ICMP (type 0, code 0), 10.0.12.1->xxx.xxx.xxx.xxx, len 60
How can I avoid this in future? I have ~20 VLANs in my home network; some of them are connected through IPsec, some of them have inter-VLAN routing, so I can't simply ban 10.0.0.0/16 on the WAN interface, as that filters out IPsec as well.
I tried this code, but it obviously cuts replies, not requests.
/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN ipsec-policy=in,none src-address-list=local
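One way to stop the leak at the router, as an added example that is not part of the original post: drop forward traffic whose destination is a local prefix and whose exit interface is in the WAN list, placed before the accept rule, but only when the packet is not covered by an IPsec policy. With policy-based IPsec, a packet for a remote VLAN behind a tunnel matches `ipsec-policy=out,ipsec`, so it skips the drop and still reaches the accept rule; a packet for an unreachable 10.0.x.x address has no policy, matches `out,none`, and is dropped instead of being masqueraded out to the Internet. The example assumes the address list named `local` (the post only shows it by name) covers 10.0.0.0/16, and that the IPsec setup is policy-based, as the `ipsec-policy=out,none` matcher on the masquerade rule suggests.

```routeros
# Added example, not from the original post.
# Assumptions: an address list "local" covering the home network (10.0.0.0/16 here),
# an interface list "WAN", and policy-based IPsec between the VLAN sites.
/ip firewall address-list
add list=local address=10.0.0.0/16 comment="home VLANs (assumed)"

/ip firewall filter
# Drop before accept: any forwarded packet bound for a local prefix that would leave
# via WAN without an IPsec policy is a leak. Tunnelled traffic (ipsec-policy=out,ipsec)
# does not match this rule and falls through to the accept below.
add action=drop chain=forward out-interface-list=WAN dst-address-list=local ipsec-policy=out,none log=yes log-prefix="leak-to-wan" comment="RFC1918 destination leaking to WAN"
add action=accept chain=forward in-interface=vlan-16 out-interface-list=WAN
# Same check for traffic the router itself originates (e.g. /ping or /tool traceroute run on the box).
add action=drop chain=output out-interface-list=WAN dst-address-list=local ipsec-policy=out,none comment="router-originated leak to WAN"

/ip firewall nat
# Unchanged from the post: masquerade only traffic that is not going into an IPsec policy.
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
```

On an existing router the `add` commands append at the end of each chain, so use `/ip firewall filter move` to place the drop rule above the existing accept. To check it, ping an address in 10.0.0.0/16 that belongs to no VLAN or tunnel from a host on vlan-16: the request should now produce a `leak-to-wan` entry in `/log` and no echo reply, while `/ip firewall filter print stats` shows the drop counter increasing and a ping to a VLAN behind IPsec still succeeds. The drop matches on the request, so the existing raw rule that only catches replies from WAN becomes redundant for this case but is harmless to keep.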