angboontiong
Forum Guru
Topic Author
Posts: 1115
Joined: Fri Jan 16, 2009 9:59 am

why the ip can pass through all mikrotik firewall...

Fri Aug 02, 2019 5:55 pm

Hi, my MikroTik version is 6.43.8.
I have a MikroTik as PPPoE server and the WAN is 192.168.1.x/24. The PPPoE pool is 10.5.255.x/15.

I am facing a very weird thing: the customer router LAN DHCP is 192.168.100.x/24.

But I keep receiving the following log from many customers:

The surprising thing is, the 192.168.1.x/24 network is not from my network at all.
I have used the filter to filter this, but it still can pass through...

22:42:18 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:42:28 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:43:08 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:43:18 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:43:28 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:44:08 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:44:19 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:44:29 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:45:08 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:45:19 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:45:29 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:46:08 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:46:19 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
 
Sob
Forum Guru
Posts: 5026
Joined: Mon Apr 20, 2009 9:11 pm

Re: why the ip can pass through all mikrotik firewall...

Fri Aug 02, 2019 6:06 pm

Something in the customer's network is trying to access SNMP on 192.168.1.101. It could be, for example, some printer monitoring software on someone's laptop, configured for a device in their home network (other than this one). So when they are in this network, it's a non-local address and packets are simply sent to the default gateway. And because their router doesn't filter outgoing traffic to private subnets (that's pretty common), it reaches your router.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
angboontiong
Forum Guru
Topic Author
Posts: 1115
Joined: Fri Jan 16, 2009 9:59 am

Re: why the ip can pass through all mikrotik firewall...

Fri Aug 02, 2019 7:20 pm

Sob wrote:
> Something in the customer's network is trying to access SNMP on 192.168.1.101. It could be, for example, some printer monitoring software on someone's laptop, configured for a device in their home network (other than this one). So when they are in this network, it's a non-local address and packets are simply sent to the default gateway. And because their router doesn't filter outgoing traffic to private subnets (that's pretty common), it reaches your router.

There is another MikroTik on top of this PPPoE MikroTik acting as a load balancer.
From the load balancer you can see the traffic is from a public IP; it bypasses the load balancer, then bypasses the PPPoE MikroTik, and then bypasses the WiFi router as well.

Something is not right, I feel, but I have no idea how to solve this, as both MikroTik firewalls cannot filter this IP range.
 
flynno
Member Candidate
Posts: 247
Joined: Wed Aug 27, 2014 8:11 pm

Re: why the ip can pass through all mikrotik firewall...

Sat Aug 03, 2019 3:24 pm

Set PPPoE to the WAN interface and ether1 to LAN if it's an SXT device you are using.

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet

/ip firewall filter
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN log=yes log-prefix=!public_from_LAN out-interface-list=!LAN
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
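As an added illustration (not code from the thread or from MikroTik), the following Python script replays the log lines from the first post against the two forward-chain drop rules above, so you can see which rule would catch the SNMP packets Sob describes and which direction each rule covers. It assumes the interface-list membership that fits the original poster's setup: the customer-facing PPPoE interfaces are in the LAN list and ether2 (the 192.168.1.x uplink) is in the WAN list. The first two sample lines are copied in shape from the thread; the last two are constructed (a WAN-side reply and a packet to a made-up public address) to exercise the other rule and the fall-through case.

```python
import ipaddress
import re

# The not_in_internet address list exactly as posted in flynno's configuration.
NOT_IN_INTERNET = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8",
    "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4", "198.18.0.0/15",
    "192.0.0.0/24", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "100.64.0.0/10", "240.0.0.0/4", "192.88.99.0/24",
)]

# Constructed sample input. Lines 1-2 follow the shape of the thread's log;
# lines 3-4 are made up: a WAN-side reply and a packet to an invented public IP.
SAMPLE_LOG = """\
22:42:18 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:42:28 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:49672->192.168.1.101:161, len 106
22:42:50 firewall,info forward: in:ether2 out:<pppoe>, src-mac xx:xx:xx:aa:bb:cc, proto UDP, 192.168.1.101:161->10.5.255.209:49672, len 90
22:43:00 firewall,info forward: in:<pppoe> out:ether2, src-mac xx:xx:xx:85:86:12, proto UDP, 10.5.255.209:51000->11.22.33.44:53, len 70
"""

# Assumed interface-list membership (not stated in the thread): PPPoE client
# interfaces belong to LAN, ether2 belongs to WAN, anything else is unlisted.
def interface_list_of(iface):
    if iface.startswith("pppoe"):
        return "LAN"
    if iface == "ether2":
        return "WAN"
    return None

# Matches the RouterOS firewall log format shown in the thread.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<chain>\w+): "
    r"in:(?P<in>\S+) out:(?P<out>\S+), (?:src-mac \S+, )?"
    r"proto (?P<proto>\w+), (?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

def parse_log_line(line):
    """Parse one firewall log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # Dynamic interfaces are logged in angle brackets, e.g. <pppoe-user>.
    d["in"] = d["in"].strip("<>")
    d["out"] = d["out"].strip("<>")
    for key in ("sport", "dport", "len"):
        d[key] = int(d[key])
    return d

def is_not_in_internet(ip):
    """True if the address falls inside any prefix of the not_in_internet list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NOT_IN_INTERNET)

def evaluate_forward(pkt):
    """Apply the two posted forward-chain drop rules in order.

    Returns the log-prefix of the first matching rule, or None when neither
    matches (the packet would continue to whatever rules follow)."""
    in_list = interface_list_of(pkt["in"])
    out_list = interface_list_of(pkt["out"])
    # Rule 1: in-interface-list=LAN out-interface-list=!LAN dst-address-list=not_in_internet
    if in_list == "LAN" and out_list != "LAN" and is_not_in_internet(pkt["dst"]):
        return "!public_from_LAN"
    # Rule 2: in-interface-list=WAN src-address-list=not_in_internet
    if in_list == "WAN" and is_not_in_internet(pkt["src"]):
        return "!public"
    return None

def audit_log(text):
    """Parse every forward-chain line and attach the verdict of the posted rules."""
    results = []
    for line in text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None or pkt["chain"] != "forward":
            continue
        results.append({**pkt, "verdict": evaluate_forward(pkt)})
    return results

if __name__ == "__main__":
    for entry in audit_log(SAMPLE_LOG):
        print(f'{entry["time"]} {entry["in"]}->{entry["out"]} '
              f'{entry["src"]}:{entry["sport"]}->{entry["dst"]}:{entry["dport"]} '
              f'=> {entry["verdict"] or "no match"}')
```

The first rule is the one that stops the thread's SNMP probes: they arrive on a PPPoE (LAN-list) interface with a destination in 192.168.0.0/16 and would leave via ether2. Whether it fires on a real PPPoE server depends on the dynamic PPPoE interfaces actually being members of the LAN interface list, which is why the membership above is stated as an assumption.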
