David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Firewall doesn't block IP ?

Tue Mar 27, 2018 3:05 pm

I have a strange problem.
Even if nothing is connected to my router, I can see that there is an RX of 3-5Mbps.
When I do torch I can see that an IP is connecting to my router on 3 ports
and downloading from it 2M on each port.
firewall.PNG
When I make a firewall rule and try to block this IP:
/ip firewall filter
add action=drop chain=input src-address=212.29.225.141
I can see the counter is increasing but the data is still growing, and the IP is still connected.
How could it be?
What am I missing\ doing wrong?

Thanks,
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Firewall doesn't block IP ?

Tue Mar 27, 2018 5:52 pm

counter is increasing but the data is still growing
You mean the 4.9GB data? It is increasing because that traffic is still arriving at your router and then being dropped at the router.

Try reject instead of drop.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: Firewall doesn't block IP ?

Tue Mar 27, 2018 6:09 pm

Tried it,
still I can see connections and data.
12.PNG
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: Firewall doesn't block IP ?

Tue Mar 27, 2018 9:24 pm

This is expected behaviour. Torch shows all traffic even if it later gets filtered by the firewall.
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Firewall doesn't block IP ?

Tue Mar 27, 2018 9:38 pm

I think the question here is how to get rid of this connection. Yes, it gets dropped but it still uses some of the uplink bandwidth, doesn't it?
 
tippenring
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Firewall doesn't block IP ?

Tue Mar 27, 2018 9:52 pm

Someone correct me if I'm wrong, but I see no evidence so far that the 5Mbps of inbound traffic is not destined for an internal host. Check IP > Firewall > Connections for a traffic flow being initiated by an internal host to that IP.

If not, then you may be receiving DoS traffic.

The 459kbps outbound in the screenshot where you are rejecting the traffic seems excessive for ICMP unreachables. The ICMP packets are about 574 bytes each. I don't recall offhand if some of the original packet contents are included in the ICMP packet or not. Perhaps so. In any case, I'd switch back to drop. No need to send unreachables if the sending host is going to ignore it. If you're seeing DoS traffic, the 212.29.225.141 is probably not the source anyway.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall doesn't block IP ?

Tue Mar 27, 2018 11:21 pm

what am I missing\ doing wrong?
What you are missing is that once the packets have arrived at your machine, the firewall filter on it can only prevent them from being processed there, but not from coming.
I think the question here is how to get rid of this connection. Yes, it gets dropped but it still uses some of the uplink bandwidth, doesn't it?
Correct, it is using part of your download bandwidth. How to get rid of it depends on why it is coming. As @tippenring suggests, it may be a machine in your LAN which actually initiates that traffic. If outbound traffic is src-nat'ed to the IP address of your WAN interface, the response incoming traffic comes to that IP, so it is handled by firewall filter chain input.

To know for sure, go to command line mode (the [Terminal] button in WebFig or WinBox), and write the following:
/ip firewall connection print where dst-address~"212.29.225.141"
If you get a non-empty list in return, some machine in your LAN is actively connecting to 212.29.225.141 which subsequently responds, and you'll see the IP address of that machine as src-address in the list. To get rid of that, you would have to add a firewall rule:
/ip firewall filter add chain=forward dst-address=212.29.225.141 action=drop
and move it, using the Winbox or WebFig GUI, as high in the list of rules in chain forward as RouterOS lets you.

Otherwise the packets are coming from 212.29.225.141 either because 212.29.225.141 itself is spamming you, or because someone else is sending packets to 212.29.225.141 indicating your address as source one, and 212.29.225.141 responds, making the real attacker invisible to you. But the latter scenario is not very likely as DoS attacks usually use multiplication effects (for one packet sent by the attacker, the amplifier sends many packets to the victim) and this is not easy with changing ports as seen in your screenshots.

As @tippenring has suggested, revert back from action=reject to action=drop as there is no point in sending back ICMP rejects and wasting your upload bandwidth once the remote side ignores them.

Then, the next step is suggested by which 212.29.225.141:
% Abuse contact for '212.29.224.0 - 212.29.225.255' is 'nvabuse@013netvision.co.il'
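
The connection-table check described in the post above, automated over exported text, as an added example that is not part of the thread. The sample lines are constructed, and their key=value layout, the LAN subnet and the WAN address 203.0.113.7 are assumptions:

```python
import ipaddress
import re

SUSPECT = ipaddress.ip_address("212.29.225.141")  # address from the thread
LAN = ipaddress.ip_network("192.168.88.0/24")     # assumed LAN subnet

# Constructed sample. The key=value layout imitates `print terse` output and
# is an assumption; 203.0.113.7 stands in for the router's WAN address.
SAMPLE = """\
 0 SAC protocol=tcp src-address=192.168.88.10:51514 dst-address=212.29.225.141:443 reply-src-address=212.29.225.141:443 reply-dst-address=203.0.113.7:51514
 1 C protocol=udp src-address=212.29.225.141:40001 dst-address=203.0.113.7:33445 reply-src-address=203.0.113.7:33445 reply-dst-address=212.29.225.141:40001
 2 SAC protocol=tcp src-address=192.168.88.23:40222 dst-address=198.51.100.9:80 reply-src-address=198.51.100.9:80 reply-dst-address=203.0.113.7:40222
"""

FIELD = re.compile(r"(\S+?)=(\S+)")


def host(addr_port):
    """Return the IPv4 address from 'address' or 'address:port'."""
    return ipaddress.ip_address(addr_port.rsplit(":", 1)[0])


def classify(table_text, suspect=SUSPECT, lan=LAN):
    """Return (LAN hosts that opened a connection to suspect,
    number of entries that suspect itself opened towards us)."""
    lan_initiators, inbound = set(), 0
    for line in table_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "src-address" not in fields or "dst-address" not in fields:
            continue  # header, blank or truncated line
        src, dst = host(fields["src-address"]), host(fields["dst-address"])
        if dst == suspect and src in lan:
            lan_initiators.add(str(src))   # traffic is requested from inside
        elif src == suspect:
            inbound += 1                   # unsolicited, arrives from the WAN
    return sorted(lan_initiators), inbound


def advice(table_text):
    """Map the result onto the two outcomes discussed in the thread."""
    lan_hosts, _ = classify(table_text)
    if lan_hosts:
        # An inside host asks for the traffic: drop it in chain=forward.
        return "forward-drop", lan_hosts
    # Nothing inside asks for it: the router cannot stop it from arriving.
    return "upstream", []
```
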
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: Firewall doesn't block IP ?

Wed Mar 28, 2018 9:55 am

1. I have checked the firewall connections - and nothing is going to this address. I have even turned off the Ethernet & WLAN connections - and still there is data going on the ppp-out.
2. The problem is that it's "wasting" all my data plan - and I have noticed in the last 4 days it's been 190GB........, so I need to turn it off.
3. Is there any way to know which address from this IP is doing the spam? For example, to see that the computer with IP 192.168.1.5 is the one that is sending it?
4. What are these ports? Never seen them.
5. What can be done in order to disable this activity? - I can't believe it can be fixed.....

Thanks,
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Firewall doesn't block IP ?

Wed Mar 28, 2018 10:35 am

If you have checked your connections and see no outgoing traffic towards that IP, then this traffic originates from the WAN. If changing your own public IP is not an option, then you have to contact whoever owns 212.29.225.141.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall doesn't block IP ?

Wed Mar 28, 2018 10:36 am

1. I have checked the firewall connections - and nothing is going to this address. I have even turned off the Ethernet & WLAN connections - and still there is data going on the ppp-out.
2. The problem is that it's "wasting" all my data plan - and I have noticed in the last 4 days it's been 190GB........, so I need to turn it off.
3. Is there any way to know which address from this IP is doing the spam? For example, to see that the computer with IP 192.168.1.5 is the one that is sending it?
4. What are these ports? Never seen them.
5. What can be done in order to disable this activity? - I can't believe it can be fixed.....
As 1. means nothing in your network asks for that traffic, you have just two options:
  • to contact your provider and ask them to either assign you a different address or to block the traffic from that source address before sending it towards you
  • to send a mail to nvabuse@013netvision.co.il, indicate the particular address of the source and ask them to take measures. But the sad truth is that those packets may actually not come from their machine because it is easy to forge a source IP address if you are not actually interested in any response traffic.
As for 4., if the goal is to bother you, the ports need not be meaningful.
 
jspool
Member
Posts: 468
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: Firewall doesn't block IP ?

Thu Mar 29, 2018 7:19 am

I would say drop that IP in the RAW firewall table but from the screenshot you must be using an old RouterOS if you don't have RAW.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall doesn't block IP ?

Thu Mar 29, 2018 6:50 pm

I would say drop that IP in the RAW firewall table but from the screenshot you must be using an old RouterOS if you don't have RAW.
Dropping it after it has already passed through your uplink and got accounted into your monthly allowance is a hop too late.
 
jspool
Member
Posts: 468
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: Firewall doesn't block IP ?

Thu Mar 29, 2018 7:38 pm

If it's a metered data plan maybe he can get a different IP. But mobile networks are not likely to offer blackhole routing for such problems.
OP needs to understand that he cannot control what traffic is sent to him. That's like yelling at the sky for raining on you. Try a new IP address and run Wireshark and try to understand what the traffic consists of and work backwards.
