robertpenz
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:02 am

I'm seeing on our firewalls that our test CHR is trying to connect to IP 169.254.169.254 with HTTP every few seconds (= over 250.000 connection attempts in 12h). Google showed some old posts from 2015 where it was described as a bug that will be fixed. We're running 6.41.4, so it seems not.

I did the following to not mess up our firewall logs:

/ip route add distance=1 dst-address=169.254.0.0/16 type=blackhole
 
pe1chl
Forum Guru
Posts: 6675
Joined: Mon Jun 08, 2015 12:09 pm

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:18 am

You should have that anyway. Same for the RFC1918 networks and RFC6598.
/ip route
add distance=1 dst-address=10.0.0.0/8 type=unreachable
add distance=1 dst-address=100.64.0.0/10 type=unreachable
add distance=1 dst-address=169.254.0.0/16 type=unreachable
add distance=1 dst-address=172.16.0.0/12 type=unreachable
add distance=1 dst-address=192.168.0.0/16 type=unreachable
(or blackhole if you prefer)
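
To see which hosts generate this kind of traffic before or after such routes are added, firewall logs can be tallied by destination prefix. The following is an added example, not part of any post in this thread: the log layout, the sample lines and the function names `classify` and `summarize` are assumptions made for illustration, and the prefixes are the ones listed in the post above.

```python
import ipaddress
import re
from collections import Counter

# Prefixes from the route list above: RFC 1918, RFC 6598 and link-local.
NETS = [(ipaddress.ip_network(p), label) for p, label in [
    ("10.0.0.0/8", "RFC1918"), ("172.16.0.0/12", "RFC1918"),
    ("192.168.0.0/16", "RFC1918"), ("100.64.0.0/10", "RFC6598"),
    ("169.254.0.0/16", "link-local")]]
METADATA = ipaddress.ip_address("169.254.169.254")

# Assumed log layout (constructed for this example, not a RouterOS format):
#   <timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>
LINE = re.compile(r"^\S+ \w+ \w+ ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

def classify(dst):
    """Label the special-use prefix that contains dst, or return None."""
    addr = ipaddress.ip_address(dst)
    if addr == METADATA:
        return "metadata-endpoint"
    return next((label for net, label in NETS if addr in net), None)

def summarize(lines, local_nets=()):
    """Count attempts per (src, dst, dport, label); skip on-site local_nets."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    hits = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed layout
        src, dst, dport = m.groups()
        try:
            label = classify(dst)
        except ValueError:
            continue  # digits and dots, but not a valid IPv4 address
        if label and not any(ipaddress.ip_address(dst) in n for n in local):
            hits[(src, dst, int(dport), label)] += 1
    return hits

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = [
    "2018-04-19T11:00:01 drop tcp 10.20.0.5:40112 -> 169.254.169.254:80",
    "2018-04-19T11:00:04 drop tcp 10.20.0.5:40113 -> 169.254.169.254:80",
    "2018-04-19T11:00:07 drop tcp 10.20.0.5:40114 -> 169.254.169.254:80",
    "2018-04-19T11:00:08 allow udp 10.20.0.5:5353 -> 10.20.0.1:53",
    "2018-04-19T11:00:09 drop udp 10.20.0.5:5354 -> 100.64.1.1:53",
    "2018-04-19T11:00:10 allow tcp 10.20.0.5:40115 -> 198.51.100.7:443",
]
```

Calling `summarize(SAMPLE_LOG, ["10.20.0.0/16"])` reports the repeated metadata-endpoint attempts and the RFC 6598 destination, while the on-site 10.20.0.0/16 traffic and the public address are left out.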
 
sid5632
Member
Posts: 398
Joined: Fri Feb 17, 2017 6:05 pm

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:24 am

If you add this:
/ip firewall filter add action=reject chain=output dst-address=169.254.169.254 protocol=tcp reject-with=tcp-reset
then it only tries once and gives up (according to the counters on the rule).
Blocking it in other ways means it's constantly trying.
 
normis
MikroTik Support
Posts: 24609
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:26 am

Are you using CHR on AWS?
This address is used by the Amazon EC2 system; Amazon gives your device the configuration and SSH keys from this IP.
The fetch will only be repeated if there is no route to this address. Otherwise it will stop at the first failure.
 
robertpenz
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:39 am

No, the CHR is on our own ESX in our datacenter.
 
robertpenz
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:40 am

@sid5632: thx, changed it to your version
 
normis
MikroTik Support
Posts: 24609
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:41 am

Starting from v6.42 CHR will detect that it's inside AWS EC2 and will not do these checks. Upgrade should fix it.
 
Joni
Frequent Visitor
Posts: 90
Joined: Fri Mar 20, 2015 2:46 pm

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:44 am
