johnson73
Member Candidate
Topic Author
Posts: 174
Joined: Wed Feb 05, 2020 10:07 am

Blocked external IP

Wed Feb 05, 2020 10:20 am

Hello!
How good is it to block a specific external IP address? I did the following, but it does not work because access attempts are repeated every night!
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1 src-address-list=Block-address
(the address list contains this IP: 216.218.206.0/24)
Thanks for your help.
 
ingdaka
Trainer
Posts: 452
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: Blocked external IP

Wed Feb 05, 2020 10:25 am

Try it with chain input!
 
johnson73
Member Candidate
Topic Author
Posts: 174
Joined: Wed Feb 05, 2020 10:07 am

Re: Blocked external IP

Wed Feb 05, 2020 10:30 am

At first I had an entry on input, but that didn't help. Red log messages appeared unchanged. If the rule works correctly, does the log section show these red statements or not?
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: Blocked external IP

Wed Feb 05, 2020 10:49 am

Log entries and firewall rules have only a slight correlation. Assuming that firewall filter rules work as entered (it could be that they don't do what was intended, but that's another problem), and I've not seen any report to the contrary, then log entries only state that something doesn't work. And if it doesn't work, then it's probably by design.

One obvious conceptual error is to have a block rule with "log=yes" and then get concerned because there are many log entries about that block rule. Which is expected, because a block rule alone doesn't make people stop trying to get in. And logging blocked connection attempts is useless after initial debugging is finished.
This is not exactly your case (the logs are about IPsec), but the same principle applies: you blocked connections and IPsec complains it can't establish a connection. So you need to find out why the RB tries to establish IPsec connections to the blocked subnet.
 
erlinden
Forum Guru
Posts: 1921
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Blocked external IP

Wed Feb 05, 2020 11:11 am

Interesting, as I get these logging entries as well at around 3:00 AM, on a daily basis. Does anyone have a clue who is behind these automated attempts?
 
johnson73
Member Candidate
Topic Author
Posts: 174
Joined: Wed Feb 05, 2020 10:07 am

Re: Blocked external IP

Wed Feb 05, 2020 11:34 am

Yes, these connection attempts take place regularly every night! In my case L2TP/IPsec is used. Special logging is not turned on, but red notifications are displayed. This IP address has been displayed for a very long time on some 30 MikroTik machines that use IPsec VPN. If tunnel mode is used and explicitly allowed IPs are listed, then these red messages do not show. They appear when not in tunnel mode and L2TP/IPsec is used with connections from any address.
Looked up the IP's web geolocation: United States of America, California, Fremont; ISP - Hurricane Electric LLC.
There's probably someone doing bad things ...
If there is an input chain rule where this subnet is blocked, maybe it doesn't make sense to worry?
 
aoakeley
Member Candidate
Posts: 171
Joined: Mon May 21, 2012 11:45 am

Re: Blocked external IP

Wed Feb 05, 2020 4:12 pm

If you are seeing the IP in the IPsec log then it is making it through your firewall. If the firewall rule was working you would not see that IP in the IPsec log.

Try this

# Create block list
/ip firewall address-list
add address=216.218.206.0/24 list=Block-address-list

# Add firewall rule
/ip firewall filter
add action=drop chain=input src-address-list=Block-address-list comment="BlockList (Secured with address list)"

# Make sure you move it above any rules that allow IPsec traffic, otherwise it won't do anything. This moves it to position 1 in your firewall list (positions are 0-based, so that is the second rule; or use WinBox to drag it up the list)
/ip firewall filter move [find comment~"BlockList"] 1
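As an added check (not part of aoakeley's post), the following RouterOS commands confirm that the drop rule really sits above the IPsec accept rules and is being hit, instead of inferring that from the IPsec log. They assume the comment strings from the snippet above and that the L2TP/IKE accept rule carries the comment "L2TP", as in johnson73's configuration later in the thread:

```routeros
# Show the input chain in evaluation order with per-rule packet counters.
# The drop rule must appear ABOVE the L2TP/IKE accept rule; if its packets
# counter stays at 0 while the accept rule's counter climbs during the
# nightly attempts, the order is still wrong.
/ip firewall filter print stats where chain=input

# Reset the counters, then watch only the two rules that matter while
# the attempts are arriving (refreshes every 5 seconds, Q to stop).
/ip firewall filter reset-counters-all
/ip firewall filter print stats interval=5 where comment~"BlockList" or comment="L2TP"

# If the drop rule is below the accept rule, move it to the very top
# (destination positions are 0-based, so 0 is the first rule).
/ip firewall filter move [find comment~"BlockList"] 0

# Confirm the address list actually holds the offending prefix; a typo in
# the list name (Block-address vs Block-address-list) makes the rule match
# nothing, silently.
/ip firewall address-list print where list=Block-address-list

# Optional: log the hits while debugging, then switch logging off again.
# As mkx notes, logging blocked probes permanently only fills the log.
/ip firewall filter set [find comment~"BlockList"] log=yes log-prefix="blocklist-drop"
/log print where message~"blocklist-drop"
/ip firewall filter set [find comment~"BlockList"] log=no
```

The counters are the authoritative check: a drop rule with a rising packets counter and no new IPsec log lines for that source means the traffic is now being discarded before the IKE daemon ever sees it.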
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocked external IP

Wed Feb 05, 2020 6:23 pm

mkx, the question I have is why didn't his RAW rule drop that incoming traffic?
In other words, why would an input chain rule be any more effective?
 
johnson73
Member Candidate
Topic Author
Posts: 174
Joined: Wed Feb 05, 2020 10:07 am

Re: Blocked external IP

Thu Feb 06, 2020 11:05 am

aoakeley wrote: Make sure you move it above any rules that allow IPsec traffic, otherwise it won't do anything. This will move it to rule 1 in your firewall list (or use WinBox to drag it up the list)

You were right. After this action, the 'raw' policy started to work.
Thank you very much aoakeley!
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: Blocked external IP

Thu Feb 06, 2020 11:40 am

anav wrote: mkx, the question I have is why didn't his RAW rule drop that incoming traffic?

Can't say. One reason might be that the OP's WAN is actually pppoe-out1 (running on top of ether1 ... I've seen the same mental error before) and the in-interface used in the firewall raw rule is thus not correct ... Or, as the latest post by the OP implied, the order of rules was not correct. And I'm sure there are some other reasons for a rule to fail, but it's hard to tell without knowing the full router config.
 
johnson73
Member Candidate
Topic Author
Posts: 174
Joined: Wed Feb 05, 2020 10:07 am

Re: Blocked external IP

Thu Feb 06, 2020 3:57 pm

Please tell me - maybe I can add the 'BOGON address' list in the 'raw' section as well? https://wiki.mikrotik.com/wiki/BOGON_Address_List
Isn't it more efficient than using the 'input' section? What is your experience?
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: Blocked external IP

Thu Feb 06, 2020 8:10 pm

There isn't a simple answer to the question about using raw vs. the "normal" firewall to drop packets.

When using raw to drop, each and every packet will be examined. However, the check is fairly simple.

When using the "normal" firewall to drop, all the usual "accounting" will already have been done. With the usual SOHO type of setup this means that the connection tracking machinery has already done its job, and this is the single most resource-expensive operation of a firewall. However, this makes it possible to take a few shortcuts, such as fast-tracking, meaning that usually only a small fraction of packets actually get examined.

So the decision about which method of dropping packets to use depends on the overall configuration of a device and the mix of traffic passing through.
If the offending packets occur rarely (which is the case most of the time with the usual port scanners), then the additional processing overhead caused by the raw filter is relatively high for little effect.
If, OTOH, the rate of offending packets is high (which is usually the case during a typical DDoS), then the only way to sustain the episode is to use raw firewall processing, as a high incoming rate of (according to connection tracking state) invalid or new packets can easily overload the firewall.
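To make mkx's two points concrete (the pppoe-out1 vs ether1 mismatch from his earlier post, and raw dropping before connection tracking), here is an added example of the raw-table approach; it is not configuration from the thread. It assumes the default interface list named WAN, a PPPoE client interface pppoe-out1 running on top of ether1, and the Block-address-list from aoakeley's post:

```routeros
# On a PPPoE uplink the IP packets arrive on the PPP interface, not on the
# Ethernet port it runs over, so in-interface=ether1 never matches them.
# Put the PPPoE interface in the WAN list (the default config already has
# ether1 there) and match the list instead of a single interface.
/interface list member
add interface=pppoe-out1 list=WAN
print where list=WAN

# raw/prerouting runs before connection tracking and before every filter
# chain, so the order relative to the IPsec accept rules does not matter
# here, and a flood from the listed prefix never reaches conntrack at all.
/ip firewall raw
add chain=prerouting in-interface-list=WAN src-address-list=Block-address-list \
    action=drop comment="raw drop: blocklisted sources"

# Every inbound packet now pays for this address-list lookup, which is the
# trade-off mkx describes: worth it against a high packet rate, wasted on
# the occasional scanner. Verify the match with counters, not the IPsec log.
/ip firewall raw print stats where comment~"raw drop"
```

One caveat that does not apply to aoakeley's input-chain rule: a prerouting drop on the source prefix also discards return traffic for anything a LAN host itself initiates toward 216.218.206.0/24, because raw has no connection state to distinguish a probe from a reply. The input-chain filter drop protects only the router, which for nightly IKE probes is all that is needed.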
 
johnson73
Member Candidate
Topic Author
Posts: 174
Joined: Wed Feb 05, 2020 10:07 am

Re: Blocked external IP

Thu Feb 06, 2020 9:36 pm

My firewall ... I'm no expert. Default rules with additions.
The question is simple: do you need a 'Bogon' rule in the input chain or not? Does anyone use this at all?
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="boggon input drop" in-interface=WAN \
    src-address-list=BOGON
add action=accept chain=input comment=L2TP connection-state=new dst-port=\
    500,1701,4500 in-interface=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: Blocked external IP

Thu Feb 06, 2020 10:28 pm

In your case the check against the BOGON address list only affects the establishment of IPsec tunnels - these are the only rules after "drop BOGON" and before "drop all from not LAN". Meaning that this rule explicitly protects only a select service against a list of select potential attackers.

So it depends what addresses you have in the BOGON address list. Usually a BOGON address list contains addresses which won't reach your WAN interface if your ISP does its job properly (and I'm not saying that defences against low-probability attacks are not necessary), so those two rules won't get hit at all. If you added some other addresses to that address list, then the rules may kick in ...

So IMHO such a rule makes sense if there's some mechanism which updates the list membership. Either the list gets updated from an external source of known trespassers, or it's updated by the router itself by detecting port knockers or some such ...
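One way to have the router maintain the list itself, as mkx suggests, added here as an example rather than configuration from the thread. It slots into johnson73's posted rule set: anything from WAN that reaches the end of the input chain without matching an accept rule is by definition an unsolicited probe, so it gets recorded in the Block-address-list (name taken from aoakeley's post) with a timeout, and a drop at the top of the chain then covers both the static 216.218.206.0/24 entry and whatever the router learns:

```routeros
/ip firewall filter
# First rule in the chain: drop everything from a listed source, whether
# the entry is static or one the router added dynamically.
add chain=input in-interface-list=WAN src-address-list=Block-address-list \
    action=drop comment="drop blocklisted sources" place-before=0

# Placed directly above "defconf: drop all not coming from LAN". Legitimate
# IKE (500/4500), L2TP (1701) and ESP were already accepted by the earlier
# rules, so only hosts knocking on ports the router does not serve get here.
# add-src-to-address-list is passthrough: the packet continues to the
# defconf drop below, so the probe itself is still discarded.
# The timeout keeps the list from growing forever.
add chain=input in-interface-list=WAN connection-state=new \
    action=add-src-to-address-list address-list=Block-address-list \
    address-list-timeout=1d comment="record unsolicited WAN probes" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Inspect what the router has learned. Dynamic entries are flagged "D" and
# show their remaining timeout; the static /24 has no timeout.
/ip firewall address-list print where list=Block-address-list
```

Two caveats before deploying this: an administrator who tries WinBox or SSH from the internet without a matching accept rule will blocklist their own address for a day, so keep a management allowlist above it; and, as with any self-populating list, check the list contents after the first night before extending the timeout.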
 
johnson73
Member Candidate
Topic Author
Posts: 174
Joined: Wed Feb 05, 2020 10:07 am

Re: Blocked external IP

Fri Feb 07, 2020 9:43 am

Thanks for the help mkx!
