So my firewall started spewing thousands of log messages recently; they vary but look mostly like this:

Mar/19/2021 15:52:33 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45572->64.233.185.101:443, len 60
Mar/19/2021 15:52:34 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45570->64.233.185.101:443, len 60
Mar/19/2021 15:52:34 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45571->64.233.185.101:443, len 60
Mar/19/2021 15:52:34 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45572->64.233.185.101:443, len 60
Mar/19/2021 15:52:40 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45572->64.233.185.101:443, len 60
Mar/19/2021 15:52:41 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:48669->172.253.124.188:5228, len 60
Mar/19/2021 15:52:42 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:48669->172.253.124.188:5228, len 60
Mar/19/2021 15:52:44 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:48669->172.253.124.188:5228, len 60
Mar/19/2021 15:52:44 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:39846->108.177.122.154:443, len 60
Mar/19/2021 15:52:45 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:39847->108.177.122.154:443, len 60

As you can see, this is coming from one specific client, 10.0.0.91; I also have it happening for another client at 10.0.0.92. I'm not very experienced with firewall stuff, but it would appear that these events are being logged because of some firewall rules being activated. My guess was that these clients have some kind of 'spam virus' trying to take advantage of their devices; one is an Android phone, the other a Windows PC.
Is there anything I can do but tell the users to clean up their devices? Are there other ways to strengthen the firewall in regards to this? Is this actually getting out to the WAN, or (hopefully) being blocked?
Here's a copy of my config. Please feel free to ask clarifying questions, and thanks for the help; I'm trying to avoid spending hundreds on consulting and would like to learn more as well.
Thx,
Dan
----------config export / compact / hide sensitive----------------------
# mar/19/2021 17:35:02 by RouterOS 6.44.3
# software id = CKED-AUWZ
#
# model = RB1100x4
# serial number = 91D80AE30458
/interface bridge
add fast-forward=no name=bridge1 priority=0x2000
/interface ethernet
set [ find default-name=ether1 ] name="ether1_Spectrum WAN" speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] name=ether3_SolplexSE speed=100Mbps
set [ find default-name=ether4 ] name=ether4_PossiblyBadPort speed=100Mbps
set [ find default-name=ether5 ] name=ether5_SolPlexNW speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] name=ether10_Community speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] name=ether12_Lukas speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/queue simple
add dst="ether1_Spectrum WAN" max-limit=20M/100M name=UnifiController target=\
10.0.0.250/32
add dst="ether1_Spectrum WAN" max-limit=20M/100M name=AttilaDesktop target=\
10.0.0.251/32
add dst="ether1_Spectrum WAN" max-limit=10M/100M name=Lukas target=\
10.0.0.252/32
add disabled=yes dst="ether1_Spectrum WAN" max-limit=24M/500M name=Master \
target=10.0.0.0/24
/queue type
add kind=pcq name=pcq-download-fastest pcq-classifier=dst-address pcq-rate=\
100M pcq-total-limit=5000KiB
set 6 pcq-rate=18M pcq-total-limit=5000KiB
set 7 pcq-rate=35M pcq-total-limit=5000KiB
/queue simple
add dst="ether1_Spectrum WAN" max-limit=24M/500M name=EveryoneElse queue=\
pcq-upload-default/pcq-download-default target=bridge1
add disabled=yes max-limit=12M/100M name="Unifi Controller PC" queue=\
pcq-upload-default/pcq-download-fastest target=10.0.0.250/32
add disabled=yes max-limit=15M/100M name="Attila Office" queue=\
pcq-upload-default/pcq-download-fastest target=10.0.0.251/32
add disabled=yes max-limit=15M/100M name="Lukas Desktop" queue=\
pcq-upload-default/pcq-download-fastest target=10.0.0.252/32
/system logging action
set 0 memory-lines=2000
set 1 disk-file-count=10
/interface bridge filter
add action=drop chain=input disabled=yes in-bridge=bridge1 log=yes \
src-mac-address=80:7B:3E:37:9C:E5/FF:FF:FF:FF:FF:FF
add action=drop chain=input disabled=yes dst-mac-address=\
00:0F:66:DC:76:37/FF:FF:FF:FF:FF:FF log=yes src-mac-address=\
00:0F:66:DC:76:37/FF:FF:FF:FF:FF:FF
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3_SolplexSE
add bridge=bridge1 interface=ether4_PossiblyBadPort
add bridge=bridge1 interface=ether5_SolPlexNW
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10_Community
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12_Lukas
/ip address
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=\
"ether1_Spectrum WAN"
/ip dhcp-server alert
add disabled=no interface=bridge1 valid-server=74:4D:28:01:2F:35
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1,71.10.216.1 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=71.10.216.1,8.8.8.8
/ip firewall filter
add action=drop chain=forward comment="Drop everything from 192.168.1.1" \
disabled=yes log=yes src-address=192.168.1.1
add action=drop chain=input comment="DROP SSH from WAN requests" dst-port=22 \
in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=input comment="DROP webconfig from WAN requests" \
dst-port=8081 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=input comment="DROP Winbox from WAN requests" dst-port=\
8291 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=jump chain=forward comment="Prevent UDP flooding attack" \
connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos comment="Prevent UDP flooding attack" \
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
10m chain=detect-ddos comment="Prevent UDP flooding attack"
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
10m chain=detect-ddos comment="Prevent UDP flooding attack"
add action=drop chain=forward comment="Prevent UDP flooding attack" \
connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=drop chain=input comment="Prevent outside DHCP requests" dst-port=\
53 in-interface="ether1_Spectrum WAN" protocol=udp
add action=drop chain=input comment="Prevent outside DHCP requests" dst-port=\
53 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS TCP" \
disabled=yes dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UDP" \
disabled=yes dst-port=53 protocol=udp
add action=add-src-to-address-list address-list="SMTP spammer" \
address-list-timeout=none-dynamic chain=forward comment=\
"SMTP spammer gets added to SMTP spammer address list." connection-limit=\
30,32 dst-port=25 limit=50,5:packet log=yes protocol=tcp
add action=drop chain=forward comment=\
"Drop packets from SMTP spammer address list." log=yes src-address-list=\
"SMTP spammer"
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add disabled=yes distance=1 gateway=208.85.239.109
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24 port=8081
set ssh address=10.0.0.0/24
set api disabled=yes
set winbox address=10.0.0.0/24
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=MikroTikLV
/system logging
set 0 action=disk topics=info,!dhcp
set 1 action=disk
set 2 action=disk
set 3 action=disk
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
add
/tool graphing resource
add
/tool netwatch
add down-script=":log info \"Internet Down\"" host=71.94.234.1 interval=5s \
up-script=":log info \"Internet Up\""
add down-script=":log info \"Gentech Down\"" host=10.0.0.204 interval=10s \
up-script=":log info \"Gentech Up\""
add down-script=":log info \"small dorm down\"" host=10.0.0.209 interval=10s \
up-script=":log info \"small dorm Up\""
add down-script=":log info \"Lodge Down\"" host=10.0.0.216 interval=10s \
up-script=":log info \"Lodge Up\""
add down-script=":log info \"Office Down\"" host=10.0.0.201 interval=10s \
up-script=":log info \"Office Up\""
add down-script=":log info \"Solplex NW Down\"" host=10.0.0.202 interval=10s \
up-script=":log info \"Solplex-NW Up\""
add down-script=":log info \"Solplex-SE Down\"" host=10.0.0.203 interval=10s \
up-script=":log info \"Solplex-SE Up\""
add down-script=":log info \"ping not reaching 8.8.8.8\"" host=8.8.8.8 \
interval=5s up-script=":log info \"ping reaching 8.8.8.8\""
add down-script=":log info \"ODK Down\"" host=10.0.0.210 interval=10s \
up-script=":log info \"ODK Up\""
add down-script=":log info \"cabin 11 Down\"" host=10.0.0.211 interval=10s \
up-script=":log info \"cabin 11 Up\""
add down-script=":log info \"Upper Large Dorm DOWN\"" host=10.0.0.206 \
interval=10s up-script=":log info \"Upper Large Dorm UP\""
add down-script=":log info \"Nursery Down\"" host=10.0.0.215 interval=30s \
up-script=":log info \"Nursery Up\""
add down-script=":log info \"Lower Large Dorm DOWN\"" host=10.0.0.207 \
interval=10s up-script=":log info \"Lower Large Dorm UP\""
add down-script=":log info \"Maintenance Shop Down\"" host=10.0.0.212 \
interval=10s up-script=":log info \"Maintenance Shop Up\""
add down-script=":log info \"Chris DOWN\"" host=10.0.0.205 interval=10s \
up-script=":log info \"Chris UP\""
add down-script=":log info \"NANOBEAM AT LODGE DOWN!!!\"" host=10.0.0.246 \
interval=5s up-script=":log info \"NANOBEAM AT LODGE UP\""
add down-script=":log info \"NANOBEAM AT SOLPLEX DOWN\"" host=10.0.0.247 \
interval=5s up-script=":log info \"NANOBEAM AT SOLPLEX UP\""
add down-script=":log info \"CORE SWITCH DOWN\"" host=10.0.0.239 interval=10s \
up-script=":log info \"CORE SWITCH UP\""
add down-script=":log info \"MikroTik NURSERY SWITCH DOWN\"" host=10.0.0.238 \
interval=10s up-script=":log info \"MikroTik NURSERY SWITCH UP\""
add down-script=":log info \"cabin 13 Down\"" host=10.0.0.217 interval=10s \
up-script=":log info \"cabin 13 Up\""
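The question of whether these packets are getting out or being dropped can be narrowed down from the post itself: a `forward` log line with no prefix is produced by whichever enabled rule matched and had `log=yes`, and the posted export has only three forward-chain rules with `log=yes`. The script below is an added example, not code from the post or from MikroTik: it parses the quoted log lines (embedded as a constructed sample), tallies hits per source and destination, flags repeated source-port/destination 4-tuples (for SYNs, those are retransmissions, which is what a client does when its first SYN got no answer), and checks each record against a hand-transcribed list of the posted `log=yes` forward rules. The rule list, field names and the `conditional` tag for address-list rules are this example's own assumptions; the address-list contents are not in the post, so membership cannot be decided offline.

```python
"""Tally MikroTik 'firewall,info forward:' log lines and work out which of the
posted log=yes forward rules could have produced them.  Added example; not
part of the post and not MikroTik code."""
import re
from collections import Counter

# Constructed sample: five of the lines quoted in the post, used as offline input.
SAMPLE_LOG = """\
Mar/19/2021 15:52:33 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45572->64.233.185.101:443, len 60
Mar/19/2021 15:52:34 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45572->64.233.185.101:443, len 60
Mar/19/2021 15:52:40 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45572->64.233.185.101:443, len 60
Mar/19/2021 15:52:41 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:48669->172.253.124.188:5228, len 60
Mar/19/2021 15:52:44 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:39846->108.177.122.154:443, len 60
"""

# RouterOS firewall log line layout (as seen in the post); the out-interface
# name may contain a space, hence the non-greedy match up to the next ", ".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) firewall,(?P<level>\w+) (?P<chain>\w+): "
    r"in:(?P<in_if>.+?) out:(?P<out_if>.+?), "
    r"(?:src-mac (?P<mac>[0-9a-f:]+), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)$"
)

# Forward-chain rules from the posted export that carry log=yes, transcribed by
# hand (assumption: these three are the only ones).  A src-address-list match
# can only be settled against the router's live address list, which the post
# does not include, so such a rule is reported as "conditional".
POSTED_FORWARD_LOG_RULES = [
    {"comment": "Drop everything from 192.168.1.1", "disabled": True,
     "src_address": "192.168.1.1"},
    {"comment": "SMTP spammer gets added to SMTP spammer address list.",
     "disabled": False, "protocol": "tcp", "dst_port": 25},
    {"comment": "Drop packets from SMTP spammer address list.",
     "disabled": False, "src_address_list": "SMTP spammer"},
]


def parse_log(text):
    """Return one dict per line that matches the RouterOS firewall log format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records


def summarize(records):
    """Per-source and per-destination tallies plus repeated 4-tuples.
    A repeated (src, sport, dst, dport) with the SYN flag is a retransmission:
    the client never saw a SYN-ACK for the first attempt."""
    per_src = Counter(r["src"] for r in records)
    per_dst = Counter((r["dst"], r["dport"]) for r in records)
    tuples = Counter((r["src"], r["sport"], r["dst"], r["dport"]) for r in records)
    retransmits = {t: n for t, n in tuples.items() if n > 1}
    return {"per_src": per_src, "per_dst": per_dst, "retransmits": retransmits}


def candidate_rules(rec, rules=POSTED_FORWARD_LOG_RULES):
    """Enabled rules whose static matchers do not exclude this record.
    Each is tagged 'match' (fully decided) or 'conditional' (needs the address list)."""
    out = []
    for rule in rules:
        if rule.get("disabled"):
            continue
        if "src_address" in rule and rule["src_address"] != rec["src"]:
            continue
        if "protocol" in rule and rule["protocol"].lower() != rec["proto"].lower():
            continue
        if "dst_port" in rule and rule["dst_port"] != rec["dport"]:
            continue
        status = "conditional" if "src_address_list" in rule else "match"
        out.append((rule["comment"], status))
    return out


def analyse(text=SAMPLE_LOG):
    """Parse, summarise, and collect every rule that could have logged any line."""
    records = parse_log(text)
    summary = summarize(records)
    cands = set()
    for rec in records:
        cands.update(candidate_rules(rec))
    summary["rule_candidates"] = sorted(cands)
    return summary


if __name__ == "__main__":
    s = analyse()
    print("hits per source      :", dict(s["per_src"]))
    print("hits per destination :", dict(s["per_dst"]))
    print("repeated SYN 4-tuples:", s["retransmits"])
    print("rules not excluded   :", s["rule_candidates"])
```

On the quoted sample the only rule left standing is the address-list drop, since the other two are either disabled or limited to TCP/25, and the client is retransmitting the same SYN (port 45572 at :33, :34 and :40), which is what a client does when the first SYN was dropped rather than answered. Whether that rule really fired depends on whether 10.0.0.91 is on the list, which `/ip firewall address-list print where list="SMTP spammer"` on the router will show; because the adding rule uses `address-list-timeout=none-dynamic`, an entry stays until it is removed by hand or the router reboots, so a device that once tripped the port-25 connection limit keeps being dropped and logged for all of its outbound traffic. Port 5228 is the port Android devices use for Google push notifications, so the destinations in the sample are worth comparing against what a normal phone does before concluding the device is infected.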