PortalNET
Member Candidate
Topic Author

Mikrotik ASN Public IP question

Thu May 13, 2021 4:31 pm

Hi guys

We recently obtained an ASN and an IPv4 /22 block for our ISP, and we have set up BGP. After a couple of weeks of testing these IP blocks and updating the region/country of the ASN IP block (apparently this block was acquired from another region/country to our country), the ASN was set up and all our testing was done on the IPs.

We decided to set up and announce them on BGP, and to set up the PPPoE servers to distribute the public IPs to our clients in pppoe-client mode.

The problem is that 35% of customers started complaining about downtime on the internet, routers disconnecting and slowness in browsing; Wi-Fi connected with no internet displayed. Customers had to reboot routers several times per day to get the internet going, so we decided to migrate those clients back to the previous PPPoE NATed private IPs they were connected with before, and the internet started working normally again. We also noticed that our filter rules showed several blocked attack attempts on the ports added to the filter rules for viruses, worms, trojans etc.

Whilst on the public IPs of the ASN we created an accept rule to pass all traffic without blocking ports on the public IPs, so I am guessing that these types of attacks must be hammering the clients' routers with attempts to access the devices. I have seen on the net that there can be a ton of attack types: SYN flood, DNS, UPnP...

So my question is: is there any approach to block these well-known virus and trojan ports on the public IPs allocated to our clients in pppoe-server mode as well? If so, should this be done on the PPPoE server MikroTik side, or could it be done on the BGP machine side?

Is there a way to secure the ASN IP block against the most common known virus ports on the MikroTik side?
 
rextended
Forum Guru

Re: Mikrotik ASN Public IP question

Fri May 14, 2021 1:05 am

Yes, use the FIREWALL on the pppoe-server.
Drop any incoming unsolicited connection from outside directed to the IPs of clients.
If some clients require open ports, DO NOT OPEN 20, 21, 22, 23, 53, 80, 443; open only what is requested, and on the firewall rule add the expected IP of the remote source.
 
PortalNET
Member Candidate
Topic Author

Re: Mikrotik ASN Public IP question

Mon May 31, 2021 3:02 am

Yes, use the FIREWALL on the pppoe-server.
Drop any incoming unsolicited connection from outside directed to the IPs of clients.
If some clients require open ports, DO NOT OPEN 20, 21, 22, 23, 53, 80, 443; open only what is requested, and on the firewall rule add the expected IP of the remote source.
The problem is that we have an ASN IPv4 /22 and we have a top firewall rule to accept our src ASN IPv4 /22, so all rules in firewall filters and NAT are only applied to internal private IPs, not public IPs,

because we supply public IPs to 80% of our WISP customers. So I guess the only option will be blocking it via firewall / raw, which blocks on all internal private and public IPs.
 
mducharme
Trainer

Re: Mikrotik ASN Public IP question

Mon May 31, 2021 3:16 am

Whilst on the public IPs of the ASN we created an accept rule to pass all traffic without blocking ports on the public IPs, so I am guessing that these types of attacks must be hammering the clients' routers with attempts to access the devices. I have seen on the net that there can be a ton of attack types: SYN flood, DNS, UPnP...
I doubt this is the issue. We have always provided our customers with public IPs, and they mostly use off-the-shelf D-Link and TP-Link routers, as we only started providing routers a few years back. We have had issues in a couple of cases with UPnP ports open causing trouble, but it is rare. We have about 1500 customers.

I suspect there is some other issue that is the actual cause of the problems.
 
PortalNET
Member Candidate
Topic Author

Re: Mikrotik ASN Public IP question

Mon May 31, 2021 9:47 pm

Whilst on the public IPs of the ASN we created an accept rule to pass all traffic without blocking ports on the public IPs, so I am guessing that these types of attacks must be hammering the clients' routers with attempts to access the devices. I have seen on the net that there can be a ton of attack types: SYN flood, DNS, UPnP...
I doubt this is the issue. We have always provided our customers with public IPs, and they mostly use off-the-shelf D-Link and TP-Link routers, as we only started providing routers a few years back. We have had issues in a couple of cases with UPnP ports open causing trouble, but it is rare. We have about 1500 customers.

I suspect there is some other issue that is the actual cause of the problems.

Hi mducharme

We have the following scenario: a BGP MikroTik router with the ASN and IPv4/IPv6 blocks set up, and below BGP we have 3 CCRs with pppoe-servers, one for each city.

On firewall NAT we have the following accept rule:

/ip firewall nat
add action=accept chain=srcnat comment="## DO NOT DO NAT on the following ASN IPV4 block ##" src-address=1xx.1xx.113.0/24

(1xx.1xx.113.0/24 is ASN IPv4 block 1, a /24)

On CCR 2 we have the same rule, just a different block: 1xx.1xx.114.0/24

On CCR 3 we have the same rule, just a different block: 1xx.1xx.115.0/24

Also on the BGP router's firewall NAT we have the same accept rule for 1xx.1xx.113.0/22

on top on all CCR devices. So the firewall NAT is working on incoming connections from the backhaul transit ISP on the backhaul transit IP 177.1xx.2xx.0/30 and all my internal LAN private IPs.

It is working and blocking all ports, port scanners etc.; all filter rules are working, but not on the public IPs, because we set up a first rule to accept traffic on all ports for the public IPs. We do not use CGNAT yet, as 25% of our customers are small companies; they need static dedicated IP connections without CGNAT and blocked ports. But for home residential users, we do see that some customers have routers with outdated firmware versions etc., and some with default ports like telnet etc. open with default login credentials, so we are trying to create a firewall rule to block those standard ports also on the public IPs from the ASN block.
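The policy rextended describes, applied to the CCR/pppoe-server layout in this post, as an added example written for this thread (not any poster's configuration). It assumes a transit-facing interface named ether1-transit, the constructed placeholder 203.0.113.0/24 standing in for this CCR's /24 of the ASN block, and one business customer at 203.0.113.50 that needs inbound TCP/443 only from 198.51.100.0/24; the srcnat accept rule stays, and the top-of-filter accept-all for the ASN block is what gets removed.

```routeros
# Added example for this thread (not any poster's config). Constructed values:
# interface "ether1-transit" faces the transit ISP, 203.0.113.0/24 stands in for
# this CCR's /24 of the ASN block, 203.0.113.50 is a business customer that needs
# inbound TCP/443 from 198.51.100.0/24 only.

# The pattern described in the thread: an accept-all rule for the ASN block at
# the top of the filter means no later rule ever sees public-IP customers.
# (Kept commented out; this is the rule to remove.)
#/ip firewall filter
#add chain=forward action=accept src-address=203.0.113.0/24 comment="ASN block, no filtering"

# No NAT for the ASN block (same intent as the srcnat accept rule in the post).
/ip firewall nat
add chain=srcnat action=accept src-address=203.0.113.0/24 \
    comment="## DO NOT NAT the ASN block ##"

# Address lists keep the policy readable and let exceptions be added per customer.
/ip firewall address-list
add list=asn-customers address=203.0.113.0/24 comment="public-IP PPPoE customers"
add list=biz-443-allowed address=203.0.113.50 comment="customer needing inbound HTTPS"
add list=biz-443-sources address=198.51.100.0/24 comment="the only remote that may reach it"

/ip firewall filter
# 1. Stateful first: replies to sessions the customers opened always pass.
add chain=forward action=accept connection-state=established,related \
    comment="return traffic for customer-initiated sessions"
add chain=forward action=drop connection-state=invalid comment="broken state"
# 2. Per-customer exception, narrowed to the expected remote source (rextended's advice).
add chain=forward action=accept in-interface=ether1-transit protocol=tcp dst-port=443 \
    dst-address-list=biz-443-allowed src-address-list=biz-443-sources \
    comment="business customer: HTTPS from the agreed peer only"
# 3. Any other NEW connection from transit to a public customer IP is unsolicited.
#    Dropping by state covers 20,21,22,23,53,80,443 on CPE with default credentials
#    without maintaining a port list; log=yes shows what is hitting which customer.
add chain=forward action=drop in-interface=ether1-transit connection-state=new \
    dst-address-list=asn-customers log=yes log-prefix="drop-unsolicited-asn " \
    comment="unsolicited inbound to public customer IPs"
# 4. Customers' own new sessions toward transit pass.
add chain=forward action=accept out-interface=ether1-transit \
    src-address-list=asn-customers comment="customer outbound"
```

The same filter rules, with the whole /22 in the asn-customers list, would also work on the BGP router; placing them on each pppoe-server keeps the drop and its log next to the customer interface of the CCR concerned.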
