iwlet
just joined
Topic Author
Posts: 9
Joined: Mon May 31, 2021 3:22 pm

RAW filter: Drop from a network IPs

Mon May 31, 2021 5:21 pm

Hi
I have seen a behaviour I didn't expect in a raw firewall rule.
I was looking to block all IP traffic coming in on an interface that does not have a correct IP.
This is my configuration:
/interface list
add name=LAN
/interface list member
add interface=ether1 list=LAN
/ip firewall address-list
add address=192.168.88.0/24 comment=Local_LAN list=local-addr
/ip firewall raw
add action=drop chain=prerouting comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN log=yes log-prefix=LAN_!LAN src-address-list=!local-addr
Topology:

[192.168.0.0/24 network] <> [Tplink wr850 router with 192.168.88.254 WAN] <> [dhcp server ether1: 192.168.88.1/24 Mikrotik Lite5 device]

When I enable logging on the firewall rule I see that it blocks connections with the IP range 192.168.0.0/24.
In theory all traffic coming out of the tplink should be masqueraded as 192.168.88.254, not with a 192.168.0.0/24 network IP.

If I remove the rule from RAW and put it in the filter rules:
/ip firewall filter
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN log=yes log-prefix=LAN_!LAN src-address-list=!local-addr
add action=drop chain=input comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN log=yes log-prefix=LAN_!LAN src-address-list=!local-addr
The counter of the rules is 0

Is that normal?
Is the RAW rule malfunctioning?
Could someone explain to me what I'm doing wrong?

Thank you
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RAW filter: Drop from a network IPs

Tue Jun 01, 2021 3:31 pm

Raw is before all, including nat/masquerade,
it's obvious that traffic is dropped.

The rule does exactly what you have written: drop all non 192.168.88.0/24
 
iwlet
just joined
Topic Author
Posts: 9
Joined: Mon May 31, 2021 3:22 pm

Re: RAW filter: Drop from a network IPs

Tue Jun 01, 2021 7:28 pm

Raw is before all, including nat/masquerade,
it's obvious that traffic is dropped.

The rule does exactly what you have written: drop all non 192.168.88.0/24
Thanks for your answer.

I think that I have not explained it well.
In theory all traffic coming into the tplink over the LAN and going out over the WAN should be masked, so everything coming into the mikrotik should have IP 192.168.88.254 and the RAW rule should not have any match but it doesn't.
The masquerade is in the TPLINK WR850. All its traffic is going to the mikrotik.
192.168.0.0/24 ->>>>> tplink [192.168.88.254 wan] >>>>>>>> ether1 mikrotik: in=ether1 ipsrc!=192.168.88.0/24 then drop BUT, everything from tplink should have ip inside 192.168.88.0/27?

I find it strange that the RAW rule detects unmasqueraded traffic from the tplink but the "normal" filter rules don't detect unmasqueraded traffic.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RAW filter: Drop from a network IPs

Tue Jun 01, 2021 11:24 pm

Raw is a useful/powerful tool in the right hands; in the wrong hands, DISASTER.

Unless you understand the packet diagrams inside out, I would refrain from using RAW.
https://help.mikrotik.com/docs/display/ ... n+RouterOS
 
iwlet
just joined
Topic Author
Posts: 9
Joined: Mon May 31, 2021 3:22 pm

Re: RAW filter: Drop from a network IPs

Wed Jun 02, 2021 12:05 pm

Thanks Anav

"The PREROUTING chain: Rules in this chain apply to packets as they just arrive on the network interface"
So packets from the tplink arrive at the mikrotik. Which IPs do those packets have, 192.168.88.0/24 or 192.168.0.24/24? 192.168.88.0/24 (.254), right? Normal behavior of a home router: masquerade everything going out of the WAN.
My RAW rule only matches packets coming in from interface "ether1" of the Mikrotik.
I still don't understand: how can the mikrotik detect packets coming in on ether1 with IP 192.168.0.0/24?

Are there packets that the tplink does not masquerade for some reason?
tplink failure?
mikrotik failure?

Are there packets that should not be masked that leave the tplink? In this case, shouldn't the filter rules detect it?

I hope that the diagram in the attached figure will help me to better understand my doubt.
schema.png
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: RAW filter: Drop from a network IPs

Wed Jun 02, 2021 12:13 pm

You should indeed first investigate the root-cause.
I would think no packets may leave the TPLink still having 192.168.0.0/24 as a source IP!! I would expect this home router to indeed hide/masq all outbound IP packets.

Did you use /tool torch on the ether1 side of the Mikrotik to SEE what these 192.168.0.0/24 packets are? What type, what destination?
 
iwlet
just joined
Topic Author
Posts: 9
Joined: Mon May 31, 2021 3:22 pm

Re: RAW filter: Drop from a network IPs

Wed Jun 02, 2021 7:04 pm

Thanks jvanhambelgium
I have obtained the following from different mikrotik devices with the same topology described above:
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac f8:1a:67, proto TCP (RST), 192.168.0.103:50600->31.13.83.51:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac f8:1a:67, proto TCP (RST), 192.168.0.103:50600->31.13.83.51:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac f8:1a:67, proto TCP (RST), 192.168.0.103:50600->31.13.83.51:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.101:37090->142.250.184.1:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.101:36816->142.250.200.86:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.101:36816->142.250.200.86:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.101:36818->142.250.200.86:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.101:36818->142.250.200.86:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.101:36812->142.250.200.86:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.101:36812->142.250.200.86:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.101:37082->142.250.184.1:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.101:37082->142.250.184.1:443, len 40"
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,FIN,PSH), 192.168.0.106:62987->23.214.201.13:443, len 416"
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,FIN,PSH), 192.168.0.106:62988->23.214.201.13:443, len 388"
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,FIN,PSH), 192.168.0.106:62988->23.214.201.13:443, len 388"
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,FIN,PSH), 192.168.0.106:62987->23.214.201.13:443, len 416"
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,FIN,PSH), 192.168.0.106:62987->23.214.201.13:443, len 416"
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,FIN,PSH), 192.168.0.106:62988->23.214.201.13:443, len 388"
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,FIN,PSH), 192.168.0.106:62988->23.214.201.13:443, len 388"
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,FIN,PSH), 192.168.0.106:62987->23.214.201.13:443, len 416"
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,RST), 192.168.0.106:62988->23.214.201.13:443, len 40"
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,RST), 192.168.0.106:62987->23.214.201.13:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac ec:08:6b, proto TCP (ACK,FIN), 192.168.0.107:37124->142.250.184.4:443, len 52"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac ec:08:6b, proto TCP (ACK,FIN), 192.168.0.107:37124->142.250.184.4:443, len 52"
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,FIN,PSH), 192.168.0.101:54070->47.74.174.53:443, len 71"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac ec:08:6b, proto TCP (ACK,RST), 192.168.0.105:44414->142.250.200.118:443, len 52"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac ec:08:6b, proto TCP (ACK,RST), 192.168.0.105:44730->142.250.184.10:443, len 52"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac ec:08:6b, proto TCP (ACK,RST), 192.168.0.103:43254->54.172.173.144:443, len 52"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,FIN), 192.168.0.100:46012->216.58.209.74:443, len 52"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,FIN), 192.168.0.100:46020->216.58.209.74:443, len 52"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac a4:2b:b0, proto TCP (ACK,FIN), 192.168.0.102:48710->142.250.201.78:80, len 52"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac a4:2b:b0, proto TCP (ACK,FIN), 192.168.0.102:48710->142.250.201.78:80, len 52"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac a4:2b:b0, proto TCP (ACK,FIN), 192.168.0.105:44020->80.158.2.190:6447, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac ec:08:6b, proto TCP (ACK,RST), 192.168.0.105:44652->172.217.168.165:443, len 52"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac ec:08:6b, proto TCP (ACK,RST), 192.168.0.105:41140->142.250.184.5:443, len 52"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac ec:08:6b, proto TCP (RST), 192.168.0.105:42220->172.217.168.161:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.104:56391->90.163.126.39:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.104:56391->90.163.126.39:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.104:56391->90.163.126.39:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.104:56391->90.163.126.39:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.104:56391->90.163.126.39:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac 18:a6:f7:c5:ca:3f, proto TCP (RST), 192.168.0.103:54571->54.182.252.172:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac 18:a6:f7:c5:ca:3f, proto TCP (RST), 192.168.0.103:54571->54.182.252.172:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac ec:08:6b, proto TCP (ACK,FIN), 192.168.0.107:37124->142.250.184.4:443, len 52"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.104:54133->90.163.126.41:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.104:54133->90.163.126.41:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.104:54133->90.163.126.41:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.104:54133->90.163.126.41:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac c4:6e:1f, proto TCP (RST), 192.168.0.104:54133->90.163.126.41:443, len 40"
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (RST), 192.168.0.103:45906->69.171.250.60:443, len 40"
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (RST), 192.168.0.103:45906->69.171.250.60:443, len 40"
But, I don't know if this clarifies anything for me
Could anyone help?
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: RAW filter: Drop from a network IPs

Wed Jun 02, 2021 8:15 pm

For sure you should be able to stop them with the filter on the FORWARD chain. The destination IPs of the packets leaving the TPLINK do not seem to "hit" any interface of the Mikrotik, so the "input" chain is not relevant here.

Can you adjust your rules and use actual values for the incoming interface + src-range? And not refer to lists.
Who knows, something may be off there.

/ip firewall filter
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=ether1 log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24


In your logs earlier I see entries like the ones below. I don't know the difference between "ether1" and "ether1-local"?? Perhaps others know that.

LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,RST), 192.168.0.106:62987->23.214.201.13:443, len 40"
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac ec:08:6b, proto TCP (ACK,FIN), 192.168.0.107:37124->142.250.184.4:443, len 52"
 
iwlet
just joined
Topic Author
Posts: 9
Joined: Mon May 31, 2021 3:22 pm

Re: RAW filter: Drop from a network IPs

Wed Jun 02, 2021 8:18 pm


In your logs earlier I see entries like the ones below. I don't know the difference between "ether1" and "ether1-local"?? Perhaps others know that.
The interface name is ether1 on one mikrotik device and ether1-local on another. The log that I posted is from several mikrotik devices with the same configuration.

I have changed in-interface-list=LAN to in-interface=ether1 and I have the same result. :(
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RAW filter: Drop from a network IPs

Wed Jun 02, 2021 10:09 pm

RST packets, which instruct the source that the connection must be closed, are not NATted;
MikroTik does not NAT that packet either, because it is useless: no one must reply to a TCP packet with the RST (reset) flag.
The same can happen with the FIN (finish / end) flag on some routers.
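To check rextended's explanation against the log dump iwlet posted, here is an added example (my code, not from the thread or from MikroTik): a small Python parser for the RouterOS firewall log line format shown above, which labels each dropped packet by whether its source lies inside the LAN prefix the RAW rule expects (192.168.88.0/24) and, if not, whether the packet carries only connection-teardown flags (RST or FIN). The line format is assumed from the posted lines; the sample embeds five of them plus one constructed bare-SYN line (made-up MAC, source and destination) to show what a genuinely un-NATted new connection would look like, since that is the case a defender would actually need to chase. The class names are my own.

```python
import ipaddress
import re
from collections import Counter

# Five lines copied from the log output posted in the thread (trailing quote
# characters dropped), plus one CONSTRUCTED line at the end: a bare SYN, i.e. what a
# genuinely un-NATted new connection from the TP-Link side would look like. The SYN
# line's MAC, source and destination are made up for this example.
SAMPLE_LOG = """\
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac f8:1a:67, proto TCP (RST), 192.168.0.103:50600->31.13.83.51:443, len 40
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,FIN,PSH), 192.168.0.106:62987->23.214.201.13:443, len 416
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac f4:f2:6d, proto TCP (ACK,RST), 192.168.0.106:62988->23.214.201.13:443, len 40
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac ec:08:6b, proto TCP (ACK,FIN), 192.168.0.107:37124->142.250.184.4:443, len 52
LAN_!LAN prerouting: in:ether1-local out:(unknown 0), src-mac a4:2b:b0, proto TCP (ACK,FIN), 192.168.0.105:44020->80.158.2.190:6447, len 40
LAN_!LAN prerouting: in:ether1 out:(unknown 0), src-mac 02:00:00:00:00:01, proto TCP (SYN), 192.168.0.150:40000->198.51.100.7:443, len 60
"""

# RouterOS firewall log line format as it appears in the thread (assumed from those lines):
#   <prefix> <chain>: in:<if> out:(<if>), src-mac <mac>, proto TCP (<flags>), <src>:<sport>-><dst>:<dport>, len <n>
LOG_RE = re.compile(
    r"^(?P<prefix>\S+) (?P<chain>\w+): in:(?P<in_if>\S+) out:\((?P<out_if>[^)]*)\), "
    r"src-mac (?P<mac>[0-9a-fA-F:]+), proto (?P<proto>\w+) \((?P<flags>[^)]*)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)"
)

# TCP flags that mean "this connection is being torn down"
TEARDOWN_FLAGS = {"RST", "FIN"}


def parse_line(line):
    """Parse one firewall log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["flags"] = set(entry["flags"].split(",")) if entry["flags"] else set()
    for key in ("sport", "dport", "length"):
        entry[key] = int(entry[key])
    return entry


def classify(entry, lan_net):
    """Label a dropped packet relative to the LAN prefix the RAW rule expects.

    'expected'      - source is inside lan_net (the rule should not even have matched)
    'teardown-leak' - source is outside lan_net but the packet only carries RST/FIN,
                      i.e. teardown of a connection the upstream NAT no longer tracks
    'unexpected'    - source is outside lan_net on a packet that is NOT teardown;
                      this is the case that would really need investigation
    """
    src = ipaddress.ip_address(entry["src"])
    if src in lan_net:
        return "expected"
    if entry["proto"] == "TCP" and entry["flags"] & TEARDOWN_FLAGS:
        return "teardown-leak"
    return "unexpected"


def summarize(log_text, lan_cidr="192.168.88.0/24"):
    """Count the classes over a whole log dump; unparseable lines are counted too."""
    lan_net = ipaddress.ip_network(lan_cidr)
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        counts["unparsed" if entry is None else classify(entry, lan_net)] += 1
    return counts


def unexpected_sources(log_text, lan_cidr="192.168.88.0/24"):
    """Return the (src-mac, src ip) pairs behind the 'unexpected' class, for follow-up."""
    lan_net = ipaddress.ip_network(lan_cidr)
    found = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and classify(entry, lan_net) == "unexpected":
            found.add((entry["mac"], entry["src"]))
    return sorted(found)


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))      # {'teardown-leak': 5, 'unexpected': 1}
    print(unexpected_sources(SAMPLE_LOG))   # [('02:00:00:00:00:01', '192.168.0.150')]
```

Run over the real dump in the thread, every hit lands in the teardown-leak bucket, which is exactly rextended's point: the TP-Link has already dropped its NAT entry by the time the RST/FIN arrives and forwards it untranslated. Only packets in the unexpected bucket (a SYN or data segment that still carries a 192.168.0.0/24 source) would indicate a real masquerade failure, and the src-mac column tells you which device behind the TP-Link sent them.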
 
iwlet
just joined
Topic Author
Posts: 9
Joined: Mon May 31, 2021 3:22 pm

Re: RAW filter: Drop from a network IPs

Tue Jun 08, 2021 12:46 pm

Thank you Rextended

If I have understood correctly:
So the tplink router doesn't bother to NAT those packets.... in that case, those packets should always be marked by the mikrotik as invalid, right?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RAW filter: Drop from a network IPs  [SOLVED]

Tue Jun 08, 2021 12:57 pm

Thank you Rextended

If I have understood correctly:
So the tplink router doesn't bother to NAT those packets.... in that case, those packets should always be marked by the mikrotik as invalid, right?
yes, thanks
