hardus
just joined
Topic Author
Posts: 11
Joined: Fri Feb 22, 2013 2:20 pm

How to block all traffic from outside to my Router

Wed Feb 26, 2014 7:43 pm

Hello,

My setup is as follows:

I have an ADSL modem in bridged mode; my MikroTik connects to it and brings up two PPPoE connections, one to my ISP and one for my VPN connection. On top of the PPPoE VPN connection I have a PPTP connection to establish a tunnel between me and the other end.

My problem is that for some reason I'm getting a lot of traffic coming into my router from outside. It does not enter my LAN, it just gets into the PPPoE connection for my internet. The traffic is between 400-800 kbps, not that much, but it's only on my PPPoE ISP connection, it doesn't go through the router. While that traffic is so high, my internet is extremely slow to unresponsive; this happens randomly. We used to have it a lot at work and I then just added a firewall block rule to block it; that method does not work for me at home. I followed some online tutorials and added a lot of firewall rules to block all kinds of random stuff from outside; even with that it is not having an effect on the incoming traffic to the ISP account.

I need to be able to block all access to my router from outside completely, no exceptions.

Here are a bunch of rules that I added:

/ip firewall filter

add action=drop chain=input in-interface=ISP1

add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input \
comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect"\
disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=input\
comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST"\
disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours"\
connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established\
disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"\
disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: How to block all traffic from outside to my Router

Wed Feb 26, 2014 8:07 pm

I'm confused. You can't block traffic to your router before the router. If you want to stop it before it gets to you, your ISP will have to block it. You can only drop the traffic once it arrives.

 
jaykay2342
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: How to block all traffic from outside to my Router

Wed Feb 26, 2014 8:41 pm

Agree. If the incoming traffic fills your uplink it doesn't matter whether you drop it on the router. Try to find out what kind of traffic you're getting and why you are getting it. An attack? Was there an open DNS server running and someone is abusing it for a DNS amplification attack? Once you know, talk to your upstream ISP. The ISP might be able to drop it for you or give you a new IP address.
 
hardus
just joined
Topic Author
Posts: 11
Joined: Fri Feb 22, 2013 2:20 pm

Re: How to block all traffic from outside to my Router

Wed Feb 26, 2014 9:07 pm

For example, if I look at my interfaces, my ISP interface shows the traffic under TX; none of my other interfaces shows the traffic, so it looks like it goes just to the ISP connection. It seems like some kind of attack as it comes in bursts, and the router shows the traffic coming from 'eth protocol 800 (IP)' and 'Internet IP:443 and 80' to my router's 'public IP'; the IP is dynamic so it changes.

All the while it stays so high, my internet connection is dead slow.

As for the open DNS server, I have nothing running on my router that has to be accessible from the outside.

I'm not very good at explaining this. I spoke to my ISP a while back and they asked me to provide them with an IP that's causing the problems, but it is never the same; they keep changing to new ones, not even the same type of IP. Some for example start with 197.242.x.x, others with 87.230.x.x, others with 112.209.x.x.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: How to block all traffic from outside to my Router

Wed Feb 26, 2014 9:11 pm

So your problem is on TX and not RX?

 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: How to block all traffic from outside to my Router

Wed Feb 26, 2014 9:12 pm

Post your firewall export.

 
hardus
just joined
Topic Author
Posts: 11
Joined: Fri Feb 22, 2013 2:20 pm

Re: How to block all traffic from outside to my Router

Wed Feb 26, 2014 9:46 pm

[admin@Hardus-Home-MikroTik] > /ip firewall export
# jan/06/1970 12:36:57 by RouterOS 6.7
# software id = 1WBS-904U
#
/ip firewall filter
add action=drop chain=input in-interface=ISP1
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp \
    psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=\
    fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=\
    syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add chain=forward comment="allow established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=virus
add action=drop chain=forward comment="drop everything else" disabled=yes
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=Group1 src-address=192.168.11.0/24
add action=mark-connection chain=prerouting new-connection-mark=Group1 src-address=192.168.11.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat disabled=yes src-address=192.168.0.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=ISP1 src-address=192.168.11.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: How to block all traffic from outside to my Router

Wed Feb 26, 2014 11:43 pm

And where exactly are you seeing this "excessive traffic"? Have you tried to torch it?
 
hardus
just joined
Topic Author
Posts: 11
Joined: Fri Feb 22, 2013 2:20 pm

Re: How to block all traffic from outside to my Router

Thu Feb 27, 2014 5:42 am

With Torch, that's where I get all my info. It's mostly HTTPS traffic. Funny thing is I changed my ISP account to a different account on the same ISP; still the same problem. If I look at the interfaces, there's only traffic on my bridged and ISP interfaces and on my WiFi where I'm connecting from; the rest stands at 0.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: How to block all traffic from outside to my Router

Thu Feb 27, 2014 1:46 pm

Post a screenshot

 
hardus
just joined
Topic Author
Posts: 11
Joined: Fri Feb 22, 2013 2:20 pm

Re: How to block all traffic from outside to my Router

Thu Feb 27, 2014 2:13 pm

At this moment there's no problem, the network is quiet as you can see. I took a screenshot anyway and will do so again when the traffic starts jumping again, just to show you how I scan. Unlike normal traffic that fluctuates, this problem traffic stays more or less solid at a high speed, and I can see that it's not coming from the LAN.

Last night I switched to my capped internet account, same ISP, to get a different IP; I didn't check, but I assume it would. Still I had the same traffic problem: I can see high traffic on the PPPoE interface and the ISP1 PPPoE account. The other interfaces, except for my WiFi router's interface, had 0 bps traffic. The WiFi had very low, like 20-40 kbps, while the ISP had between 400-800 kbps. Web pages were even crawling slow.
torch.JPG
interfaces.JPG
 
hardus
just joined
Topic Author
Posts: 11
Joined: Fri Feb 22, 2013 2:20 pm

Re: How to block all traffic from outside to my Router

Thu Feb 27, 2014 3:06 pm

A thought just came to me that may be preventing my firewall rules from working; I don't know if it will have an effect. I had the router set up with 2 ADSL accounts and 2 LANs (capped + uncapped) a while ago and the mark-routing is still on the router. Maybe I must just add a mark to the rules? I am going to set up those settings again once I have sorted out this problem.

Hardus
 
hardus
just joined
Topic Author
Posts: 11
Joined: Fri Feb 22, 2013 2:20 pm

Re: How to block all traffic from outside to my Router

Mon Mar 03, 2014 8:05 pm

Hi,

Here is an example of the traffic that's killing my internet connection:
3 mar 2014.PNG
3 mar 2014 2.PNG
 
hardus
just joined
Topic Author
Posts: 11
Joined: Fri Feb 22, 2013 2:20 pm

Re: How to block all traffic from outside to my Router

Mon Mar 03, 2014 8:11 pm

Another example, only a minute on:
3 mar 2014 3.PNG
Then again, another minute on from that one, a totally different IP:
3 mar 2014 4.PNG
 
lambert
Long time Member
Posts: 548
Joined: Fri Jul 23, 2010 1:09 am

Re: How to block all traffic from outside to my Router

Mon Mar 03, 2014 10:37 pm

Someone on the upstairs router is streaming video from Amazon?

Traffic comes in from ISP1. Traffic goes out ether2, "Upstairs WiFi Router".

IP addresses of high traffic connections belong to Amazon.

/ip firewall nat
add action=masquerade chain=srcnat
Some machine connected to the Upstairs WiFi Router requested the traffic. The NAT rule permits the traffic. Working as configured.
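The chain split that lambert's answer relies on, as an added example that is not part of the thread or of RouterOS itself: a toy evaluator for RouterOS-style filter rules. Packets addressed to the router's own IP go through the input chain; packets routed to a LAN host (the masqueraded video stream, once conntrack has reversed the NAT) go through the forward chain, so none of the input rules in the posted export ever see them. The ruleset called ORIGINAL keeps only the rules from the export that matter here, and HARDENED is an assumed conventional ordering, not anything posted in the thread. The router IP, the LAN interface name ether2 and all traffic are constructed (RFC 5737 documentation addresses).

```python
# Added example (not from the thread): toy RouterOS-style filter evaluator.
# Shows that a LAN host's stream is "forward" traffic that input rules never
# see, and that dropping on the router does not recover uplink bandwidth.
from dataclasses import dataclass
from typing import Optional

ROUTER_IP = "203.0.113.10"   # constructed public address (RFC 5737 range)
LAN_IFACE = "ether2"         # assumption: "Upstairs WiFi Router" hangs off ether2


@dataclass
class Rule:
    chain: str                         # input | forward
    action: str                        # accept | drop
    in_iface: Optional[str] = None
    conn_state: Optional[str] = None   # new | established | related | invalid
    proto: Optional[str] = None
    dst_port: Optional[int] = None


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: int = 0
    conn_state: str = "new"
    size: int = 1500                   # bytes on the wire, for the uplink tally


def chain_for(pkt: Packet) -> str:
    """Packets addressed to the router itself hit 'input'; everything routed
    onward hits 'forward'. This is how RouterOS (netfilter) splits them."""
    return "input" if pkt.dst == ROUTER_IP else "forward"


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every matcher it sets agrees with the packet."""
    return (rule.in_iface in (None, pkt.in_iface)
            and rule.conn_state in (None, pkt.conn_state)
            and rule.proto in (None, pkt.proto)
            and rule.dst_port in (None, pkt.dst_port))


def evaluate(rules, pkt: Packet):
    """First matching rule in the packet's chain wins. No match means accept,
    which is the RouterOS default policy. Returns (action, rule index)."""
    chain = chain_for(pkt)
    for idx, rule in enumerate(rules):
        if rule.chain == chain and matches(rule, pkt):
            return rule.action, idx
    return "accept", None


# Rules from the posted export that matter here (the rest omitted).
ORIGINAL = [
    Rule("input", "drop", in_iface="ISP1"),      # shadows every later input rule for ISP1
    Rule("input", "accept", proto="icmp"),       # "Allow limited pings": unreachable from ISP1
    Rule("forward", "accept", conn_state="established"),
    Rule("forward", "accept", conn_state="related"),
    Rule("forward", "drop", conn_state="invalid"),
]

# Assumed conventional ordering (not from the thread): state rules first,
# then trust the LAN interface, then drop everything else in both chains.
HARDENED = [
    Rule("input", "accept", conn_state="established"),
    Rule("input", "accept", conn_state="related"),
    Rule("input", "drop", conn_state="invalid"),
    Rule("input", "accept", in_iface=LAN_IFACE),
    Rule("input", "drop"),
    Rule("forward", "accept", conn_state="established"),
    Rule("forward", "accept", conn_state="related"),
    Rule("forward", "drop", conn_state="invalid"),
    Rule("forward", "accept", in_iface=LAN_IFACE),
    Rule("forward", "drop"),
]

# Constructed traffic. The stream reply is shown after conntrack has reversed
# the masquerade, so its destination is the LAN host, not the router.
SCENARIOS = {
    "internet ssh brute force -> router": Packet("ISP1", "198.51.100.7", ROUTER_IP, dst_port=22),
    "internet ping -> router": Packet("ISP1", "198.51.100.7", ROUTER_IP, proto="icmp"),
    "video stream reply 443 -> LAN host": Packet("ISP1", "198.51.100.9", "192.168.11.20",
                                               dst_port=51234, conn_state="established"),
    "LAN host -> router winbox": Packet(LAN_IFACE, "192.168.11.20", ROUTER_IP, dst_port=8291),
}


def verdicts(rules):
    return {name: evaluate(rules, pkt)[0] for name, pkt in SCENARIOS.items()}


def uplink_bytes(packets):
    """Every packet that arrived on ISP1 has already crossed the ADSL link,
    whether the router then accepts or drops it."""
    return sum(p.size for p in packets if p.in_iface == "ISP1")


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(name, verdicts(rules))
    print("bytes that used the uplink regardless of rules:", uplink_bytes(SCENARIOS.values()))
```

Both rulesets accept the stream reply in the forward chain and drop unsolicited SSH and ping to the router; the difference is that ORIGINAL's first rule makes its later input rules dead code for anything arriving on ISP1, while HARDENED gets the same effect with an explicit final drop. The uplink tally is the same for both, which is jaykay2342's point: filtering on the router cannot give back bandwidth the ADSL link has already spent.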
