tjohnson
Member Candidate
Topic Author
Posts: 127
Joined: Thu Aug 12, 2004 7:01 am

blackhole rules

Tue Jun 06, 2006 3:23 am

I have set up some "blackhole" rules on one of my Mikrotik routers. However, it doesn't seem to be working correctly. I have it set up so it adds the src-address to an address list called "blackhole" if there is any traffic to a specific dst-address (i.e. 192.168.1.45). Then I have another rule to drop all packets in the address list "blackhole".

The problem we are seeing is a lot of places like Google, Yahoo mail, etc. are getting added to the blackhole list usually within an hour of having the rule setup.

Here are the two rules:

7 X ;;; Drop blackhole IP's
chain=forward src-address-list=blackhole action=drop

8 X chain=forward in-interface=ether1 src-address=!69.20.128.0/18
dst-address=192.168.1.45 action=add-src-to-address-list
address-list=blackhole address-list-timeout=1d

I was previously doing this same thing with an ETINC bandwidth manager box and never had problems of "false positives" from any locations (with it running for over a year).

Any help would be appreciated.
 
jarosoup
Long time Member
Posts: 596
Joined: Sun Aug 22, 2004 9:02 am

Tue Jun 06, 2006 3:43 am

Is the IP address 192.168.1.45 the router that the users are passing through? If so, try adding an allow rule on the forward chain just above rule #8 to allow established connections.
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Tue Jun 06, 2006 4:44 am

What are you natting to 192.168.1.45? If it's port 80 then you will see anyone and everyone getting blacklisted...

Sam
 
tjohnson
Member Candidate
Topic Author
Posts: 127
Joined: Thu Aug 12, 2004 7:01 am

Tue Jun 06, 2006 5:47 am

No, I only used 192.168.1.45 as an example. It's a real IP address on our network (not on the router) that has no device associated with it.

The idea is someone scanning our network will hit that IP and then be blocked for 1 day.
 
jarosoup
Long time Member
Posts: 596
Joined: Sun Aug 22, 2004 9:02 am

Tue Jun 06, 2006 7:52 am

I wonder if a broadcast from the client might be tripping this? It doesn't seem like it should, but I really don't see how else it could get triggered. Do clients get blocked soon after being connected, or is it random?
 
tjohnson
Member Candidate
Topic Author
Posts: 127
Joined: Thu Aug 12, 2004 7:01 am

solution

Tue Jun 06, 2006 10:45 pm

Hi,

I found the problem... one of our customers had transposed the numbers on their IP address (we use static IP's) and was trying to use an IP that was in the blackhole list.

Thanks for all the help.

Travis
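
The rule ordering jarosoup suggested, written out as an added RouterOS example; this is not configuration posted by anyone in the thread. It keeps the two rules from the first post and only takes ether1, the 69.20.128.0/18 range and the unused address 192.168.1.45 from the thread; the rule comments and the split into separate established and related rules are assumptions. With an accept for established and related traffic placed above the add-src-to-address-list rule, only a new, unsolicited inbound packet to the unused address can put a source on the list, so a remote site that is merely answering a connection opened from inside the network is not listed.

```routeros
# Added example, not the poster's configuration. Assumes ether1 is the upstream
# interface, 69.20.128.0/18 is the provider's own range and 192.168.1.45 is an
# unused address that no legitimate traffic should ever be sent to.
/ip firewall filter

# 1. Drop anything already on the blackhole list. This sits first so a listed
#    source also loses any flow it had open before it was listed.
add chain=forward src-address-list=blackhole action=drop comment="Drop blackhole IPs"

# 2. Replies to connections that inside hosts opened are accepted here and
#    never reach the detector rule below, so an outside site answering an
#    inside host does not end up on the list.
add chain=forward connection-state=established action=accept comment="Allow established"
add chain=forward connection-state=related action=accept comment="Allow related"

# 3. Only a new, unsolicited inbound connection attempt to the unused address
#    marks its source; the entry expires after one day, as in the original rule.
add chain=forward in-interface=ether1 connection-state=new src-address=!69.20.128.0/18 \
    dst-address=192.168.1.45 action=add-src-to-address-list \
    address-list=blackhole address-list-timeout=1d comment="Unused address: list scanners"
```

After enabling the rules, `/ip firewall address-list print where list=blackhole` shows what has been caught; an entry for a well-known public service appearing there is the signal that some inside host is sending traffic that draws replies to the unused address, which is worth investigating on the inside before trusting the list.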
