I recently installed a MikroTik (hEX) router in my home network. So for all intents and purposes, I am not familiar with the ins and outs of network admins, but I do know my networks.
My current setup has some VLANs to divide IoT devices from "normal" devices and from the solar panels. Pretty standard stuff.
The MikroTik router is not the first router. The situation:
ISP Router ==> Mikrotik Router ==> Home network
From the viewpoint of my ISP, only one device is on my home network: the Mikrotik router.
I do, however, have a VPN server on my NAS (Synology), which is open to the WAN on port 443 (ISP port forward: 443, MikroTik: 1194), just so traffic won't get blocked on certain networks.
And I started to notice a lot of connections being made to it. Like 300+. Not wanting these connections, I jumped into this forum (and wiki) and found some rules to limit TCP SYN.
(I know MikroTik has a VPN server as well, and that is on my to-do list, but I first wanted to make sure everything works like before :p)
/ip firewall filter
add action=jump chain=forward comment="SYN Flood protect: send new TCP SYNs arriving on the WAN to SYN-Protect" connection-state=new in-interface="ether1 [WAN]" jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect comment="Within 400 SYN/s (burst 5): go back to forward" connection-state=new limit=400,5:packet protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=SYN-Block address-list-timeout=2d chain=SYN-Protect comment="Over the limit: list the source address for 2 days"
add action=drop chain=forward comment="Drop all forwarded traffic from listed sources" src-address-list=SYN-Block
The SYN-Block list contains something like 1888 IPs.
During the day, no new packets get dropped. It only starts at night.
So my questions:
- Is this normal? Should I be concerned?
- Is this the right way of doing things? Can the list get too big? Or are there better ways of handling this kind of situation?
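An added example from the editor, not part of the post above and not MikroTik code: the `limit=400,5:packet` matcher in the posted rule set keeps one token bucket for the whole rule, shared by every source address. The model below assumes a classic token bucket (rate 400/s, depth 5) for that matcher and compares it with a bucket kept per source address, which is what a per-source matcher such as RouterOS `dst-limit` keyed on the source address would do (the exact RouterOS refill arithmetic is an assumption here). The SYN timeline is constructed: one scanner bursting 50 SYNs at 10,000 pps, and one legitimate VPN client sending a single SYN in the middle of that burst. The IP addresses are documentation ranges, not real hosts.

```python
"""Token-bucket model: global per-rule limit vs per-source limit.

Editor's example, not code from the forum post or from MikroTik. Assumes
`limit=400,5:packet` behaves as a single token bucket shared by all sources
and that a per-source matcher keeps one bucket per source address.
"""
from collections import defaultdict

RATE = 400.0   # tokens (SYN packets) refilled per second, as in limit=400,5:packet
BURST = 5      # bucket depth (burst)


class TokenBucket:
    """Classic token bucket: `burst` tokens max, refilled at `rate` per second."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        """True if a packet at time `now` is within the limit (a token was available)."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_global_limit(events, rate=RATE, burst=BURST):
    """Model of the posted rules: one bucket shared by every source.

    Returns the set of source addresses that would be added to SYN-Block,
    i.e. every source whose SYN arrived while the shared bucket was empty.
    """
    bucket = TokenBucket(rate, burst)
    blocked = set()
    for ts, src in events:
        if not bucket.allow(ts):
            blocked.add(src)
    return blocked


def run_per_source_limit(events, rate=RATE, burst=BURST):
    """Model of a per-source matcher: one bucket per source address."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    blocked = set()
    for ts, src in events:
        if not buckets[src].allow(ts):
            blocked.add(src)
    return blocked


def make_events():
    """Constructed timeline of (seconds, source address).

    A scanner sends 50 SYNs 0.1 ms apart starting at t=0; a legitimate VPN
    client sends one SYN at t=1.05 ms, while the scanner is still bursting.
    """
    scanner = "198.51.100.7"   # constructed, TEST-NET-2
    client = "203.0.113.42"    # constructed, TEST-NET-3
    events = [(i * 0.0001, scanner) for i in range(50)]
    events.append((0.00105, client))
    return sorted(events)


if __name__ == "__main__":
    evs = make_events()
    print("shared bucket blocks:    ", sorted(run_global_limit(evs)))
    print("per-source bucket blocks:", sorted(run_per_source_limit(evs)))
```

With the shared bucket, the scanner empties it within five packets and the client's single SYN, arriving while it is still empty, puts the client into SYN-Block for two days as well; with a per-source bucket, only the scanner is listed. That is the difference to check for in the posted rule set: with `limit` the listed addresses are not necessarily the ones sending the bursts, only the ones whose SYN happened to arrive after the shared budget was spent.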