I have many log entries stating "drop not from lan". It's a constant flow of dropped packets. Are these hackers (normal), or is this an error in my config?
Here is my config; I hope this is sufficient and the best way to make the information available:
Log sample:
jan/21 10:41:24 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 138.199.32.100:58804->122.60.239.110:465, len 44
jan/21 10:41:47 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 89.248.165.97:51573->122.60.239.110:55269, len 44
jan/21 10:41:50 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59004->23.77.145.95:443, len 40
jan/21 10:41:50 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59004->23.77.145.95:443, len 40
jan/21 10:41:57 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether10) out:pppoe-spark, src-mac c8:d0:83:df:d4:01, proto TCP (RST), 192.168.2.222:58287->184.27.81.116:443, len 40
jan/21 10:41:57 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether10) out:pppoe-spark, src-mac c8:d0:83:df:d4:01, proto TCP (RST), 192.168.2.222:58287->184.27.81.116:443, len 40
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60089, len 40
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60094, len 40
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60093, len 40
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60090, len 40
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60091, len 40
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60092, len 40
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.94.225.123:443->122.60.239.110:60104, len 40
jan/21 10:42:02 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 89.248.165.97:51573->122.60.239.110:55213, len 44
jan/21 10:42:13 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59019->23.77.153.39:443, len 40
jan/21 10:42:13 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59019->23.77.153.39:443, len 40
jan/21 10:42:19 dhcp,info dhcp-168.2 deassigned 192.168.2.217 from F4:1B:A1:89:D7:0F
jan/21 10:42:19 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 48:89:e7:41:38:68, proto TCP (ACK,FIN), 192.168.2.216:60104->52.94.225.123:443, len 40
jan/21 10:42:19 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 48:89:e7:41:38:68, proto TCP (ACK,RST), 192.168.2.216:60104->52.94.225.123:443, len 40
jan/21 10:42:25 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto UDP, 45.134.144.124:5075->122.60.239.110:5060, len 444
jan/21 10:42:27 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59023->23.77.159.200:443, len 40
jan/21 10:42:27 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59023->23.77.159.200:443, len 40
jan/21 10:42:27 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59027->184.27.89.102:443, len 40
jan/21 10:42:27 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59027->184.27.89.102:443, len 40
jan/21 10:42:28 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 205.209.159.201:43721->122.60.239.110:28017, len 52
jan/21 10:42:28 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 89.248.165.97:51573->122.60.239.110:55463, len 44
jan/21 10:42:29 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59024->23.77.159.200:443, len 40
jan/21 10:42:32 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59040->17.253.67.203:443, len 40
jan/21 10:42:32 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59040->17.253.67.203:443, len 40
jan/21 10:42:35 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 48:89:e7:41:38:68, proto TCP (ACK,RST), 192.168.2.216:60100->52.98.140.2:443, len 40
jan/21 10:42:37 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto TCP (ACK,RST), 52.98.140.2:443->122.60.239.110:60100, len 40
jan/21 10:42:40 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59070->184.27.81.116:443, len 40
jan/21 10:42:40 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59070->184.27.81.116:443, len 40
jan/21 10:42:45 dhcp,info dhcp-168.2 assigned 192.168.2.217 to F4:1B:A1:89:D7:0F
jan/21 10:42:46 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 194.26.29.195:57621->122.60.239.110:8158, len 44
jan/21 10:42:57 dhcp,info dhcp-168.2 deassigned 192.168.2.204 from 50:02:91:48:63:F8
jan/21 10:42:57 dhcp,info dhcp-168.2 assigned 192.168.2.204 to 50:02:91:48:63:F8
jan/21 10:42:58 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59029->23.55.38.26:443, len 40
jan/21 10:42:58 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59087->23.77.154.17:443, len 40
jan/21 10:42:58 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59087->23.77.154.17:443, len 40
jan/21 10:42:59 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 2a:d4:56:96:39:25, proto TCP (RST), 192.168.2.218:59031->23.55.38.26:443, len 40
jan/21 10:43:03 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 167.248.133.69:43513->122.60.239.110:7999, len 44
jan/21 10:43:04 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), src-mac 00:21:05:72:9d:7e, proto UDP, 112.173.52.216:123->122.60.239.110:123, len 32
jan/21 10:43:07 system,info,account user admin logged in via local
jan/21 10:43:08 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:bridge-ap_9_10(ether10), src-mac 58:d3:49:e9:04:46, proto TCP (RST), 192.168.2.200:56421->192.168.2.222:58687, len 40
jan/21 10:43:09 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether10) out:pppoe-spark, src-mac d2:a2:77:5f:cd:22, proto TCP (RST), 192.168.2.215:52429->31.13.78.13:443, len 40
jan/21 10:43:09 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether10) out:pppoe-spark, src-mac d2:a2:77:5f:cd:22, proto TCP (RST), 192.168.2.215:52429->31.13.78.13:443, len 40
jan/21 10:43:09 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether10) out:pppoe-spark, src-mac d2:a2:77:5f:cd:22, proto TCP (RST), 192.168.2.215:51506->31.13.78.19:443, len 40
jan/21 10:43:10 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 92.149.45.21:58800->122.60.239.110:23, len 44
# model = RB4011iGS+
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge protocol-mode=none
add comment="bridge access point 9 - upstairs" disabled=yes name=bridge-ap9
add name=bridge-ap_9_10
/interface vlan
add comment="eth1 not part of the bridge" interface=ether1 loop-protect=on name=vlan-spark vlan-id=10
/interface pppoe-client
add add-default-route=yes comment=SPRK disabled=no interface=vlan-spark keepalive-timeout=disabled name=pppoe-spark password="XX" user=xxx
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge-ap_9_10 comment=defconf interface=ether8
add bridge=bridge-ap_9_10 comment=defconf interface=ether9
add bridge=bridge-ap_9_10 comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-spark list=WAN
add interface=bridge-ap9 list=LAN
add interface=bridge-ap_9_10 list=LAN
# model = RB4011iGS+
/ip firewall address-list
add address=192.168.1.200-192.168.1.253 list=addr-list-ap9
add address=192.168.0.10-192.168.0.199 list=addr-list-lan
add address=192.168.2.200-192.168.2.253 list=addr-list-ap10
add address=192.168.0.0/16 list=addr-list-local
/ip firewall filter
add action=accept chain=input comment="1: defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="2: defconf: drop invalid" connection-state=invalid log=yes log-prefix=drop-invalid--
add action=accept chain=input comment="3: defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="4: defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="5: defconf: drop all not coming from LAN" connection-nat-state="" in-interface-list=!LAN log=yes log-prefix=drop-not--from-lan--
add action=drop chain=input comment="6: protection - 139 and 445 : SMB" dst-port=21-23,53,80,443,2000,6129,137-139,445,8291 log=yes log-prefix=drop-tcp-ports-blocked-- protocol=tcp src-address-list=!addr-list-local
add action=drop chain=input comment="7: protection" dst-port=53,137-138 log=yes log-prefix=drop-udp-ports-blocked-- protocol=udp src-address-list=!addr-list-local
add action=accept chain=forward comment="8: defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="9: defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# not enabled -- add action=fasttrack-connection chain=forward comment="10: defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="11: defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="12: defconf: drop invalid connection state" connection-state=invalid log=yes log-prefix=drop-invalid--
add action=drop chain=forward comment="13: defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=drop-not-dst-nat--
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1300 out-interface=pppoe-spark passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=mark-connection chain=output comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-spark passthrough=no protocol=udp
add action=mark-connection chain=postrouting comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns-ap10 passthrough=no protocol=udp src-address-list=addr-list-ap10
add action=mark-connection chain=output comment=" DNS, TCP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-spark passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-spark passthrough=no protocol=udp
add action=mark-connection chain=postrouting comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns-ap10 passthrough=no protocol=udp src-address-list=addr-list-ap10
add action=mark-connection chain=forward comment="DNS, TCP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-spark passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="Generic Voice Traffic, DSCP EF 46" connection-state=new dscp=46 new-connection-mark=voip out-interface=pppoe-spark passthrough=no
add action=mark-connection chain=forward comment="Google Hangouts Audio/Video, DSCP 40" connection-state=new dscp=40 new-connection-mark=gvc out-interface=pppoe-spark passthrough=no
add action=mark-connection chain=forward comment="Google Hangouts, UDP DstPort" connection-state=new dst-port=19302-19309 new-connection-mark=gvc out-interface=pppoe-spark passthrough=no protocol=udp
add action=mark-connection chain=forward comment="Google Hangouts, TCP DstPort" connection-state=new dst-port=19305-19309 new-connection-mark=gvc out-interface=pppoe-spark passthrough=no protocol=tcp
add action=mark-connection chain=forward comment=SSH connection-state=new dst-port=22 new-connection-mark=ssh out-interface=pppoe-spark passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="HTTP, HTTPS" connection-state=new dst-port=80,443 new-connection-mark=http-https out-interface=pppoe-spark passthrough=no protocol=tcp
add action=mark-connection chain=postrouting comment="HTTP, HTTPS" connection-mark=http-https connection-state=new dst-port=80,443 new-connection-mark=http-https-ap10 passthrough=no protocol=tcp src-address-list=addr-list-ap10
add action=mark-connection chain=forward comment="btsync targeted TCP traffic" connection-state=new new-connection-mark=p2p out-interface=pppoe-spark passthrough=no port=4242 protocol=tcp
add action=mark-connection chain=forward comment="btsync targeted UDP traffic" connection-state=new new-connection-mark=p2p out-interface=pppoe-spark passthrough=no port=4242 protocol=udp
add action=mark-packet chain=postrouting comment=DNS connection-mark=dns new-packet-mark=dns out-interface=pppoe-spark passthrough=no
add action=mark-packet chain=postrouting comment=DNS connection-mark=dns-ap10 dst-address-list=addr-list-ap10 new-packet-mark=dns-ap10 passthrough=no
add action=mark-packet chain=forward comment="TCP SYN" new-packet-mark=tcp-syn-ack out-interface=pppoe-spark passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=forward comment="TCP SYN" new-packet-mark=tcp-syn-ack-ap10 out-interface=bridge-ap_9_10 passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=forward comment="TCP ACK" new-packet-mark=tcp-syn-ack out-interface=pppoe-spark packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=forward comment="TCP ACK" new-packet-mark=tcp-syn-ack-ap10 out-interface=bridge-ap_9_10 packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=forward comment=VoIP connection-mark=voip new-packet-mark=voip out-interface=pppoe-spark passthrough=no
add action=mark-packet chain=forward comment="Google Hangouts" connection-mark=gvc new-packet-mark=gvc out-interface=pppoe-spark passthrough=no
add action=mark-packet chain=forward comment=SSH connection-mark=ssh new-packet-mark=interactive out-interface=pppoe-spark passthrough=no
add action=mark-packet chain=forward comment="HTTP, HTTPS" connection-mark=http-https new-packet-mark=http-https out-interface=pppoe-spark passthrough=no
add action=mark-packet chain=postrouting comment="HTTP, HTTPS" connection-mark=http-https-ap10 new-packet-mark=http-https-ap10 out-interface=bridge-ap_9_10 passthrough=no
add action=mark-connection chain=prerouting comment=ICMP connection-state=new new-connection-mark=icmp-ap10 passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp new-packet-mark=icmp passthrough=no
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=icmp passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=icmp new-packet-mark=icmp passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="\?\?\?\?" src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="defconf: masquerade - wrong also need nat between interfaces" ipsec-policy=out,none out-interface-list=WAN
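As an added example (not part of the original post), a Python triage script for the log format above: it parses the RouterOS `firewall,info` lines, counts which rule is firing, and groups the WAN-side `drop-not--from-lan--` input drops by destination port, so unsolicited hits on ports the router does not serve can be separated from hits on services it actually exposes. The sample lines are constructed in the same format using documentation addresses, and the `router_services` set is an operator-supplied assumption, not something read from the config.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the RouterOS "firewall,info" format shown in the post;
# addresses are RFC 5737 documentation ranges, not the poster's real ones.
SAMPLE_LOG = """\
jan/21 10:41:24 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 203.0.113.10:58804->198.51.100.7:465, len 44
jan/21 10:41:47 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 203.0.113.20:51573->198.51.100.7:23, len 44
jan/21 10:41:50 firewall,info drop-invalid-- forward: in:bridge-ap_9_10(ether9) out:pppoe-spark, src-mac 02:00:00:00:00:01, proto TCP (RST), 192.168.2.218:59004->192.0.2.5:443, len 40
jan/21 10:41:58 firewall,info drop-invalid-- input: in:pppoe-spark out:(unknown 0), src-mac 02:00:00:00:00:02, proto TCP (ACK,RST), 192.0.2.5:443->198.51.100.7:60089, len 40
jan/21 10:42:19 dhcp,info dhcp-168.2 deassigned 192.168.2.217 from 02:00:00:00:00:03
jan/21 10:42:25 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), src-mac 02:00:00:00:00:02, proto UDP, 203.0.113.30:5075->198.51.100.7:5060, len 444
jan/21 10:43:10 firewall,info drop-not--from-lan-- input: in:pppoe-spark out:(unknown 0), proto TCP (SYN), 203.0.113.40:58800->198.51.100.7:23, len 44
"""

# One firewall line: timestamp, log-prefix, chain, interfaces, optional src-mac,
# protocol with optional TCP flags, then the 5-tuple and packet length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\(unknown 0\)|\S+),"
    r"(?: src-mac (?P<mac>[0-9a-f:]{17}),)?"
    r" proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?,"
    r" (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

def parse(text):
    """One dict per firewall line; dhcp/system lines do not match and are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        e = m.groupdict()
        e["dport"], e["sport"] = int(e["dport"]), int(e["sport"])
        events.append(e)
    return events

def count_by_rule(events):
    """How often each (log-prefix, chain) fired: which rule is producing the volume."""
    return Counter((e["prefix"], e["chain"]) for e in events)

def unsolicited_to_router(events, wan_if="pppoe-spark"):
    """WAN-side input-chain 'drop-not--from-lan--' hits grouped by (proto, dst port)."""
    by_port = defaultdict(lambda: {"hits": 0, "sources": set()})
    for e in events:
        if (e["chain"], e["in_if"]) == ("input", wan_if) and e["prefix"].startswith("drop-not--from-lan"):
            b = by_port[(e["proto"], e["dport"])]
            b["hits"] += 1
            b["sources"].add(e["src"])
    return {k: {"hits": v["hits"], "sources": len(v["sources"])} for k, v in by_port.items()}

def triage(summary, router_services):
    """Split into noise (ports the router does not serve) and hits on exposed services;
    router_services is an operator-supplied set of (proto, port), e.g. {("TCP", 8291)}."""
    exposed = {k: v for k, v in summary.items() if k in router_services}
    noise = {k: v for k, v in summary.items() if k not in router_services}
    return {"noise": noise, "exposed": exposed}
```

Input-chain drops on the WAN interface for ports the router does not listen on are rule 5 doing its job; the entries worth a second look are the ones in the `exposed` bucket, since those target services the router actually offers.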