robertpenz
Member Candidate
Topic Author
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:02 am

I'm seeing on our firewalls that our test CHR is trying to connect to IP 169.254.169.254 with HTTP every few seconds (= over 250.000 connection attempts in 12h). Google showed some old posts from 2015 where it was described as a bug that will be fixed. We're running 6.41.4, so it seems not.

I did the following to not mess our firewall logs up:

/ip route add distance=1 dst-address=169.254.0.0/16 type=blackhole
 
pe1chl
Forum Guru
Posts: 10196
Joined: Mon Jun 08, 2015 12:09 pm

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:18 am

You should have that anyway. Same for the RFC1918 networks and RFC6598.
/ip route
add distance=1 dst-address=10.0.0.0/8 type=unreachable
add distance=1 dst-address=100.64.0.0/10 type=unreachable
add distance=1 dst-address=169.254.0.0/16 type=unreachable
add distance=1 dst-address=172.16.0.0/12 type=unreachable
add distance=1 dst-address=192.168.0.0/16 type=unreachable
(or blackhole if you prefer)
 
sid5632
Long time Member
Posts: 553
Joined: Fri Feb 17, 2017 6:05 pm

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:24 am

If you add this:
/ip firewall filter add action=reject chain=output dst-address=169.254.169.254 protocol=tcp reject-with=tcp-reset
then it only tries once and gives up (according to the counters on the rule).
Blocking it in other ways means it's constantly trying.
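
An added example, not part of the original posts: a Python check that counts denied HTTP connections to 169.254.0.0/16 per source in a firewall log and separates a device that keeps retrying (as in the first post) from one that tries once and gives up (as described above for the tcp-reset rule). The log line format, addresses and thresholds are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Constructed log format (assumption): "<ISO time> DENY TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\S+) DENY TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)
# Constructed sample: one source retrying every 5 s, one single attempt, unrelated noise.
SAMPLE_LOG = """\
2018-04-19T10:00:00 DENY TCP 10.20.30.40:51000 -> 169.254.169.254:80
2018-04-19T10:00:05 DENY TCP 10.20.30.40:51001 -> 169.254.169.254:80
2018-04-19T10:00:10 DENY TCP 10.20.30.40:51002 -> 169.254.169.254:80
2018-04-19T10:00:15 DENY TCP 10.20.30.40:51003 -> 169.254.169.254:80
2018-04-19T10:00:07 DENY TCP 10.20.30.41:40000 -> 169.254.169.254:80
2018-04-19T10:00:08 DENY TCP 10.20.30.42:40001 -> 192.0.2.10:443
garbage line without fields
"""

def summarize(log_text):
    """Return {src: (attempts, mean seconds between attempts or None)}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts, src, dst, dport = m.groups()
        if ipaddress.ip_address(dst) in LINK_LOCAL and dport == "80":
            seen[src].append(datetime.fromisoformat(ts))
    out = {}
    for src, times in seen.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        out[src] = (len(times), span / (len(times) - 1) if len(times) > 1 else None)
    return out

def persistent_pollers(log_text, min_attempts=3, max_gap=10.0):
    """Sources that keep retrying: enough attempts, closely spaced on average."""
    return sorted(
        src for src, (n, gap) in summarize(log_text).items()
        if n >= min_attempts and gap is not None and gap <= max_gap
    )

if __name__ == "__main__":
    for src, (n, gap) in sorted(summarize(SAMPLE_LOG).items()):
        print(src, "attempts:", n, "mean gap (s):", gap)
    print("persistent:", persistent_pollers(SAMPLE_LOG))
```
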
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:26 am

Are you using CHR on AWS?
This address is used by the Amazon EC2 system; Amazon gives your device the configuration and SSH keys from this IP.
The fetch will only be repeated if there is no route to this address. Otherwise it will stop at the first failure.
 
robertpenz
Member Candidate
Topic Author
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:39 am

No, the CHR is on our own ESX in our datacenter.
 
robertpenz
Member Candidate
Topic Author
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:40 am

@sid5632: thx, changed it to your version
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:41 am

Starting from v6.42 CHR will detect that it's inside AWS EC2 and will not do these checks. Upgrade should fix it.
 
Joni
Member Candidate
Posts: 156
Joined: Fri Mar 20, 2015 2:46 pm
Contact:

Re: CHR still communicates with 169.254.169.254

Thu Apr 19, 2018 11:44 am

 
kriszos
just joined
Posts: 23
Joined: Thu Dec 21, 2017 3:08 pm

Re: CHR still communicates with 169.254.169.254

Wed May 25, 2022 1:58 pm

"Starting from v6.42 CHR will detect that it's inside AWS EC2 and will not do these checks. Upgrade should fix it."
@Normis could you elaborate on what exactly is checked by CHR to detect that it is in AWS? I would like to leverage this feature of downloading user-data from 169.254.169.254 to auto-provision CHR instances on our Hyper-V or QEMU cluster.
