notsuapps
just joined
Topic Author
Posts: 1
Joined: Thu Jun 13, 2019 4:45 pm

single IP constantly trying to log to my Mikrotik

Thu Jun 13, 2019 4:52 pm

Hi all,
I'm not very skilled in networking, except that I know some basics.

Anyway, I set a FW rule to drop incoming connections from this IP: 141.98.80.115
But every day I see in the logs that this IP is trying to get access to my router.
Added picture.

What can I do further to ban this IP?

Thanks
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: single IP constantly trying to log to my Mikrotik

Fri Jun 14, 2019 4:37 pm

Create a firewall to drop it before any rules to accept PPTP input.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
sebastia
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: single IP constantly trying to log to my Mikrotik

Fri Jun 14, 2019 4:40 pm

Add this
/ip firewall raw add action=drop src-address=141.98.80.115
 
Jotne
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: single IP constantly trying to log to my Mikrotik

Fri Jun 14, 2019 9:32 pm

/ip firewall raw add action=drop src-address=141.98.80.115
Does not work. You need to tell it what chain to use. Example:
/ip firewall raw add action=drop src-address=141.98.80.115 chain=input
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
sebastia
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: single IP constantly trying to log to my Mikrotik

Fri Jun 14, 2019 10:48 pm

right, that's what you get for writing commands from memory...
/ip firewall raw add action=drop src-address=141.98.80.115 chain=prerouting
Thx!
 
vecernik87
Long time Member
Posts: 644
Joined: Fri Nov 10, 2017 8:19 am

Re: single IP constantly trying to log to my Mikrotik

Fri Jun 14, 2019 11:27 pm

I wouldn't advise using a raw-prerouting rule. It might have a negative impact on the speed of all (including fasttracked) connections. The original idea with a filter-input rule was better. It was probably just incorrectly placed at the end of all rules.

Raw-prerouting is great for a specific purpose: when you need to drop packets before conntrack, in order to minimize potential resource consumption in flood-type situations. Since this is not a (D)DoS, it will have more negative than positive consequences, because ROS can't peacefully skip the RAW table and has to test every single packet going through the router against this rule.
 
sebastia
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: single IP constantly trying to log to my Mikrotik

Sat Jun 15, 2019 12:28 am

I wouldn't advise using a raw-prerouting rule. It might have a negative impact on the speed of all (including fasttracked) connections.
...
it will have more negative than positive consequences, because ...
This is based on what factual info / data?

It's a rule-based system like any other table (filter, nat, mangle) in the Linux kernel.
 
Emil66
just joined
Posts: 12
Joined: Tue Aug 28, 2018 2:09 am

Re: single IP constantly trying to log to my Mikrotik

Sat Jun 15, 2019 1:29 am

I wouldn't advise using a raw-prerouting rule. It might have a negative impact on the speed of all (including fasttracked) connections.
...
it will have more negative than positive consequences, because ...
This is based on what factual info / data?

It's a rule-based system like any other table (filter, nat, mangle) in the Linux kernel.
The filter table firewall rules are usually structured so that packets which belong to established connections only hit a minimal number of rules: One of the first rules in the filter table input chain is to accept packets belonging to established and related connections. These are the vast majority of packets, so if they need to pass many rules before they are accepted, the CPU load will be high. You really want to base complicated decisions only on the first packet of a "connection". The raw table is checked before the filter table, so every packet will hit any rule you put there before it can be accepted in the filter table input chain by the "accept established, related" rule. This is bad even without fasttracking.

The order of rules matters: Rules which accept packets that occur frequently or with sensitive timing should be higher in the list of rules. Packets belonging to established connections occur much more frequently than any other type of packet, so these should be handled at the very top of the list unless something else absolutely needs to be done first. Filtering out SYN packets from one particular IP address which appear only infrequently is definitely not more important. The raw table rules are higher on the list than the filter table rules. Don't filter there.
Hex S
 
sebastia
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: single IP constantly trying to log to my Mikrotik

Sat Jun 15, 2019 10:15 am

I asked for factual info & data, not some gut feelings and expectations!
...to pass many rules before they are accepted, the CPU load will be high...
Can you prove it? Tik can easily handle hundreds of rules with no / minimal impact (caveat: as long as no heavy matchers are used)
This is bad even without fasttracking.
Prove it!

Your logic is wrong (1) and I can prove it on a real system (2).

(1)
One of the first rules in the filter table input chain is to accept packets belonging to established and related connections.
(BTW: that depends on configuration)
And how do you imagine all those packets are matched to the existing table of connections? By MAGIC?
For each packet some CPU cycles will be used to compare it with the existing list of connections and determine if it's established or related to them and if it can be allowed to pass.

(2)
I DO have rules in the raw table, and whether I enable or disable them there is NO measurable impact on CPU load with heavy traffic throughput.

So come with founded data + info, or don't bother...
 
mkx
Forum Guru
Posts: 2932
Joined: Thu Mar 03, 2016 10:23 pm

Re: single IP constantly trying to log to my Mikrotik

Sat Jun 15, 2019 11:55 am

For each packet some CPU cycles will be used to compare it with the existing list of connections and determine if it's established or related to them and if it can be allowed to pass.
.... which might be thousands of comparisons if that many connections are tracked by the FW at a given time. Compared to that, a few (hundred) raw rules is peanuts ...
BR,
Metod
 
pe1chl
Forum Guru
Posts: 5811
Joined: Mon Jun 08, 2015 12:09 pm

Re: single IP constantly trying to log to my Mikrotik

Sat Jun 15, 2019 1:47 pm

For each packet some CPU cycles will be used to compare it with the existing list of connections and determine if it's established or related to them and if it can be allowed to pass.
.... which might be thousands of comparisons if that many connections are tracked by the FW at a given time. Compared to that, a few (hundred) raw rules is peanuts ...
Actually, no.
Things like tracked connections (and also address lists) are stored in a clever way so the match can be made more quickly than by checking them all.
For example, by storing them in a sorted tree, often sorted by a hash value of the keys used to look them up. That way, finding the match in a collection of N items does not require N/2 comparisons (on average) but more like 2Log(N).
On the other hand, with a few hundred raw rules the only way to check them all is to check them one by one, top to bottom, because that is how they are defined to work.
 
mkx
Forum Guru
Posts: 2932
Joined: Thu Mar 03, 2016 10:23 pm

Re: single IP constantly trying to log to my Mikrotik

Sat Jun 15, 2019 2:05 pm

If we're speculating: why should raw rules be stored any differently than tracked connections? Because typically they only contain a fraction of the information compared to tracked connections?

But then, the connection tracking engine should update the state of the connection (to check if e.g. a TCP connection got FIN or RST) and for that it has to touch the individual connection in the list (however it might be sorted). Which indeed means that the connection list should be searchable very efficiently. All of it doesn't mean that raw rules couldn't use a similar mechanism.
BR,
Metod
 
pe1chl
Forum Guru
Posts: 5811
Joined: Mon Jun 08, 2015 12:09 pm

Re: single IP constantly trying to log to my Mikrotik

Sat Jun 15, 2019 10:05 pm

If we're speculating: why should raw rules be stored any differently than tracked connections?
Because the manual states that raw rules are processed sequentially from top to bottom. So that is the only way they can be matched. First check the first rule, if it matches perform its action, then check the second rule, if it matches perform that action, etc etc. (or until the passthrough flag is not set for a matching rule).

Tracked connections, however, are not in any predetermined sequence. When a packet comes in and the corresponding connection is to be looked up, there is no need to touch them all. A clever method can find the correct connection in only a few tries, even when there are many.
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Sat Jun 15, 2019 10:16 pm

@pe1chl Don't get me wrong, in fact every time MKX is wrong I do a happy dance and treat myself to a nice cold beer! BUT......

"Things like tracked connections (and also address lists) are stored in a clever way so the match can be made more quickly than by checking them all."
Appears to be an assumption/speculation/opinion UNLESS one can provide references and/or threads where MT staff have stated such in-depth knowledge of MT code.

Awaiting your clarification, music cued, opener poised on the beer bottle........ ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 2932
Joined: Thu Mar 03, 2016 10:23 pm

Re: single IP constantly trying to log to my Mikrotik

Sat Jun 15, 2019 11:08 pm

@pe1chl Don't get me wrong, in fact every time MKX is wrong I do a happy dance and treat myself to a nice cold beer!
I try really hard not to be wrong too often because I don't want you to become an alcohol addict :wink:

What pe1chl writes makes much sense to me.
BR,
Metod
 
Emil66
just joined
Posts: 12
Joined: Tue Aug 28, 2018 2:09 am

Re: single IP constantly trying to log to my Mikrotik

Sat Jun 15, 2019 11:41 pm

I asked for factual info & data, not some gut feelings and expectations!

The Linux kernel code is open source. You can look it up yourself. This is the Mikrotik Beginner Basics forum, not a technical debate club.

...to pass many rules before they are accepted, the CPU load will be high...
Can you prove it? Tik can easily handle hundreds of rules with no / minimal impact (caveat: as long as no heavy matchers are used)

Just because your router has enough CPU power to handle an inefficient firewall design doesn't mean it generally doesn't matter.

One of the first rules in the filter table input chain is to accept packets belonging to established and related connections.
(BTW: that depends on configuration)

Yes, it does depend on configuration. You can run without connection tracking, without a firewall or with just a stateless firewall, but the default configuration (not the blank configuration) comes with a stateful firewall configuration that has an "accept established, related" rule very high in the filter table input/forward chains. Beginner Basics forum, remember?

And how do you imagine all those packets are matched to existing table of connections? By MAGIC?

The Linux kernel (which is at the heart of every Mikrotik router) uses hash tables for connection tracking. The kernel does not search a list to find the matching connection for a packet. A hash table is a "constant time" data structure. In contrast, every packet needs to be checked against every firewall rule (in order) until a packet is accepted, rejected or dropped.

for each packet some cpu cycles will be used to compare with existing list of connections and determine if it's established or related to them and if they can be allowed to pass

Yes, except it's not a comparison with a list but essentially a constant time lookup, and unless you don't use connection tracking for a particular packet, this happens anyway, so checking packets which belong to already established connections against additional rules adds unnecessary overhead to the processing of these packets. This matters when the router is operating close to its maximum throughput.

I DO have rules in raw table, and whether I enable them or disable there is NO measurable impact on cpu load with heavy traffic throughput.

So come with founded data + info, or don't bother...

It's really common sense that the order of firewall rules matters, if you've read the iptables documentation. Anyway, does Mikrotik documentation count?
https://wiki.mikrotik.com/wiki/Tips_and ... ngle_rules
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Sun Jun 16, 2019 6:09 pm

Useless ref in regard to the question posed........................... looking for a reference that the router processes filter rules of accepted/related more efficiently than other firewall filter rules in general and specifically better than raw rules. If it was so important and so clear, then it would be in a wiki and not force users to learn Linux, open up the source code and make the necessary conclusion! What planet did you say you were from???
 
Emil66
just joined
Posts: 12
Joined: Tue Aug 28, 2018 2:09 am

Re: single IP constantly trying to log to my Mikrotik

Sun Jun 16, 2019 8:14 pm

looking for a reference that the router processes filter rules of accepted/related more efficiently than other firewall filter rules in general and specifically better than raw rules.

Nobody said anything like that. Each rule that needs to be checked takes some time. When processing a packet that belongs to an established connection, i.e. the vast majority of packets, a rule that comes before the "accept established, related" rule (regardless of the table it is in) takes more time than a rule that comes after it. The rather obvious reason for this is that a rule which comes before the "accept established, related" rule needs to be processed, but a rule that comes after it does not need to be processed, because the "accept established, related" rule has already accepted the packet.

If it was so important and so clear, then it would be in a wiki and not force users to learn Linux, open up the source code and make the necessary conclusion! What planet did you say you were from???

Once more, Mikrotik says the order of firewall rules matters, in their wiki: https://wiki.mikrotik.com/wiki/Tips_and ... ngle_rules


Here's what happens when you filter in the raw table and a packet belonging to an established connection arrives:

  • Rule in the raw table prerouting chain: Is the source address of this packet x.x.x.x? No, continue (and we know this rule won't match because it's a packet that belongs to an established connection)
  • Connection tracking: Look up matching connection (a matching connection exists, so this packet is marked as belonging to an established connection)
  • Rule in the filter table input or forward chain: Does the packet belong to an established or related connection? Yes, accept, end of processing.

Here's what happens when you filter in the filter table, after the "accept established, related" rule, and a packet belonging to an established connection arrives:

  • Connection tracking: Look up matching connection (a matching connection exists, so this packet is marked as belonging to an established connection)
  • Rule in the filter table input or forward chain: Does the packet belong to an established or related connection? Yes, accept, end of processing.

This takes less time. It's literally the same work minus the raw table filter rule checking. And because this affects the vast majority of all packets, this is the right way to do it. The other way works too, but it's less efficient.
 
pe1chl
Forum Guru
Posts: 5811
Joined: Mon Jun 08, 2015 12:09 pm

Re: single IP constantly trying to log to my Mikrotik

Mon Jun 17, 2019 1:31 am

Filtering in the raw table can sometimes make sense in cases where an extreme amount of traffic arrives that is to be dropped before it can register a "connection", e.g. UDP traffic or traffic to be dst-natted ("portforwarding" in most router speak).
But in this case there is no extreme amount of traffic, and it is to be dropped mainly to keep the log clean. The proper place to do that indeed is after "accept established,related" and before "accept this traffic from everyone", in the filter table.

When there is more than one address to be filtered, the proper way of doing it is with a single rule in the firewall table using an "address list" for the source address match, with the addresses to be matched inserted in the address list.
That is because an entry in an address list can be looked up quite quickly and there is no (linear) increase in the processing time when there are more addresses in the table, as there would be when more and more rules are added to the firewall filter table.
Furthermore, with an address list you can configure the router to automatically insert the address in the list, temporarily or permanently, when some conditions are met. So you can auto-block addresses when you like.

(but always be very careful with that, certainly as a beginner. you need to know what you are doing and what can be the consequences when auto-blacklisting addresses!)
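The processing-order argument in this thread (Emil66's two step-by-step walkthroughs of a packet from an established connection, and the recommendation just above to use a single address-list rule placed after "accept established,related") can be checked against a small model. What follows is an added example written for this page, not RouterOS code and not something any of the posters ran: it parses a constructed subset of the RouterOS CLI syntax used in the thread, models connection tracking as a hash lookup (a Python set keyed on the connection tuple), and counts how many rule evaluations each packet costs under the two placements of the drop rule. 141.98.80.115 is the address from the original post; the client address 203.0.113.10, the router address 198.51.100.1, the PPTP port 1723 and the list name "blocked" are constructed values.

```python
"""Model of the RouterOS packet path raw -> connection tracking -> filter. Constructed
example for this thread, not RouterOS code; parses only the CLI subset used below."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Placement A: drop in the raw table (before conntrack, evaluated for every packet).
CONFIG_RAW_DROP = """
/ip firewall raw add chain=prerouting src-address=141.98.80.115 action=drop
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept
"""
# Placement B: drop in the filter table after "accept established,related", matching
# an address list so that more blocked addresses never mean more rules.
CONFIG_FILTER_DROP = """
/ip firewall address-list add list=blocked address=141.98.80.115
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input src-address-list=blocked action=drop
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept
"""

@dataclass
class Rule:
    table: str                # "raw" or "filter"
    chain: str                # "prerouting" or "input"
    matchers: Dict[str, str]  # the rule's remaining key=value pairs
    action: str               # "accept" or "drop"

# One matcher per supported key; an unsupported key raises KeyError when looked up.
MATCHERS = {
    "src-address": lambda pkt, want, lists, state: pkt["src"] == want,
    "src-address-list": lambda pkt, want, lists, state: pkt["src"] in lists.get(want, set()),
    "protocol": lambda pkt, want, lists, state: pkt["proto"] == want,
    "dst-port": lambda pkt, want, lists, state: str(pkt["dport"]) == want,
    "connection-state": lambda pkt, want, lists, state: state in want.split(","),
}

def parse_config(text: str) -> Tuple[List[Rule], Dict[str, Set[str]]]:
    """Parse '/ip firewall <table> add key=value ...' lines (constructed subset)."""
    rules, lists = [], {}
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:2] != ["/ip", "firewall"] or parts[3] != "add":
            raise ValueError(f"unsupported line: {line}")
        kv = dict(p.split("=", 1) for p in parts[4:])
        if parts[2] == "address-list":
            lists.setdefault(kv["list"], set()).add(kv["address"])  # membership is a hash lookup
        else:
            chain, action = kv.pop("chain"), kv.pop("action")
            rules.append(Rule(parts[2], chain, kv, action))
    return rules, lists

def matches(rule: Rule, pkt: dict, lists: Dict[str, Set[str]], state: str) -> bool:
    """Evaluate every matcher of one rule against one packet."""
    return all(MATCHERS[k](pkt, v, lists, state) for k, v in rule.matchers.items())

def process(pkt: dict, rules: List[Rule], lists: Dict[str, Set[str]], conntrack: set) -> Tuple[str, int, int]:
    """Run one packet through the pipeline; returns (verdict, rule evaluations, conntrack lookups)."""
    evaluations = 0
    # 1. raw/prerouting: top to bottom, before conntrack has seen the packet.
    for rule in rules:
        if rule.table == "raw" and rule.chain == "prerouting":
            evaluations += 1
            if matches(rule, pkt, lists, "untracked"):
                if rule.action == "drop":
                    return "drop", evaluations, 0
                break  # accept: leave the raw chain, continue to conntrack
    # 2. connection tracking: one hash lookup, however many connections are tracked.
    key = (pkt["proto"], frozenset({(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])}))
    state = "established" if key in conntrack else "new"
    # 3. filter/input: again top to bottom until the first matching rule.
    verdict = "accept"  # default policy when nothing matches
    for rule in rules:
        if rule.table == "filter" and rule.chain == "input":
            evaluations += 1
            if matches(rule, pkt, lists, state):
                verdict = rule.action
                break
    if verdict == "accept":
        conntrack.add(key)  # connection confirmed once its first packet is accepted
    return verdict, evaluations, 1

def run(config: str, packets: List[dict]) -> Dict[str, int]:
    """Total cost of a packet sequence under one configuration."""
    rules, lists = parse_config(config)
    conntrack: set = set()
    totals = {"rule_evaluations": 0, "conntrack_lookups": 0, "accepted": 0, "dropped": 0}
    for pkt in packets:
        verdict, evaluations, lookups = process(pkt, rules, lists, conntrack)
        totals["rule_evaluations"] += evaluations
        totals["conntrack_lookups"] += lookups
        totals["accepted" if verdict == "accept" else "dropped"] += 1
    return totals

def sample_traffic(n_established: int) -> List[dict]:
    """Constructed traffic: one legitimate PPTP client (first packet plus n_established
    follow-ups) and a single probe from the address the thread wants blocked."""
    client = {"src": "203.0.113.10", "dst": "198.51.100.1", "proto": "tcp", "sport": 40000, "dport": 1723}
    probe = {"src": "141.98.80.115", "dst": "198.51.100.1", "proto": "tcp", "sport": 51234, "dport": 1723}
    return [client] * (n_established + 1) + [probe]
```

With 1000 follow-up packets on the legitimate connection, run() reports 2004 rule evaluations for the raw placement against 1005 for the filter placement, while the conntrack lookup counts differ only by the single lookup the probe packet costs. Real RouterOS rule costs are not uniform and the model ignores fasttrack, but it shows where the per-packet cost of a misplaced rule comes from: every established packet pays for it.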
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Mon Jun 17, 2019 1:34 pm

Okay that makes more sense now.
 
sebastia
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: single IP constantly trying to log to my Mikrotik

Mon Jun 17, 2019 9:08 pm

@Emil66
It's a forum for technical assistance. Don't be offended when you "waltz in", post "some gut feelings and expectations" without any substantiation, and someone reacts to that...

Your opinions are incorrect.
 
Emil66
just joined
Posts: 12
Joined: Tue Aug 28, 2018 2:09 am

Re: single IP constantly trying to log to my Mikrotik

Mon Jun 17, 2019 9:53 pm

@Emil66
It's a forum for technical assistance. Don't be offended when you "waltz in", post "some gut feelings and expectations" without any substantiation, and someone reacts to that...

Your opinions are incorrect.

This thread could have been over when vecernik87 correctly informed you about the purposes of the raw table and the filter table, complete with the factually correct information that choosing the right position for the filter rule is a matter of performance. I have already posted the link to the relevant Mikrotik documentation twice now. READ IT. I have no tolerance for people who ignore the facts presented to them.
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Mon Jun 17, 2019 10:19 pm

The point was I understand about the order of firewall rules and efficiency of checking packets.
What I was questioning and wanted to see a reference about was this line...........
"Things like tracked connections (and also address lists) are stored in a clever way so the match can be made more quickly than by checking them all."

That is what I wanted more clarity about.
 
Emil66
just joined
Posts: 12
Joined: Tue Aug 28, 2018 2:09 am

Re: single IP constantly trying to log to my Mikrotik

Tue Jun 18, 2019 12:31 am

The point was I understand about the order of firewall rules and efficiency of checking packets.
What I was questioning and wanted to see a reference about was this line...........
"Things like tracked connections (and also address lists) are stored in a clever way so the match can be made more quickly than by checking them all."

That is what I wanted more clarity about.

As I already mentioned, the "clever way" is a hash table. That's a very common data structure with (in the average case) constant time complexity. Here's the Wikipedia entry about hash tables: https://en.wikipedia.org/wiki/Hash_table. The kernel takes all the information which identifies the connection from the packet, calculates a (much shorter) hash value and uses the hash value to look up the connection information in an array of linked lists. The hash table is tuned to use very short lists, ideally of length 1, so all of this usually takes a constant amount of time. The kernel does not walk a list of all connections to find the connection to which a packet belongs. And finally, to support that this is actually what the kernel does for connection tracking, here are slides from a presentation about the conntrack system in the Linux kernel: https://strlen.de/talks/netdev21_conntrack.pdf. The data structure is mentioned on page 7. There's no particular reason to choose this presentation, it was just one of the first results of a Google search. The definitive answer would be the Linux kernel source code, but I've been told not to use that as a reference. IP address list matching can be performed in multiple ways, with hash tables among those ways. See here: http://ipset.netfilter.org/ipset.man.html
 
vecernik87
Long time Member
Posts: 644
Joined: Fri Nov 10, 2017 8:19 am

Re: single IP constantly trying to log to my Mikrotik

Tue Jun 18, 2019 5:44 am

I feel almost bad for providing some feedback.
Sorry for not providing some hard data. And thanks @Emil66 for all explanations and patience. I don't have as much time recently, as I would like. And I would probably ragequit anyway in the process.
 
Jotne
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: single IP constantly trying to log to my Mikrotik

Tue Jun 18, 2019 1:20 pm

Some feedback to you, vecernik87.
Always post the image on the forum, not a link. I have had several problems when the original site of the photo goes away and we lose the original.
So use Attachments :)

Here is your feedback photo.
feedback.png
 
 
krisjanisj
MikroTik Support
Posts: 53
Joined: Wed Feb 20, 2019 2:53 pm

Re: single IP constantly trying to log to my Mikrotik

Tue Jun 18, 2019 1:41 pm

Some feedback to you, vecernik87.
Always post the image on the forum, not a link. I have had several problems when the original site of the photo goes away and we lose the original.
So use Attachments :)
Or just use the [image] tag ( [image=WIDTH(%)]URL[/image] ), which allows scaling images so it isn't displayed across the whole screen, like this:
* Wager of "The Holy War" against users who don't paste their config/export/print into [code][/code] blocks
* Avid coffee consumer
* Provider of stupid solutions for simple problems
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Tue Jun 18, 2019 2:52 pm

That is awesome!! Luv it.
 
Jotne
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: single IP constantly trying to log to my Mikrotik

Tue Jun 18, 2019 3:00 pm

Or just use the [image] tag ( [image=WIDTH(%)]URL[/image] ), which allows scaling images so it isn't displayed across the whole screen, like this:
Don't post URLs. My thread (Splunk for MT) stopped working since one person posted a URL to a photo that was later removed, and anyone who visited the thread was asked to log in (to the remote site when opening the thread). It takes 5 seconds to upload a photo to the site, so again please do not use URLs. But we can take this to another thread.....
 
 
vecernik87
Long time Member
Posts: 644
Joined: Fri Nov 10, 2017 8:19 am

Re: single IP constantly trying to log to my Mikrotik

Tue Jun 18, 2019 3:12 pm

I wanted to make it non-intrusive but okay - note taken and blame fully accepted :)

@krisjanisj Could you please also react to the topic to clear it up? It seems that both sides are pretty confident about their truth and for future reference, it would be good to have a clear solution. Or ideally - could you get Janis Megis (for those who don't know him, he is the genius behind "meet dave" presentations) to say the last word in this virtual battle of firewall rules?

@anav of course you do :wink: I didn't expect anything less.
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Tue Jun 18, 2019 5:13 pm

@anav of course you do :wink: I didn't expect anything less.
What can I say, it's a beautiful day here, went rowing this morning, and I have that rare urge to ride a pony! ;-)
 
krisjanisj
MikroTik Support
Posts: 53
Joined: Wed Feb 20, 2019 2:53 pm

Re: single IP constantly trying to log to my Mikrotik

Wed Jun 19, 2019 1:14 pm

@krisjanisj Could you please also react to the topic to clear it up? It seems that both sides are pretty confident about their truth and for future reference, it would be good to have a clear solution. Or ideally - could you get Janis Megis (for those who don't know him, he is the genius behind "meet dave" presentations) to say the last word in this virtual battle of firewall rules?
I managed to get some information from Janis Megis:
1) until the CPU or a CPU core hits 100% load, all things discussed don't really matter - all is fine!
in case of overload/problem:
if /tool profiler indicates that most load is from conntrack, you need to use RAW more to protect conntrack
if /tool profiler indicates that most load is from the filter, you need to optimize the number of rules and options that a packet needs to match against (in all firewall chains)
2) as soon as the connection is flagged for fasttrack, conntrack communicates with interface drivers and packets from those connections are fasttracked, skipping all the firewall rules (RAW/mangle/filter)
3) conntrack is by default the most expensive RouterOS facility, so it must be used only when necessary, so, for example, if 9 out of 10 networks managed by the device have public IPs, and one is a private network and requires NAT, it is a common solution to disable conntrack and in RAW action=accept (a.k.a. send to conntrack anyway) traffic from the private network, and configure a stateless firewall for the rest of the traffic.

Don't post URLs. My thread (Splunk for MT) stopped working since one person posted a URL to a photo that was later removed, and anyone who visited the thread was asked to log in (to the remote site when opening the thread). It takes 5 seconds to upload a photo to the site, so again please do not use URLs. But we can take this to another thread.....
It depends on where the image is hosted etc, but this indeed is a personal preference in the end. (and my "holy war" against posted pictures that are across the whole screen and you need to scroll down a few seconds just to pass it fully)
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Wed Jun 19, 2019 10:18 pm

Very interesting update Sir.
@vecernik87 can you boil that down into simple English.
It seems to this poor befuddled brain that he is saying, it doesn't really matter which way the question is solved unless one is hitting 100% load.
He seems to pass on that if load is an issue, then established related etc........ may actually be more cpu intensive than a raw rule?
Anyway probably not even close but seems to be what is being said.
 
sebastia
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: single IP constantly trying to log to my Mikrotik

Wed Jun 19, 2019 10:45 pm

Hey @krisjanisj
2) as soon as the connection is flagged for fasttrack, conntrack communicates with interface drivers and packets from those connections are fasttracked, skipping all the firewall rules (RAW/mangle/filter)
Don't you mean NAT? RAW is pre conntrack...
3) conntrack is by default the most expensive RouterOS facility, so it must be used only when necessary, so, for example, if 9 out of 10 networks managed by the device have public IPs, and one is a private network and requires NAT, it is a common solution to disable conntrack and in RAW action=accept (a.k.a. send to conntrack anyway) traffic from the private network, and configure a stateless firewall for the rest of the traffic.
My understanding is that the settings (under https://wiki.mikrotik.com/wiki/Manual:I ... operties_2) are global: disabled there -> no conntrack at all.
We can bypass conntrack with raw action=notrack (= do not send the packet to connection tracking).
Can the global "off switch" be selectively "re-enabled"?
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Thu Jun 20, 2019 4:39 pm

Aha! I drive an old shitbox and i have the same questions as the Alfa Romeo driver (lucky dog) which proves that he has better taste for inanimate objects LOL ( and less frugal - no Catalan blood at all ).
Last edited by anav on Thu Jun 20, 2019 11:19 pm, edited 1 time in total.
 
sebastia
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: single IP constantly trying to log to my Mikrotik

Thu Jun 20, 2019 7:51 pm

OT: Alfa has cars for all kinds of paying customers ;-)
 
macgaiver
Forum Guru
Posts: 1721
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: single IP constantly trying to log to my Mikrotik

Fri Jun 21, 2019 3:03 pm

Don't you mean NAT? RAW is pre conntrack...
NAT only works with the first packets of the connection and registers it into conntrack; after that conntrack handles everything. NAT is out of the picture.
My understanding is that settings (under https://wiki.mikrotik.com/wiki/Manual:I ... operties_2) are global: disabled there -> no conntrack at all.
We can by-pass conntrack with raw action=notrack (=do not send packet to connection tracking).
Can the global "off switch" be selectively "re-enabled"?
That option is just the default policy after RAW. You can do it in 2 ways:
1) use action=notrack in RAW and then "accept all remaining" connections into conntrack with enabled=yes
2) use action=accept in RAW to send selective connections to conntrack and then "drop everything else" with enabled=no in conntrack.
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
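The two arrangements macgaiver lists (and the "9 public networks, 1 private network with NAT" scenario quoted earlier in the thread) written out as RouterOS CLI. This is an added example, not configuration from any of the posters or from MikroTik's documentation; the interface name and the subnets are constructed, and way 2 relies on the thread's own report that a RAW accept still hands packets to conntrack when tracking is globally disabled.

```routeros
# Added example of the two arrangements above; not from the thread posts
# or MikroTik's documentation. Constructed topology: ether1 is the WAN,
# 203.0.113.0/24 is a routed public network (no NAT needed) and
# 192.168.88.0/24 is the one private LAN that must be NATed.

# Way 1: conntrack stays on, RAW exempts the public network (notrack).
/ip firewall connection tracking set enabled=yes
/ip firewall raw
add chain=prerouting src-address=203.0.113.0/24 action=notrack \
    comment="public net outbound: stateless, never enters conntrack"
add chain=prerouting dst-address=203.0.113.0/24 action=notrack \
    comment="public net inbound: stateless as well"
# Everything else, i.e. the private LAN and its return traffic, falls
# through to conntrack and NAT as usual.

# Way 2: conntrack globally off, RAW opts the private LAN back in (accept).
# This is the undocumented method macgaiver calls option 2; the thread
# later quotes the 6.45 changelog entry that concerns exactly this path.
/ip firewall connection tracking set enabled=no
/ip firewall raw
add chain=prerouting src-address=192.168.88.0/24 action=accept \
    comment="private LAN: hand to conntrack so srcnat can work"
add chain=prerouting in-interface=ether1 dst-address-type=local action=accept \
    comment="replies for the NATed LAN arrive addressed to the WAN IP"
# Everything else hits the dynamic notrack rules that enabled=no installs
# at the end of the prerouting and output RAW chains (sebastia's print).

# The NAT rule is the same in both layouts:
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 action=masquerade

# Caveat: untracked packets never match connection-state=... in filter
# rules, so the public network needs stateless rules (addresses, ports,
# tcp-flags) instead of the usual established,related accept.
```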
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: single IP constantly trying to log to my Mikrotik

Fri Jun 21, 2019 3:37 pm

Thx for info

NAT might be used implicitly where applicable. RAW is applied before connection tracking and so doesn't belong in that list.

2) that use is undocumented. Did you use that method already?
/ip firewall connection tracking enabled = "Allows to disable or enable connection tracking. Disabling connection tracking will cause several firewall features to stop working. See the list of affected features. Starting from v6.0rc2 default value is auto. Which means that connection tracing is disabled until at least one firewall rule is added."

On a related note: how does one accept traffic (= let it pass) and not send it to connection tracking with "/ip firewall connection tracking enabled=no"? See https://wiki.mikrotik.com/wiki/Manual:I ... Raw#Chains
What am I missing?

Documentation needs fixing
 
anav
Forum Guru
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Fri Jun 21, 2019 6:06 pm

Ha, you think you're confused. I will wait for the dust to settle on this one.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: single IP constantly trying to log to my Mikrotik

Fri Jun 21, 2019 8:34 pm

So given the insurmountable amount of evidence and documentation (hint: sarcasm), I've set up a GNS3 bench to test it.

When I disable connection tracking, here is what I find in raw table:
[admin@R-1] /ip firewall connection> /ip firewall raw print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; /ip firewall connection tracking set enabled=no
      chain=prerouting action=notrack 

 1  D ;;; /ip firewall connection tracking set enabled=no
      chain=output action=notrack
So the setting is just a "syntactic sugar" and is implemented by "notrack"-ing everything...
 
anav
Forum Guru
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Sat Jun 22, 2019 4:38 am

Translation please (Belgian to English)!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Forum Guru
Posts: 2932
Joined: Thu Mar 03, 2016 10:23 pm

Re: single IP constantly trying to log to my Mikrotik

Sat Jun 22, 2019 10:41 am

Translation please (Belgian to English)!

The Belgian Alfa Romeo driver showed that french fries were actually invented by Belgians.

Uhmm, no, hold it. @sebastia showed that global firewall setting /ip firewall connection tracking set enabled=no actually introduces two raw firewall rules, shown in his [ code ] block.
Implication is that there is a way to selectively disable connection tracking according to admin's liking.
BR,
Metod
 
TheSirStumfy
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Sun Oct 14, 2018 7:54 pm

Re: single IP constantly trying to log to my Mikrotik

Tue Jun 25, 2019 1:51 pm

Just to add to this: this seems to be a widespread attack, I have it on 3 separate instances. Same IP.
 
anav
Forum Guru
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Tue Jun 25, 2019 8:15 pm

Translation please (Belgian to English)!

The Belgian Alfa Romeo driver showed that french fries were actually invented by Belgians.

Uhmm, no, hold it. @sebastia showed that global firewall setting /ip firewall connection tracking set enabled=no actually introduces two raw firewall rules, shown in his [ code ] block.
Implication is that there is a way to selectively disable connection tracking according to admin's liking.
I don't speak Italien, Belgique, or MKX.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
pe1chl
Forum Guru
Forum Guru
Posts: 5811
Joined: Mon Jun 08, 2015 12:09 pm

Re: single IP constantly trying to log to my Mikrotik

Tue Jun 25, 2019 9:04 pm

Just to add to this: this seems to be a widespread attack, I have it on 3 separate instances. Same IP.
I cannot confirm that....
 
mkx
Forum Guru
Forum Guru
Posts: 2932
Joined: Thu Mar 03, 2016 10:23 pm

Re: single IP constantly trying to log to my Mikrotik

Tue Jun 25, 2019 10:19 pm

I don't speak Italien, Belgique, or MKX.
I can understand mentioning Belgique and Mkx in same sentence (neither are languages), but what do you hold against Italiano?
BR,
Metod
 
ik3umt
Member Candidate
Member Candidate
Posts: 247
Joined: Tue Jul 08, 2014 3:58 pm

Re: single IP constantly trying to log to my Mikrotik

Wed Jun 26, 2019 12:45 pm

Imagine....if this wasn't the "Beginner Basics" section.......
 
mkx
Forum Guru
Forum Guru
Posts: 2932
Joined: Thu Mar 03, 2016 10:23 pm

Re: single IP constantly trying to log to my Mikrotik

Wed Jun 26, 2019 3:52 pm

Imagine....if this wasn't the "Beginner Basics" section.......

Yup. The discussion should have ended after post #5. But then ... none of this interesting discussion would have happened, as nobody would have opened a new thread in another forum corner about the already solved problem.
BR,
Metod
 
anav
Forum Guru
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Wed Jun 26, 2019 4:19 pm

MKX, for this beginner: please elucidate the trodden masses on how to use (practical applications of) this new information on how to control connection tracking when using filter rules and raw rules. There have been some really eye-opening statements and facts presented in this thread and it's really difficult for me to sort out what is real, what is important and how to apply such information. Yes, please hold my hand. Don't mind the rowing calluses (they are not warts). :-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
TheSirStumfy
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Sun Oct 14, 2018 7:54 pm

Re: single IP constantly trying to log to my Mikrotik

Wed Jun 26, 2019 11:38 pm

I cannot confirm that....

Well I can, I can give logs. About 3-4 attempts every day, usually 3 tries per attempt.

Also others are complaining about it here: https://whatismyipaddress.com/ip/141.98.80.115
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: single IP constantly trying to log to my Mikrotik

Wed Jun 26, 2019 11:57 pm

I have the IP in my logs as well.

Src_IP: 141.98.80.115
Dest_port: 1723/tcp

Since I run a 24 hour block for every IP that tries to access any non-open port, I get one hit per day. (I do not need to log all.)
PS: Turned on full logging, so I can see how often and which port it tries to connect to. Then I add it to my permanently blocked list.
Block_IP.jpg
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
pe1chl
Forum Guru
Forum Guru
Posts: 5811
Joined: Mon Jun 08, 2015 12:09 pm

Re: single IP constantly trying to log to my Mikrotik

Thu Jun 27, 2019 12:26 pm

Be careful with that.
I see regular spoofed "attacks" from 1.1.1.1 for example.
Did not see that from 8.8.8.8 but maybe that is due to some reverse-path filtering at the ISP or similar.
Running such an autoblocker can easily make your connection fail in mysterious ways, especially when you have it in the raw table instead of the filter table (after established/related).
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: single IP constantly trying to log to my Mikrotik

Thu Jun 27, 2019 2:32 pm

That's why I have the rule in standard FW, not raw. And I do see 1.1.1.1 in there:

_time rule chain in_if out_if src_mac protocol src_ip src_port dest_ip dest_port City Country
2019-06-26 21:02:49 FW_Block_open_ports input ether1-Wan (unknown 0) 00:05:00:01:00:01 TCP 1.1.1.1 80 92.220.200.251 43628 Australia
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
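The auto-block Jotne describes, laid out the way pe1chl recommends: in the filter table, after the established/related accept, never in RAW. This is an added example and not Jotne's or pe1chl's actual configuration; the interface name ether1-Wan and the log prefix are taken from Jotne's log line, the list names and the assumption that only 1723/tcp is meant to be reachable are constructed.

```routeros
# Added example (not Jotne's or pe1chl's config): 24 hour auto-block for
# hosts that probe closed ports on the router itself. Assumptions
# (constructed): ether1-Wan is the WAN, PPTP (1723/tcp) is the only service
# meant to be reachable from the internet, list names are made up here.
/ip firewall filter
# 1. Established/related first. A forged SYN with source 1.1.1.1 or 8.8.8.8
#    only ever matches the trap below; the real resolver's replies to the
#    router's own queries are "established" and are accepted here, so
#    landing a spoofed source on the list does not break DNS.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# 2. Sources already on the temporary list are dropped; the list entry
#    itself carries the expiry.
add chain=input in-interface=ether1-Wan src-address-list=blocked_24h \
    action=drop comment="Tempban"
# 3. Permanent list maintained by hand for repeat offenders.
add chain=input in-interface=ether1-Wan src-address-list=blocked_forever \
    action=drop comment="Permban"
# 4. Services that are supposed to be reachable are accepted before the trap.
add chain=input in-interface=ether1-Wan protocol=tcp dst-port=1723 \
    connection-state=new action=accept comment="PPTP"
# 5. Anything else that is new and arrives from the WAN is a probe of a
#    closed port: log it and list the source for one day, then drop it.
#    add-src-to-address-list does not terminate, hence the separate drop.
add chain=input in-interface=ether1-Wan connection-state=new \
    action=add-src-to-address-list address-list=blocked_24h \
    address-list-timeout=1d log=yes log-prefix="FW_Block_open_ports"
add chain=input in-interface=ether1-Wan action=drop
# 6. Promote a source that keeps coming back (the thread's example IP).
/ip firewall address-list
add list=blocked_forever address=141.98.80.115 comment="PPTP brute force"
# Caveat: keep the list drops in chain=input. Copying them into RAW
# prerouting or chain=forward would also discard the replies your LAN
# receives from a spoofed address, which is the failure mode pe1chl
# describes.
```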
 
 
User avatar
mozerd
Member Candidate
Member Candidate
Posts: 259
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: single IP constantly trying to log to my Mikrotik

Thu Jun 27, 2019 3:48 pm

Hi all,
I'm not very skilled in networking except that I know some basics.

Anyway, I set a FW rule to drop incoming connections from this IP 141.98.80.115
But every day I see in the logs that this IP is trying to get access to my router.
An FYI:
MOAB has IP 141.98.80.115 listed as an attacker. IP location: Belgium, Brussels, Flyservers S.a.
 
anav
Forum Guru
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Mon Jul 01, 2019 3:40 pm

This in the 6.45 release looks like it may apply to parts of this discussion......
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;

This is the area where I am lost.........
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: single IP constantly trying to log to my Mikrotik

Mon Jul 01, 2019 10:31 pm

Yeah, noticed that too. maybe there were some bugs in handling...
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: single IP constantly trying to log to my Mikrotik

Tue Jul 02, 2019 3:46 am

This is the area where I am lost.........
Only there?

I still struggle to understand VLAN full with MT
+ many other things ;)
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
anav
Forum Guru
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: single IP constantly trying to log to my Mikrotik

Tue Jul 02, 2019 5:21 am

Well, there are additional onion layers of functionality now to the question of whether you use raw rules or filter rules to block things.
I simply thought raw was better because there was less load on the CPU. Apparently wrong-headed thinking. Apparently connection tracking makes filter rules more efficient. Who knew??
At least that's what it started out as...........
Then the conversation went down a rabbit hole and since I am not a user of LSD I couldn't follow ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
