lelmus
newbie
Topic Author
Posts: 28
Joined: Wed Oct 17, 2012 5:50 am

ipv4 LAN activity on WAN port w/o NAT on sniffer??

Mon Mar 07, 2022 8:29 pm

Please see enclosed image for more details.

Can anyone explain why I'm seeing ipv4 LAN port activity on the WAN port in the Packet Sniffer with no NAT, and Interface is constantly incrementing byte/packet counter on the sfp1 tx direction? Please ignore the sfp1 rx activity, that's just unrelated activity on the WAN network. The ping is correctly failing as it always does time out.

The reason I'm doing this is because I was seeing the byte/packet counter constantly incrementing on the interface when I had an LTE module installed, and I have a very low amount of data on the cellular plan, so I need to watch that. It seems that I cannot trust the interface counter if it's incrementing when no LAN packets pass through. Unless LAN packets are really leaking through, then that's a bigger problem.

I reduced the setup to this after a Reset Configuration with No Default Configuration enabled. My PC with ip address 10.1.10.59 is on LAN port ether1, and WAN port is sfp1. Using firmware 7.2rc4 on RB922UAGS. WLAN is disabled.

EDIT: RB922UAGS is behind another private network that’s running 192.168.0.0/24. So /ip dhcp-client will get 192.168.0.X.

/ip pool
add name=ipv4_pool1 ranges=10.1.10.20-10.1.10.59

/ip dhcp-server
add address-pool=ipv4_pool1 interface=ether1 name=server1

/queue simple
add dst=ether1 limit-at=64k/64k max-limit=64k/64k name=queue1 priority=6/6 \
queue=pcq-upload-default/pcq-download-default target=sfp1

/ip address
add address=10.1.10.1/24 interface=ether1 network=10.1.10.0

/ip cloud
set update-time=no

/ip dhcp-client
add interface=sfp1 use-peer-dns=no use-peer-ntp=no

/ip dhcp-server network
add address=10.1.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.10.1

/ipv6 firewall filter
add action=drop chain=forward
add action=drop chain=output
add action=drop chain=input

/ipv6 firewall raw
add action=drop chain=prerouting
add action=drop chain=output

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=10.1.10.0/24
set api-ssl disabled=yes

/tool sniffer
set filter-direction=tx filter-interface=sfp1

Last edited by lelmus on Tue Mar 08, 2022 4:44 am, edited 5 times in total.
 
jbl42
Member Candidate
Posts: 214
Joined: Sun Jun 21, 2020 12:58 pm

Re: ipv4 LAN activity on WAN port w/o NAT on sniffer??

Tue Mar 08, 2022 12:27 am

As far as I can see you are using your local private IP as source for outgoing public internet traffic, because no NAT.
Private IPs are not routed in the public Internet, so there will never be a response from any server with a public IP.

The outgoing traffic visible in your screenshot is your ping request to public IP 142.251.41.4, interleaved with outgoing DNS requests to 8.8.8.8:53 and 8.8.4.4:53 (as distributed by your DHCP) from your PC. Windows tries to resolve a DNS name. Because there is never a response, it constantly retries on both configured DNS addresses.

So nothing unexpected. Or am I missing your point?
Last edited by jbl42 on Tue Mar 08, 2022 12:32 am, edited 1 time in total.
 
rplant
Member Candidate
Posts: 287
Joined: Fri Sep 29, 2017 11:42 am

Re: ipv4 LAN activity on WAN port w/o NAT on sniffer??

Tue Mar 08, 2022 12:32 am

Hi,
No NAT doesn't mean packets don't go through the router. They still do; they just don't get NATed.
So packets from 10.1.10.59 still leave via the sfp1 port but with a source IP of 10.1.10.59, and the next router (the ISP) will look at the 10.1.10.59 and drop it immediately.
(So you won't get anything back.)

I would start with the default MikroTik config (mostly for its firewall), rejig services, firewall service ports, IP ranges, DHCP/DNS a bit, and then add some IP firewall filter rules to get what you want.
And leave Nat enabled.

eg.
/ip firewall filter
add action=drop chain=forward comment="drop everything from lan" in-interface-list=LAN

or perhaps just

add action=drop chain=forward comment="no forwarding at all"

Then before the above rule you can add a few exceptions for the really must get through traffic.
 
lelmus
newbie
Topic Author
Posts: 28
Joined: Wed Oct 17, 2012 5:50 am

Re: ipv4 LAN activity on WAN port w/o NAT on sniffer??

Tue Mar 08, 2022 1:05 am

ether1 port and sfp1 port should be isolated since they are not bridged, so there should not be any 10.1.10.0/24 seen on sfp1.

After adding NAT the sfp1 source must have the /ip dhcp-client address (in my case 192.168.0.X), and destination is the ping address 142.251.41.4. See enclosed image of what happened after I added this line.

/ip firewall nat
add action=masquerade chain=srcnat comment=NAT disabled=no dst-address=\
!10.1.10.0/24 dst-address-type=unicast out-interface=sfp1 src-address=\
10.1.10.20-10.1.10.59 src-address-type=unicast

I think seeing 10.1.10.59 on sfp1 when there is no NAT has something to do with “ip route”, cause it’s the only link. I’m not sure.
 
rplant
Member Candidate
Posts: 287
Joined: Fri Sep 29, 2017 11:42 am

Re: ipv4 LAN activity on WAN port w/o NAT on sniffer??

Tue Mar 08, 2022 11:39 pm

I think seeing 10.1.10.59 on sfp1 when there is no NAT has something to do with “ip route”, cause it’s the only link. I’m not sure.
That is what routers do...

I still recommend you put some filtering into the forward chain of the firewall if you want to stop traffic from your Lan going out the LTE port.
Presumably you want something inside to be able to connect to somewhere outside, so you will need accept rules for that traffic.
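One way to build the forward-chain filtering rplant recommends in both of his replies, with NAT left on and the exceptions placed before the catch-all drop. This is an added example, not configuration from the thread; it assumes ether1 is the LAN side, sfp1 is the WAN side (swap in the LTE interface as needed) and the LAN is 10.1.10.0/24 as in the original post.

```routeros
# Interface lists make the rules portable between sfp1 and an LTE module
/interface list
add name=LAN
add name=WAN
/interface list member
add interface=ether1 list=LAN
add interface=sfp1 list=WAN

/ip firewall filter
# Replies to traffic that was already permitted must get back in
add chain=forward action=accept connection-state=established,related \
    comment="allow replies to permitted traffic"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Exceptions that really must get through: DNS and ping from the LAN only
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    protocol=udp dst-port=53 comment="LAN -> DNS"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    protocol=icmp comment="LAN -> ping"
# Everything else from the LAN toward the WAN is dropped here, in the forward
# chain, which runs before srcnat, so it never reaches sfp1 tx or the LTE counter
add chain=forward action=drop in-interface-list=LAN out-interface-list=WAN \
    comment="drop everything else from LAN"

/ip firewall nat
# NAT stays enabled so the permitted traffic gets a routable source address
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="NAT for permitted traffic"
```

With these rules the sniffer on sfp1 tx should show only the DNS and ICMP flows, and the interface counters then reflect traffic you chose to allow.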
 
lelmus
newbie
Topic Author
Posts: 28
Joined: Wed Oct 17, 2012 5:50 am

Re: ipv4 LAN activity on WAN port w/o NAT on sniffer??

Wed Mar 09, 2022 8:43 pm

rplant, I think you're right that even w/o the NAT the default ip route links all 0.0.0.0/0 packets to go somewhere, resulting in sfp1 activity.

So I finally figured it out. Damn MikroTik, that was a brain twister.

After tinkering with the firewall filter, NAT, mangle and raw to no avail (either everything got dropped or everything passed through, because I noticed it was filtering before post-processing and not after it), I resorted to the dreadful Packet Flow Diagram.

The Packetflow Diagram shows that the src-nat routing box happens at the last stages and to drop specific packets at the post-processing is not offered. But what is offered is a place to add a bridge between the src-nat routing box and sfp1, and finally add the filter in the bridge. So what I now have is bridge1 in Bridge, and only sfp1 in Bridge ports, and bridge filter, that's it. Worked like a charm, and now I have the ability to block anything that's unwanted from racking up data bytes and still let through some things automatically.
 
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: ipv4 LAN activity on WAN port w/o NAT on sniffer??

Fri Mar 11, 2022 3:27 pm

So I finally figured it out. Damn MikroTik, that was a brain twister.
Nothing to do with MikroTik. This is networking 1-0-1... Any router will give you the exact same result.
