jerogabe
just joined
Topic Author
Posts: 7
Joined: Sat Apr 09, 2022 1:14 pm

problem with public ip and connection tracking

Sun May 15, 2022 7:26 pm

Hello! First of all, sorry for my English, I use Google Translate...

I have the following scenario and problems.
My ISP offers me a /24 of public addresses through its gateway. I have a private IP configured on my WAN port to connect to my provider, and a public IP through which my traffic goes.
/ip address add address=192.168.26.2/30 comment="PRIVATE CISCO - MIKROTIK AIRE NETWORK" interface=ether1-wan network=192.168.26.0
/ip address add address=17.15.10.1 comment="MIKROTIK PUBLIC IP" interface=ether1-wan network=17.15.10.1

My LAN is 10.201.251.1/24

NAT:
/ip firewall nat add action=src-nat chain=srcnat comment="NAT AIR NETWORK WITH PUBLIC IPs" out-interface=ether1-wan src-address=!17.15.10.0/24 to-addresses=17.15.10.1

Well, this is how my connection tracking looks. The connection works, but I know something is wrong, seeing so many connections here.
(attachment: connectionsTracking.PNG)
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: problem with public ip and connection tracking

Sun May 15, 2022 11:02 pm

It may or may not be wrong, depending on what hosts are in your LAN subnet and what is their intended activity and what is your configuration.

Since your ISP routes traffic for 256 public IPs to you, chances are high that some of the connections are caused by attack attempts coming to these public IPs from the internet - /ip firewall connection print count-only where dst-address~"17.15.10." will show you whether it is the case.

If not, I'd proceed by filtering the connections by their source address - /ip firewall connection print count-only where src-address~"10.201.251.90" - to see whether the intense traffic can be tracked down to one or just a few hosts or whether it is evenly spread among all of them. Then I would look at what kind of connections they are.
 
jerogabe
just joined
Topic Author
Posts: 7
Joined: Sat Apr 09, 2022 1:14 pm

Re: problem with public ip and connection tracking

Mon May 16, 2022 12:59 am

sindy wrote:
> It may or may not be wrong, depending on what hosts are in your LAN subnet and what is their intended activity and what is your configuration.
>
> Since your ISP routes traffic for 256 public IPs to you, chances are high that some of the connections are caused by attack attempts coming to these public IPs from the internet - /ip firewall connection print count-only where dst-address~"17.15.10." will show you whether it is the case.
>
> If not, I'd proceed by filtering the connections by their source address - /ip firewall connection print count-only where src-address~"10.201.251.90" - to see whether the intense traffic can be tracked down to one or just a few hosts or whether it is evenly spread among all of them. Then I would look at what kind of connections they are.

Hello, thanks for your interest in helping me. This is the output of /ip firewall connection print count-only where dst-address~"17.15.10.":
3098
no such item (4)
 
jerogabe
just joined
Topic Author
Posts: 7
Joined: Sat Apr 09, 2022 1:14 pm

Re: problem with public ip and connection tracking

Mon May 16, 2022 8:24 pm

So it seems that the problem with the thousands of connections in the tracking table was solved, but I don't know if I'm doing the right thing.

/ip route add blackhole comment="PUBLIC IPs" disabled=no distance=100 dst-address=17.15.10.0/24
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: problem with public ip and connection tracking

Mon May 16, 2022 11:45 pm

If this helps, it means that those thousands of connections are indeed initiated from the internet towards those addresses. Blackholing this destination means that no tracked connections are created in your firewall any more, but once you start actually using some of these addresses, you'll have to override the blackholing for them; and if your device will not act as a firewall for them, the way to exempt the traffic from the internet to these addresses from connection tracking will be action=notrack rules in /ip firewall raw. Depending on what type of attempts it is, your uplink bandwidth may get exhausted in case of (D)DoS towards one or more of these addresses, no matter what you do at your end.
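Putting the two replies above together (first count the connections by destination, then stop tracking and forwarding traffic to the public addresses nobody uses), here is an added RouterOS configuration example. It is not from the thread and not the poster's configuration. It assumes RouterOS v7 route syntax (v6 writes the blackhole route as type=blackhole instead of the blackhole flag), the thread's example prefix 17.15.10.0/24, the WAN interface ether1-wan, and an address list named public-in-use that this example introduces for the addresses that are actually in use.

```routeros
# Added example (not from the thread): keep connection tracking only for the
# public addresses that are really in use, and drop the rest of the
# ISP-routed /24 at the router. All names below are this example's own.

# 1. Record every public address that terminates on, or is dst-nat'ed through,
#    this router. Anything not on this list is treated as unused.
/ip firewall address-list
add list=public-in-use address=17.15.10.1 comment="router's own public IP (src-nat source)"

# 2. Do not create conntrack entries for internet traffic to unused addresses.
#    raw/prerouting runs before connection tracking, so scans and probes aimed
#    at the other ~250 addresses never enter the connection table at all.
/ip firewall raw
add chain=prerouting action=notrack in-interface=ether1-wan \
    dst-address=17.15.10.0/24 dst-address-list=!public-in-use \
    comment="no conntrack for unused public IPs"

# 3. Make sure those untracked packets are dropped rather than forwarded.
#    The /24 blackhole at distance 100 is only a fallback: the router's own
#    17.15.10.1/32 and any more specific prefix later assigned to an interface
#    (e.g. a /29 on a DMZ port) produce connected routes that win automatically.
/ip route
add dst-address=17.15.10.0/24 blackhole distance=100 comment="PUBLIC IPs (unused)"

# 4. Verify: with the raw rule in place this count should fall to roughly the
#    number of legitimate connections to the listed addresses. The anchor "^"
#    keeps the match to the start of the address; "." matches any character,
#    which is harmless here.
/ip firewall connection print count-only where dst-address~"^17.15.10."
```

The raw notrack rule stops new entries from being created, and the blackhole route stops the untracked packets from being forwarded anywhere. Addresses that are dst-nat'ed to LAN hosts must be on the public-in-use list so they stay tracked, because NAT depends on connection tracking. None of this reduces the volume arriving on the uplink, which is the (D)DoS caveat above.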
