mrigi
just joined
Topic Author
Posts: 10
Joined: Sat Aug 07, 2021 2:47 pm

Unknown external IP's in ARP list

Thu May 19, 2022 9:24 pm

Hello,
Just noticed strange IPs in my ARP list. See attached.
Any ideas how these could get into the ARP table? Some sort of attack? Or malware inside the LAN? Or maybe that's fine after all, but I haven't seen this before.
A bit worried that I am hacked somehow through the router.

The firewall looks like this:
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=bogon
add address=172.16.0.0/12 comment=RFC6890 list=bogon
add address=192.168.0.0/16 comment=RFC6890 list=bogon
add address=10.0.0.0/8 comment=RFC6890 list=bogon
add address=169.254.0.0/16 comment=RFC6890 list=bogon
add address=127.0.0.0/8 comment=RFC6890 list=bogon
add address=224.0.0.0/4 comment=Multicast list=bogon
add address=198.18.0.0/15 comment=RFC6890 list=bogon
add address=192.0.0.0/24 comment=RFC6890 list=bogon
add address=192.0.2.0/24 comment=RFC6890 list=bogon
add address=198.51.100.0/24 comment=RFC6890 list=bogon
add address=203.0.113.0/24 comment=RFC6890 list=bogon
add address=100.64.0.0/10 comment=RFC6890 list=bogon
add address=240.0.0.0/4 comment=RFC6890 list=bogon
add address=192.88.99.0/24 list=bogon
/ip firewall filter
add action=accept chain=forward comment="Accept estabilished, related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Accept new from LAN" connection-state=new dst-address-list=!bogon in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow VPN to access LAN" in-interface-list=LAN log-prefix="dyn if" out-interface-list=LAN
add action=accept chain=forward comment="Accept port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=allow
add action=drop chain=forward comment="Drop the rest" log-prefix=drop
add action=accept chain=input comment="Accept estabilished, related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Accept all from LAN" in-interface-list=LAN
add action=accept chain=input log=yes log-prefix=ipsec protocol=ipsec-esp
add action=accept chain=input dst-port=1701 ipsec-policy=in,ipsec log=yes log-prefix=ipsec protocol=udp
add action=accept chain=input dst-port=500 log=yes log-prefix=ipsec protocol=udp
add action=accept chain=input dst-port=4500 log=yes log-prefix=ipsec protocol=udp
add action=jump chain=input comment="Run ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=input comment="Drop the rest" log=yes log-prefix=drop
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=accept chain=output connection-nat-state="" connection-state=new
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

Thanks.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unknown external IP's in ARP list

Thu May 19, 2022 9:43 pm

/ip firewall filter
add action=accept chain=input comment="Accept established, related, untracked" connection-state=established,related,untracked
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=invalid
add action=accept chain=input comment="Accept all from LAN" in-interface-list=LAN
add action=accept chain=input log=yes log-prefix=ipsec protocol=ipsec-esp
add action=accept chain=input dst-port=1701 ipsec-policy=in,ipsec log=yes log-prefix=ipsec protocol=udp
add action=accept chain=input dst-port=500 log=yes log-prefix=ipsec protocol=udp
add action=accept chain=input dst-port=4500 log=yes log-prefix=ipsec protocol=udp
add action=drop chain=input comment="Drop the rest" log=yes log-prefix=drop

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="Accept established, related, untacked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=invalid
add action=accept chain=forward comment="Accept new from LAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Accept port forwarding" connection-nat-state=dstnat log=yes log-prefix=allow
add action=drop chain=forward comment="Drop the rest" log-prefix=drop

I prefer, to this:
add action=accept chain=input comment="Accept all from LAN" in-interface-list=LAN

something more targeted, so that only the admin on the LAN has access to the router:
add action=accept chain=input in-interface-list=LAN src-address-list=authorized

Where authorized is a firewall address list of static IPs the admin may use (desktop, laptop, iPhone, iPad, VPN subnet IP etc........)

You will need to add additional rules so LAN users have access to the services they require, typically only DNS, sometimes NTP.
..................
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp

This rule is strange and should be removed until it can be sorted.
add action=accept chain=forward comment="Allow VPN to access LAN" in-interface-list=LAN log-prefix="dyn if" out-interface-list=LAN

The LAN, if it is one subnet, already has access to itself. What you should do is either
a. identify the VPN interface (such as wireguard) with access to the LAN, or
b. the faux IP address of the VPN with access to the LAN.....

The more elegant way of dealing with bogons instead of forward chain is through IP routes.......
/ip route
add blackhole disabled=no dst-address=10.0.0.0/8
add blackhole disabled=no dst-address=172.16.0.0/12
add blackhole disabled=no dst-address=192.168.0.0/16

(NOTE1: add more bogon addresses as you see fit.)
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Unknown external IP's in ARP list

Thu May 19, 2022 9:48 pm

I also have a strange IP in ARP that I can't explain, except that it is also in my address-list. The IP you are showing seems not to be in your address-list.
oneBridge.JPG
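An added check (not code from either poster or from MikroTik) that does offline what both posts are doing by eye: it takes a RouterOS address-list export and an ARP table and tags each ARP entry as local to its interface's subnet, covered by the bogon list, or a foreign public address that should never ARP on the LAN. The export subset, ARP rows and interface-to-subnet map are constructed samples, not the addresses from the attached screenshots.

```python
import ipaddress
import re
# Constructed samples (not from the posters' screenshots): a subset of the thread's
# "/ip firewall address-list" export and an "/ip arp print" style table.
ADDRESS_LIST_EXPORT = """\
/ip firewall address-list
add address=10.0.0.0/8 comment=RFC6890 list=bogon
add address=172.16.0.0/12 comment=RFC6890 list=bogon
add address=192.168.0.0/16 comment=RFC6890 list=bogon
add address=100.64.0.0/10 comment=RFC6890 list=bogon
"""
ARP_TABLE = """\
 # ADDRESS         MAC-ADDRESS        INTERFACE
 0 192.168.88.10   AA:BB:CC:00:00:01  bridge
 1 198.51.100.7    AA:BB:CC:00:00:02  bridge
 2 10.200.0.5      AA:BB:CC:00:00:03  bridge
 3 203.0.113.1     AA:BB:CC:00:00:04  ether1
"""
# Interface -> subnet configured under /ip address (constructed; ether1 is the WAN).
INTERFACE_SUBNETS = {
    "bridge": ipaddress.ip_network("192.168.88.0/24"),
    "ether1": ipaddress.ip_network("203.0.113.0/24"),
}

def parse_address_lists(export):
    """Map list name -> networks from 'add address=... list=...' export lines."""
    lists = {}
    for m in re.finditer(r"^add .*?address=(\S+).*?list=(\S+)", export, re.M):
        lists.setdefault(m.group(2), []).append(ipaddress.ip_network(m.group(1), strict=False))
    return lists

def parse_arp(table):
    """Yield (ip, interface) from the numbered rows of an '/ip arp print' table."""
    for m in re.finditer(r"^\s*\d+\s+(\S+)\s+\S+\s+(\S+)", table, re.M):
        yield ipaddress.ip_address(m.group(1)), m.group(2)

def classify_arp(table, subnets, lists):
    """Tag each entry 'local' (in its interface subnet), 'bogon' (in the list) or 'foreign'."""
    result = []
    for ip, iface in parse_arp(table):
        net = subnets.get(iface)
        if net is not None and ip in net:
            tag = "local"
        elif any(ip in n for n in lists.get("bogon", [])):
            tag = "bogon"
        else:
            tag = "foreign"
        result.append((str(ip), iface, tag))
    return result
```

Entries tagged foreign are the ones worth investigating first: a routable address answering ARP on the bridge points at a host on the LAN segment that is not configured for it, which is a different problem from a bogon-listed private address that the firewall already handles.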
