I'm posting this here because while it may not be basic, I am very much a beginner to networking and RouterOS alike.
Mikrotik gear: hAP ax3
Cable modem: Motorola MB8611, with a fixed private address of 192.168.100.1
Use case: Simple home (apartment), several VLANs, wifi, internet access.
I've set up the hAP ax3 more or less according to pcunite's Using RouterOS to VLAN Your Network guide, along with some guides on Reddit for firewall rules and address lists. Everything seems to work just fine.
However, I noticed that one of my raw filter rules was dropping a pretty large number of packets, so I enabled logging:
Code:
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv4 log=yes log-prefix=dropbaddst
...and ever since, the log has been full of identical messages, a new one every few seconds:
Code:
dropbaddst prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:fd:22:**:**:**, proto UDP, 10.81.236.1:67->255.255.255.255:68, len 344
(where the unredacted src-mac is the same as the MAC in the dynamically created ARP corresponding to the ISP-assigned IP on ether1).
My aim in posting this is humbly to seek advice on the following:
1) Where might these packets be coming from? The modem? I don't recognize the address 10.81.236.1. I believe that's normally a private address?
2) Should I care? Everything seems to function just fine. It just bothers me that I can't figure out what these packets are.
3) If I should care, what should I do? Presumably I should find a way to let the packets in if they're benign and useful, and continue to drop them if they're not. And of course, how to do so securely.
I hope this has made sense.
Here is my full configuration. It probably has errors, contradictions, and/or useless bits. If anyone happens to spot any, please feel free to point them out.
Code:
[myusername@MikroTik] > /export
# 2024-01-19 15:20:28 by RouterOS 7.13
# software id = NVGV-VFF5
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = **********
/interface bridge
add admin-mac=78:9A:18:10:06:46 auto-mac=no name=bridge1 port-cost-mode=short protocol-mode=none vlan-filtering=yes
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country="United States" .mode=ap .ssid=Samuel disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.country="United States" .mode=ap .ssid=Samuel disabled=no security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=SWF-guest disabled=no mac-address=7A:9A:18:10:06:4A master-interface=wifi1 name=wifi3 security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=SWF-guest disabled=no mac-address=7A:9A:18:10:06:4B master-interface=wifi2 name=wifi4 security.authentication-types=wpa2-psk,wpa3-psk
/interface vlan
add interface=bridge1 name=BASE_VLAN vlan-id=99
add interface=bridge1 name=BLUE_VLAN vlan-id=10
add interface=bridge1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/ip pool
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.13.10-192.168.13.254
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
/queue type
add cake-diffserv=besteffort cake-flowmode=dual-dsthost cake-mpu=64 cake-overhead=18 kind=cake name=cake-down
add cake-ack-filter=filter cake-flowmode=dual-srchost cake-mpu=64 cake-nat=yes cake-overhead=18 kind=cake name=cake-up
/queue tree
add bucket-size=0.01 max-limit=55M name=cake-upload-test packet-mark=no-mark parent=ether1 queue=cake-up
add bucket-size=0.01 max-limit=550M name=cake-download-test packet-mark=no-mark parent=bridge1 queue=cake-down
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi3 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi4 internal-path-cost=10 path-cost=10 pvid=20
/ip settings
set tcp-syncookies=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=20
add bridge=bridge1 tagged=bridge1 vlan-ids=99
add bridge=bridge1 tagged=bridge1 vlan-ids=10
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=BLUE_VLAN list=VLAN
/ip address
add address=192.168.13.1/24 interface=BASE_VLAN network=192.168.13.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.13.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.13.1 gateway=10.0.20.1
add address=192.168.13.0/24 dns-server=192.168.13.1 gateway=192.168.13.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 disabled=yes list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=255.255.255.255 comment=RFC6890 list=not_in_internet
add list=ddos-attackers
add list=ddos-targets
add list=not_in_internet
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add list=vlan_subnets
add address=10.0.10.0/24 comment="VLAN subnets" list=vlan_subnets
add address=10.0.20.0/24 comment="VLAN subnets" list=vlan_subnets
add address=192.168.13.0/24 comment="VLAN subnets" list=vlan_subnets
add address=224.0.0.0/4 comment="RAW Filtering - multicast" disabled=yes list=bad_src_ipv4
add address=224.0.0.0/4 comment="RAW Filtering - RFC6890" disabled=yes list=bad_dst_ipv4
add list=bad_ipv4
add list=bad_src_ipv4
add list=bad_dst_ipv4
/ip firewall filter
add action=accept chain=input comment="Accept DHCP from GREEN_VLAN" dst-port=67 in-interface=GREEN_VLAN protocol=udp src-port=68
add action=accept chain=input comment="Accept DNS from GREEN VLAN" dst-port=53 in-interface=GREEN_VLAN protocol=udp
add action=drop chain=input comment="Drop all else from GREEN_VLAN" in-interface=GREEN_VLAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow BASE_VLAN full access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop log-prefix=dropall
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN Internet access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=jump chain=forward comment="Jump to DDoS detection" connection-state=new in-interface-list=WAN jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
add action=drop chain=forward comment=Drop
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
/ip firewall nat
add action=masquerade chain=srcnat comment="default masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targets src-address-list=ddos-attackers
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=VLAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv4 log=yes log-prefix=dropbaddst
add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN log=yes log-prefix=nonglobfromwan src-address-list=not_in_internet
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address-list=lan_subnets in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=VLAN src-address-list=!vlan_subnets
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=accept chain=prerouting comment="accept all else from VLAN" in-interface-list=VLAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=100::/64 comment="RAW Filtering - RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="RAW Filtering - RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="RAW Filtering - RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="RAW Filtering - RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment="RAW Filtering" list=bad_src_ipv6
add address=ff00::/8 comment="RAW Filtering" list=bad_src_ipv6
add address=::/128 comment="RAW Filtering" list=bad_dst_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="drop everything else not coming from VLAN" in-interface-list=!VLAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="drop everything else not coming from VLAN" in-interface-list=!VLAN
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad src ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="accept everything else from VLAN" in-interface-list=VLAN
add action=drop chain=prerouting comment="defconf: drop the rest"
/system clock
set time-zone-name=America/My_City
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
I appreciate any help, and if there's other info I can provide feel free to let me know. Thanks!
Statistics: Posted by QueaSea — Sat Jan 20, 2024 1:33 am
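An added illustration (editor's code, not from the post or from RouterOS): this Python script parses the logged line and checks its destination against the bad_ipv4 entries from the export, showing that the limited-broadcast address 255.255.255.255 (where DHCP servers send Offer/Ack replies) sits inside the list's 240.0.0.0/4 "reserved" entry, which is why that raw rule fires before the "drop non global from WAN" rule that would otherwise have matched the 10.x source. The log line and list entries are copied from the post; the traffic-class labels are this script's own.

```python
import re
import ipaddress

# Constructed sample: the log line quoted in the post, MAC left redacted as posted.
SAMPLE_LOG = ("dropbaddst prerouting: in:ether1 out:(unknown 0), connection-state:invalid "
              "src-mac 00:fd:22:**:**:**, proto UDP, 10.81.236.1:67->255.255.255.255:68, len 344")

# The bad_ipv4 address-list entries exactly as they appear in the posted export.
BAD_IPV4 = ["127.0.0.0/8", "192.0.0.0/24", "192.0.2.0/24",
            "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"]

# RouterOS firewall log shape: "<prefix> <chain>: in:<if> ... proto <P>, <src>:<sp>-><dst>:<dp>, len <n>"
LOG_RE = re.compile(
    r"^(?P<prefix>\S+) (?P<chain>\S+): in:(?P<in_if>\S+) .*?proto (?P<proto>\S+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)"
)


def parse_log(line):
    """Split one RouterOS IPv4 firewall log line into its fields (ports and length as ints)."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a RouterOS IPv4 firewall log line")
    fields = m.groupdict()
    for key in ("sport", "dport", "len"):
        fields[key] = int(fields[key])
    return fields


def matching_prefix(addr, prefixes):
    """Return the first list entry containing addr, or None; an address-list match needs any entry to contain it."""
    ip = ipaddress.ip_address(addr)
    for p in prefixes:
        if ip in ipaddress.ip_network(p, strict=False):
            return p
    return None


def classify(pkt):
    """Label the common DHCP patterns; the label names are this script's own, not RouterOS terms."""
    if (pkt["proto"] == "UDP" and pkt["sport"] == 67 and pkt["dport"] == 68
            and pkt["dst"] == "255.255.255.255"):
        return "dhcp-server-broadcast"   # server -> client Offer/Ack sent to the limited broadcast
    if pkt["proto"] == "UDP" and pkt["sport"] == 68 and pkt["dport"] == 67:
        return "dhcp-client-request"     # client -> server Discover/Request
    return "unknown"


def analyse(line, bad_list=BAD_IPV4):
    """Explain why the 'drop bad dst IPs' rule fired for this line."""
    pkt = parse_log(line)
    return {
        "in_if": pkt["in_if"],
        "kind": classify(pkt),
        "dst_hit": matching_prefix(pkt["dst"], bad_list),            # which bad_ipv4 entry matched
        "src_private": ipaddress.ip_address(pkt["src"]).is_private,  # RFC 1918 source?
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```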