Community discussions

Search found 28 matches

by rodrigobenta
Mon Aug 17, 2020 9:01 pm
Forum: Beginner Basics
Topic: Static Routing and Redirect Ports
Replies: 0
Views: 646

Static Routing and Redirect Ports

Hello, I've learnt a lot with your help in the last posts, about security, networking, and many other things. Today I have the problem that I need to add a MikroTik as a "shield" to protect my network against the attacks. I'm going to introduce the schema in order to explain the situation. Cctu...
by rodrigobenta
Mon Feb 10, 2020 10:50 pm
Forum: Beginner Basics
Topic: DDos Attack (?
Replies: 5
Views: 2874

Re: DDos Attack (?

In most cases, you have to go to your upstream provider for assistance with a DDoS-type of attack. Even if you're dropping the packets, they still consume your bandwidth to get to your router, so your circuit is still saturated. You might consider why your network is being attacked. For example, if...
by rodrigobenta
Mon Feb 10, 2020 10:19 pm
Forum: Beginner Basics
Topic: DDos Attack (?
Replies: 5
Views: 2874

Re: DDos Attack (?

https://forum.mikrotik.com/viewtopic.php?f=2&t=152953 You should watch in connections what addresses they come from and which ports are targeted. The working I used worked great for me and if you see the same then try my suggestion. It seems he is scanning all my network's IPs, trying to attack,...
by rodrigobenta
Mon Feb 10, 2020 9:06 pm
Forum: Beginner Basics
Topic: DDos Attack (?
Replies: 5
Views: 2874

DDos Attack (?

Hi everyone, hope you are doing and having it great! I posted a few times before, and I'm very grateful to the community that helped a noob on this MikroTik system. I consider myself a noob because there's always something new to learn about. This time I'm suffering an attack, that causes my Rx packets go hi...
by rodrigobenta
Wed Jan 30, 2019 8:26 pm
Forum: General
Topic: Cant get 3389 port forward only on single PC
Replies: 13
Views: 5291

Re: Cant get 3389 port forward only on single PC

If 2 PCs work but only one does not with the same settings... 1. In any case try to make src-nat add action=dst-nat chain=dstnat dst-port=4001 in-interface=WAN protocol=tcp to-addresses=192.168.2.205 to-ports=3389 add action=src-nat chain=srcnat dst-address=192.168.2.205 dst-port=3389 protocol=tcp to-address...
by rodrigobenta
Thu Sep 20, 2018 5:55 pm
Forum: General
Topic: Firewall Exception ? [SOLVED]
Replies: 5
Views: 4106

Re: Firewall Exception ? [SOLVED]

Specify the IP you want to exclude (192.168.20.8) in the port scanner rule General > Src Address, ticking the invert field in front of it, so that the rule logic applies as long as source IP isn't 192.168.20.8. Have a look at the address-list that rule is adding to, to remove 192.168.20.8 if it's alr...
by rodrigobenta
Wed Sep 12, 2018 1:13 am
Forum: Beginner Basics
Topic: UDP Broadcast from my Windows Server [SOLVED]
Replies: 6
Views: 3828

Re: UDP Broadcast from my Windows Server [SOLVED]

If you use Winbox to connect to the router via MAC address rather than IP, Winbox sends the packets to the IP broadcast address of the subnet on that UDP port. https://wiki.mikrotik.com/wiki/Manual:IP/Services#Protocols_and_ports I use MAC address yes, 'cause with that port scanner once I couldn't co...
by rodrigobenta
Wed Sep 12, 2018 1:12 am
Forum: Beginner Basics
Topic: UDP Broadcast from my Windows Server [SOLVED]
Replies: 6
Views: 3828

Re: UDP Broadcast from my Windows Server [SOLVED]

I think only you need, your server ip (src-address) is exception for port scanner
e.g. src-address = !your server ip

Sorry for my poor English
Ye, same here, I'm from Uruguay jaja.
But I understood you.
Thank you so much!
by rodrigobenta
Mon Sep 10, 2018 4:25 am
Forum: Beginner Basics
Topic: UDP Broadcast from my Windows Server [SOLVED]
Replies: 6
Views: 3828

Re: UDP Broadcast from my Windows Server [SOLVED]

Hi.
port scanner drop: 192.x.x.x:59842->192.x.x.255:20561.

I think, UDP20561 is your router MAC telnet port...

Best regards: CsXen
Hello men, thank you for answering.
Should I disable telnet from my router? Or what do you mean?
Thanks again.
by rodrigobenta
Sat Sep 08, 2018 2:27 am
Forum: Beginner Basics
Topic: UDP Broadcast from my Windows Server [SOLVED]
Replies: 6
Views: 3828

UDP Broadcast from my Windows Server [SOLVED]

Hi people, I'm here with an issue after upgrading my MikroTik RB2011 UiAS-2HnD, version 6.42.7. I have a port scanner rule that adds IP scanners and then drops packages. Now in my log, I'm seeing that MikroTik is blocking with this rule a port scanner (UDP) from my server IP. The log is this: port s...
by rodrigobenta
Tue Oct 31, 2017 7:34 pm
Forum: General
Topic: HAIRPIN HAT not working [SOLVED]
Replies: 33
Views: 7949

Re: HAIRPIN HAT not working [SOLVED]

ether1 is LAN interface or WAN? Your 9 and 10 rules must have LAN interface. 9 rule in and 10 is out. ether1 is my WAN.. but if I put the etherX where I have my server, it doesn't let me finish the rule, an error pops out. What rule exactly? Maybe your LAN interface belongs to some master port or bridg...
by rodrigobenta
Tue Oct 31, 2017 6:31 pm
Forum: General
Topic: HAIRPIN HAT not working [SOLVED]
Replies: 33
Views: 7949

Re: HAIRPIN HAT not working [SOLVED]

ether1 is LAN interface or WAN? Your 9 and 10 rules must have LAN interface. 9 rule in and 10 is out. ether1 is my WAN.. but if I put the etherX where I have my server, it doesn't let me finish the rule, an error pops out. What rule exactly? Maybe your LAN interface belongs to some master port or bridg...
by rodrigobenta
Tue Oct 31, 2017 6:08 pm
Forum: General
Topic: HAIRPIN HAT not working [SOLVED]
Replies: 33
Views: 7949

Re: HAIRPIN HAT not working [SOLVED]

ether1 is LAN interface or WAN?
Your 9 and 10 rules must have LAN interface. 9 rule in and 10 is out

ether1 is my WAN.. but if I put the etherX where I have my server, it doesn't let me finish the rule, an error pops out
by rodrigobenta
Tue Oct 31, 2017 5:49 pm
Forum: General
Topic: HAIRPIN HAT not working [SOLVED]
Replies: 33
Views: 7949

Re: HAIRPIN HAT not working [SOLVED]

Set only three rules. Simple dst-nat for connectivity from Internet and my previous 2 rules to hook the global IP from LAN. With this setup I have web access to web resource with global IP from LAN. First rule is ip firewall nat add action=dst-nat chain=dstnat dst-port=80 in-interface="your gl...
by rodrigobenta
Tue Oct 31, 2017 4:49 pm
Forum: General
Topic: HAIRPIN HAT not working [SOLVED]
Replies: 33
Views: 7949

Re: HAIRPIN HAT not working [SOLVED]

It is better to do src-nat with specified IP instead of masquerade. How would you change what he said? Also I tried this add action=masquerade chain=srcnat comment="Hairpin NAT Masq" disabled=yes out-interface=ether1 src-address-list=Local add action=netmap chain=dstnat disabled=yes dst-a...
by rodrigobenta
Tue Oct 31, 2017 4:46 pm
Forum: General
Topic: HAIRPIN HAT not working [SOLVED]
Replies: 33
Views: 7949

Re: HAIRPIN HAT not working [SOLVED]

after you dst-nat from global to LAN, add these 2 rules: ip firewall nat add action=dst-nat chain=dstnat dst-address="your global IP" dst-port=80 in-interface="LAN interface for your web server" protocol=tcp src-address=192.168.10.0/24 to-addresses=192.168.10.10 to-ports=80 add ...
by rodrigobenta
Tue Oct 31, 2017 3:45 pm
Forum: General
Topic: HAIRPIN HAT not working [SOLVED]
Replies: 33
Views: 7949

Re: HAIRPIN HAT not working [SOLVED]

Try to add this one
/ip firewall nat add action=netmap chain=dstnat dst-address=WAN_IP dst-port=443,80 protocol=tcp to-addresses=192.168.10.10
Thanks for your reply, but I still cannot enter from local LAN.. I can from outside of the office..
by rodrigobenta
Tue Oct 31, 2017 1:01 am
Forum: General
Topic: HAIRPIN HAT not working [SOLVED]
Replies: 33
Views: 7949

HAIRPIN HAT not working [SOLVED]

Here is my config, I can access via internet, but not from the local LAN! Can someone help me? add action=dst-nat chain=dstnat comment="OPEN 443 WEB, RULE 25-40 PACKETS PER SECOND" dst-address-type="" dst-limit=25,40,dst-address/1m dst-port=443 \ in-interface=all-ethernet log=yes...
by rodrigobenta
Mon Oct 30, 2017 6:40 pm
Forum: Forwarding Protocols
Topic: Block MAC Address's Attacker [SOLVED]
Replies: 14
Views: 5194

Re: Block MAC Address's Attacker [SOLVED]

No problem,
I am from Poland, not much bigger than Uruguay and we speak Polish :-)
Oh nice! Maybe at this time of year it's a bit cold, isn't it? jaja
Also, do you know why I cannot enter the web page from my local network, but if I try from another place I enter without any problems?
by rodrigobenta
Mon Oct 30, 2017 4:51 pm
Forum: Forwarding Protocols
Topic: Block MAC Address's Attacker [SOLVED]
Replies: 14
Views: 5194

Re: Block MAC Address's Attacker [SOLVED]

Add this to your dst-nat rule: dst-limit=25,40,src-address/1m This limits a single src-address (i.e. the IP the request for your webserver came from) to 25 new connections per second, burstable to 40 (which might quickly happen when you're running a GUI packed with graphics and CSS). The timeout is...
by rodrigobenta
Mon Oct 30, 2017 4:20 pm
Forum: Forwarding Protocols
Topic: Block MAC Address's Attacker [SOLVED]
Replies: 14
Views: 5194

Re: Block MAC Address's Attacker [SOLVED]

"Open" port e.g. 43389 and forward it to 3389 in LAN.

GREAT idea! You are my guru men jaja.

Is there a way to count how many accesses per minute are allowed to enter my page? Everything to avoid attacks on my web page...
by rodrigobenta
Mon Oct 30, 2017 2:08 pm
Forum: Forwarding Protocols
Topic: Block MAC Address's Attacker [SOLVED]
Replies: 14
Views: 5194

Re: Block MAC Address's Attacker [SOLVED]

Oh boy ... again? Have you checked forum for that? https://forum.mikrotik.com/search.php?keywords=open+port Have you checked wiki for that? https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Port_mapping.2Fforwarding OK, I read it. Sorry man, I'm worried, 'cause I'm having constant attacks via 338...
by rodrigobenta
Fri Oct 27, 2017 9:26 pm
Forum: Forwarding Protocols
Topic: Block MAC Address's Attacker [SOLVED]
Replies: 14
Views: 5194

Re: Block MAC Address's Attacker [SOLVED]

Depends on where you are logging the information, and how your network is setup. MAC addresses are layer2 information and do not pass a layer3 hop. So if your web server is not on the same LAN segment as the user, the web server will never see the MAC address, just the IP address the connection req...
by rodrigobenta
Fri Oct 27, 2017 5:22 pm
Forum: Forwarding Protocols
Topic: Block MAC Address's Attacker [SOLVED]
Replies: 14
Views: 5194

Re: Block MAC Address's Attacker [SOLVED]

There is no way to stop receiving packets so you cannot prevent yourself from being attacked. You can just ignore/drop/reject them. To specify particular MAC you need to just specify it in the rule .. example: chain=input action=reject reject-with=icmp-host-unreachable protocol=udp in-interface=ETH...
by rodrigobenta
Fri Oct 27, 2017 5:20 pm
Forum: Forwarding Protocols
Topic: Block MAC Address's Attacker [SOLVED]
Replies: 14
Views: 5194

Re: Block MAC Address's Attacker [SOLVED]

/interface bridge filter
add chain=forward src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop
add chain=input src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop
-Chris
Chris, I'm trying this. Thank you so much for your fast answer!
Best for you.
by rodrigobenta
Fri Oct 27, 2017 4:34 pm
Forum: Forwarding Protocols
Topic: Block MAC Address's Attacker [SOLVED]
Replies: 14
Views: 5194

Block MAC Address's Attacker [SOLVED]

Hi friends, a few days ago you solved a problem for me very effectively. Now I think I have a similar one, that "disgusting" attacker.. he's driving me crazy. Via log in MikroTik I detected the MAC address of the attacker.. and I'm blocking the IPs he uses.. but I want to block directly the ma...
by rodrigobenta
Tue Sep 26, 2017 8:27 pm
Forum: Beginner Basics
Topic: Block DDos Attack and be able to access internet [SOLVED]
Replies: 4
Views: 12368

Re: Block DDos Attack and be able to access internet [SOLVED]

So many times on forum: Enable DNS server and add these lines to filters ... assuming ether1 is the name of WAN interface ... if not substitute it with proper one: /ip firewall filter add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp add action=drop chain=input dst-port=53 in...
by rodrigobenta
Wed Sep 13, 2017 11:07 pm
Forum: Beginner Basics
Topic: Block DDos Attack and be able to access internet [SOLVED]
Replies: 4
Views: 12368

Block DDos Attack and be able to access internet [SOLVED]

Hello friends. I'm here because I'm having a problem that is driving me crazy. I'm new on MikroTik, I have a model RB2011-uIaS. The problem is that I have a network, controlled by a Windows Server 2012 R2, with DHCP. I've been having attacks of DDoS I think, 'cause when I activate "ALLOW REMOTE RE...