 
marvin
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

AP keeps locking up

Thu Apr 28, 2005 2:25 am

I have this filter in my firewall settings from the howto. Any other suggestion to see if it's an ip type of problem?

/ip firewall rule input add connection-state=invalid action=drop \
comment="Drop invalid connections"
/ip firewall rule input add connection-state=established \
comment="Allow established connections"
/ip firewall rule input add connection-state=related \
comment="Allow related connections"
/ip firewall rule input add protocol=udp comment="Allow UDP"
/ip firewall rule input add protocol=icmp comment="Allow ICMP Ping"
/ip firewall rule input add src-address=192.168.0.0/24 \
comment="Allow access from our local network."
/ip firewall rule input add src-address=192.168.5.0/24
/ip firewall rule input add src-address=192.168.60.0/24
/ip firewall rule input add src-address=192.168.0.0/24 protocol=tcp dst-port=8080 \
comment="This is web proxy service for our customers.!"
/ip firewall rule input add src-address=192.168.5.0/24 protocol=tcp dst-port=8080
/ip firewall rule input add src-address=192.168.60.0/24 protocol=tcp dst-port=8080
/ip firewall rule input add action=drop log=yes \
comment="Log and drop everything else"

But it still does not seem to help. Though I noticed in syslog that there was a major spam of the line below...

wlan2 - sector: unauth or missing data sender, 00:10:E7:F5:C5:E4

Now, this is not one of our users, but the problem is it doesn't even have time to show the normal disconnected message; it just shows that line over 80 times. Possible virus or trojan on that person's system that could be causing this lockup? And if so, is there any other filter or firewall setting we could implement to protect us from this happening again? It's locked up over 3 times in the past several hours already.
 
marvin
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Thu Apr 28, 2005 3:26 am

Possible cause: there is a MAC address that is connecting and disconnecting so fast that the log file is full of nothing but it within a minute. I believe it's happening so fast that eventually it locks up. How can we stop this? I set that MAC in the authorization table not to authenticate or forward, but that doesn't prevent it from initially connecting.
 
dwright
Member Candidate
Posts: 158
Joined: Fri May 28, 2004 1:10 pm
Location: Mchenry, Il

Fri Apr 29, 2005 8:21 am

That MAC address is registered to Breeze Com, also known as Alvarion.

BreezeACCESS™ II systems operate in Time Division Duplex (TDD) mode utilizing Frequency Hopping. Could be the reason that it is filling up your log file.
They also carry a line called the BreezeNet, which is DS.

Do you have any competitors in your area using this equipment? It isn't cheap, so it most likely isn't used in a home-based setup.

I am getting that same error from one of our clients. We just replaced an AP with MikroTik and one customer won't associate. Haven't confirmed, but it might be the particular CPE we are using. Waiting to hear what that error means in detail.
 
marvin
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Fri Apr 29, 2005 4:37 pm

Yes, we do have a competitor, and no, he's not using FS, but he could be intentionally trying to kill our AP since he doesn't use FS himself, but he is an asshole and won't play nice. So it's very possible he's intentionally doing this. He doesn't like us because we don't charge $60/month for the service and almost $400 for equipment, so he's not happy with us and has put up AP to purposely block our towers already.
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Re: AP keeps locking up

Fri Apr 29, 2005 6:04 pm

wlan2 - sector: unauth or missing data sender, 00:10:E7:F5:C5:E4
This is just a wild guess, but I would think that log entry said it picked up a packet from a unit transmitting on the same channel.
Something which happens every day (and happened before you upgraded).
I don't see how a message about the wireless system has anything to do with the firewall.
 
marvin
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Fri Apr 29, 2005 7:37 pm

Sten, I was saying that it was spamming so fast that it didn't even have a chance to be disconnected by the system. I see normal messages like that every day, but it takes a few seconds to reconnect and be disconnected. This was so fast that the lines just flew by, and the last time it happened it was over 200 times. I couldn't even begin to count how much over, except that I could barely read the lines, the messages were happening so fast. Could some type of trojan or virus cause messages or someone's client to act like that? And I was asking if there is some type of filter or firewall setting I could do to help protect against it, because it eventually seems to cause the MikroTik AP to completely lock up.
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Fri Apr 29, 2005 9:03 pm

Unless there have been major advances that I don't know about (which is not too unlikely), then it is not a virus.
Many clients are configured to first do a full scan, attempting to connect if the AP permits. If not able to connect, it tries the next one. If a client is badly programmed, or is programmed to connect to that one specific AP and only that one, it might retry connecting as many times as it wants without doing the full scan.
Could be a malicious user, could be badly behaving clients.
I'd go with "Never attribute to malice what can adequately be explained by incompetence." (i.e. badly behaved clients).
 
marvin
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Sat Apr 30, 2005 9:50 am

Hmm.. OK, I see in the log file that I set up that I am getting attacked. How do I tell the log to dump itself when it's full? I'm getting a ton of emails saying log full..

Apr/30/2005 01:02:27
TearDrop Attack Detect src:64.224.17.144:53065 dst:68.202.46.225:48818 Packet Dropped
Apr/30/2005 01:02:27
TearDrop Attack Detect src:64.224.17.144:44513 dst:68.202.46.225:45373 Packet Dropped
Apr/30/2005 01:02:27
TearDrop Attack Detect src:64.224.17.144:33129 dst:68.202.46.225:4928 Packet Dropped
Apr/30/2005 01:02:27
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Sat Apr 30, 2005 11:12 pm

Hmm.. OK, I see in the log file that I set up that I am getting attacked. How do I tell the log to dump itself when it's full? I'm getting a ton of emails saying log full..

Apr/30/2005 01:02:27
TearDrop Attack Detect src:64.224.17.144:53065 dst:68.202.46.225:48818 Packet Dropped
Apr/30/2005 01:02:27
TearDrop Attack Detect src:64.224.17.144:44513 dst:68.202.46.225:45373 Packet Dropped
Apr/30/2005 01:02:27
TearDrop Attack Detect src:64.224.17.144:33129 dst:68.202.46.225:4928 Packet Dropped
Apr/30/2005 01:02:27
Log is full? I have never gotten that message before.

This attack could easily explain why a client keeps connecting and then disconnecting. Equipment does that when the amount trying to be pushed through it is greater than what it can deliver.

About the attack, you can either drop all fragments in a core router (which will impact the service you deliver) or additionally shape all traffic to any of the IPs to an upper limit. If your customers have a 1-4 mbit service, then perhaps shape each IP to 5 mbit download on the core gateway such that no attack against one IP can bring the network down. This is in addition to shaping their service to real speed on the AP (or wherever you do that).

You could potentially get a firewall that would filter out bad fragments but let good fragments through, but that would still leave the network open to unknown attacks, and you would have to run a stateful firewall, which in itself is a weakness.
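
Added example, not part of any post in this thread: a small Python triage script for the two log formats quoted above, counting events per wireless sender MAC and per source/destination IP pair so the noisy source and the targeted IP (the one to shape or filter upstream) stand out. The sample text is constructed from the lines in the posts, and the script assumes each timestamp line precedes its message, as in the pasted log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the two formats quoted in the thread.
SAMPLE = """\
wlan2 - sector: unauth or missing data sender, 00:10:E7:F5:C5:E4
wlan2 - sector: unauth or missing data sender, 00:10:E7:F5:C5:E4
wlan2 - sector: unauth or missing data sender, 00:10:E7:F5:C5:E4
Apr/30/2005 01:02:27
TearDrop Attack Detect src:64.224.17.144:53065 dst:68.202.46.225:48818 Packet Dropped
Apr/30/2005 01:02:27
TearDrop Attack Detect src:64.224.17.144:44513 dst:68.202.46.225:45373 Packet Dropped
Apr/30/2005 01:02:28
TearDrop Attack Detect src:64.224.17.144:33129 dst:68.202.46.225:4928 Packet Dropped
Apr/30/2005 01:02:28
"""

WLAN_RE = re.compile(r"unauth or missing data sender, ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
TEAR_RE = re.compile(r"TearDrop Attack Detect src:([\d.]+):\d+ dst:([\d.]+):\d+")
TS_RE = re.compile(r"^[A-Z][a-z]{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")

def summarize(text):
    """Count events per wireless MAC and per (src, dst) IP pair, plus per-second peaks."""
    macs, pairs = Counter(), Counter()
    per_second = defaultdict(Counter)    # src IP -> {timestamp: events}
    last_ts = None
    for raw in text.splitlines():
        line = raw.strip()
        if TS_RE.match(line):
            last_ts = line               # assumed to belong to the next message
        elif m := WLAN_RE.search(line):
            macs[m.group(1).upper()] += 1
        elif m := TEAR_RE.search(line):
            src, dst = m.groups()
            pairs[(src, dst)] += 1
            per_second[src][last_ts] += 1
            last_ts = None               # a trailing or stale timestamp is not reused
    peaks = {src: max(c.values()) for src, c in per_second.items()}
    return macs, pairs, peaks

def noisy(counter, threshold):
    """Keys seen at least `threshold` times, busiest first."""
    return [(k, n) for k, n in counter.most_common() if n >= threshold]

if __name__ == "__main__":
    macs, pairs, peaks = summarize(SAMPLE)
    print("wireless senders:", noisy(macs, 3))
    print("teardrop src->dst:", noisy(pairs, 3))
    print("peak drops per second:", peaks)
```
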