sewlist
Frequent Visitor
Topic Author
Posts: 70
Joined: Fri Jun 02, 2006 3:48 pm

Mikrotik icmp traffic from itself?

Tue Jun 04, 2019 9:19 am

I have switched on filter logging on the output chain and I've noticed the router is pinging/IP scanning random IPs from itself.

It has no internet connectivity, but does passthrough traffic for customers.

example on router

chain=output action=log protocol=icmp

logs on router, where my IP is 10.175.0.76

08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->185.176.26.15, len 68
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->185.176.26.15, len 68
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->185.176.26.15, len 68
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->185.176.26.15, len 68
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->185.176.26.15, len 68
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->185.176.26.15, len 68

08:17:34 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->190.224.213.30, len 68
08:17:34 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->114.40.149.130, len 68
08:17:34 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->204.83.181.213, len 68

I have gone through all settings and not seen any intrusion on the router.


Any advice here?


S
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik icmp traffic from itself?

Tue Jun 04, 2019 9:42 am

ICMP type 11 is "Time Exceeded", so this would be packets from those addresses being routed through this router, their TTL reaching zero and the router sending a notification back to them.
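The reading in the reply above can be checked over a whole log. This is an added example, not part of the original posts: it parses RouterOS firewall log lines in the format shown in the thread and separates ICMP messages the router sends in reaction to someone else's packet from probes it would originate itself. The sample lines and the documentation-range destination addresses are constructed.

```python
import re
from collections import Counter

# Subset of IANA ICMPv4 type names relevant to router-originated traffic.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded", 12: "Parameter Problem"}
# Types sent in reaction to a received or forwarded packet, not as a probe.
REACTIVE = {0, 3, 5, 11, 12}

LINE_RE = re.compile(
    r"proto ICMP \(type (?P<type>\d+), code (?P<code>\d+)\), "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+), len (?P<len>\d+)")

def summarize(log_text):
    """Count log lines per (icmp type, code, destination)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # non-ICMP or unrelated log lines are skipped
            counts[(int(m["type"]), int(m["code"]), m["dst"])] += 1
    return counts

def report(counts):
    """Rows of (dst, type name, code, kind, hits), most frequent first.
    For a reactive message, dst is the sender of the triggering packet."""
    rows = []
    for (typ, code, dst), n in counts.most_common():
        kind = "reactive" if typ in REACTIVE else "originated"
        rows.append((dst, ICMP_TYPES.get(typ, f"type {typ}"), code, kind, n))
    return rows

# Constructed sample in the thread's log format (RFC 5737 destinations).
SAMPLE = """\
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->192.0.2.15, len 68
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->192.0.2.15, len 68
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->192.0.2.15, len 68
08:17:34 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->198.51.100.30, len 68
08:17:40 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 8, code 0), 10.175.0.76->203.0.113.7, len 56
08:17:41 system,info log rule added by admin
"""

if __name__ == "__main__":
    for row in report(summarize(SAMPLE)):
        print("%-15s %-16s code=%d %-10s hits=%d" % row)
```

Only "originated" rows (such as Echo Request) would indicate the router itself starting a ping; "reactive" rows like Time Exceeded point at traffic passing through it.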
 
sewlist
Frequent Visitor
Topic Author
Posts: 70
Joined: Fri Jun 02, 2006 3:48 pm

Re: Mikrotik icmp traffic from itself?

Tue Jun 04, 2019 9:57 am

Thank you. I should have looked up ICMP codes.

Will see if I can find the culprit customer/s.

S
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Mikrotik icmp traffic from itself?

Wed Jun 05, 2019 1:34 am

Yes, the MikroTik is originating the reply from the IP based on routing, so I assume your IP of 10.175.0.76 is either an IP meant for management and the router doesn't have a more preferred path on the Internet routing side, or you're using RFC 1918 IPs internally to route traffic to customers. If your routers are inline to customers and you're acting as an ISP, your links should use RFC 6598 address space where you service downstream customers in lieu of public IPv4 space.

Lastly, ensure the correct ICMP messages are egressing your network back towards the destination. This is critical for many functions like path MTU discovery and traceroute.
