
Mikrotik icmp traffic from itself?

Posted: Tue Jun 04, 2019 9:19 am
by sewlist
I have switched on filter logging on the output chain and I've noticed the router is pinging/IP scanning random IPs from itself.

It has no internet connectivity, but does pass through traffic for customers.

example on router

chain=output action=log protocol=icmp

logs on router, where my IP is 10.175.0.76

08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->185.176.26.15, len 68
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->185.176.26.15, len 68
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->185.176.26.15, len 68
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->185.176.26.15, len 68
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->185.176.26.15, len 68
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->185.176.26.15, len 68

08:17:34 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->190.224.213.30, len 68
08:17:34 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->114.40.149.130, len 68
08:17:34 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->204.83.181.213, len 68

I have gone through all settings and not seen any intrusion on the router.


Any advice here?


S

Re: Mikrotik icmp traffic from itself?

Posted: Tue Jun 04, 2019 9:42 am
by Sob
ICMP type 11 is "Time Exceeded", so this would be packets from those addresses being routed through this router, their TTL reaching zero and the router sending a notification back to them.
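
The distinction made in the reply above, as an added example that is not part of the thread: a Python parser for firewall log lines in the format shown in the first post, separating ICMP error messages (such as type 11, sent in reaction to forwarded packets) from other ICMP such as Echo Request (type 8), which is what actual pinging from the router would look like. The sample lines are constructed with documentation addresses, the function and field names are assumptions, and the pattern assumes no log prefix is configured.

```python
import re
from collections import Counter

# ICMP error messages (RFC 1122, section 3.2.2): sent in reaction to someone
# else's packet. Type 11 is Time Exceeded; type 8 (Echo Request) is a real ping.
ERROR_TYPES = {3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
               11: "Time Exceeded", 12: "Parameter Problem"}

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<chain>\w+): "
    r"in:(?P<in_if>.+?) out:(?P<out_if>[^,]+), proto ICMP "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\), "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+), len (?P<len>\d+)$")

# Constructed sample lines in the format shown in the post (documentation IPs).
SAMPLE_LOG = """\
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->192.0.2.15, len 68
08:16:16 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->192.0.2.15, len 68
08:17:34 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.175.0.76->198.51.100.30, len 68
08:18:02 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 8, code 0), 10.175.0.76->203.0.113.9, len 56
08:18:05 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 3, code 4), 10.175.0.76->198.51.100.30, len 68
"""

def parse(line):
    """Return the fields of one ICMP firewall log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(type=int(rec["type"]), code=int(rec["code"]), len=int(rec["len"]))
    return rec

def classify(text):
    """Count ICMP error replies per (type name, destination) and all other
    ICMP (queries and query replies) per (type number, destination)."""
    reactive, other = Counter(), Counter()
    for rec in filter(None, map(parse, text.splitlines())):
        if rec["type"] in ERROR_TYPES:
            reactive[(ERROR_TYPES[rec["type"]], rec["dst"])] += 1
        else:
            other[(rec["type"], rec["dst"])] += 1
    return reactive, other

if __name__ == "__main__":
    reactive, other = classify(SAMPLE_LOG)
    for (name, dst), n in reactive.most_common():
        print(f"error reply  {name:<24} -> {dst:<15} x{n}")
    for (icmp_type, dst), n in other.most_common():
        print(f"non-error    ICMP type {icmp_type:<13} -> {dst:<15} x{n}")
```

The destinations in the error-reply group are the senders of the packets that expired or were rejected at the router, not hosts the router chose to contact.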

Re: Mikrotik icmp traffic from itself?

Posted: Tue Jun 04, 2019 9:57 am
by sewlist
Thank you. I should have looked up ICMP codes.

Will see if I can find the culprit customer/s.

S

Re: Mikrotik icmp traffic from itself?

Posted: Wed Jun 05, 2019 1:34 am
by idlemind
Yes, the MikroTik is originating the reply from the IP based on routing, so I assume your IP of 10.175.0.76 is either an IP meant for management and the router doesn't have a more preferred path on the Internet routing side, or you're using RFC 1918 IPs internally to route traffic to customers. If your routers are inline to customers and you're acting as an ISP, your links should use RFC 6598 address space where you service downstream customers in lieu of public IPv4 space.

Lastly, ensure the correct ICMP messages are egressing your network back towards the destination. This is critical for many functions like path MTU discovery and traceroute.