I have many packets 34916 sent via PPPoE client interface.
Posted: Tue Jul 07, 2015 9:04 am
by harn2412
I have a new hAP router with RouterOS v6.29.1.
I set up the internet with a PPPoE client using the WinBox tool (without the default config and not the easy setup).
Everything worked fine for 1 day. But after that I see the Tx of the PPPoE client link go up without reason (I don't have any traffic from the internal LAN) and the CPU works more.
I have used the sniffer tool in WinBox to check, and see many packets 34916 sent from my internet card's MAC address to another MAC.
Does anyone know why this happens? Please tell me, thank you so much.
Posted: Tue Jul 07, 2015 9:10 am
by jarda
What port is the traffic from? If it is 53, secure your dns service by firewall rules.
Re:
Posted: Tue Jul 07, 2015 1:05 pm
by harn2412
> What port is the traffic from? If it is 53, secure your dns service by firewall rules.
Thank you for your help.
Could you show me the sample code or where I can get one, please?
And I don't see any packets that have source or dest port 53. This is the image of 1 packet I got.
The Src. MAC Address is my internet card on hAP.
Posted: Tue Jul 07, 2015 1:18 pm
by jarda
Can't see the picture on mobile for some reason. Will have a look later. See the torch and profiler meanwhile to know more about the traffic and what consumes the CPU. Is the line exhausted by the traffic?
Re: I have many packets 34916 sent via PPPoE client interface.
Posted: Tue Jul 07, 2015 4:55 pm
by Ape
Hi,
in WinBox, go to "Interfaces", open the PPPoE interface window by double-clicking and click on "Torch".
There you can see what traffic is flowing on this interface.
The next steps depend on what kind of traffic you'll see.
Ape
Re:
Posted: Tue Jul 07, 2015 5:59 pm
by harn2412
> Can't see the picture on mobile for some reason. Will have a look later. See the torch and profiler meanwhile to know more about the traffic and what consumes the CPU. Is the line exhausted by the traffic?
> Hi,
> in WinBox, go to "Interfaces", open the PPPoE interface window by double-clicking and click on "Torch".
> There you can see what traffic is flowing on this interface.
> The next steps depend on what kind of traffic you'll see.
> Ape
Thanks for your reply.
I have rebooted the hAP and the Tx traffic via the PPPoE interface is normal now. So I will test with "torch" if the problem comes again.
And the traffic does not fill my Tx bandwidth (it's only 2-5Mbps out of 21Mbps).
The problem happens after running 1 day so it'll take a little time to know.
Re:
Posted: Tue Jul 14, 2015 5:33 am
by harn2412
> What port is the traffic from? If it is 53, secure your dns service by firewall rules.
Yeah, you're right. Today, I had the same problem and I used "Torch" and saw many UDP packets sent to my DNS from WAN.
I have made a firewall rule to block UDP packets sent to port 53 from the internet.
Could you show me some other firewall rules to protect my router?
Thank you so much.
Re: I have many packets 34916 sent via PPPoE client interface.
Posted: Tue Jul 14, 2015 11:06 am
by jarda
see this:
http://wiki.mikrotik.com/wiki/Securing_ ... rOs_Router
http://wiki.mikrotik.com/wiki/DDoS_Dete ... d_Blocking
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
http://wiki.mikrotik.com/wiki/Basic_uni ... all_script
http://wiki.mikrotik.com/wiki/Manual:IP ... c_examples
and finally:
http://wiki.mikrotik.com/wiki/DDoS
You could find these pages using Google too.
My approach to port 53 in input chain from wan interface is to drop udp and tarpit tcp.
Using also bruteforce login prevention. And all other rules are mainly individual to my needs according to the places where the routers are and what traffic should pass thru. No one can give you a general "secure" rule set that could fit your needs.
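The port 53 approach described in the post above (drop UDP and tarpit TCP in the input chain from the WAN interface), written out as RouterOS commands. This is an added example, not part of the original thread; the interface name `pppoe-out1` is an assumption, so substitute the name of your own PPPoE client interface.

```routeros
# Added example. Assumptions: the WAN interface is the PPPoE client named
# "pppoe-out1", and these rules sit above any rule that accepts port 53.
/ip firewall filter
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 action=drop \
    comment="drop DNS queries arriving from WAN (UDP)"
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 action=tarpit \
    comment="tarpit DNS connections arriving from WAN (TCP)"

# Check: the packet counters on the two rules should keep increasing while
# Torch on pppoe-out1 still shows inbound UDP to port 53, and the Tx rate
# on the PPPoE interface should fall back to normal.
/ip firewall filter print stats where chain=input

# Check whether the router answers DNS for other hosts at all. LAN clients
# that use the router as their resolver need allow-remote-requests=yes, in
# which case the two rules above are what keeps WAN hosts from querying it.
/ip dns print
```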
Re: I have many packets 34916 sent via PPPoE client interface.
Posted: Tue Jul 14, 2015 1:08 pm
by harn2412
Thanks for your reply.
Much useful information.
I will research and find something I can use for my router.