выключен
Паразитный трафик на wan интерфейсе
-
xvo
- Сообщения: 4204
- Зарегистрирован: 25 фев 2018, 22:41
- Откуда: Москва
А socks?
Правила dst-nat ещё покажите.
Правила dst-nat ещё покажите.
Telegram: @thexvo
-
xvo
- Сообщения: 4204
- Зарегистрирован: 25 фев 2018, 22:41
- Откуда: Москва
Скриншоты ни о чем мне не скажут, делайте экспорт.
Telegram: @thexvo
-
remalex
- Сообщения: 19
- Зарегистрирован: 05 сен 2023, 21:56
/ip firewall filter
add action=add-src-to-address-list address-list=ddos-black-list address-list-timeout=30m chain=input \
comment=" DDoS - Limit incoming, black list" connection-limit=100,32 disabled=yes in-interface=\
sfp1-wan protocol=tcp
add action=tarpit chain=input comment="DDoS - Hold connections" connection-limit=3,32 disabled=yes \
protocol=tcp src-address-list=ddos-black-list
add action=accept chain=input in-interface=vlan2504-sfp-gaiduk src-address=176.122.19.0/25
add action=accept chain=input src-address=176.122.19.179
add action=accept chain=input disabled=yes in-interface=vlan2504-sfp-gaiduk src-address=10.30.30.0/30
add action=accept chain=forward disabled=yes in-interface=vlan2504-sfp-gaiduk src-address=10.30.30.0/30
add action=accept chain=input disabled=yes in-interface=vlan2504-sfp-gaiduk src-address=10.30.30.8/30
add action=accept chain=forward disabled=yes in-interface=vlan2504-sfp-gaiduk src-address=10.30.30.8/30
add action=accept chain=input disabled=yes in-interface=vlan2504-sfp-gaiduk src-address=10.40.40.0/30
add action=drop chain=forward dst-address-list=!DNS protocol=udp src-address=10.101.104.2 src-port=53
add action=drop chain=forward dst-port=53 in-interface=vlan2504-sfp-gaiduk protocol=udp src-address-list=\
!DNS
add action=drop chain=input dst-port=53 in-interface=vlan2504-sfp-gaiduk protocol=udp src-address-list=!DNS
add action=drop chain=input dst-port=53 protocol=udp src-address-list=!DNS
add action=add-src-to-address-list address-list="dns flood" address-list-timeout=1h chain=input disabled=yes \
dst-address=185.18.111.90 dst-port=53 protocol=udp src-address-list=!allow-list
add action=add-src-to-address-list address-list="dns flood" address-list-timeout=1h chain=forward disabled=\
yes dst-address=176.122.19.0/25 dst-port=53 protocol=udp src-address-list=!allow-list
add action=add-src-to-address-list address-list="dns flood" address-list-timeout=1h chain=input disabled=yes \
dst-address=176.122.19.0/24 dst-port=53 protocol=udp src-address-list=!allow-list
add action=drop chain=forward disabled=yes in-interface=sfp1-wan src-address-list="dns flood"
add action=drop chain=input disabled=yes src-address-list="dns flood"
add action=jump chain=forward comment=" DDos - SYN flood protect" connection-limit=300,32 \
connection-state=new disabled=yes jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect connection-state=new disabled=yes limit=200,5:packet protocol=tcp \
tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new disabled=yes protocol=tcp tcp-flags=syn
add action=accept chain=input comment=l2tp disabled=yes port=1701,500,4500 protocol=udp
add action=jump chain=input connection-state=new disabled=yes in-interface=sfp1-wan jump-target=SYN-Protect \
protocol=tcp tcp-flags=syn
add action=accept chain=input comment=IPsec disabled=yes protocol=ipsec-esp
add action=jump chain=forward disabled=yes jump-target=reductor_forward
add action=jump chain=forward disabled=yes jump-target=reductor_forward
add action=drop chain=input src-address-list=!allow-list
add action=drop chain=forward disabled=yes dst-address=176.122.19.0/25 protocol=udp src-port=53
add action=drop chain=reductor_forward comment=reductor_ip_block dst-address-list=reductor_ip_block_list
add action=drop chain=forward in-interface=vlan2504-sfp-gaiduk src-address-list=drop_list
add action=drop chain=forward dst-address-list=drop_list out-interface=vlan2504-sfp-gaiduk
add action=add-src-to-address-list address-list=ddos-black-list address-list-timeout=30m chain=input \
comment=" DDoS - Limit incoming, black list" connection-limit=100,32 disabled=yes in-interface=\
sfp1-wan protocol=tcp
add action=tarpit chain=input comment="DDoS - Hold connections" connection-limit=3,32 disabled=yes \
protocol=tcp src-address-list=ddos-black-list
add action=accept chain=input in-interface=vlan2504-sfp-gaiduk src-address=176.122.19.0/25
add action=accept chain=input src-address=176.122.19.179
add action=accept chain=input disabled=yes in-interface=vlan2504-sfp-gaiduk src-address=10.30.30.0/30
add action=accept chain=forward disabled=yes in-interface=vlan2504-sfp-gaiduk src-address=10.30.30.0/30
add action=accept chain=input disabled=yes in-interface=vlan2504-sfp-gaiduk src-address=10.30.30.8/30
add action=accept chain=forward disabled=yes in-interface=vlan2504-sfp-gaiduk src-address=10.30.30.8/30
add action=accept chain=input disabled=yes in-interface=vlan2504-sfp-gaiduk src-address=10.40.40.0/30
add action=drop chain=forward dst-address-list=!DNS protocol=udp src-address=10.101.104.2 src-port=53
add action=drop chain=forward dst-port=53 in-interface=vlan2504-sfp-gaiduk protocol=udp src-address-list=\
!DNS
add action=drop chain=input dst-port=53 in-interface=vlan2504-sfp-gaiduk protocol=udp src-address-list=!DNS
add action=drop chain=input dst-port=53 protocol=udp src-address-list=!DNS
add action=add-src-to-address-list address-list="dns flood" address-list-timeout=1h chain=input disabled=yes \
dst-address=185.18.111.90 dst-port=53 protocol=udp src-address-list=!allow-list
add action=add-src-to-address-list address-list="dns flood" address-list-timeout=1h chain=forward disabled=\
yes dst-address=176.122.19.0/25 dst-port=53 protocol=udp src-address-list=!allow-list
add action=add-src-to-address-list address-list="dns flood" address-list-timeout=1h chain=input disabled=yes \
dst-address=176.122.19.0/24 dst-port=53 protocol=udp src-address-list=!allow-list
add action=drop chain=forward disabled=yes in-interface=sfp1-wan src-address-list="dns flood"
add action=drop chain=input disabled=yes src-address-list="dns flood"
add action=jump chain=forward comment=" DDos - SYN flood protect" connection-limit=300,32 \
connection-state=new disabled=yes jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect connection-state=new disabled=yes limit=200,5:packet protocol=tcp \
tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new disabled=yes protocol=tcp tcp-flags=syn
add action=accept chain=input comment=l2tp disabled=yes port=1701,500,4500 protocol=udp
add action=jump chain=input connection-state=new disabled=yes in-interface=sfp1-wan jump-target=SYN-Protect \
protocol=tcp tcp-flags=syn
add action=accept chain=input comment=IPsec disabled=yes protocol=ipsec-esp
add action=jump chain=forward disabled=yes jump-target=reductor_forward
add action=jump chain=forward disabled=yes jump-target=reductor_forward
add action=drop chain=input src-address-list=!allow-list
add action=drop chain=forward disabled=yes dst-address=176.122.19.0/25 protocol=udp src-port=53
add action=drop chain=reductor_forward comment=reductor_ip_block dst-address-list=reductor_ip_block_list
add action=drop chain=forward in-interface=vlan2504-sfp-gaiduk src-address-list=drop_list
add action=drop chain=forward dst-address-list=drop_list out-interface=vlan2504-sfp-gaiduk
-
xvo
- Сообщения: 4204
- Зарегистрирован: 25 фев 2018, 22:41
- Откуда: Москва
Не та секция: /ip firewall nat
Telegram: @thexvo
-
remalex
- Сообщения: 19
- Зарегистрирован: 05 сен 2023, 21:56
add action=netmap chain=dstnat disabled=yes dst-port=53 protocol=tcp src-address=!10.101.104.2 to-addresses=10.101.104.2 to-ports=53
add action=netmap chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=!10.101.104.2 to-addresses=10.101.104.2 to-ports=53
add action=src-nat chain=srcnat comment=office dst-address-list=!LOCAL src-address=192.168.10.122 to-addresses=176.122.19.250
add action=src-nat chain=srcnat comment=office dst-address-list=!LOCAL src-address=192.168.10.0/24 to-addresses=176.122.19.129
add action=src-nat chain=srcnat comment=CM+ disabled=yes src-address=192.168.11.0/24 to-addresses=176.122.19.141
add action=src-nat chain=srcnat comment=DNS dst-address-list=!LOCAL src-address=10.101.104.2 to-addresses=176.122.19.129
add action=masquerade chain=srcnat comment=l2tp disabled=yes out-interface=sfp1-wan src-address=10.90.91.0/24
add action=dst-nat chain=dstnat comment="Carbon Reductor" disabled=yes dst-port=9998 in-interface=sfp1-wan protocol=tcp to-addresses=192.168.10.122 to-ports=22
add action=netmap chain=dstnat dst-address-list=reductor_ip_block_list protocol=tcp to-addresses=192.168.10.122 to-ports=80
add action=dst-nat chain=dstnat dst-address=176.122.19.129 dst-port=2221 protocol=tcp to-addresses=192.168.10.122 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-address=176.122.19.129 dst-port=8080 protocol=tcp to-addresses=192.168.10.122 to-ports=8080
add action=dst-nat chain=dstnat disabled=yes dst-address=176.122.19.129 dst-port=8081 protocol=tcp to-addresses=192.168.10.122 to-ports=8081
add action=dst-nat chain=dstnat disabled=yes dst-address=176.122.19.129 dst-port=8083 protocol=tcp to-addresses=192.168.10.122 to-ports=8083
add action=dst-nat chain=dstnat comment=zabbix disabled=yes dst-address=176.122.19.129 dst-port=8090 protocol=tcp to-addresses=10.101.104.2 to-ports=80
add action=dst-nat chain=dstnat comment=zabbix disabled=yes dst-address=176.122.19.129 dst-port=10051 protocol=tcp to-addresses=10.101.104.2 to-ports=10051
add action=dst-nat chain=dstnat disabled=yes dst-address=176.122.19.129 dst-port=9090 protocol=tcp to-addresses=192.168.10.122 to-ports=9090
add action=dst-nat chain=dstnat disabled=yes dst-address=176.122.19.129 dst-port=10000 protocol=tcp to-addresses=192.168.10.122 to-ports=10000
add action=netmap chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=!10.101.104.2 to-addresses=10.101.104.2 to-ports=53
add action=src-nat chain=srcnat comment=office dst-address-list=!LOCAL src-address=192.168.10.122 to-addresses=176.122.19.250
add action=src-nat chain=srcnat comment=office dst-address-list=!LOCAL src-address=192.168.10.0/24 to-addresses=176.122.19.129
add action=src-nat chain=srcnat comment=CM+ disabled=yes src-address=192.168.11.0/24 to-addresses=176.122.19.141
add action=src-nat chain=srcnat comment=DNS dst-address-list=!LOCAL src-address=10.101.104.2 to-addresses=176.122.19.129
add action=masquerade chain=srcnat comment=l2tp disabled=yes out-interface=sfp1-wan src-address=10.90.91.0/24
add action=dst-nat chain=dstnat comment="Carbon Reductor" disabled=yes dst-port=9998 in-interface=sfp1-wan protocol=tcp to-addresses=192.168.10.122 to-ports=22
add action=netmap chain=dstnat dst-address-list=reductor_ip_block_list protocol=tcp to-addresses=192.168.10.122 to-ports=80
add action=dst-nat chain=dstnat dst-address=176.122.19.129 dst-port=2221 protocol=tcp to-addresses=192.168.10.122 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-address=176.122.19.129 dst-port=8080 protocol=tcp to-addresses=192.168.10.122 to-ports=8080
add action=dst-nat chain=dstnat disabled=yes dst-address=176.122.19.129 dst-port=8081 protocol=tcp to-addresses=192.168.10.122 to-ports=8081
add action=dst-nat chain=dstnat disabled=yes dst-address=176.122.19.129 dst-port=8083 protocol=tcp to-addresses=192.168.10.122 to-ports=8083
add action=dst-nat chain=dstnat comment=zabbix disabled=yes dst-address=176.122.19.129 dst-port=8090 protocol=tcp to-addresses=10.101.104.2 to-ports=80
add action=dst-nat chain=dstnat comment=zabbix disabled=yes dst-address=176.122.19.129 dst-port=10051 protocol=tcp to-addresses=10.101.104.2 to-ports=10051
add action=dst-nat chain=dstnat disabled=yes dst-address=176.122.19.129 dst-port=9090 protocol=tcp to-addresses=192.168.10.122 to-ports=9090
add action=dst-nat chain=dstnat disabled=yes dst-address=176.122.19.129 dst-port=10000 protocol=tcp to-addresses=192.168.10.122 to-ports=10000
-
Illinory
- Сообщения: 100
- Зарегистрирован: 23 окт 2019, 15:08
На Ваш микротик провайдер маршрутизирует всю 176.122.19.0/24 или часть адресов?
Или Вы сами провайдер и анонсите куда-то 176.122.19.0/24 или ее часть?
Или Вы сами провайдер и анонсите куда-то 176.122.19.0/24 или ее часть?
-
remalex
- Сообщения: 19
- Зарегистрирован: 05 сен 2023, 21:56
Мы получаем канал по BGP, 176.122.19.0/24 наши адреса
есть два роутера в сети первый, который подключен по BGP и второй (проблемный) на него идет часть адресов
-
Illinory
- Сообщения: 100
- Зарегистрирован: 23 окт 2019, 15:08
Имхо, у вас возникает петля маршрутизации.
Вам нужен маршрут 176.122.19.0/24 на blackhole, чтобы трафик по TTL там не умирал просто.