I've recently installed Marius YO2LOJ's RIPv2 AMPR Gateway Setup Script 2.2 on a Mikrotik RB450G. RouterOS is version 6.37.3, I have 44.131.56.241 configured on the ucsd-gw interface and 44.131.56.9/29 on ether5 for my LAN. It seems to work well and I can access 44net hosts from a 44net machine on the LAN.
I'm filtering traffic on the WAN interface of the router to only permit ipip traffic, however I still see traffic from outside 44/8 - mainly tcp syn packets to port 23 appearing on the LAN. These must be coming down via a tunnel and I'd like to filter them out. I've implemented an output rule to permit traffic from 44/8 to 44/8 and drop everything else, applied this to ether5. Is there a better way to implement this? I would like to filter on the WAN side but that would mean a firewall input rule on every tunnel.
Thanks,
Hi Nick,
You do not need to filter every tunnel.
Traffic via the tunnels comes only from their endpoints, which are all 44-net machines.
The only tunnel from which you receive traffic from non-44 sources is the ampr-gw tunnel itself.
The best way to achieve this is to use 2 rules in the forward chain:
1. Accept established/related traffic using ampr-gw as input interface (if you need outgoing traffic to the public internet)
2. Drop all the rest for input interface ampr-gw
If you do not want traffic to public IPs from your 44 addresses, just drop all forwarding from/to the ampr-gw tunnel.
Marius, YO2LOJ
On 2016-12-10 15:05, Nick G4IRX wrote:
(Please trim inclusions from previous messages) _______________________________________________ I've recently installed Marius YO2LOJ's RIPv2 AMPR Gateway Setup Script 2.2 on a Mikrotik RB450G. RouterOS is version 6.37.3, I have 44.131.56.241 configured on the ucsd-gw interface and 44.131.56.9/29 on ether5 for my LAN. It seems to work well and I can access 44net hosts from a 44net machine on the LAN.
I'm filtering traffic on the WAN interface of the router to only permit ipip traffic, however I still see traffic from outside 44/8 - mainly tcp syn packets to port 23 appearing on the LAN. These must be coming down via a tunnel and I'd like to filter them out. I've implemented an output rule to permit traffic from 44/8 to 44/8 and drop everything else, applied this to ether5. Is there a better way to implement this? I would like to filter on the WAN side but that would mean a firewall input rule on every tunnel.
Thanks,
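The two forward-chain rules described above, written out in RouterOS 6.x CLI syntax. This is an added example, not a command set from either poster or from the setup script; it assumes the gateway tunnel interface is named ucsd-gw as in Nick's configuration (Marius refers to it as ampr-gw), and the comment and log-prefix strings are arbitrary labels.

```routeros
# Added example (not from the thread): Marius's two forward-chain rules in
# RouterOS 6.x syntax. Tunnel interface name ucsd-gw is assumed from Nick's
# setup; substitute your own. Comment/log-prefix strings are arbitrary labels.
/ip firewall filter

# 1. Let replies back in for sessions that LAN hosts opened towards the public
#    Internet through the gateway tunnel (only needed if you want such traffic).
add chain=forward in-interface=ucsd-gw connection-state=established,related \
    action=accept comment="ampr-gw: return traffic for LAN-initiated sessions"

# 2. Drop everything else arriving through the gateway tunnel. This is what
#    stops unsolicited SYNs from non-44 sources reaching the LAN. Logging is
#    optional but confirms the rule is matching.
add chain=forward in-interface=ucsd-gw action=drop log=yes \
    log-prefix="ampr-gw-drop" comment="ampr-gw: drop unsolicited inbound"

# Alternative for a LAN that should never exchange traffic with public IPs
# ("just drop all forwarding from/to the ampr-gw tunnel"): use these two
# instead of rules 1 and 2.
# add chain=forward in-interface=ucsd-gw action=drop comment="no inbound via ampr-gw"
# add chain=forward out-interface=ucsd-gw action=drop comment="no outbound via ampr-gw"
```

Rule order matters in the forward chain: the drop must sit below any established/related accept (a general one without in-interface, as Nick already has, serves the same purpose as rule 1) but above any broad accept rule that would otherwise let tunnel traffic through. After adding the rules, `/ip firewall filter print stats` shows the per-rule packet counters, and `/log print where message~"ampr-gw-drop"` lists what the drop rule caught.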
Hi Marius,
Thanks for your reply.
I already have a rule to accept established/related traffic. I've added one to the end of the forward chain as you suggested. The blocked traffic is being logged in the router log.
/ip firewall filter chain=forward action=drop in-interface=ucsd-gw log=yes log-prefix=""
73 Nick.
On 10/12/2016 13:35, Marius Petrescu wrote:
You do not need to filter every tunnel.
Traffic via the tunnels comes only from their endpoints, which are all 44-net machines.
The only tunnel from which you receive traffic from non-44 sources is the ampr-gw tunnel itself.
The best way to achieve this is to use 2 rules in the forward chain:
- Accept established/related traffic using ampr-gw as input interface (if you need outgoing traffic to the public internet)
- Drop all the rest for input interface ampr-gw
If you do not want traffic to public IPs from your 44 addresses, just drop all forwarding from/to the ampr-gw tunnel.
Marius, YO2LOJ
On 2016-12-10 15:05, Nick G4IRX wrote:
I've recently installed Marius YO2LOJ's RIPv2 AMPR Gateway Setup Script 2.2 on a Mikrotik RB450G. RouterOS is version 6.37.3, I have 44.131.56.241 configured on the ucsd-gw interface and 44.131.56.9/29 on ether5 for my LAN. It seems to work well and I can access 44net hosts from a 44net machine on the LAN.
I'm filtering traffic on the WAN interface of the router to only permit ipip traffic, however I still see traffic from outside 44/8 - mainly tcp syn packets to port 23 appearing on the LAN. These must be coming down via a tunnel and I'd like to filter them out. I've implemented an output rule to permit traffic from 44/8 to 44/8 and drop everything else, applied this to ether5. Is there a better way to implement this? I would like to filter on the WAN side but that would mean a firewall input rule on every tunnel.
Thanks,
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net