It's hard to say without seeing what you're seeing and where you're seeing it.

Your router presumably has a default route, so if it receives a packet destined for 192.168.2.1, then that's where it will send it. If you aren't filtering that traffic, then it could make it all the way to your egress by following default routes (where your upstream probably drops it). You're the default route for your customer's router, so the same applies for them. Weird destination IP? Send it to default route.



------ Original Message ------
From: "Steve Jones" <[email protected]>
To: "[email protected]" <[email protected]>
Sent: 6/13/2017 10:14:27 PM
Subject: Re: [AFMUG] mikrotik arp and 192.168.x.x

Yep, but those subnets aren't present on the network. First step on installation of a new mikrotik is default, remove config. There's no routes in the tables to these subnets, and other than when I toss it on for testing those subnets don't exist anywhere in the network.


On Tue, Jun 13, 2017 at 8:32 PM, [email protected] <[email protected]> wrote:
Are you redistributing connected and/or static routes by chance?

On Tue, Jun 13, 2017 at 4:40 PM, Steve Jones <[email protected]> wrote:
I don't know if this is normal to see or what. I can't figure it out.
We have sites that are all isolated by mikrotiks and use OSPF between them.

What I'm seeing is stuff like site A having a customer on 1.2.3.4 at both sites A and B I'm seeing conversations between 1.2.3.4 from site A and 192.168.2.1 at site B. Site B does not have the 192.168.2 subnet even present. When I put an IP in that subnet on site B mikrotik I see a MAC matching that IP; it is also present for an actual customer, we will say 5.6.7.8.

I'm wondering if there isn't some form of tunnel between these two customers isolated by multiple routers that is leaking internal traffic out or something of that nature. I'm currently dropping that traffic now, I should have been from the get go, but what I don't understand is how, with no routes or subnets present, this communication is even happening.

Scared me assumes the CIA hacked all my mikrotiks, then hijacked customer routers and are somehow using my network to mine bitcoin to fund black site operations. Reality tells me it's misconfiguration somewhere on my part.

any ideas?

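Added example, not part of the original thread: a small longest-prefix-match simulation of the default-route behaviour described in the first reply, with and without a drop rule for private destinations. The router names, /24 prefixes and topology are constructed for illustration; the addresses are the placeholders used in the thread.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed topology: router name -> [(prefix, next hop)].
# No router carries a route for 192.168.2.0/24; each has only a default.
ROUTERS = {
    "customer-cpe": [("0.0.0.0/0", "site-a")],
    "site-a": [("1.2.3.0/24", "connected"), ("5.6.7.0/24", "site-b"),
               ("0.0.0.0/0", "edge")],
    "site-b": [("5.6.7.0/24", "connected"), ("1.2.3.0/24", "site-a"),
               ("0.0.0.0/0", "edge")],
    "edge": [("1.2.3.0/24", "site-a"), ("5.6.7.0/24", "site-b"),
             ("0.0.0.0/0", "upstream")],
}

def best_route(routes, addr):
    """Longest-prefix match; returns (network, next_hop) or None."""
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def trace(dst, start, filtered=()):
    """Follow next hops from `start`. Routers named in `filtered` drop
    private destinations that would only match their default route."""
    addr = ipaddress.ip_address(dst)
    path, node = [], start
    while node in ROUTERS:
        path.append(node)
        route = best_route(ROUTERS[node], addr)
        if route is None:
            return path + ["no route"]
        net, next_hop = route
        if (node in filtered and net.prefixlen == 0
                and any(addr in p for p in RFC1918)):
            return path + ["dropped"]
        if next_hop == "connected":
            return path + ["delivered"]
        node = next_hop
    return path + [node]  # left the modelled network

if __name__ == "__main__":
    print(trace("192.168.2.1", "customer-cpe"))
    print(trace("192.168.2.1", "customer-cpe", filtered={"site-a"}))
    print(trace("5.6.7.8", "customer-cpe"))
```

Without a filter the packet for 192.168.2.1 rides default routes out to the upstream; with the drop rule on the first provider router it stops there.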