[CLUG-chat] Slow internet on a Mikrotik Router

Hardus Bouwer hardbouw at yahoo.com
Thu Feb 27 14:58:18 SAST 2014

On Thu, Feb 27, 2014 at 9:23 AM, William Warwick <thephuzzy at gmail.com> wrote:
> On 26/02/2014 19:51, Hardus Bouwer wrote:
>> Hallo,
>> I was not sure to post this under the tech or chat, seeing that Mikrotik
>> is not entirely opensource, it fits here better.
>> My setup is as follows:
>> I
>> have an ADSL Modem in bridged mode and then my mikrotik connects to it
>> and does 2 PPPoe Connections out, one to my ISP and one for my VPN
>> connection, ontop of the pppoe vpn connection I have a ppptp connection
>> to establish a tunnel between me and the other end.
>> My problem is
>>   that for some reason In getting a lot of traffic comming into my router
>>   from outside. It does not enter my LAN, just get inot the PPPoe
>> connection for my internet. The traffic is between 400-800kbps, not that
>>   much, but its only on my PPPoe ISP connection, dont go throuh the
>> router. While that traffic is so much, my internet is extremely slow to
>> unresponsive, this happens randomly. We used to have it alot at work and
>>   I then just add a firewall blocked rule to block it, that method does
>> not work for me at home. I fllowed some online tutorials and added a lot
>>   of firewall rules to block all kinds of random stuff from outside, even
>>   with that it is not having a effect on the incomming traffic to the isp
>>   account.
>> I need to be able to block all access to my router from outside completely
>> no exeptions
>> Here is a bunch of rules that I added:
>> /ip firewall filter
>> <snip>
> Based on the amount of rules you have that end with a "drop", im guessing
> you went for a blacklist firewall setup? IE you allow all traffic except
> this that and the other ports?
> The first thing I would do is look at what ports you actually need open, and
> then reconfigure your firewall filters in a Whitelist format... IE block all
> traffic except this that and the other port. This is in my opinion a far
> better starting point as its far easier and safer to open something that is
> not working than to have a bunch of services open that may or may not be
> used as an attack vector. A blacklist firewall to me is like a sieve and a
> roll of duck tape - you will forever more be hunting down holes and trying
> to patch them.
> Something like this is a good start:
> /ip firewall filter
> add chain=input connection-state=established action=accept
> add chain=input connection-state=related action=accept
> add chain=input connection-state=invalid action=drop
> add chain=input in-interface=<LAN> action=accept
> add chain=input action=drop
> add chain=forward connection-state=established action=accept
> add chain=forward connection-state=related action=accept
> add chain=forward connection-state=invalid action=drop
> add chain=forward in-interface=<LAN> action=accept
> add chain=forward action=drop
> This setup will block ALL external traffic unless its related to a
> connection that was started from inside the network, but will allow all
> traffic originating from your internal network (provided you change the
> <lan> interface name above). Once you have the basic structure in place, you
> can start looking at what other ports you might want to have open and what
> other service you might want to advertise. If you want to add the service to
> this ruleset, just make sure the rules are inserted into the chain above the
> drop rule.
> William Warwick
> --
> clug-chat mailing list: clug-chat at clug.org.za
> To (un)subscribe: http://lists.clug.org.za/mailman/listinfo/clug-chat
> Wiki: http://wiki.clug.org.za
> IRC: irc.atrum.org #clug
> List Rules: http://wiki.clug.org.za/wiki/Mailing_list_rules

I connected with teamviewer to my home pc and removed all those rules
and added your set, that now disabled web browsing.
I was a bit unsure about the LAN interface as I have multiple
interfaces in a bridged setup. I added ports 2-5 on the back of the
router as well as the built in WiFi to a Bridge.

The existing rules I added just to try and make my router more secure,
got them from an forum on the internet, I checked them all before
adding and they make sense, I think what you are saying is that the
router blocks traffic by default, so they wont be necessary?

As you explained also is actually what I need, if the connection was
not created from inside my Lan it must not be able to come through or
touch my router at all. Every time my internet becomes so slow I can
see the High traffic to my Public IP when running torch.


More information about the clug-chat mailing list