Top 10 RouterOS Configuration Mistakes (Part 3)

This week we look at the RouterOS configuration mistakes ranked 6 and 5:

6 - NAT issues

Masquerade is RouterOS's form of source NAT: it rewrites the private source address of every packet leaving towards the public network to the public address your provider assigned to the router's upstream interface. Your private network can therefore use whatever RFC 1918 addressing you like, and hosts on the Internet only ever see the single provider-assigned address. Keep in mind that masquerade is address translation, not a firewall: on its own it does not block inbound connections or traffic aimed at the router's own services, which is the job of the filter rules.

This option suits clients who want to connect an existing LAN to a provider's network without renumbering their internal addressing.
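
The following RouterOS configuration is an added example and not taken from the original article: it masquerades a LAN behind the provider-assigned address and shows the filter rules that masquerade does not replace. The interface name ether1, the WAN interface list and the LAN prefix 192.168.88.0/24 are assumptions; adjust them to your own setup.

```routeros
# Added example (not the original article's configuration). Assumes ether1 is
# the provider-facing interface and the LAN uses 192.168.88.0/24.

# Group the provider-facing port in an interface list so every rule below can
# refer to "WAN" instead of a hard-coded port name.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

# Source NAT: rewrite the private source address of packets that leave through
# WAN to whatever public address ether1 currently holds (masquerade looks the
# address up per packet, so it also follows a DHCP or PPPoE lease).
# Matching on out-interface-list=WAN and on the LAN source prefix is the check
# that matters: a masquerade rule with no out-interface matcher rewrites
# traffic between the router's other interfaces as well.
/ip firewall nat add chain=srcnat out-interface-list=WAN \
    src-address=192.168.88.0/24 action=masquerade \
    comment="Masquerade LAN behind the provider-assigned address"

# Masquerade is address translation, not access control. Inbound connections
# from WAN are blocked only if the filter table drops them.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="Return traffic for NATed sessions"
/ip firewall filter add chain=forward in-interface-list=WAN \
    connection-state=new connection-nat-state=!dstnat action=drop \
    comment="Drop new inbound connections that no dst-nat rule published"
```

After adding the rules, `/ip firewall connection print` shows the translated sessions, and the counters on the drop rule show how much unsolicited inbound traffic the masquerade rule alone would have let through to the forward chain.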

5 - Allowed IP spoofing

Spoofing, though mostly malicious, has a few more or less legitimate uses. Satellite Internet access is one: a packet that travels up to orbit and back incurs several hundred milliseconds of latency, and many protocols in use do not cope well with that delay.

Satellite providers therefore spoof these protocols, IP included: a proxy at each end of the satellite link answers on behalf of the remote host, so each side of a packet flow receives its acknowledgements without waiting for the round trip to orbit.

VPN applications are particularly sensitive to this latency, so the special client software these providers supply generally performs the same kind of "accepted" spoofing.

Solution:

The malicious kind of spoofing can be controlled. Among other measures, there are five things you can do to keep IP spoofing and the attacks built on it from affecting your network:

  1. Authenticate traffic between the machines on your network with a key exchange; something like IPsec, which authenticates every packet, significantly cuts down the risk of spoofing, because a forged source address no longer passes the integrity check.
  2. Use an access control list to deny packets whose source address is private (RFC 1918) or otherwise reserved on the interface they should never arrive from: the Internet-facing interface of an edge router, or the customer-facing (downstream) interface of a provider router.
  3. Filter both inbound and outbound traffic: ingress filtering keeps forged packets out of your network, and egress filtering stops your own hosts from sending packets with a source address outside your prefix.
  4. Configure your routers and switches, if they support it, to reject packets that arrive from outside your local network but claim a source address from within it. Reverse-path filtering does this automatically by checking that the source address is routed back through the interface the packet arrived on.
  5. Enable encrypted sessions on your router so that trusted hosts outside your network communicate with your local hosts over an authenticated tunnel rather than on the strength of their source address alone.
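
The rules below are an added example, not the original article's configuration: they put items 2 to 4 of the list into RouterOS firewall syntax (items 1 and 5 are IPsec configuration and are not covered here). The interface names ether1 and ether2, the WAN interface list and the single LAN prefix 192.168.88.0/24 are assumptions; adjust them before use.

```routeros
# Added example (not the original article's rules). Assumes ether1 faces the
# provider (interface list WAN) and the only internal prefix is 192.168.88.0/24
# on ether2.

/interface list add name=WAN
/interface list member add list=WAN interface=ether1

# Item 2: an address list of sources that must never arrive from the Internet
# (RFC 1918, loopback, link-local; 192.168.0.0/16 also covers our own LAN).
/ip firewall address-list add list=not-from-wan address=10.0.0.0/8 \
    comment="RFC 1918"
/ip firewall address-list add list=not-from-wan address=172.16.0.0/12 \
    comment="RFC 1918"
/ip firewall address-list add list=not-from-wan address=192.168.0.0/16 \
    comment="RFC 1918 (includes our own LAN prefix)"
/ip firewall address-list add list=not-from-wan address=127.0.0.0/8 \
    comment="loopback"
/ip firewall address-list add list=not-from-wan address=169.254.0.0/16 \
    comment="link-local"

# Item 3a: inbound (ingress) filtering. A packet entering from WAN with an
# internal or reserved source is spoofed by definition; drop it both for
# traffic to the router itself (input) and traffic through it (forward).
/ip firewall filter add chain=input in-interface-list=WAN \
    src-address-list=not-from-wan action=drop \
    comment="Anti-spoof: reserved/internal source arriving from WAN"
/ip firewall filter add chain=forward in-interface-list=WAN \
    src-address-list=not-from-wan action=drop \
    comment="Anti-spoof: reserved/internal source arriving from WAN"

# Item 3b: outbound (egress) filtering. Only packets sourced from our own
# prefix may be forwarded from the LAN, so a compromised host cannot take part
# in a spoofed flood with a forged source, and a misconfigured host cannot
# leak other private addresses upstream.
/ip firewall filter add chain=forward in-interface=ether2 \
    src-address=!192.168.88.0/24 action=drop \
    comment="Anti-spoof: LAN host using a source outside the LAN prefix"

# Item 4: reverse-path filtering. The router checks that the source address of
# each packet is routed back out through the interface it arrived on and drops
# the packet otherwise. Use loose instead of strict if routing is asymmetric.
/ip settings set rp-filter=strict
```

Rules in a RouterOS chain are evaluated in order, so the drop rules must sit above any accept rules for the same traffic; check the order with `/ip firewall filter print` after adding them. Verify the filter by sending a packet with a forged private source towards the WAN interface from a test host and confirming that the counters on the anti-spoof rules increase while nothing reaches the LAN.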