Are you pre-defining blocks, though? 

Inside IP       Outside IP/Port range 
100.64.1.1      2.2.2.2:2000-2099 
100.64.1.2      2.2.2.2:2100-2199 
100.64.1.3      2.2.2.2:2200-2299 
I'd do more than 100 ports, but the table is just meant to express the concept.


Then you ALWAYS know IP:port to internal IP matching, without having to track 
anything. 




----- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 
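
Added example (not part of the original email, and not code from the MikroTik wiki): the reverse lookup that a pre-defined port-block plan makes possible, using the table above as the plan and generalized to several public IPs. PortBlockPlan and attribute are hypothetical names, the report entries are constructed, and it assumes the source port is known from the abuse report or from your own flow logs.

```python
import ipaddress

class PortBlockPlan:
    """Static CGNAT plan (hypothetical helper): inside host N owns port block N."""

    def __init__(self, inside_first, inside_count, public_ips,
                 first_port, block_size, last_port=65535):
        self.inside_first = int(ipaddress.IPv4Address(inside_first))
        self.inside_count = inside_count
        self.public_ips = [ipaddress.IPv4Address(p) for p in public_ips]
        self.first_port, self.block_size = first_port, block_size
        self.blocks_per_ip = (last_port - first_port + 1) // block_size
        if inside_count > self.blocks_per_ip * len(self.public_ips):
            raise ValueError("not enough public port blocks for the inside range")

    def outside_for(self, inside_ip):
        """Forward direction: the (public IP, low port, high port) a customer uses."""
        idx = int(ipaddress.IPv4Address(inside_ip)) - self.inside_first
        if not 0 <= idx < self.inside_count:
            raise ValueError(f"{inside_ip} is outside the planned range")
        ip_idx, blk = divmod(idx, self.blocks_per_ip)
        low = self.first_port + blk * self.block_size
        return str(self.public_ips[ip_idx]), low, low + self.block_size - 1

    def inside_for(self, public_ip, src_port):
        """Reverse direction: inside IP for a reported source IP:port, else None."""
        pub = ipaddress.IPv4Address(public_ip)
        if pub not in self.public_ips or src_port < self.first_port:
            return None
        blk = (src_port - self.first_port) // self.block_size
        idx = self.public_ips.index(pub) * self.blocks_per_ip + blk
        if blk >= self.blocks_per_ip or idx >= self.inside_count:
            return None  # port falls in no customer's block
        return str(ipaddress.IPv4Address(self.inside_first + idx))

def attribute(plan, report):
    """Map each (source IP, source port) from an abuse report to an inside IP."""
    return {(ip, port): plan.inside_for(ip, port) for ip, port in report}

# The table from the email: three customers, 100 ports each, on 2.2.2.2.
PLAN = PortBlockPlan("100.64.1.1", 3, ["2.2.2.2"], 2000, 100)
# Constructed report entries (source IP, source port); not real data.
REPORT = [("2.2.2.2", 2057), ("2.2.2.2", 2250), ("2.2.2.2", 443)]

if __name__ == "__main__":
    for key, inside in attribute(PLAN, REPORT).items():
        print(key, "->", inside or "no customer block")
```

With a static plan, a report's timestamp is only needed to pick which version of the plan was in force at that time.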




----- Original Message -----

From: "Christopher Tyler" <ch...@totalhighspeed.net> 
To: "AnimalFarm Microwave Users Group" <af@af.afmug.com> 
Sent: Friday, June 19, 2020 12:07:55 PM 
Subject: Re: [AFMUG] Issue with Google 

That is how we are doing it for the most part. We still have a lot of old 
172.16.0.0/12 addresses that need to be converted to 100.64.0.0/10. We have 
been and still are steadily working towards that goal though. 

-- 
Christopher Tyler 
Senior Network Engineer 
MTCRE/MTCNA/MTCTCE/MTCWE 

Total Highspeed Internet Solutions 
1091 W. Kathryn Street 
Nixa, MO 65714 
(417) 851-1107 x. 9002 
www.totalhighspeed.com 

----- Original Message ----- 
> From: "afmug" <af...@ics-il.net> 
> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com> 
> Sent: Friday, June 19, 2020 12:00:18 PM 
> Subject: Re: [AFMUG] Issue with Google 

> If you're NATing multiple customers behind a single IP address, do it this 
> way: 
> 
> 
> https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28CGNAT.29_or_NAT444
> 
> 
> 
> ----- 
> Mike Hammett 
> 
> From: "Christopher Tyler" <ch...@totalhighspeed.net> 
> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com> 
> Sent: Friday, June 19, 2020 11:46:07 AM 
> Subject: Re: [AFMUG] Issue with Google 
> 
> Yes, NAT is in play here, I just now increased the NAT pool to 128 addresses 
> based on TJ's theory that the NAT pool might be too small. 
> 
> The source IPs seem to be spoofed or proxied somehow as the first IP address in
> the list from Google is our ARIN /20 Network address (x.x.0.0) and I find it
> hard to believe that our gateway router is scraping Google for content.
> 
> -- 
> Christopher Tyler 
> Senior Network Engineer 
> 
> ----- Original Message ----- 
>> From: "afmug" <af...@ics-il.net> 
>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com> 
>> Sent: Friday, June 19, 2020 11:37:58 AM 
>> Subject: Re: [AFMUG] Issue with Google 
> 
>> You have the source IP, port, and time. What more do you need to determine
>> who's doing it?
>> 
>> I'm assuming you're NATing customers at the router in question. 
>> 
>> 
>> 
>> ----- 
>> Mike Hammett 
>> 
>> From: "Christopher Tyler" <ch...@totalhighspeed.net> 
>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com> 
>> Sent: Friday, June 19, 2020 10:59:30 AM 
>> Subject: [AFMUG] Issue with Google 
>> 
>> So the other day we got an email (excerpt below) from Google's automated 
>> tool... 
>> 
>> We are seeing automated scraping of Google Web Search from a large 
>> number of your IPs. Automated scraping violates our /robots.txt file 
>> and also our Terms of Service. We request that you terminate this 
>> traffic immediately. Failure to do so may cause your network to be 
>> blocked by our abuse systems. 
>> 
>> To allow you to identify the traffic, we are providing a list of 
>> your IPs they used today (Source field), as well as the most common 
>> destination (Google) IP and port and a timestamp of a recent request 
>> (in UTC) to aid in your identification. Note that this list may not 
>> be exhaustive, and we request that you terminate all such traffic, not 
>> just traffic from IPs in this list. 
>> 
>> All of the destination ports (to Google) are either 80 or 443, so they at least
>> appear to be legit web traffic on the surface. They are obviously spoofed IP
>> addresses as there are network addresses in the list and the IP belongs to a
>> router that doesn't appear to be compromised in any way. The initial letter
>> included 700+ IP addresses from our network.
>> 
>> It's now affecting our customers as they are now getting CAPTCHAs for every
>> couple of Google searches that they perform.
>> 
>> Does anyone know of a good way to track the perpetrator(s) down and/or know
>> of a way to mitigate this?
>> 
>> -- 
>> Christopher Tyler 
>> Senior Network Engineer 
>> 
>> -- 
>> AF mailing list 
>> AF@af.afmug.com 
>> http://af.afmug.com/mailman/listinfo/af_af.afmug.com 