I'm wondering if I have fundamentally misunderstood something. In fact I am rather hoping I have. An outside agency has reported seeing telnet connection attempts coming from the outside IPv4 address of a client's router. They have provided info that shows quite clearly that these are attacks coming from the router. To see where in the network they were originating, I added these lines at the front of each of the input, output and forward "/ip firewall filter" chains: chain=xxx action=drop \ protocol=tcp dst-port=23 \ log=yes \ log-prefix="TEL_xxx" My log output shows exclusively lines with "TEL_output". I wasn't expecting any "TEL_input" lines, but I was definitely expecting some "TEL_forward" lines, assuming the miscreant is inside the network. Here is a sample (a.b.c.d is the outside address of the router, w.x.y.z is the destination address): 18:44:35 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), a.b.c.d:54315->w.x.y.z:23, len 40 I.e., the packets seem to be sourced at the router. Does this mean that the router is the source of this nefariousness?!? Or am I missing something? There are quite a few of these, I'm seeing about 20 per minute. The router version is old and should be upgraded: 6.36 (stable). It appears that an earlier colleague added three mangle/passthrough statements, but these as I understand it are effectively just counters. There are no other mangle statements. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160