:%s/my.ip.add.ress/111.222.333.444/g
7.13.2 on hEX, if it matters.
Most (if not all) of the hosts are Amazon, Apple, and other legitimate-looking connections.
Am I somehow not communicating to them correctly that we are terminating the connection?
I'm assuming the proto is them to me and those are their flags set.
17.248.175.166 is sending me flags RST
192.229.211.10 is sending me flags ACK and FIN
RST is a hard stop for some reason.
Why would Apple be hard-terminating a connection with me?
07:45:10 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 17.248.175.166:443->111.222.333.444:64289, len 40
07:45:10 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 17.248.175.166:443->111.222.333.444:64289, len 40
07:45:10 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 17.248.175.166:443->111.222.333.444:64289, len 40
07:45:10 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 17.248.199.68:443->111.222.333.444:64292, len 40
07:45:10 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 17.248.199.70:443->111.222.333.444:64286, len 40
07:45:10 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 17.248.199.70:443->111.222.333.444:64286, len 40
07:48:41 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,FIN), 192.229.211.108:80->111.222.333.444:64297, len 52
07:49:12 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,FIN), 192.229.211.108:80->111.222.333.444:64297, len 52
07:50:13 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,FIN), 192.229.211.108:80->111.222.333.444:64297, len 52
07:52:14 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,FIN), 192.229.211.108:80->111.222.333.444:64297, len 52
07:52:35 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 3.5.80.10:443->111.222.333.444:45414, len 40
07:52:35 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 3.5.80.10:443->111.222.333.444:45414, len 40
07:52:35 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 3.5.80.10:443->111.222.333.444:45414, len 40
07:52:35 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 3.5.80.10:443->111.222.333.444:45414, len 40
07:52:35 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 3.5.80.10:443->111.222.333.444:45414, len 40
07:52:35 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 3.5.80.10:443->111.222.333.444:45414, len 40
07:52:35 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 3.5.80.10:443->111.222.333.444:45414, len 40
07:52:35 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 3.5.80.10:443->111.222.333.444:45414, len 40
07:52:35 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 3.5.80.10:443->111.222.333.444:45414, len 40
07:53:53 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 17.248.175.166:443->111.222.333.444:64294, len 40
07:53:53 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 17.248.175.166:443->111.222.333.444:64294, len 40
07:53:53 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 17.248.175.166:443->111.222.333.444:64294, len 40
07:53:53 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 17.248.175.166:443->111.222.333.444:64294, len 40
07:53:53 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 18.210.101.162:443->111.222.333.444:64296, len 40
07:53:57 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 23.58.90.40:443->111.222.333.444:64299, len 40
07:54:15 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,FIN), 192.229.211.108:80->111.222.333.444:64297, len 52
07:56:56 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 3.5.80.10:443->111.222.333.444:45426, len 40
07:56:56 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 3.5.80.10:443->111.222.333.444:45426, len 40
07:56:56 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 3.5.80.10:443->111.222.333.444:45426, len 40
07:56:56 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 3.5.80.10:443->111.222.333.444:45426, len 40
07:56:56 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 3.5.80.10:443->111.222.333.444:45426, len 40
07:56:56 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 3.5.80.10:443->111.222.333.444:45426, len 40
07:56:56 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 3.5.80.10:443->111.222.333.444:45426, len 40
Nothing much special here: redirecting NTP and unencrypted DNS from internal things (IoT).
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=forward dst-port=51829 protocol=udp
/ip firewall filter add action=accept chain=input dst-port=8291 protocol=tcp
/ip firewall filter add action=accept chain=forward dst-port=221 protocol=tcp
/ip firewall filter add action=reject chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN reject-with=icmp-network-unreachable
/ip firewall filter add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related disabled=yes hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat dst-port=51829 in-interface-list=WAN protocol=udp to-addresses=192.168.88.254 to-ports=51829
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=bridge protocol=udp src-address=!192.168.88.254 to-addresses=192.168.88.254 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat dst-port=123 in-interface=bridge protocol=udp src-address=!192.168.88.254 to-addresses=192.168.88.254 to-ports=123
/ip firewall nat add action=redirect chain=dstnat comment="Forwarding rule" dst-port=53 in-interface=bridge protocol=tcp src-address=!192.168.88.254 to-addresses=192.168.88.254 to-ports=53
/ip/firewall/connection/tracking/ print
enabled: auto
active-ipv4: yes
active-ipv6: yes
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
tcp-established-timeout: 1d
tcp-fin-wait-timeout: 10s
tcp-close-wait-timeout: 10s
tcp-last-ack-timeout: 10s
tcp-time-wait-timeout: 10s
tcp-close-timeout: 10s
tcp-max-retrans-timeout: 5m
tcp-unacked-timeout: 5m
loose-tcp-tracking: yes
udp-timeout: 10s
udp-stream-timeout: 3m
icmp-timeout: 10s
generic-timeout: 10m
max-entries: 225280
total-entries: 2223
Thank you in advance.
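The log above is easier to reason about per flow than per line: the same 5-tuple shows up several times, and what matters is whether the repeats arrive as a burst within one second (a peer resetting a connection the tracker has already forgotten, one RST per segment it still had queued) or spaced out with growing gaps (a peer retransmitting a FIN,ACK that was never acknowledged, long after the 10-second fin-wait/time-wait timeouts in the conntrack print have expired the entry). Both patterns are what the default "drop invalid" rule exists to absorb. The script below is an added example, not code from the post or from MikroTik: it parses the RouterOS 7 "firewall,info" line format shown above, groups packets by flow and labels each group with one of those heuristics. SAMPLE_LOG is a subset of the post's own log lines, with the post's placeholder public address left in place; the verdict names and thresholds are this example's own choices.

```python
"""
Group RouterOS "drop invalid" firewall log lines by flow and label the pattern.

Added example; not from the forum post or from MikroTik.  The line format is the
RouterOS 7 "firewall,info" output of a filter rule with log=yes.  SAMPLE_LOG is a
subset of the post's log; 111.222.333.444 is the post's redaction placeholder.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One "firewall,info" line: time, chain, interfaces, conntrack state, MAC, proto/flags, 5-tuple, length.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) firewall,info (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\([^)]*\)|\S+), "
    r"connection-state:(?P<state>\S+) src-mac (?P<src_mac>[0-9a-f:]{17}), "
    r"proto (?P<proto>\w+) \((?P<flags>[^)]*)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

SAMPLE_LOG = """\
07:45:10 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 17.248.175.166:443->111.222.333.444:64289, len 40
07:45:10 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 17.248.175.166:443->111.222.333.444:64289, len 40
07:45:10 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 17.248.175.166:443->111.222.333.444:64289, len 40
07:48:41 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,FIN), 192.229.211.108:80->111.222.333.444:64297, len 52
07:49:12 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,FIN), 192.229.211.108:80->111.222.333.444:64297, len 52
07:50:13 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,FIN), 192.229.211.108:80->111.222.333.444:64297, len 52
07:52:14 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,FIN), 192.229.211.108:80->111.222.333.444:64297, len 52
07:52:35 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 3.5.80.10:443->111.222.333.444:45414, len 40
07:52:35 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 3.5.80.10:443->111.222.333.444:45414, len 40
07:52:35 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 3.5.80.10:443->111.222.333.444:45414, len 40
07:52:35 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,RST), 3.5.80.10:443->111.222.333.444:45414, len 40
07:53:57 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (RST), 23.58.90.40:443->111.222.333.444:64299, len 40
07:54:15 firewall,info input: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:01:5c:74:b4:46, proto TCP (ACK,FIN), 192.229.211.108:80->111.222.333.444:64297, len 52
"""


def parse_line(line):
    """Parse one log line into a dict; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S")  # date-less; fine within one day of log
    rec["flags"] = tuple(f.strip() for f in rec["flags"].split(",") if f.strip())
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec


def inter_arrival(packets):
    """Sorted timestamps of a flow and the gaps (seconds) between consecutive packets."""
    times = sorted(p["time"] for p in packets)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return times, gaps


def classify(packets):
    """
    Heuristic label for the packets of one 5-tuple logged by 'drop invalid' (names are this example's):
      rst-burst       several RST / ACK,RST within one second: peer resets a connection the
                      tracker no longer holds, typically one RST per segment it still had queued
      fin-retransmit  ACK,FIN repeated with non-decreasing gaps of >=1s: the peer's FIN was
                      never ACKed and it retransmits with back-off, long after the 10s
                      fin-wait / time-wait timeouts have dropped the conntrack entry here
      single          one stray packet after the entry expired
      mixed           anything else; worth a closer look
    """
    times, gaps = inter_arrival(packets)
    if len(packets) == 1:
        return "single"
    all_fin = all("FIN" in p["flags"] for p in packets)
    all_rst = all("RST" in p["flags"] for p in packets)
    backoff = all(g >= 1 for g in gaps) and all(b >= a for a, b in zip(gaps, gaps[1:]))
    if all_fin and backoff:
        return "fin-retransmit"
    if all_rst and times[-1] - times[0] <= timedelta(seconds=1):
        return "rst-burst"
    return "mixed"


def summarise(lines):
    """Group parsed lines by (proto, src, sport, dst, dport) and label each flow, earliest first."""
    flows = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        flows[(rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])].append(rec)
    rows = []
    for (proto, src, sport, dst, dport), pkts in flows.items():
        times, gaps = inter_arrival(pkts)
        rows.append({
            "flow": f"{src}:{sport}->{dst}:{dport}",
            "proto": proto,
            "count": len(pkts),
            "flags": sorted({",".join(p["flags"]) for p in pkts}),
            "first": times[0].strftime("%H:%M:%S"),
            "last": times[-1].strftime("%H:%M:%S"),
            "gaps": gaps,
            "verdict": classify(pkts),
        })
    rows.sort(key=lambda r: r["first"])
    return rows


if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG.splitlines()):
        print(f'{row["flow"]:45} {row["count"]:2}x {"/".join(row["flags"]):8} '
              f'{row["first"]}-{row["last"]}  {row["verdict"]}')
```

Feed it the output of `/log print where topics~"firewall"` (or the exported log file) and anything that comes back as `mixed`, or as a flow whose first packet was a SYN, deserves attention; `rst-burst`, `fin-retransmit` and `single` are the normal residue of connections that ended on the LAN side before the remote host noticed.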