Please help me with a small problem:
There is a bridge with two configured subnets, 10.0.1.0/24 and 10.0.3.0/24. The problem is: a page on my web server 10.0.3.10 opens very slowly from any device in 10.0.1.0/24 when the rule add chain=forward protocol=tcp connection-state=invalid action=drop is active. MikroTik log for that rule:
13:57:10 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK), 10.0.1.95:63140->10.0.3.10:80, len 40
13:57:10 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK,PSH), 10.0.1.95:63140->10.0.3.10:80, len 500
13:57:11 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK,PSH), 10.0.1.95:63140->10.0.3.10:80, len 500
13:57:11 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK,PSH), 10.0.1.95:63140->10.0.3.10:80, len 500
13:57:12 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK,PSH), 10.0.1.95:63140->10.0.3.10:80, len 500
13:57:14 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK), 10.0.1.95:63140->10.0.3.10:80, len 52
13:57:15 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK,PSH), 10.0.1.95:63140->10.0.3.10:80, len 500
When this rule is disabled, everything works fine.
Maybe I should delete this rule, or is there another way to solve this problem?
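As an added example (not part of the original post or of RouterOS), here is a small parser for the firewall log format shown above. It groups the logged packets by flow and records what the drop rule actually saw: how many packets, which TCP flags, whether the packet left through the same interface it arrived on, and whether a SYN was ever among the dropped packets. The seven lines embedded below are copied from the post as constructed sample input; the regex assumes the default log format with no log-prefix and no extra fields.

```python
import re

# Constructed sample input: the seven lines logged by the
# "chain=forward connection-state=invalid action=drop" rule in the post above.
SAMPLE_LOG = """\
13:57:10 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK), 10.0.1.95:63140->10.0.3.10:80, len 40
13:57:10 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK,PSH), 10.0.1.95:63140->10.0.3.10:80, len 500
13:57:11 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK,PSH), 10.0.1.95:63140->10.0.3.10:80, len 500
13:57:11 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK,PSH), 10.0.1.95:63140->10.0.3.10:80, len 500
13:57:12 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK,PSH), 10.0.1.95:63140->10.0.3.10:80, len 500
13:57:14 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK), 10.0.1.95:63140->10.0.3.10:80, len 52
13:57:15 firewall,info forward: in:bridge1(ether3) out:bridge1, src-mac d4:3d:7e:d9:29:b3, proto TCP (ACK,PSH), 10.0.1.95:63140->10.0.3.10:80, len 500
"""

# Assumed layout: "<time> firewall,<topic> [<prefix>] <chain>: in:<if> out:<if>,
# [src-mac <mac>,] proto <proto> [(<flags>)], <src>:<sport>-><dst>:<dport>, len <n>"
LOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) firewall,\w+ (?:(?P<prefix>[^:\s]+) )?(?P<chain>\w+): "
    r"in:(?P<in_if>[^\s,]+) out:(?P<out_if>[^\s,]+), "
    r"(?:src-mac (?P<mac>[0-9a-f:]{17}), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[A-Z,]+)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), "
    r"len (?P<length>\d+)$"
)


def split_port(name):
    """'bridge1(ether3)' -> ('bridge1', 'ether3'); 'bridge1' -> ('bridge1', None)."""
    m = re.match(r"^([^(]+)(?:\((.+)\))?$", name)
    return m.group(1), m.group(2)


def parse_line(line):
    """Parse one RouterOS firewall log line into a dict, or return None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = frozenset(rec["flags"].split(",")) if rec["flags"] else frozenset()
    for k in ("sport", "dport", "length"):
        rec[k] = int(rec[k])
    rec["in_if"], rec["in_port"] = split_port(rec["in_if"])
    rec["out_if"], rec["out_port"] = split_port(rec["out_if"])
    return rec


def summarize(log_text):
    """Group logged packets by 5-tuple and collect what the firewall saw per flow."""
    flows = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "flags": set(),
                                   "first": rec["time"], "last": rec["time"],
                                   "hairpin": False, "chains": set()})
        f["packets"] += 1
        f["bytes"] += rec["length"]
        f["flags"] |= rec["flags"]
        f["last"] = rec["time"]
        f["chains"].add(rec["chain"])
        # Same L3 interface in and out: the router sent the packet back out the
        # interface it arrived on, i.e. both hosts sit behind that one interface.
        f["hairpin"] |= rec["in_if"] == rec["out_if"]
    return flows


def handshake_seen(flow):
    """True if a SYN was among the dropped packets; False means only mid-stream
    segments were dropped, so connection tracking never matched them to a handshake."""
    return "SYN" in flow["flags"]


def report(flows):
    """One human-readable line per flow, returned as a list so it can be checked."""
    lines = []
    for (proto, src, sport, dst, dport), f in sorted(flows.items()):
        note = "handshake logged" if handshake_seen(f) else "no SYN logged, mid-stream packets only"
        lines.append(f"{proto} {src}:{sport} -> {dst}:{dport}  pkts={f['packets']} "
                     f"bytes={f['bytes']} flags={','.join(sorted(f['flags']))} "
                     f"{f['first']}..{f['last']} hairpin={'yes' if f['hairpin'] else 'no'}  [{note}]")
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run against the post's lines it yields a single flow, 10.0.1.95:63140 -> 10.0.3.10:80, seven packets carrying only ACK and ACK,PSH, all hairpinned through bridge1 and none of them a SYN; the same script can be pointed at a longer /log print export to see which flows a logging invalid-drop rule is hitting.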
So, can't anyone help?
You can’t bridge between two different /24 subnets - you would need to route.
Please post your complete config if you want more help. It’s pretty hard to guess what may be wrong based on your (very condensed) logs.
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=1588 max-message-age=20s mtu=1500 name=bridge1 priority=0x8000 protocol-mode=rstp transmit-hold-count=6
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=ether3 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip address
add address=10.0.0.1/24 disabled=no interface=bridge1 network=10.0.0.0
add address=10.0.1.1/24 disabled=no interface=bridge1 network=10.0.1.0
add address=10.0.2.1/24 disabled=no interface=bridge1 network=10.0.2.0
add address=10.0.3.1/24 disabled=no interface=bridge1 network=10.0.3.0
/ip r print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  10.0.0.0/24        10.0.0.1        bridge1                   0
 1 ADC  10.0.1.0/24        10.0.1.1        bridge1                   0
 2 ADC  10.0.2.0/24        10.0.2.1        bridge1                   0
 3 ADC  10.0.3.0/24        10.0.3.1        bridge1                   0
/ip f address-list
add address=10.0.0.0/24 disabled=no dynamic=no list=lan_subnets
add address=10.0.1.0/24 disabled=no dynamic=no list=lan_subnets
add address=10.0.2.0/24 disabled=no dynamic=no list=lan_subnets
add address=10.0.3.0/24 disabled=no dynamic=no list=lan_subnets
/ip f f print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=drop connection-state=invalid
1 chain=input action=accept connection-state=established
2 chain=input action=accept connection-state=related
3 chain=input action=accept in-interface=bridge1
4 chain=forward action=drop connection-state=invalid
5 chain=forward action=accept connection-state=established
6 chain=forward action=accept connection-state=related
7 chain=forward action=accept src-address-list=lan_subnets dst-address-list=lan_subnets in-interface=bridge1 out-interface=bridge1
8 chain=forward action=drop
Topology:
L2Switch(Users1)->L2Switch(Main)
L2Switch(Users2)->L2Switch(Main)
L2Switch(Srv)->L2Switch(Main)
L2Switch(Main)->Mkt Bridge1(ether3)
L2Switch(Users1/2) include hosts from 10.0.0.0/24-10.0.3.0/24: user workstations (10.0.0.0/24-10.0.1.0/24), IP cameras (10.0.2.0/24) and IP phones (10.0.3.0/24)
L2Switch(Srv) includes servers from 10.0.0.0/24-10.0.3.0/24: PDC, BDC, DHCP, DNS, mail servers, terminal, FTP, storage etc. (10.0.0.0/24-10.0.1.0/24), different for each workstation subnet,
IP NVRs (10.0.2.0/24), IP PBXs (10.0.3.0/24).
The problem is slow connections between different subnets (like HTTP, or 37777, the video stream connection) when chain=forward action=drop connection-state=invalid is active.
Sorry for my English :)
One IP range per bridge
bridge1, for example 192.168.1.1/24
bridge2, for example 192.168.2.1/24
Not more than one IP range per bridge
You can NAT all the bridges to the ISP
OK, plisken!
If I create 4 VLAN interfaces on ether3, one for each subnet, will that be correct?
I am not working with VLANs in this case.
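The VLAN-per-subnet layout asked about in the post above, written out as an added example; it is not configuration from the thread, and the thread does not confirm that it resolves the slowness. It assumes the L2 switches tag VLANs 10 to 13 on the uplink to ether3 and put each host group on the matching access VLAN (the post says the switches are not VLAN-configured today), and the VLAN IDs and interface names are chosen here. Each subnet then gets its own L3 interface with exactly one IP range, as the earlier reply recommends, and the forward rule keeps the thread's own lan_subnets address lists instead of matching on bridge1:

```routeros
# Added example, not the original poster's configuration.
# Assumes the upstream switch trunks VLANs 10-13 (tagged) to ether3.

# bridge1 no longer carries any IP range, so take ether3 out of it and
# drop the four /24 addresses that were bound to the bridge.
/ip address remove [find interface=bridge1]
/interface bridge port remove [find interface=ether3]

# One 802.1Q sub-interface per subnet, all on the single uplink port.
/interface vlan
add name=vlan10-users0 interface=ether3 vlan-id=10
add name=vlan11-users1 interface=ether3 vlan-id=11
add name=vlan12-cams   interface=ether3 vlan-id=12
add name=vlan13-phones interface=ether3 vlan-id=13

# Exactly one IP range per L3 interface.
/ip address
add address=10.0.0.1/24 interface=vlan10-users0
add address=10.0.1.1/24 interface=vlan11-users1
add address=10.0.2.1/24 interface=vlan12-cams
add address=10.0.3.1/24 interface=vlan13-phones

# Same rule order as in the thread; the inter-subnet accept rule matches on the
# existing lan_subnets address lists rather than on in/out-interface=bridge1.
/ip firewall filter
add chain=input action=drop connection-state=invalid
add chain=input action=accept connection-state=established,related
add chain=input action=accept src-address-list=lan_subnets
add chain=forward action=drop connection-state=invalid log=yes log-prefix="fwd-invalid"
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept src-address-list=lan_subnets dst-address-list=lan_subnets
add chain=forward action=drop
```

With this layout every subnet is its own broadcast domain and hosts in different subnets can only reach each other through the router, so both directions of each connection pass the same forward chain. Before applying it, the access ports on the user, camera and phone switches must be assigned to their VLANs and the uplinks tagged, otherwise the hosts lose their gateway.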
How many free Ethernet interfaces do you have?
What exactly are you going to do?
What RouterBOARD do you have?