Firewall considers packets invalid

I was hoping that someone can help me with a MikroTik firewall question.

I have a MikroTik LtAP mini with two rules on the input and forward chains that drop invalid packets, but there is a lot more traffic being dropped than I expected and I suspect a lot of them are valid packets. The log keeps on growing with new records being added constantly.
My question is why would the firewall consider these to be invalid and so many of them so frequently?

Here are the firewall filters that drop invalid traffic

 ip firewall filter print where connection-state="invalid"
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=yes log-prefix="invalid" 

 1    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=yes log-prefix="invalid"

The firewall logs

log print where topics~"firewall"
13:15:46 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:35071->52.114.xxx.xxx:443, len 40 
13:15:46 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:46163->52.114.xxx.xxx:443, len 40 
13:15:46 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:41383->52.114.xxx.xxx:443, len 40 
13:15:50 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (ACK,FIN,PSH), 192.168.xxx.xxx:37622->149.154.xxx.xxx:443, len 76 
13:16:04 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (ACK,FIN,PSH), 192.168.xxx.xxx:37618->149.154.xxx.xxx:443, len 142 
13:16:09 firewall,info invalid forward: in:bridge out:lte1, src-mac a8:34:xx:xx:xx:xx, proto TCP (ACK,FIN,PSH), 192.168.xxx.xxx:37072->1.1.xxx.xxx:443, len 64 
13:16:10 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:59065->52.114.xxx.xxx:443, len 40 
13:16:35 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 1.1.xxx.xxx:443->100.121.xxx.xxx:43262, len 52 
13:16:35 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 1.1.xxx.xxx:443->100.121.xxx.xxx:43264, len 52 
13:16:36 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 1.1.xxx.xxx:443->100.121.xxx.xxx:43272, len 52 
13:16:36 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 1.1.xxx.xxx:443->100.121.xxx.xxx:43270, len 52 
13:16:36 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 1.1.xxx.xxx:443->100.121.xxx.xxx:43270, len 52 
13:16:36 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 1.1.xxx.xxx:443->100.121.xxx.xxx:43272, len 52 
13:16:37 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 1.1.xxx.xxx:443->100.121.xxx.xxx:43270, len 52 
13:16:37 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 1.1.xxx.xxx:443->100.121.xxx.xxx:43272, len 52 
13:16:41 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:59065->52.114.xxx.xxx:443, len 40 
13:16:48 firewall,info invalid forward: in:bridge out:lte1, src-mac 0c:e0:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:44114->178.79.xxx.xxx:443, len 40 
13:16:51 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (ACK,FIN,PSH), 192.168.xxx.xxx:37618->149.154.xxx.xxx:443, len 142 
13:17:22 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:33221->52.168.xxx.xxx:443, len 40 
13:17:53 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:33221->52.168.xxx.xxx:443, len 40 
13:22:40 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (RST), 192.168.xxx.xxx:37644->149.154.xxx.xxx:443, len 40 
13:23:26 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (RST), 192.168.xxx.xxx:33750->159.148.xxx.xxx:443, len 40 
13:23:26 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (RST), 192.168.xxx.xxx:33750->159.148.xxx.xxx:443, len 40 
13:24:31 firewall,info invalid forward: in:bridge out:lte1, src-mac 0c:e0:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:37344->13.89.xxx.xxx:443, len 40 
13:24:55 firewall,info invalid forward: in:bridge out:lte1, src-mac 0c:e0:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:39976->149.154.xxx.xxx:443, len 40 
13:24:55 firewall,info invalid forward: in:bridge out:lte1, src-mac 0c:e0:xx:xx:xx:xx, proto TCP (ACK,FIN,PSH), 192.168.xxx.xxx:42524->40.114.xxx.xxx:443, len 83 
13:24:58 firewall,info invalid forward: in:bridge out:lte1, src-mac 0c:e0:xx:xx:xx:xx, proto TCP (ACK,FIN,PSH), 192.168.xxx.xxx:42527->40.114.xxx.xxx:443, len 71 
13:25:02 firewall,info invalid forward: in:bridge out:lte1, src-mac 0c:e0:xx:xx:xx:xx, proto TCP (ACK,FIN,PSH), 192.168.xxx.xxx:42498->40.114.xxx.xxx:443, len 71 
13:25:03 firewall,info invalid forward: in:bridge out:lte1, src-mac 0c:e0:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:44300->178.79.xxx.xxx:443, len 40 
13:25:04 firewall,info invalid forward: in:bridge out:lte1, src-mac 0c:e0:xx:xx:xx:xx, proto TCP (ACK,FIN,PSH), 192.168.xxx.xxx:42523->40.114.xxx.xxx:443, len 71 
13:25:05 firewall,info invalid forward: in:bridge out:lte1, src-mac 0c:e0:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:40425->173.239.xxx.xxx:4041, len 40 
13:25:05 firewall,info invalid forward: in:bridge out:lte1, src-mac 0c:e0:xx:xx:xx:xx, proto TCP (ACK,FIN,PSH), 192.168.xxx.xxx:42504->40.114.xxx.xxx:443, len 71 
13:25:06 firewall,info invalid forward: in:bridge out:lte1, src-mac 0c:e0:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:44299->178.79.xxx.xxx:443, len 40 
13:25:09 firewall,info invalid forward: in:bridge out:lte1, src-mac 0c:e0:xx:xx:xx:xx, proto TCP (ACK,FIN,PSH), 192.168.xxx.xxx:42526->40.114.xxx.xxx:443, len 71 
13:27:49 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37676, len 52 
13:27:49 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37676, len 52 
13:27:49 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37676, len 52 
13:27:50 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (RST), 192.168.xxx.xxx:37680->149.154.xxx.xxx:443, len 40 
13:28:20 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:40886->52.114.xxx.xxx:443, len 40 
13:28:27 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37686, len 52 
13:28:27 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37686, len 52 
13:28:27 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37686, len 52 
13:28:27 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37686, len 52 
13:28:27 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37686, len 52 
13:28:27 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37686, len 52 
13:28:27 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37686, len 52 
13:28:27 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37686, len 52 
13:28:27 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37686, len 52 
13:28:27 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37686, len 52 
13:28:27 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:xx:xx:xx:xx, proto TCP (SYN,ACK), 149.154.xxx.xxx:443->100.121.xxx.xxx:37686, len 52 
13:28:48 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:39474->195.135.xxx.xxx:80, len 52 
13:28:56 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.xxx.xxx:40886->52.114.xxx.xxx:443, len 40

The connection tracking table also has enough space left

ip firewall connection tracking print
                   enabled: auto
      tcp-syn-sent-timeout: 5s
  tcp-syn-received-timeout: 5s
   tcp-established-timeout: 1d
      tcp-fin-wait-timeout: 10s
    tcp-close-wait-timeout: 10s
      tcp-last-ack-timeout: 10s
     tcp-time-wait-timeout: 10s
         tcp-close-timeout: 10s
   tcp-max-retrans-timeout: 5m
       tcp-unacked-timeout: 5m
        loose-tcp-tracking: yes
               udp-timeout: 10s
        udp-stream-timeout: 3m
              icmp-timeout: 10s
           generic-timeout: 10m
               max-entries: 88016
             total-entries: 39

Thanks

/export hide-sensitive file=anynameyouwish

Herewith the export
ltap_mini.rsc.gz (2.94 KB)

AFAIK this is a known “problem”. Namely: when a TCP connection is getting terminated, one party sends a TCP packet with the FIN flag set, and the other party replies with a TCP packet with the FIN and ACK flags set. I’m not sure if it’s required, but it’s customary that the other party sends two (or even more) such packets. When a stateful firewall (e.g. Mikrotik) sees this packet exchange, it sets the connection state to closed (or it removes the connection from the table of connections) after seeing the first FIN,ACK packet. The second packet then doesn’t correspond to any of the connections (still) in the connection tracking table and is considered as new … due to the invalid flag combination (a legitimate initial packet of a TCP connection has the SYN flag and no other flag set) the packet is then declared invalid. The solution would be to keep the now closed connection in the connection tracking table for a short time (a second or so) to catch such late packets.
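A triage pass over log lines in the format shown earlier in the thread, as an added example that is not from any poster (the sample lines, MAC addresses and IP addresses are constructed): it groups the "invalid" drops by chain and by the TCP flag pattern behind them, so the late FIN/RST teardown packets described above can be told apart from SYN,ACK replies that arrived after their tracked SYN entry was already gone.

```python
import re
from collections import Counter

# Constructed sample in the RouterOS "firewall,info" log format (not the thread's real hosts).
SAMPLE_LOG = """\
13:15:46 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:00:00:00:01, proto TCP (ACK,FIN), 192.168.88.10:35071->203.0.113.5:443, len 40
13:16:35 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:00:00:00:02, proto TCP (SYN,ACK), 203.0.113.7:443->100.121.0.2:43262, len 52
13:16:36 firewall,info invalid input: in:lte1 out:(unknown 0), src-mac 00:d1:00:00:00:02, proto TCP (SYN,ACK), 203.0.113.7:443->100.121.0.2:43262, len 52
13:22:40 firewall,info invalid forward: in:bridge out:lte1, src-mac 9c:b6:00:00:00:01, proto TCP (RST), 192.168.88.10:37644->203.0.113.9:443, len 40
13:24:55 firewall,info invalid forward: in:bridge out:lte1, src-mac 0c:e0:00:00:00:03, proto TCP (ACK,FIN,PSH), 192.168.88.11:42524->203.0.113.5:443, len 83
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>.+?), src-mac (?P<mac>\S+), "
    r"proto (?P<proto>\w+) \((?P<flags>[^)]*)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)$"
)

def parse_line(line):
    """Return a dict of the log fields, or None if the line is not a firewall drop record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Name the connection-tracking situation that makes this packet 'invalid'."""
    flags = set(entry["flags"].split(","))
    if flags == {"SYN"}:
        return "bare SYN"  # a legitimate new connection; should never be dropped as invalid
    if {"SYN", "ACK"} <= flags:
        return "SYN,ACK with no tracked SYN"  # reply arrived after the syn-sent entry was gone
    if "FIN" in flags or "RST" in flags:
        return "FIN/RST after connection left the table"  # the late FIN,ACK case described above
    return "other flag combination"

def summarize(log_text):
    """Count dropped-invalid packets by (chain, classification) and by flow (src, dst, dport)."""
    by_class, by_flow = Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["prefix"] != "invalid":
            continue
        by_class[(entry["chain"], classify(entry))] += 1
        by_flow[(entry["src"], entry["dst"], entry["dport"])] += 1
    return by_class, by_flow

if __name__ == "__main__":
    classes, flows = summarize(SAMPLE_LOG)
    for (chain, reason), n in classes.most_common():
        print(f"{n:4d}  chain={chain:<8} {reason}")
```

Feed it the output of `log print where topics~"firewall"`; a flow that keeps appearing under "SYN,ACK with no tracked SYN" is the one to compare against the 5s tcp-syn-sent-timeout shown in the connection tracking settings.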

Issues noted:

(1) Optional
Change this to
/ip neighbor discovery-settings
set discover-interface-list=LAN

(2) Recommended based on all my devices…
Change this to
/ip settings
set rp-filter=loose tcp-syncookies=no

(3) Optional: set all of these to NONE, unless something doesn't work without it, like the MT iOS app. If that is the case try just the WAN interface first and not the others.
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=
LAN wan-interface-list=WAN

(4) Recommended: delete the extra unnecessary garbage in the firewall rules.

/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid log=yes log-prefix=invalid

add action=accept chain=input comment="defconf: accept ICMP" disabled=NO
protocol=icmp
add action=jump chain=forward comment="jump to ICMP filters
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
jump-target=icmp protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=accept chain=input comment="IP addresses that are allowed to access the router
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
src-address-list=allowed_to_router

Replace with
add action=accept chain=input in-interface-list=LAN src-address-list=allowed_to_router

add action=drop chain=input comment="defconf: drop all not coming from LAN"
disabled=yes in-interface-list=!LAN log=yes log-prefix=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid log=yes log-prefix=invalid

add action=drop chain=forward comment="Drop invalid {This is a duplicate of rule above}
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
connection-state=invalid disabled=yes log=yes log-prefix=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN log=yes log-prefix=!dstnat

add action=drop chain=forward comment="Drop incoming packets that are not NATted {duplicate of above rule}
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
connection-nat-state=!dstnat connection-state=new disabled=yes
in-interface=lte1 log=yes log-prefix=!NAT
add action=drop chain=input comment="drop everything else
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
disabled=yes log=yes log-prefix=unknown
add action=drop chain=forward comment="Drop incoming from internet which is not public IP
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
in-interface=lte1 log=yes log-prefix=!public src-address-list=
not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
in-interface=bridge log=yes log-prefix=LAN_!LAN src-address=
!192.168.88.0/26
Replace the above with two simple clear rules.

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"

add action=accept chain=icmp comment="echo reply
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="Destination Unreachable" icmp-options=
3:2-15 protocol=icmp
add action=accept chain=icmp comment="allow echo request
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
icmp-options=12:0 protocol=icmp
add action=accept chain=icmp comment="Parameter Problem: Bad IP header"
icmp-options=12:1-2 protocol=icmp
add action=drop chain=icmp comment="deny all other types
\nhttps://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall"
log=yes log-prefix=ICMP

(5) Recommend turning UPnP off. Should not be required. ???

Thanks

I’ll try the suggested changes and see what happens.

So after going through everything meticulously, even deleting and recreating firewall rules without much success I finally decided to try something extreme, re-installing the router OS.

I simply went and re-installed the same version of the OS and magically all of my problems went away!
This must be a fluke right? So I left it a few months but it’s still working as expected.

A few things worth mentioning here.
The unit is a MikroTik LtAP mini which gets used indoors, outdoors, in a vehicle, in coffee shops, and just about anywhere else that internet access is required.
This sees the unit being exposed to all kinds of RF, magnetic and solar radiation which I suspect in this case is what caused the problems.