firewall filter - missing packets and bytes

I added this firewall filter action to see all addresses that try to establish a UDP connection to the MikroTik UDP port 500:

/ip firewall filter
add action=add-src-to-address-list address-list=important address-list-timeout=1d chain=input disabled=no dst-port=500 in-interface=pppoe-out1 protocol=udp src-port=500

and the problem is that today I found three different IP addresses in address list = “important”, but at the same time, through Winbox Firewall/Filter rules, I can see that bytes are 0B (zero) and packets are also 0 (zero), indicating that no traffic was related to that action.

How is that possible? That some filter rule added some addresses to the specified address list and at the same time it indicates 0 (zero) traffic and 0 (zero) packets?

Please provide some comments because this is a serious security issue from my perspective. tnx!

I have version 5.9 at the moment - I cannot replicate this problem because when I try to establish a connection (IKE) from my PC, the MikroTik firewall rule indicates packets and bytes as it should, as is expected.

I have used MikroTik for several years (two instances: one in my office (dedicated server) and the other at home (RB433)) and I never saw this happen until now.
Can someone from MT support comment on whether this is possible - that some filter rule is triggered and executes its function (add-src-to-address-list) and that no traffic is registered on that rule - 0 bytes, 0 packets? And that happened 3 times in one day (3 different unknown public IP addresses added to the address list without traffic and packets shown).
Is this possible or is it a bug?

Can someone please provide some thoughts?
Is it possible that a firewall filter rule is triggered and at the same time traffic is shown as zero (0) on that rule??

I think that this is a security hole and a possible bug!?

Any kind of support would be very appreciated!

Please post your complete exported firewall config and we might then see how this is happening?

Thank you in advance!!

Here it is, very simple:

/ip firewall filter
add action=add-src-to-address-list address-list=importantad address-list-timeout=1d chain=input disabled=no dst-port=500 in-interface=pppoe-out protocol=udp src-port=500
add action=accept chain=input disabled=no in-interface=pppoe-out protocol=ipsec-esp
add action=accept chain=input disabled=no dst-port=500 in-interface=pppoe-out protocol=udp src-port=500
add action=accept chain=input disabled=no dst-port=1701 in-interface=pppoe-out protocol=udp src-port=1701
add action=drop chain=input disabled=no in-interface=pppoe-out
add action=drop chain=forward connection-state=new disabled=no in-interface=pppoe-out

So, no config in NAT or Mangle firewall rules, just filter?

( Thanks for the karma :) )

Oh, I thought that it was not important; there is a NAT rule just to reach the internet:

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out src-address=192.168.X.X/24

I thought that only Filter is important because the first rule in Filter (action=add-src-to-address-list) was triggered 3 times for 3 different outside IP addresses and no traffic was shown (visible) in Winbox.

I would be interested to see what happens when you add logging to the rules immediately before your first rule.

/ip firewall filter
add action=log chain=input disabled=no dst-port=500 in-interface=pppoe-out protocol=udp src-port=500

Yes, that could be interesting.

From that day when I saw this weird behavior (those 3 addresses in the address list and at the same time no traffic in the rule) I have been trying to replicate that situation, but every time I connect with VPN L2TP/IPsec, traffic is normally shown as expected, but those 3 addresses definitely triggered this rule and traffic was not shown.

I can only add action=log as you suggest and wait and wait… hopefully it happens again.

Just to confirm: this behavior that I described is weird, isn’t it? Filter rule triggered and executed - at the same time no traffic shown?

Weird? Yes. Security hole? No. A “feature”. Probably! :)