Firewall issue connection-state: invalid src-mac

Hi community,

I have two MikroTik devices establishing an IPsec VPN, and I see lots of logs with connection-state: invalid src-mac: xx:…

The log output is:

FROM P2 to P1 prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:a5:bf:0f:3c:19, proto TCP (ACK,PSH), 192.168.50.70:58422->192.168.49.4:445, len 296

The source of this log is my ip/firewall/raw rules, defined here:

ip firewall raw print detail 
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1    chain=prerouting action=accept log=yes log-prefix="FROM P2 to P1" src-address=192.168.50.0/24 dst-address=192.168.49.0/24 

 2    chain=prerouting action=accept log=yes log-prefix="FROM P1 TO P2" src-address=192.168.49.0/24 dst-address=192.168.50.0/24

The question is: why do I get a

connection-state:invalid src-mac 00:a5:bf:0f:3c:19

when this MAC address is my ISP gateway's MAC address

16 DC 184.xxx.xxx.1    00:A5:BF:0F:3C:19  ether1

?

I’m pretty sure I’ve done a wrong configuration somewhere but where?

Thank you

I’d say that invalid refers to the connection state and not the MAC. “Raw prerouting” is done immediately before connection tracking, so an unknown connection state is expected.
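To make the placement concrete, here is an added RouterOS configuration fragment (not from the original poster or the replier) contrasting the two places a log rule can sit. The addresses are the ones from the raw rules quoted in the question; the log prefixes on the filter rules are assumed names. The raw table is evaluated before connection tracking, so the connection-state shown in its log lines carries no information; the same traffic logged from the filter forward chain, which runs after connection tracking, shows the tracked state.

```routeros
# Raw table: runs before connection tracking. The connection-state field in
# any log line written here is not meaningful (always shows invalid).
/ip firewall raw
add chain=prerouting action=accept log=yes log-prefix="FROM P2 to P1" src-address=192.168.50.0/24 dst-address=192.168.49.0/24

# Filter table, forward chain: runs after connection tracking, so the logged
# connection-state reflects what conntrack actually decided for the packet.
# (Log prefixes below are assumed names chosen for this example.)
/ip firewall filter
add chain=forward action=accept connection-state=established,related log=yes log-prefix="VPN established" src-address=192.168.50.0/24 dst-address=192.168.49.0/24
add chain=forward action=accept connection-state=new log=yes log-prefix="VPN new" src-address=192.168.50.0/24 dst-address=192.168.49.0/24
```

Use the raw table for address-based accept or drop decisions that deliberately skip connection tracking; when the goal is to see or act on connection state, log from the filter (or mangle) table instead.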

Thank you for this reply.

So this is a “false positive”, since this is a raw prerouting rule?

BR,

Martin

Well, if your connectivity works as intended, then the log is indeed a “false positive” from your perspective.

Yes, the log message formatting could be better: the first part of the message is space-separated, with the parameter name separated from the value by a colon. Sometimes there’s also a comma. The second part is comma-separated, with a space separating the parameter name from the value. And between both there’s only a space …
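Because of that mixed formatting, a naive split on spaces or commas misparses these lines. Below is an added Python example (not code from the thread or from MikroTik) that parses the log line quoted in the question into fields, compares the logged MAC with an ARP-table entry case-insensitively (the log prints lowercase, the ARP table uppercase), and counts connection states per chain so the "prerouting always shows invalid" pattern stands out. The first sample line is the one from the question; the other three are constructed for this example and are not from the thread. The parser assumes IPv4 addresses and the five standard chain names.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# One RouterOS firewall log line as seen in this thread: a free-text log-prefix,
# the chain name, space-separated "key:value" pairs, then comma-separated
# "key value" fields. IPv4 only; ports are optional so ICMP lines also parse.
LOG_RE = re.compile(
    r"^(?P<prefix>.*?)\s*"
    r"(?P<chain>prerouting|input|forward|output|postrouting): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\(unknown \d+\)|[^,\s]+), "
    r"(?:connection-state:(?P<conn_state>\S+) )?"
    r"(?:src-mac (?P<src_mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}), )?"
    r"proto (?P<proto>\S+)(?: \((?P<proto_info>[^)]*)\))?, "
    r"(?P<src_ip>[0-9.]+)(?::(?P<src_port>\d+))?->"
    r"(?P<dst_ip>[0-9.]+)(?::(?P<dst_port>\d+))?, "
    r"len (?P<length>\d+)$"
)


@dataclass(frozen=True)
class FirewallLogEntry:
    prefix: str
    chain: str
    in_if: str
    out_if: str
    conn_state: Optional[str]   # None when the field is absent
    src_mac: Optional[str]      # normalised to lowercase
    proto: str
    proto_info: Optional[str]   # TCP flags, or ICMP "type/code" text
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    length: int


def parse_line(line: str) -> FirewallLogEntry:
    """Parse one firewall log line; raise ValueError on an unrecognised layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised firewall log line: {line!r}")
    g = m.groupdict()
    return FirewallLogEntry(
        prefix=g["prefix"],
        chain=g["chain"],
        in_if=g["in_if"],
        out_if=g["out_if"],
        conn_state=g["conn_state"],
        src_mac=g["src_mac"].lower() if g["src_mac"] else None,
        proto=g["proto"],
        proto_info=g["proto_info"],
        src_ip=g["src_ip"],
        src_port=int(g["src_port"]) if g["src_port"] else None,
        dst_ip=g["dst_ip"],
        dst_port=int(g["dst_port"]) if g["dst_port"] else None,
        length=int(g["length"]),
    )


def mac_matches(log_mac: str, arp_mac: str) -> bool:
    """Compare a logged MAC with an ARP-table MAC regardless of letter case."""
    return log_mac.lower() == arp_mac.lower()


def state_by_chain(lines: Iterable[str]) -> Counter:
    """Count (chain, connection-state) pairs; state is None if the field is missing."""
    return Counter((e.chain, e.conn_state) for e in map(parse_line, lines))


# First line: quoted from the question. Remaining lines: constructed for this
# example to show what the same parser returns for filter-table logs.
SAMPLE_LINES = [
    "FROM P2 to P1 prerouting: in:ether1 out:(unknown 0), connection-state:invalid "
    "src-mac 00:a5:bf:0f:3c:19, proto TCP (ACK,PSH), 192.168.50.70:58422->192.168.49.4:445, len 296",
    "FROM P1 TO P2 prerouting: in:ether1 out:(unknown 0), connection-state:invalid "
    "src-mac 00:a5:bf:0f:3c:19, proto UDP, 192.168.49.4:500->192.168.50.1:500, len 120",
    "VPN forward: in:ether2 out:ether1, connection-state:established "
    "src-mac 00:11:22:33:44:55, proto TCP (ACK), 192.168.50.70:58422->192.168.49.4:445, len 52",
    "VPN forward: in:ether2 out:ether1, connection-state:new "
    "src-mac 00:11:22:33:44:55, proto ICMP (type 8, code 0), 192.168.50.70->192.168.49.4, len 84",
]

if __name__ == "__main__":
    for key, count in sorted(state_by_chain(SAMPLE_LINES).items()):
        print(f"{key[0]:<11} {key[1]!s:<12} {count}")
```

Run against a larger export of the router's log, the per-chain counter shows every prerouting line with state invalid while the forward-chain lines carry real states, which is the distinction the reply above describes.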

I copy.

Thank you for your inputs, really appreciated.

BR,

Martin L.