Firewall not match packet fragment

ltloc04 · July 18, 2013, 5:03am

Hi all,

I have a case about firewall rules
My client send Flood attack with UDP Packet Fragments, I’ve created rule firewall which detect amount packet UDP from client (set rule to match Dst.limit Rate 1000 packet/s)
However, when i use Tools>Torch and capture amount packet (interval time is 1s), amount packet captured about >2000/s. But rules Dst.limit Rate 1000 packet/s is not match
And I test again with a rule firewall match accept any packet from client and view counters realtime inline rules, amount packet counters is only <20 packet/s but rate counter realtime is about 50Mbps. While amount packet captured in Tools > Torch is more 2000packet/s (rate is same 50Mbps)

Please let me know the solutions that fix this issue
P/s: I tested check option “Fragment” but still same error
Version RouterOS - 5.18

Thanks all

Chupaka · July 23, 2013, 12:14am

what’s the state of Connection Tracking? AFAIR, ConnTrack defragments packets

ltloc04 · July 26, 2013, 11:11am

Connection Tracking is enabled

Thanks
LTL

ltloc04 · July 29, 2013, 3:11am

Hi Chupaka, Connection Tracking is enabled.

Thanks

Chupaka · July 31, 2013, 8:26am

I re-read your mssages…

what if in Torch you see fragmented packets, and in Firewall they are already defragmented by ConnTrack? =)

ltloc04 · August 2, 2013, 10:59am

Thanks Chupaka,
I saw