Firewall question about connection state, NAT, and 'invalid'.

I’m preparing to eliminate my ISP-provided router and instead use a RB5009.
Before I do this I want to make sure I understand what all the firewall rules, and other parts of my setup are doing.
Therefore, right now, the Mikrotik is connected behind the Verizon router.
The Mikrotik serves DHCP and performs NAT for the VLANs created on the device (20, 40, 60, 80) and used in my local network.
The “WAN” port of the RB5009 is therefore an access port on VLAN10. Yes, this is a ‘double NAT’ situation.

I’m using a firewall configuration which is almost the default that came with the device, just with some drops between VLANs.
In particular, I drop ‘invalid’ connections and accept established/related/untracked.

I’m having a (somewhat rare: representing about 1 in 1000 packets or 1MiB blocked vs 10GiB passed) issue where sometimes a client

  • starts a connection, the NAT translation is logged
  • and shortly after, a packet gets dropped for being ‘invalid’.

It looks like this:

masq80 srcnat: in:VLAN80 out:VLAN10, connection-state:new src-mac xy:zx:yz:xy:zx:yz, proto TCP (SYN), 192.168.80.199:46654->108.139.29.94:443, len 60
then
invalid_not_established forward: in:VLAN80 out:VLAN10, connection-state:invalid src-mac xy:zx:yz:xy:zx:yz, proto TCP (RST), 192.168.80.199:46654->108.139.29.94:443, len 40

Generally my internet works normally.
Is this just a random, 1 in 1000 sort of packet-dropped bug?
Or is my firewall configured incorrectly?
Will this likely go away once I stop double-NATing?

Here is my firewall forward chain and NAT configurations:

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow connections starting from Trusted vlans to all managed vlans" connection-state=new \
in-interface-list=TrustedVLANs log=yes log-prefix=new_trusted_to_managed out-interface-list=ManagedVLANs
add action=accept chain=forward connection-state=new in-interface-list=PrinterAccess log=yes log-prefix=printer_input out-interface=VLAN60
add action=accept chain=forward connection-state=new in-interface=VLAN60 log=yes log-prefix=printer_output out-interface-list=\
PrinterAccess
add action=drop chain=forward comment="block traffic between untrusted vlans" connection-state=new in-interface-list=UntrustedVLANs log=yes \
log-prefix=untrusted_to_managed out-interface-list=ManagedVLANs
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=invalid_not_established
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=\
yes in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop all from VLAN10 not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface=VLAN10
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=VLAN10 src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=VLAN10 src-address=192.168.40.0/24
add action=masquerade chain=srcnat log-prefix=masq80 out-interface=VLAN10 src-address=192.168.80.0/24

I also attach my whole configuration below.
routerconfig.txt (8.09 KB)
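As an added example (not code from the thread), a small Python script that parses firewall log lines of the shape quoted above, checks for each `invalid` drop whether the router had earlier logged a NAT `new` entry for the same flow, and tallies the TCP flags on the dropped packets. The log format regex is inferred from the two quoted lines, and the sample addresses and MACs are constructed.

```python
import re
from collections import Counter

# Assumed shape of the RouterOS firewall log lines quoted in the post:
#   <prefix> <chain>: in:<if> out:<if>, connection-state:<state> src-mac <mac>,
#   proto <proto> (<flags>), <src>:<sport>-><dst>:<dport>, len <n>
LOG_RE = re.compile(
    r"^(?P<prefix>\S+) (?P<chain>\S+): in:(?P<in>\S+) out:(?P<out>\S+), "
    r"connection-state:(?P<state>\S+) src-mac (?P<mac>\S+), "
    r"proto (?P<proto>\S+) \((?P<flags>[^)]*)\), "
    r"(?P<src>\S+)->(?P<dst>\S+), len (?P<len>\d+)$"
)

# Constructed sample log lines (documentation-range addresses, made-up MACs),
# mirroring the SYN-then-RST pattern described in the post.
SAMPLE_LOG = """\
masq80 srcnat: in:VLAN80 out:VLAN10, connection-state:new src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.80.199:46654->203.0.113.10:443, len 60
invalid_not_established forward: in:VLAN80 out:VLAN10, connection-state:invalid src-mac 00:11:22:33:44:55, proto TCP (RST), 192.168.80.199:46654->203.0.113.10:443, len 40
masq80 srcnat: in:VLAN80 out:VLAN10, connection-state:new src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.80.199:46655->203.0.113.10:443, len 60
invalid_not_established forward: in:VLAN80 out:VLAN10, connection-state:invalid src-mac 00:11:22:33:44:55, proto TCP (ACK), 192.168.80.199:50000->203.0.113.11:443, len 40
"""

def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def correlate(log_text):
    """Pair each 'invalid' drop with an earlier logged srcnat 'new' entry for the
    same (proto, src, dst) flow; count matched/unmatched drops and TCP flags."""
    seen_new = set()
    result = {"new": 0, "matched": 0, "unmatched": 0, "flags": Counter()}
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        flow = (rec["proto"], rec["src"], rec["dst"])
        if rec["chain"] == "srcnat" and rec["state"] == "new":
            seen_new.add(flow)
            result["new"] += 1
        elif rec["state"] == "invalid":
            # A matched drop means the tracker already saw this flow start, so the
            # packet was judged invalid for a state/sequence reason, not as a stray.
            result["matched" if flow in seen_new else "unmatched"] += 1
            result["flags"][rec["flags"]] += 1
    return result
```

Running it over a real `/log print` export and comparing `matched` against `new` gives the actual drop ratio for flows the router itself initiated NAT for, which is the number the question is really about.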

I see that you have lost the firewall “input” chain :)
INPUT CHAIN → To the Router or to Router Services. Directional flow is WAN to Router, and LAN to Router.
FORWARD CHAIN → Through the Router. Directional flow is LAN to LAN, LAN to WAN, WAN to LAN.
OUTPUT CHAIN → From the Router. Directional flow is Router to WAN.
https://help.mikrotik.com/docs/pages/viewpage.action?pageId=328435
https://www.youtube.com/watch?v=hMj80ZIVBQs

You can see the input chain in my attached configuration file. (Sorry I’m not sure how to embed it in the fancy way here.)
I left it out of the original post because I’m fairly confident it doesn’t have anything to do with the issue.