Forward chain "drop all else"- counter is zero

I wonder why that counter shows zero; is it normal? Everything is working fine, but in the firewall's forward chain my last rule, “drop all else”, shows a counter of zero.
I asked this in another thread, but anav kindly asked to start a new thread. Thanks anav, here is my complete config.
I have S-RJ01 in my SFP-port.
I used to have a mobile phone in my USB port, so there are still some leftover configuration entries for that.
And there is a Zyxel wifi access point in port 6. Everything is working there too.


MikroTik RouterOS 7.16 (c) 1999-2024  


# 2024-12-01 07:55:29 by RouterOS 7.16
# software id = XXXXXXXXXX
#
# model = RB5009UG+S+
# serial number =XXXXXXXXXXX

/interface bridge
# Single VLAN-aware bridge (vlan-filtering=yes). frame-types=admit-only-vlan-tagged
# on the bridge itself applies to the CPU port, so the router only talks to the
# tagged VLANs defined below. protocol-mode=none turns (R)STP off: a cabling
# loop between two access ports would not be detected.
add frame-types=admit-only-vlan-tagged name=BR1 port-cost-mode=short protocol-mode=none vlan-filtering=yes

/interface vlan
# One routed interface per VLAN; each gets a .1/24 in /ip address and its own
# DHCP server. The vlan-id is what the Zyxel AP trunk on ether6 must tag
# (see /interface bridge vlan) or what an access port's pvid maps to.
add interface=BR1 name=2.4Ghz_VLAN vlan-id=77
add interface=BR1 name=LAITE_VLAN vlan-id=75
add interface=BR1 name=M_LAPTOP_VLAN vlan-id=30
add interface=BR1 name=OMALAPTOP_VLAN vlan-id=40
add interface=BR1 name=OMA_PC_VLAN vlan-id=20
add interface=BR1 name=PI_VLAN vlan-id=50
add interface=BR1 name=SFP_VLAN vlan-id=25
add interface=BR1 name=SSID1_VLAN vlan-id=60
add interface=BR1 name=SSID2_VLAN vlan-id=65
add interface=BR1 name=TV_VLAN vlan-id=70

/interface list
# WAN  : ether1 (plus the dangling *12 member, see /interface list member);
#        keys the forward "LAN to internet" accept and the srcnat masquerade.
# LAN  : all VLAN interfaces; keys the forward "LAN to internet" accept and
#        the input-chain DNS accepts.
# MGMT : ether8 and OMA_PC_VLAN; the only sources the input chain accepts
#        management from, and the interfaces MAC-Winbox listens on.
add name=WAN
add name=LAN
add name=MGMT

/interface lte apn
# Leftover from the USB phone that used to be attached. Harmless while no LTE
# interface exists; can be removed together with the *12 WAN list member.
set [ find default=yes ] name=Handset use-network-apn=no

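/ip pool
# DHCP pools, one per VLAN. Each pool has to lie inside the matching /24 from
# /ip address; otherwise the server may offer addresses that do not belong to
# the interface network (they would collide with other VLANs and match no
# /ip dhcp-server network entry).
# Fixed: OMA_PC_POOL ended at 10.20.0.56 (typo), which turned the intended
# two-address pool into 10.0.20.55-10.20.0.56, roughly 1.3 million addresses
# covering every other 10.0.x.0/24 here. This is also security-relevant: the
# input/forward accepts and the /ip service winbox address list trust
# src-address=10.0.20.55, so the admin PC must reliably get exactly that
# address. A static lease for its MAC (as done for the SFP host) would make
# that explicit instead of relying on pool order.
add name=OMA_PC_POOL ranges=10.0.20.55-10.0.20.56
add name=M_LAPTOP_POOL ranges=10.0.30.10-10.0.30.15
add name=OMALAPTOP_POOL ranges=10.0.40.10-10.0.40.15
add name=PI_POOL ranges=10.0.50.10-10.0.50.15
add name=SSID1_POOL ranges=10.0.60.10-10.0.60.15
add name=TV_POOL ranges=10.0.70.10-10.0.70.15
add name=SSID2_POOL ranges=10.0.65.10-10.0.65.15
# dhcp_pool8 (redacted) is only referenced by the "dhcp1" server bound to
# ether1, the WAN interface. It is a leftover and can be deleted once that
# server is removed.
add name=dhcp_pool8 ranges=x.x.x.x-x.x.x.x
add name=LAITE_POOL ranges=10.0.75.10-10.0.75.15
add name=2.4Ghz_POOL ranges=10.0.77.10-10.0.77.15
add name=SFP_POOL ranges=10.0.25.10-10.0.25.15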

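/ip dhcp-server
# One DHCP server per VLAN interface. lease-time=10m keeps the tiny (2-6
# address) pools turning over; the 521w3d (~10 year) leases on TV/LAITE/SFP
# effectively pin those devices to their addresses (the SFP host additionally
# has a static lease).
# Removed: "add address-pool=dhcp_pool8 interface=ether1 name=dhcp1".
# ether1 is the WAN port (interface list WAN, /ip dhcp-client) and must not run
# a DHCP *server*: it would answer DHCPDISCOVER from the upstream segment and
# act as a rogue DHCP server there. The input-chain "drop all else" does not
# protect against this -- DHCP already works on every VLAN here without any
# UDP/67 accept rule, i.e. the RouterOS DHCP server is not gated by the IP
# firewall filter. Its pool (dhcp_pool8) and the redacted
# /ip dhcp-server network entry can be deleted afterwards.
add address-pool=OMA_PC_POOL interface=OMA_PC_VLAN lease-time=10m name=OMA_PC_DHCP
add address-pool=M_LAPTOP_POOL interface=M_LAPTOP_VLAN lease-time=10m name=M_LAPTOP_DHCP
add address-pool=OMALAPTOP_POOL interface=OMALAPTOP_VLAN lease-time=10m name=OMALAPTOP_DHCP
add address-pool=PI_POOL interface=PI_VLAN lease-time=10m name=PI_DHCP
add address-pool=SSID1_POOL interface=SSID1_VLAN lease-time=10m name=SSID1_DHCP
add address-pool=TV_POOL interface=TV_VLAN lease-time=521w3d name=TV_DHCP
add address-pool=SSID2_POOL interface=SSID2_VLAN lease-time=10m name=SSID2_DHCP
add address-pool=LAITE_POOL interface=LAITE_VLAN lease-time=521w3d name=LAITE_DHCP
add address-pool=2.4Ghz_POOL interface=2.4Ghz_VLAN lease-time=10m name=2.4Ghz_DHCP
add address-pool=SFP_POOL interface=SFP_VLAN lease-time=521w3d name=SFP_DHCP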

/ip smb users
# SMB guest account disabled (the SMB server itself is not enabled in this export).
set [ find default=yes ] disabled=yes

/interface bridge port
# Access ports: each carries exactly one VLAN (pvid) and accepts only
# untagged/priority-tagged frames, so a host cannot send its own 802.1Q tags
# to hop into another VLAN.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 internal-path-cost=10 path-cost=10 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 internal-path-cost=10 path-cost=10 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 internal-path-cost=10 path-cost=10 pvid=40
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 internal-path-cost=10 path-cost=10 pvid=50
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether7 internal-path-cost=10 path-cost=10 pvid=70
# ether6: trunk to the Zyxel AP, tagged frames only (pvid=60 is moot because
# untagged frames are rejected). The VLANs it may carry are listed in
# /interface bridge vlan.
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether6 internal-path-cost=10 path-cost=10 pvid=60
# SFP port (S-RJ01 copper module): access port for VLAN 25.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=25
# ether8 is deliberately not a bridge port: it is a standalone management
# interface (10.0.80.1/24, list MGMT) for whatever is cabled directly to it.

/ip firewall connection tracking
# loose-tcp-tracking=no: TCP packets that belong to no tracked connection (no
# SYN seen by the router) are classified invalid and hit the "Drop invalid"
# rules -- a likely source of what those counters show. Short UDP timeout
# (10s) and 30m for established TCP keep the tracking table small.
set loose-tcp-tracking=no tcp-established-timeout=30m udp-timeout=10s

/ip neighbor discovery-settings
# No MNDP/CDP/LLDP announcements on any interface: the router does not
# advertise itself (model, version, identity) to neighbours.
set discover-interface-list=none

/ip settings
# rp-filter=strict drops packets whose source address would not be routed back
# out the interface they arrived on (e.g. a 10.0.x.x source arriving on
# ether1) before the firewall filter sees them. Fine with a single WAN; it
# breaks asymmetric / multi-WAN routing.
set max-neighbor-entries=4096 rp-filter=strict

/ipv6 settings
# IPv6 fully disabled; the /ipv6 firewall filter below is a second layer.
set disable-ipv6=yes

/interface bridge vlan
# VLAN membership table. BR1 is tagged in every VLAN so the router can route
# and serve DHCP for it; untagged membership of the access ports follows their
# pvid (only VLAN 20 on ether2 is listed explicitly).
# VLAN 20 (OMA_PC -- the admin PC's VLAN and a MGMT list member) is also
# trunked to the Zyxel AP on ether6, whose management address 10.0.20.15 lives
# there. Consequence: the AP, and anything it bridges into VLAN 20, sits in the
# VLAN whose source address the router trusts for management.
add bridge=BR1 tagged=BR1,ether6 untagged=ether2 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=30
add bridge=BR1 tagged=BR1 vlan-ids=40
add bridge=BR1 tagged=BR1 vlan-ids=50
# Wi-Fi / IoT VLANs carried to the AP.
add bridge=BR1 tagged=BR1,ether6 vlan-ids=60,65,75,77
add bridge=BR1 tagged=BR1 vlan-ids=70
add bridge=BR1 tagged=BR1 vlan-ids=25

/interface list member
add interface=ether1 list=WAN
add interface=OMA_PC_VLAN list=LAN
add interface=M_LAPTOP_VLAN list=LAN
add interface=OMALAPTOP_VLAN list=LAN
add interface=PI_VLAN list=LAN
add interface=ether8 list=MGMT
add interface=SSID1_VLAN list=LAN
add interface=TV_VLAN list=LAN
# *12 refers to an interface that no longer exists (presumably the former USB
# phone / LTE interface). Harmless today, but a new interface that receives
# this internal id may silently become WAN; remove the entry.
add interface=*12 list=WAN
add interface=SSID2_VLAN list=LAN
# OMA_PC_VLAN is in both LAN and MGMT: all of VLAN 20 is a management-capable
# source, narrowed only by src-address=10.0.20.55 in the input rules (IP
# Winbox) and not at all for MAC-Winbox (see /tool mac-server mac-winbox).
add interface=OMA_PC_VLAN list=MGMT
add interface=LAITE_VLAN list=LAN
add interface=2.4Ghz_VLAN list=LAN
add interface=SFP_VLAN list=LAN

/interface ovpn-server server
# The OpenVPN server is not enabled in this export, so this has no effect
# today. If it is ever enabled, drop md5 and sha1 from the HMAC list (e.g.
# auth=sha256,sha512), choose an AEAD cipher, and only then add an input
# accept for its port.
set auth=sha1,md5

/ip address
# Router gateway (.1/24) in every VLAN; 10.0.80.1/24 on ether8 is the
# off-bridge management network.
add address=10.0.20.1/24 interface=OMA_PC_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=M_LAPTOP_VLAN network=10.0.30.0
add address=10.0.40.1/24 interface=OMALAPTOP_VLAN network=10.0.40.0
add address=10.0.50.1/24 interface=PI_VLAN network=10.0.50.0
add address=10.0.60.1/24 interface=SSID1_VLAN network=10.0.60.0
add address=10.0.70.1/24 interface=TV_VLAN network=10.0.70.0
add address=10.0.80.1/24 interface=ether8 network=10.0.80.0
add address=10.0.65.1/24 interface=SSID2_VLAN network=10.0.65.0
add address=10.0.75.1/24 interface=LAITE_VLAN network=10.0.75.0
add address=10.0.77.1/24 interface=2.4Ghz_VLAN network=10.0.77.0
add address=10.0.25.1/24 interface=SFP_VLAN network=10.0.25.0

/ip cloud
# No clock sync via MikroTik cloud (NTP below is used instead); DDNS is not
# enabled in this export.
set update-time=no

/ip dhcp-client
# WAN address from the ISP on ether1. Unlisted options keep their defaults,
# which by default also take the ISP's DNS and NTP servers into the router's
# dynamic lists next to the static ones configured here. Set
# use-peer-dns=no use-peer-ntp=no if only 1.1.1.2/1.0.0.2 and the two fixed
# NTP servers are meant to be used.
add interface=ether1

/ip dhcp-server lease
# Static lease: 10.0.25.10 pinned to the SFP host's MAC/client-id. The same
# pattern would make the trusted 10.0.20.55 admin address deterministic.
add address=10.0.25.10 client-id=xxxxxxxx mac-address=xxxxxxxx server=SFP_DHCP

/ip dhcp-server network
# Per-VLAN DHCP options. Clients are pointed at 1.1.1.2/1.0.0.2 directly, not
# at the router, so the input-chain DNS accepts are rarely used.
add address=10.0.20.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.20.1
add address=10.0.25.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.25.1
add address=10.0.30.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.40.1
add address=10.0.50.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.50.1
add address=10.0.60.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.60.1
add address=10.0.65.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.65.1
add address=10.0.70.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.70.1
# netmask=24 is redundant with the /24 prefix.
add address=10.0.75.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.75.1 netmask=24
add address=10.0.77.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=10.0.77.1
# Redacted entry belonging to the "dhcp1" server on ether1 (the WAN port); it
# should be removed together with that server.
add address=x.x.x.x/x gateway=x.x.x.x

/ip dns
# Upstream resolvers for the router itself. allow-remote-requests is not set
# (default: no), so the router is not a resolver for LAN clients -- nor for
# the WAN side. If it is ever enabled, the LAN-only port-53 input rules are
# what keeps it from becoming an open resolver.
set cache-max-ttl=30m servers=1.1.1.2,1.0.0.2

/ip firewall filter
# INPUT chain -- traffic addressed to the router itself. First match wins.
# Established/related first for performance; invalid is dropped before any
# accept (with loose-tcp-tracking=no, stray non-SYN TCP packets land here).
add action=accept chain=input comment="\"Accept established, related\"" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid log-prefix=Input_Drop_Invalid_
# ICMP accepted from every interface, including WAN. Common, but consider
# in-interface-list=!WAN or a limit= on this rule to keep the WAN side quiet.
add action=accept chain=input comment="\"Accept ICMP\"" protocol=icmp
# Management access is IP-based trust only: 10.0.80.5 on ether8 and 10.0.20.55
# on OMA_PC_VLAN (both in MGMT). Any host on VLAN 20 that obtains or spoofs
# 10.0.20.55 gets the same access; give that PC a static lease.
add action=accept chain=input comment="Allow 5009 config from port 8" in-interface-list=MGMT src-address=10.0.80.5
add action=accept chain=input comment="Allow 5009 config from port 2" in-interface-list=MGMT src-address=10.0.20.55
# DNS to the router from LAN only (the router is not answering LAN queries
# unless allow-remote-requests is turned on, and DHCP hands out 1.1.1.2
# directly, so these rarely match). Being LAN-only is what matters: the WAN
# side must never reach port 53 here.
add action=accept chain=input comment="\"Allow LAN DNS queries\"" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="\"Allow LAN DNS queries\"" dst-port=53 in-interface-list=LAN protocol=tcp
# Default deny for input. Note: log-prefix has no effect without log=yes (the
# forward drop below does set it), so input drops are currently not logged.
add action=drop chain=input comment="\"Drop all else\"" log-prefix=Input_Drop_All_Else_

# FORWARD chain -- traffic routed through the router. LAN->WAN is accepted,
# replies come back as established/related, and there is no dst-nat, so
# nothing from the WAN side is forwarded into the VLANs unless the upstream
# deliberately sends packets for 10.0.x.x (RFC1918 space is not routed over
# the internet). The only "new" traffic that can fall through to the last rule
# is therefore inter-VLAN traffic; a zero counter there means no device has
# tried to cross VLANs, not that the rule is broken.
add action=accept chain=forward comment="\"Accept established, related\"" connection-state=established,related
add action=drop chain=forward comment="\"Drop invalid\"" connection-state=invalid log-prefix=Forward_Drop_Invalid_
add action=accept chain=forward comment="Allow list LAN to internet" in-interface-list=LAN out-interface-list=WAN
# Dead rule: 10.0.20.55 and 10.0.20.15 are both in 10.0.20.0/24 (VLAN 20), so
# this traffic is switched inside the bridge and never enters the forward
# chain. Harmless; can be deleted.
add action=accept chain=forward comment="Allow Zyxel config from port 2" dst-address=10.0.20.15 src-address=10.0.20.55
# Routed: ether8 (10.0.80.0/24) -> VLAN 20. This one does go through forward.
add action=accept chain=forward comment="Allow Zyxel config from port 8" dst-address=10.0.20.15 src-address=10.0.80.5
# Routed: VLAN 20 -> VLAN 75 (LAITE). This one does go through forward.
add action=accept chain=forward comment="Allow Shelly config from port 2" dst-address=10.0.75.15 src-address=10.0.20.55
# Default deny for forward, logged (log=yes).
add action=drop chain=forward comment="\"Drop all else\"" log=yes log-prefix=Forward_Drop_All_Else_

/ip firewall nat
# Source NAT for anything leaving via WAN. Hosts on ether8 (10.0.80.0/24) are
# not in the LAN list, so the forward chain never lets them out -- consistent
# with a management-only port.
add action=masquerade chain=srcnat comment="\"NAT\"" out-interface-list=WAN

/ip firewall service-port
# NAT helpers (ALGs) that parse application payloads are disabled; they are a
# classic attack surface and none of these protocols are used here. Helpers
# not listed keep their defaults.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

/ip ipsec profile
# DPD tuning on the default profile; no IPsec peers or policies exist in this
# export.
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

/ip service
# Management protocols: everything except Winbox is disabled. Winbox (default
# port 8291) additionally answers only source addresses 10.0.80.0/24 and
# 10.0.20.55/32 -- defence in depth on top of the input chain. This address
# filter covers IP Winbox only; MAC-Winbox is governed by /tool mac-server.
# www-ssl keeps its default (disabled); if it is enabled it needs a
# certificate and the same address= restriction.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl tls-version=only-1.2
set api disabled=yes
set winbox address=10.0.80.0/24,10.0.20.55/32
set api-ssl disabled=yes

/ip smb shares
# Default share definition; the SMB service is not enabled in this export.
set [ find default=yes ] directory=/pub

/ip ssh
# Only modern ciphers/MACs/kex -- relevant if SSH is re-enabled above.
set strong-crypto=yes

/ipv6 firewall filter
# Drop all IPv6 in every chain (including the router's own output) as a
# backstop to disable-ipv6=yes.
add action=drop chain=input
add action=drop chain=forward
add action=drop chain=output

/system clock
# Fixed time zone; correct time matters for log correlation and TLS checks.
set time-zone-autodetect=no time-zone-name=Europe/Helsinki

/system identity
set name=Box

/system ntp client
# Time from two fixed servers (plain, unauthenticated NTP -- the norm).
set enabled=yes

/system ntp client servers
add address=194.100.49.139
add address=194.100.49.151

/system routerboard reset-button
# Enables the configurable reset-button action (hold-time / on-event; none
# shown in this export). The boot-time factory reset is a separate mechanism
# available to anyone with physical access; if that matters, look at
# protected-routerboot under /system routerboard settings.
set enabled=yes

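/system scheduler
# Nightly WAN cut-off: ether1 is disabled at 21:30 and re-enabled at 04:00
# (Europe/Helsinki). Each script only toggles an interface, which needs the
# read and write policies. They previously ran with every policy
# (ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon); a
# scheduler entry's policy is the privilege its script executes with, so it
# is trimmed to what the command needs. With least privilege a later edit to
# the script cannot silently gain password/sensitive/policy rights.
# The on-event strings are unchanged (the export had wrapped them with "\").
add interval=1d name="Wan Off" on-event="/interface disable [find where default-name=\"ether1\"]\r\n" policy=read,write start-date=2023-12-26 start-time=21:30:00
add interval=1d name="Wan On" on-event="/interface enable [find where default-name=\"ether1\"]\r\n" policy=read,write start-date=2023-12-27 start-time=04:00:00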

/tool bandwidth-server
# Bandwidth-test server off (removes a trivial DoS / amplification target).
set enabled=no

/tool mac-server
# MAC-Telnet disabled on every interface.
set allowed-interface-list=none

/tool mac-server mac-winbox
# MAC-Winbox on the MGMT list. Caveat: MAC-Winbox works at Layer 2 -- it is
# not subject to /ip firewall filter nor to the /ip service winbox address=
# list. Because OMA_PC_VLAN is in MGMT, every host on VLAN 20 (including the
# Zyxel AP at 10.0.20.15 and anything it bridges into that VLAN) gets a Winbox
# login prompt guarded only by credentials. Prefer a list that contains just
# ether8 here (or none), and use IP Winbox from 10.0.20.55.
set allowed-interface-list=MGMT

/tool mac-server ping
set enabled=no

/user settings
# 15-character minimum for local accounts -- the last line of defence for the
# MAC-Winbox exposure above.
set minimum-password-length=15

Simple explanation: the rule does not get hit. A counter of zero means no packet ever reached that rule, not that the rule is broken. In your configuration the forward chain only sees routed traffic: everything from the VLANs towards the internet is accepted by the “LAN to internet” rule, the replies are accepted as established/related, and since there is no dst-nat nothing arriving on the WAN side is forwarded into your VLANs. Only a device trying to reach a different VLAN (or any other traffic no earlier rule matches) would fall through to “drop all else”.
As a test, temporarily disable the forward “drop invalid” rule and watch the counters.

A zero counter does not mean the rule is not working. It simply means that the rules before it catch everything before traffic gets there.

But in default firewall, that specific combination is not present.
So why put it there ?

But in default firewall, that specific combination is not present.
So why put it there ?

What do You mean, I think it is a good idea to have “Drop All Else” in the end of the filter rules?

It doesn’t harm, true.

But if everything is already handled before, it doesn’t make sense. That’s all.

So “Drop Invalid” takes care of all the abnormal traffic?
Are you saying that if I disable the invalid rule, the drop-all-else rule takes care of invalid traffic as well? So only one of those two rules is necessary?

If the traffic is marked as invalid state it will be dropped at that rule; if not, it continues until it reaches a rule that matches it.
You do need a rule that drops everything: a firewall works by accepting what you need and then dropping everything else. That is much simpler than enumerating what to drop — far fewer rules.

It does make sense to drop “invalid” packets early, they might match some allow rule down the chain.

So after all my firewall is ok then, with “drop invalid” and then “drop everything” in the end. Just like in many examples here in the forum. I was just thinking why there are no hits in “drop everything”-rule in the end. But if everything is handled before, then it is ok.
Just an example, just now my firewall counter in forward chain “established, related” shows 65,3GiB and “drop invalid” shows 2400KiB.
It of course depends, but what is the relation between those numbers “normally”?

In my case, accept (fasttrack counter) is at 2TB and another 2TB for “slow track”… 32MB drop invalid on input and 32MB drop invalid on forward … and 178MB drop all else (on input … nothing on forward).

Hmmm..

Is there a rule of thumb for what percentage of total traffic the “drop” counters may reach before one should worry that something odd is going on?
I have never been under any cyber attack (I hope), so I have no idea what those counters look like in that case.

Ideally there would be 0 dropped packets (because nobody would be trying to do anything bad to you). In reality there are always bots scanning the internet for new victims. I guess there will be more dropped packets if the bots “smell blood” (there are many reasons for that; one would be misconfigured services opening a window for DDoS attacks … and if attackers find one vulnerability, they will try to find others).

If you happen to become “under fire” for some reason, then you’ll get DDoSed and your router will struggle … even if your firewall is perfect.

So no, there isn’t “a normal ratio threshold” …