IPv6 stateful firewall drop unknown connections catching tons of TCP RST

Common stateful firewall setup: one rule to allow incoming established/related connections, followed by a rule to drop all others.

I noticed a lot of dropped TCP RST on Google HTTPS connections.

IIRC something similar was happening on IPv4, and extending the IPv4 conntrack timer reduces these logs to a certain degree. But for IPv6 I can't find out where the conntrack timer setting is.

Is there a good way to cut down the noise in logs (thousands of lines each day)? Am I doing it wrong?
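Before deciding whether to lengthen conntrack timeouts or to stop logging certain drops, it helps to measure what the noise actually consists of. The script below is an added example, not code from the thread or from MikroTik: it parses constructed, RouterOS-like firewall drop lines (the field layout, addresses and ports are made up for the example; adjust `LOG_RE` to your router's real format) and sorts each drop into a bucket. Late TCP RST/FIN packets from a server port are the usual tail of a connection whose conntrack entry already expired, which is the harmless case; a lone SYN is an unsolicited connection attempt worth keeping in the log.

```python
"""Triage dropped-packet log lines from a stateful IPv6 firewall.

Added example (not from the forum thread). Buckets each dropped packet so
the share of late teardown noise versus genuinely unsolicited traffic is
visible before any logging or timeout change is made.
"""
import re
from collections import Counter

# Constructed sample lines in a RouterOS-like format. Addresses are from the
# 2001:db8::/32 documentation prefix; nothing here is real log output.
SAMPLE_LOG = """\
ipv6 drop: in:ether1 out:(unknown 0), proto TCP (RST), [2001:db8::1]:443->[2001:db8:1::10]:51234, len 40
ipv6 drop: in:ether1 out:(unknown 0), proto TCP (RST), [2001:db8::2]:443->[2001:db8:1::10]:51240, len 40
ipv6 drop: in:ether1 out:(unknown 0), proto TCP (SYN), [2001:db8:9::5]:40000->[2001:db8:1::10]:22, len 40
ipv6 drop: in:ether1 out:(unknown 0), proto UDP, [2001:db8::3]:443->[2001:db8:1::10]:60000, len 1200
ipv6 drop: in:ether1 out:(unknown 0), proto TCP (ACK,FIN), [2001:db8::1]:443->[2001:db8:1::10]:51234, len 40
"""

# Matches "proto TCP (RST), [src]:sport->[dst]:dport"; the flags group is
# optional because UDP lines carry none.
LOG_RE = re.compile(
    r"proto (?P<proto>[A-Z]+)"
    r"(?: \((?P<flags>[A-Z,]+)\))?, "
    r"\[(?P<src>[0-9a-fA-F:]+)\]:(?P<sport>\d+)->"
    r"\[(?P<dst>[0-9a-fA-F:]+)\]:(?P<dport>\d+)"
)

# Server ports we expect our own hosts to have talked to (assumption for
# the example; extend to match the services your clients actually use).
SERVICE_PORTS = {80, 443}


def parse_line(line):
    """Return a dict with proto, flags (set), src, sport, dst, dport, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = set(rec["flags"].split(",")) if rec["flags"] else set()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Bucket one parsed drop record."""
    proto, flags, sport = rec["proto"], rec["flags"], rec["sport"]
    # RST or FIN from a service port: the far end closing a connection whose
    # state entry has already timed out on our side. Harmless, pure noise.
    if proto == "TCP" and flags & {"RST", "FIN"} and sport in SERVICE_PORTS:
        return "late-teardown"
    # A bare SYN is a fresh inbound connection attempt: keep logging these.
    if proto == "TCP" and flags == {"SYN"}:
        return "unsolicited-syn"
    # UDP from port 443 (QUIC-style return traffic) deserves its own bucket
    # so it is not mistaken for either of the above.
    if proto == "UDP" and sport == 443:
        return "udp-from-443"
    return "other"


def summarize(log_text):
    """Count drops per bucket for a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return counts


if __name__ == "__main__":
    for bucket, n in summarize(SAMPLE_LOG).most_common():
        print(f"{bucket:16s} {n}")
```

If `late-teardown` dominates the counts, the usual remedies are either a longer TCP established/close timeout so the state entry outlives the far end's teardown, or a non-logging drop rule for TCP RST/FIN packets placed before the catch-all logging drop, so the entries that remain in the log are the ones worth reading.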

Google is still using SPDY, which connects back on UDP port 443. That is maybe what you are seeing.

Let's hope Google will catch up with us and switch to HTTP/2.

I also experienced something similar to this. Never figured out the cause; eventually moved to a stateless setup, as I didn't want to break what seemed to be legitimate connections.

http://forum.mikrotik.com/t/ipv6-connection-tracking-weirdness/106889/1