large amount of firewall input drop from NAT

realdreams · March 22, 2015, 10:53pm

In the firewall the first 5 rules are
#1 input ICMP accept
#2 input established accept
#3 input related accept
#4 input OpenVPN UDP/port accept
#5 input any drop & log

I am getting 100K dropped packets from rule #5 within 12 hours. The majority of them seems to be TCP RST, TCP FIN from NAT transactions destination at my WAN address higher ports(1024+). The source IP addresses looks like CDN nodes. My guess would be the NAT entry has been removed (I can see similar connections to those IP/ports so they are actually legitimate traffic) on RouterOS but the server still thinks they are alive. Is this behavior normal or something is misconfigured?

TrollMan · March 23, 2015, 10:23am

I had this issue when on a ads line. Solution was to 3x the timeout on connection tracking.

realdreams · March 24, 2015, 10:55pm

Which timeout did you change?

TrollMan · March 25, 2015, 6:41am

Any timeout that was below 5 seconds.

realdreams · March 27, 2015, 4:20am

I increased all timers by x2 and still see some of these dropped packets. Some from Google’s server 80/443 TCP RST or SYN