LTE / SSL Firewall problem

RouterOS Beginner Basics
1

Hi All

I spotted an issue today whilst on customer site with them accessing HTTPS sites over the SXT LTE i have recently implemented, the config looks a little like this:

What i spotted was that 90% at least of requests to HTTPS sites where just dying … I could see the browser find the IP, then get estblishing secure connection … then it just stayed at that point till it timed out.

I did some digging and could see one particular firewall drop rule with lots of traffic logged against it, the rule was disabled and the problem went away.

The rule in question is this one:

add action=drop chain=forward comment="defconf: drop invalid" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=invalid \
    !connection-type !content disabled=yes !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl

I can see its from the defconf, but can anyone help me understand why it might be failing ? Could it be due to the CGNAT in use on the Mobile providers network ?

Many Thanks

Nik

2

You can check default configuration by issuing

/system default-configuration print

The defconf drop invalid rule doesn’t look like yours, this is the output from the previous command on a Hap AC:

           /ip firewall {
             filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
             filter add chain=input action=accept connection-state=established,related comment="defconf: accept established,related"
             filter add chain=input action=drop in-interface=ether1 comment="defconf: drop all from WAN"
             filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
             filter add chain=forward action=accept connection-state=established,related comment="defconf: accept established,related"
             filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
             filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 comment="defconf:  drop all>
           }

Try setting that drop invalid rule as that one, i.e. just connection-state=invalid it should make a difference.

It can be CGNAT, packet fragmentation, packets reaching the router out of order… a normal count for this rule would be about 150k-200k per Gb of transferred traffic on a FTTH connection.

3

Thanks for the reply, I think the rule from my export is the same just displayed differently, but i will recreate and try it thanks :slight_smile:

I am seeing 100Mb out of 10Gb of traffic finding its way into this rule.

Nik

4

Keep in mind you’re on a LTE wireless network… higher percentage of invalid packets are to be expected vs a FTTH one.

5

If only HTTPS traffic is having a problem, it could be MSS issues.

Suggest you try this: (replace ether1 with your WAN interface)

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=ether1 \
    passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=change-mss chain=forward in-interface=ether1 new-mss=clamp-to-pmtu \
    passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1453-65535

https://en.wikipedia.org/wiki/Maximum_segment_size#MSS_and_PMTU