Mangle rule sometimes returns connection-state:invalid src-mac

Hiji5656 · May 4, 2025, 9:18pm

Hi smart folks!

Here is part of code. We route Pool_03_CLIENT_GROUP_01 IP’s to another VM gateway.

/ip firewall mangle add action=mark-connection chain=prerouting comment="CLIENT_GROUP_01" connection-state=new dst-address-list=RFC1918 new-connection-mark=LAN-CLIENT_GROUP_01 passthrough=no src-address-list=Pool_03_CLIENT_GROUP_01
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new dst-address-list=!RFC1918 new-connection-mark=CLIENT_GROUP_01_CM src-address-list=Pool_03_CLIENT_GROUP_01
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=CLIENT_GROUP_01_CM new-routing-mark=SERVER-PVE-VM-01 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-state="" dst-address-list=!RFC1918 new-routing-mark=SERVER-PVE-VM-01 passthrough=no src-address-list=Pool_03_CLIENT_GROUP_01

Sometimes this rules returns

prerouting: in:bridge(ether2-server) out:(unknown 0), connection-state:invalid src-mac 00:00:01:00:00:01, proto TCP (ACK,RST), 192.168.10.101:65183->55.188.115.160:443, len 40

00:00:01:00:00:01 - MAC of client from Pool_03_CLIENT_GROUP_01 (Virtual Machine) with 192.168.10.101 IP with is real ARP record.

Why invalid src-mac ?

chechito · May 4, 2025, 9:38pm

maybe a “,” is missing between

connection-state:invalid
and
src-mac 00:00:01:00:00:01

i think are 2 separated statements

Hiji5656 · May 4, 2025, 9:42pm

Ohhh
Thank you!
I dunno why but saw it as problem:reason for a moment. While watching at all the others log entries)

Ban bad user IP - Ping try with: in:ether1-wan out:(unknown 0), connection-state:new src-mac 86:c9:b2:4b:92:15, proto ICMP (type 8, code 0), 43.201.28.202->X.X.X.X, len 84