Hello,
I have a strange problem on my x86 MikroTik router/firewall. I have a 2-core Intel CPU, one integrated NIC and one 4-port MikroTik NIC. All ports except the one that is connected to the internet are in the same bridge.
I have quite a few NAT rules and firewall rules, but no mangles.
From time to time a few packets miss the NAT rule and go to the input chain. For example, I have a dst-nat rule for a web server:
Most of the packets to external_ip:80 are NATed to internal_ip:80, but I have quite a few packets caught by the deny-all rule in the INPUT chain which should be matched by that NAT rule:
input: in:InetGB out:(none), srv-mac: xx:xx:xx:xx:xx, proto TCP (ACK), some_address:some_port → external_ip:80, len 52
The proto part of the log is TCP (ACK), TCP (ACK, RST), TCP (ACK, FIN) or TCP (SYN).
I currently have rOS 5.0rc8, but I have had this exact issue for at least a year (for sure the same problem was on rOS 4.xx).
I'm not sure that all the blocked packets are invalid. From time to time web pages from the web server behind the MikroTik are not loaded completely. These errors correlate with packets in the input firewall log.
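As an added illustration, not part of the original post: a small parser for firewall log lines in the format quoted above that sorts input-chain hits by TCP flags. It separates a SYN that reached the input chain on a dst-nat'd port (the NAT rule genuinely did not match) from FIN/RST tails after a closed connection (dropped as expected) and from plain ACKs with no state (the conntrack misses that line up with the half-loaded pages). The sample lines, the interface name, MAC, addresses and the set of dst-nat ports are constructed placeholders; the log line uses "src-mac" and "->" as the router writes them.

```python
import re
from collections import Counter

# Constructed sample lines in the MikroTik firewall-log format quoted in the post.
# Interface name, MAC and addresses are placeholders, not data from the thread.
SAMPLE_LOG = """\
input: in:InetGB out:(none), src-mac: 00:11:22:33:44:55, proto TCP (SYN), 198.51.100.7:51234->203.0.113.10:80, len 60
input: in:InetGB out:(none), src-mac: 00:11:22:33:44:55, proto TCP (ACK), 198.51.100.7:51234->203.0.113.10:80, len 52
input: in:InetGB out:(none), src-mac: 00:11:22:33:44:55, proto TCP (ACK,FIN), 198.51.100.9:40001->203.0.113.10:80, len 52
input: in:InetGB out:(none), src-mac: 00:11:22:33:44:55, proto TCP (ACK,RST), 198.51.100.11:40002->203.0.113.10:80, len 40
input: in:InetGB out:(none), src-mac: 00:11:22:33:44:55, proto UDP, 198.51.100.12:5000->203.0.113.10:53, len 70
input: in:InetGB out:(none), src-mac: 00:11:22:33:44:55, proto TCP (ACK), 198.51.100.13:40003->203.0.113.10:22, len 52
"""

# Assumed: the set of public ports that a dst-nat rule is supposed to redirect.
# Packets for these ports should never reach the input chain at all.
DNAT_PORTS = {80}

# One log line: chain, interfaces, MAC, protocol, optional TCP flags, 4-tuple, length.
# Both "->" and the "→" some copies show are accepted; IPv4 only (no ':' in addresses).
LINE_RE = re.compile(
    r"^(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>\S+), "
    r"src-mac: (?P<mac>[0-9a-fA-F:]+), proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s*(?:->|→)\s*(?P<dst>[^\s:]+):(?P<dport>\d+), "
    r"len (?P<len>\d+)$"
)


def parse_line(line):
    """Return the fields of one firewall log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Label an input-chain record by what it says about NAT / connection tracking."""
    if rec["chain"] != "input" or rec["proto"] != "TCP":
        return "other"
    if int(rec["dport"]) not in DNAT_PORTS:
        return "not-dnat-port"
    flags = {f.strip() for f in (rec["flags"] or "").split(",") if f.strip()}
    if "SYN" in flags and "ACK" not in flags:
        # A new connection on a dst-nat'd port landed in input: the NAT rule did not match.
        return "new-conn-bypassed-dnat"
    if "FIN" in flags or "RST" in flags:
        # Teardown packets arriving after conntrack already closed the entry: expected drops.
        return "late-teardown"
    # A mid-stream ACK with no conntrack entry: the state for a live connection was lost.
    return "untracked-ack"


def analyze(log_text):
    """Count each category over a block of log text; unparseable lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{label:24s} {n}")
```

The "untracked-ack" bucket is the one worth watching: FIN/RST stragglers after a close are normal, but a steady trickle of plain ACKs for an established web session that conntrack no longer recognises points at a lost or rejected state entry rather than at junk from the internet.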
If connection tracking does not have a record of the connection then the packet is considered invalid. If after the connection is closed the router receives ACK/FIN or ACK/RST packets then of course they will be dropped.
I got that. But I don't understand why connection tracking misses some valid packets. I have multiple servers with multiple applications behind the MikroTik and all of them lose connections from time to time. There are web servers which sometimes fail to send a page to the client, there are FTP servers which close connections randomly …
The problem seems to be resolved. Behind the MikroTik firewall is a Cisco firewall. The problem was probably caused by ISN (TCP sequence number randomization) and SACK (selective acknowledgement) on the Cisco firewall, respectively on both devices. When the Cisco admin issued the norandomseq command for my IP address the problem went away.