However, if I do this in firewall filter (on AP):
0 chain=forward action=drop connection-state=invalid
1 chain=forward action=log src-address=192.168.0.0/24 log-prefix=""
Then I get many, many log entries for TCP traffic from 192.168.0.xxx (not supposed to happen!) and if I trace the src-mac, it comes from CPEs with masquerade…
If they were ‘invalid’ packets, then rule 0 should drop them, but it doesn’t; I get 100s of log entries in a minute generated by rule 1.
How is this possible? How can:
TCP/IP packets arrive from behind a masquerade rule with the original IP still in them?
The ‘drop invalid packets’ filter rule fail to drop these?
Packets route through all default gateways, even if there is no route for that subnet and obviously no return route?
If it is a bug that these packets ‘escape’ NAT, then at least I’d like to stop them.
Putting rules on ingress for each possible subnet behind NAT is not really a good solution; I’d like to be able to stop it at the CPE so the network never receives these ‘invalid’ packets.
UPDATE:
Strange thing…
In Winbox the NAT rule looked normal, like it should be.
But for some reason I viewed it in terminal and noticed this:
[admin@Stander] /ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=public
[admin@Stander] /ip firewall nat> rem 0
[admin@Stander] /ip firewall nat> add chain=srcnat out-interface=public action=masquerade
[admin@Stander] /ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=public
[admin@Stander] /ip firewall nat>
This seems to solve my problems… not!
After a reboot, the to-addresses=0.0.0.0 comes back and I see a bunch of invalid traffic going through to my network again.
[admin@Stander] > /ip fir nat pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=public
I can only see it in CLI, as that field is hidden when masquerade is selected.
This is with ROS 5.25 on an SXT.
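A CPE-side filter set that stops the leak at its source, added here as an example and not part of the original post: netfilter does not apply srcnat/masquerade to packets that connection tracking classifies as invalid, so unless a filter rule drops them on the CPE they leave the public interface with the LAN source address untouched. The interface name public and the range 192.168.0.0/24 are taken from the post; the log prefix is an assumed value.

```routeros
# Added example (not the poster's configuration). Run on each CPE, not on the AP:
# invalid packets bypass masquerade, so they must be dropped before they are forwarded.
/ip firewall filter
# Optional visibility first: count and log what is about to be dropped so the
# leak can be confirmed per CPE (log-prefix is an assumed value).
add chain=forward connection-state=invalid action=log log-prefix="cpe-invalid"
# The actual fix: drop invalid packets in forward before any accept rule.
add chain=forward connection-state=invalid action=drop
# Same protection for traffic to and from the CPE itself.
add chain=input connection-state=invalid action=drop
add chain=output connection-state=invalid action=drop
# Normal flows continue to be accepted and will be masqueraded as usual.
add chain=forward connection-state=established,related action=accept
add chain=forward src-address=192.168.0.0/24 out-interface=public action=accept

# Keep the masquerade rule in the plain form the post shows after re-adding it,
# and re-check it after a reboot with: /ip firewall nat print
/ip firewall nat
add chain=srcnat out-interface=public action=masquerade
```

Rule order matters: the invalid drop must sit above every accept rule in the forward chain, and the log rule can be removed once the counters confirm the untranslated packets have stopped.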