Router dropping traffic as "drop invalid"

I really need some help please.

Yesterday I was using a service that uses UDP ports in the 20000 range.

Everything worked fine, then after 10 min of usage the connection was dropped. After that it was impossible to reconnect.
When I check the router, the traffic seems to go into the "drop invalid" firewall rule.

The strange thing is that even if I try to brute force the connection through (as in disabling the whole firewall, or setting all the rules to allow) I cannot connect to the service again. I also tried to reset the whole router's settings, with no luck.
I have no idea why a service would work and then (with no changes to the settings) drop and refuse the connection again.

If I connect to the internet past the router (directly to the modem) the service works fine again.

PLEASE, I'd really like some help.

Can you do a full export of your firewall?
Are you explicitly accepting already established and related connections?

I will post the firewall in 1h, when I get back to the router, but I can tell you now it's a QuickSet default rule set found in defconf.

Also nothing except the router's QuickSet was changed.

(noob - that's why I need help :smiley: )

What really confuses me is that it was working fine, then just out of nowhere gone.

Here is the FW setup >


/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN


Here is some dropped traffic >

14:43:47 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62026->69.174.194.168:20177, len 43
14:43:47 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62027->69.174.216.25:20137, len 43
14:43:53 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62029->69.174.220.21:20127, len 43
14:43:56 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62030->64.37.174.141:20125, len 43
14:43:57 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62031->103.194.166.37:20151, len 43
14:43:57 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62032->69.174.216.21:20104, len 43
14:43:57 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62033->69.174.194.166:20156, len 43
14:43:57 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62034->69.174.194.168:20177, len 43


And the firewall rule >

14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53892->205.185.208.88:443, len 40
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53886->64.37.171.66:443, len 40
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53888->64.37.171.66:443, len 40
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53891->64.37.171.66:443, len 40
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53887->64.37.171.66:443, len 40
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53889->64.37.171.66:443, len 40
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53890->64.37.171.66:443, len 40

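To see which rule of the exported forward chain a packet lands in for a given connection-state, here is an added example (not from the thread or from RouterOS) that models that chain in Python as a first-match walk. The packets are constructed for the scenario in the thread, and the matching is a simplification of RouterOS: only the fields the defconf rules actually test are modelled.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    """Constructed packet attributes as the filter sees them after connection tracking."""
    in_list: str          # interface list it arrived on: "LAN" or "WAN"
    state: str            # connection-state: new, established, related, untracked, invalid
    nat_state: str = ""   # connection-nat-state: "dstnat", "srcnat" or "" (none)
    ipsec: bool = False   # matched an IPsec policy (not relevant to this thread)

# (comment, action, matcher) in the order of the forward chain in the export above.
FORWARD = [
    ("defconf: accept in ipsec policy", "accept", lambda p: p.ipsec),
    ("defconf: accept out ipsec policy", "accept", lambda p: p.ipsec),
    ("defconf: fasttrack", "fasttrack-connection",
     lambda p: p.state in ("established", "related")),
    ("defconf: accept established,related, untracked", "accept",
     lambda p: p.state in ("established", "related", "untracked")),
    ("defconf: drop invalid", "drop", lambda p: p.state == "invalid"),
    ("defconf: drop all from WAN not DSTNATed", "drop",
     lambda p: p.state == "new" and p.in_list == "WAN" and p.nat_state != "dstnat"),
]

def evaluate(chain, pkt: Packet) -> tuple[str, str]:
    """First-match walk. fasttrack-connection only tags the connection and lets the
    packet continue; every other action terminates. No match = chain default accept."""
    for comment, action, match in chain:
        if match(pkt) and action != "fasttrack-connection":
            return action, comment
    return "accept", "(chain default)"

# Four packets from the thread's scenario (constructed, not taken from the logs above).
OUTBOUND_NEW = Packet("LAN", "new")                     # first UDP packet out to port 20xxx
REPLY_TRACKED = Packet("WAN", "established", "srcnat")  # reply while the conntrack entry lives
REPLY_EXPIRED = Packet("WAN", "new")                    # same reply after the entry timed out
STRAY = Packet("WAN", "invalid")                        # packet conntrack cannot classify

if __name__ == "__main__":
    for name, p in [("outbound new", OUTBOUND_NEW), ("tracked reply", REPLY_TRACKED),
                    ("expired reply", REPLY_EXPIRED), ("stray", STRAY)]:
        print(f"{name:14} -> {evaluate(FORWARD, p)}")
```

The walk shows the two different drop rules a WAN-side UDP packet can hit once its conntrack entry is gone: "drop invalid" if tracking flags it, otherwise "drop all from WAN not DSTNATed", which is why a UDP flow survives only as long as its tracking entry is kept alive by traffic.
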
Can you try disabling fasttrack? That stops connection tracking and may be what is causing the packets not to be classed as established or related.

Steveocee suggested disabling fasttrack; sadly it did not work.

I resolved the issue.

Turns out a driver update on the Wi-Fi card on the PC side resolved the issue. Very strange that it was only happening with this service and everything else was fine.

Thanks for the help.