Winbox data stream becomes 'invalid connection'??

Situation:
8 nodes, all RB with ROS 4.5, one network x.x.x.x/25

Node 1 = default gateway to internet > router
Eth2 + Eth3 bridged = LAN or local, IP firewall on bridge disabled.
Eth1 = WAN or public
Node 2 = routing mode with management network behind NAT firewall,
connected to Eth2 of Node 1
Node 3 + 4 = nodes in routing mode, other networks behind.
Node 5 + 6 = nodes in bridge mode; more nodes connected to
other interfaces in the same bridge
Node 7 + 8 = nodes in routing mode, connected to
Node 5 + 6 and thus part of the network.

Nodes 3-8 are all physically connected through a switch to Eth3 of Node 1.

This setup worked for more than a year.

Behind Node 2 there is a PC that is the main controller;
from here Winbox or telnet is used to reach all nodes in the network.

Two days ago I put “router protect” firewall filter rules in Node 1 (amongst others).
The issue of this topic is rule “0” in the filter:

0 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid protocol=tcp


Since today, suddenly the controller PC through Node 2 cannot reach Nodes 3, 5, 6 and 7 any more.
It can still reach Nodes 1 and 4 with a Winbox session. Telnet or web approach on all of them is still possible.

From another network on Node 4 I cannot reach Nodes 3, 5, 6 and 7 any more, but approach with
telnet or web is still possible.

Nodes 1 and 4 are still always reachable.
(The Winbox session from the PC behind Node 2 has the same route to each of the other nodes. But suddenly not all nodes are reachable any more!)

If I now disable firewall rule “0”, connectivity is restored!

Strange behaviours:

a. Problems only popped up in a network that has not been changed for many weeks and always ran fine.
b. Problems popped up roughly 36 hours after rule “0” had been introduced.
c. Problems only on part of the nodes. Other nodes in the same IP/network situation are still reachable.
d. Problems only for Winbox traffic. Telnet or web approach gives no problems. (Makes sense, the filter looks at TCP traffic only.)

Now, in regard to the network, some other strange behaviours:
e. The issue seems to be affected by a rule in the “forward” chain of Node 1! But the traffic doesn't travel through the router? The traffic only travels through two bridged Ethernet interfaces. No firewall or filter.
f. Even traffic from Node 4 to Node 3, 5, 6 or 7 is affected by the firewall rule of Node 1! But traffic between Node 4 and 3, for instance, should not even pass through Node 1!
g. Disabling rule “0” brings the situation back to normal again. If enabled, the “statistics” field in Winbox shows that traffic is dropped when a session is tried.


Conclusion: the firewall filter in the forward chain drops the Winbox data stream in the router where said traffic is only passing through a bridge, or where the traffic is not even 'touching' Node 1.
The IP firewall for that bridge is not enabled. (So the traffic should just pass anyway.)

Seems to me abnormal behaviour, and only since the last day... how weird!

Anybody have any ideas? Any input is welcome. I bypassed the effect by excluding traffic coming from that specific network. So the router is now protected from the WAN only.

We are talking all cabled connections here. No radio links.
I know that in a network all traffic is broadcast to all other nodes in the network. I still don't understand how a rule that actually is in a process not taking part in that network still has this effect on that network's traffic?

Rudy

Please make a picture of your network layout; it's hard to imagine it from text...

P.S. Does traffic go in both directions via the problem router? Or can it go via two paths?
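The reply's question (does the router see both directions of the flow?) is the key to how a `connection-state=invalid` rule behaves, and the thread does not settle the answer. The following is an added example, not MikroTik code and not the RouterOS connection-tracking state machine: a toy stateful filter that mimics the rule `chain=forward action=drop connection-state=invalid protocol=tcp` and runs it over two constructed Winbox sessions (controller 10.0.0.10 to Node 3 at 10.0.0.3, port 8291 being the usual Winbox port; addresses, timeouts and interface names are assumptions). In the symmetric case both directions pass the filter and nothing is dropped; in the asymmetric case the reply direction never reaches the filter, the half-open entry times out, and later mid-stream packets are classified invalid and dropped. The third run shows the workaround the poster describes, restricting the rule to traffic entering on the WAN interface (assumed here to be `ether1`), so the LAN flow is no longer affected.

```python
"""Toy stateful filter: how a 'drop invalid' forward rule treats a TCP flow
when it sees both directions versus only one.  Added example; simplified
model, not the RouterOS connection tracker."""
from dataclasses import dataclass

# Constructed values: a half-open entry (one direction seen) lives briefly,
# a confirmed entry (both directions seen) lives a long time.
SYN_SENT_TIMEOUT = 30
ESTABLISHED_TIMEOUT = 86400

CTRL, NODE3, WINBOX = "10.0.0.10", "10.0.0.3", 8291   # assumed addresses; 8291 = Winbox port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool
    in_iface: str   # interface the packet entered the router on
    t: float        # seconds since start of the capture


class ConnTracker:
    """Minimal tracker: an entry is created by a bare SYN, becomes 'established'
    once a packet in the reply direction is seen, and expires on inactivity.
    A non-SYN packet with no live entry is 'invalid'."""

    def __init__(self):
        self.flows = {}

    @staticmethod
    def _key(p):
        # direction-independent key so both halves of a flow share one entry
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)

    def classify(self, p):
        k = self._key(p)
        e = self.flows.get(k)
        if e is not None:
            ttl = ESTABLISHED_TIMEOUT if e["reply_seen"] else SYN_SENT_TIMEOUT
            if p.t - e["last"] > ttl:
                del self.flows[k]       # entry expired; forget the flow
                e = None
        if e is None:
            if p.syn and not p.ack:
                self.flows[k] = {"orig": (p.src, p.sport), "reply_seen": False, "last": p.t}
                return "new"
            return "invalid"            # mid-stream packet of an unknown flow
        e["last"] = p.t
        if (p.src, p.sport) != e["orig"]:
            e["reply_seen"] = True
        return "established" if e["reply_seen"] else "new"


def run_filter(packets, rule_in_iface=None):
    """Apply 'drop invalid' to each packet. rule_in_iface=None mimics rule 0 as
    posted (any interface); a name mimics the poster's narrowed, WAN-only rule."""
    tracker = ConnTracker()
    verdicts = []
    for p in packets:
        state = tracker.classify(p)
        matches = rule_in_iface is None or p.in_iface == rule_in_iface
        verdicts.append((state, "drop" if state == "invalid" and matches else "accept"))
    return verdicts


def dropped(verdicts):
    return sum(v == "drop" for _, v in verdicts)


# Constructed packets: controller -> Node 3 enters on ether2, replies on ether3.
def _c2s(t, syn=False, ack=True):
    return Packet(CTRL, NODE3, 50000, WINBOX, syn, ack, "ether2", t)


def _s2c(t, syn=False, ack=True):
    return Packet(NODE3, CTRL, WINBOX, 50000, syn, ack, "ether3", t)


def symmetric_session():
    """Handshake and data in both directions pass the filter: nothing dropped."""
    pkts = [_c2s(0, syn=True, ack=False), _s2c(0.1, syn=True), _c2s(0.2),
            _c2s(1), _s2c(1.1), _c2s(120), _s2c(120.1)]
    return run_filter(pkts)


def asymmetric_session():
    """Only the controller -> Node 3 direction passes the filter (assumed: replies
    take another path). After the half-open entry expires, later packets are invalid."""
    pkts = [_c2s(0, syn=True, ack=False), _c2s(0.2), _c2s(1), _c2s(120), _c2s(121)]
    return run_filter(pkts)


def asymmetric_session_wan_only():
    """Same one-sided flow, but the rule only applies to packets entering on ether1."""
    pkts = [_c2s(0, syn=True, ack=False), _c2s(0.2), _c2s(1), _c2s(120), _c2s(121)]
    return run_filter(pkts, rule_in_iface="ether1")


if __name__ == "__main__":
    for name, fn in [("symmetric", symmetric_session), ("asymmetric", asymmetric_session),
                     ("asymmetric, WAN-only rule", asymmetric_session_wan_only)]:
        print(f"{name}: dropped {dropped(fn())} of {len(fn())} packets")
```

The interesting line is the one where the expired half-open entry is deleted: from then on every packet of the still-live session arrives without a tracked connection and matches `connection-state=invalid`, which is consistent with the poster's observation that the Winbox statistics counter climbs on rule 0 while telnet (a different port, possibly a different path) is unaffected. Whether the real network has such an asymmetric path is exactly what the reply asks the poster to draw.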