TheSirStumfy
Frequent Visitor
Topic Author
Posts: 90
Joined: Sun Oct 14, 2018 7:54 pm

Router dropping traffic as "drop invalid"

Mon Oct 15, 2018 1:31 pm

I really need some help please.

Yesterday I was using a service that uses UDP ports in the 20000 range.

Everything worked fine, then after 10 min of usage the connection was dropped. After that it was impossible to reconnect.
When I check the router, the traffic seems to go into the "drop invalid" firewall rule.

The strange thing is that even if I try to brute force the connection through (as in disabling the whole firewall, or setting all the rules to allow) I cannot connect to the service again. I also tried to reset the whole router to default settings, with no luck.
I have no idea why a service would work and then (with no changes to the settings) drop and refuse the connection again.

If I connect to the internet past the router (directly to the modem) the service works fine again.

PLEASE, I'd really like some help.
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Router dropping traffic as "drop invalid"

Mon Oct 15, 2018 1:42 pm

Can you do a full export of your firewall?
Are you explicitly accepting already established and related connections?
 
TheSirStumfy
Frequent Visitor
Topic Author
Posts: 90
Joined: Sun Oct 14, 2018 7:54 pm

Re: Router dropping traffic as "drop invalid"

Mon Oct 15, 2018 1:50 pm

I will post the firewall in 1h, when I get back to the router, but I can tell you now it's the QuickSet default rule set found in defconf.

Also, nothing except the router's QuickSet was changed.

(noob - that's why I need help :D )

What really confuses me is that it was working fine, then just out of nowhere it was gone.
 
TheSirStumfy
Frequent Visitor
Topic Author
Posts: 90
Joined: Sun Oct 14, 2018 7:54 pm

Re: Router dropping traffic as "drop invalid"

Mon Oct 15, 2018 3:54 pm

Here is the FW setup:


/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN


Here is some dropped traffic:

14:43:47 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62026->69.174.194.168:20177, len 43
14:43:47 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62027->69.174.216.25:20137, len 43
14:43:53 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62029->69.174.220.21:20127, len 43
14:43:56 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62030->64.37.174.141:20125, len 43
14:43:57 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62031->103.194.166.37:20151, len 43
14:43:57 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62032->69.174.216.21:20104, len 43
14:43:57 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62033->69.174.194.166:20156, len 43
14:43:57 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xxx, proto UDP, 192.168.88.251:62034->69.174.194.168:20177, len 43


And the firewall rule:

14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53892->205.185.208.88:443, len 40
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53886->64.37.171.66:443, len 40
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53888->64.37.171.66:443, len 40
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53891->64.37.171.66:443, len 40
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53887->64.37.171.66:443, len 40
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53889->64.37.171.66:443, len 40
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:x, proto TCP (ACK,FIN), 192.168.88.251:53890->64.37.171.66:443, len 40
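As an added example (not code from the thread or from MikroTik), a small Python parser for the RouterOS firewall log format quoted above: it groups logged packets by log prefix, protocol and destination port, and counts TCP segments that carry FIN or RST without SYN, the kind of late packet connection tracking classes as invalid once it has already closed the entry. The sample lines, MAC addresses and remote addresses are constructed in the post's format.

```python
import re
from collections import Counter

# Matches the RouterOS firewall log format quoted in the post (see SAMPLE below).
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,(?P<level>\w+) (?P<prefix>[^:]+): "
    r"in:(?P<in_if>.*?) out:(?P<out_if>\S+), src-mac (?P<mac>\S+), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+), len (?P<length>\d+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = tuple(rec["flags"].split(",")) if rec["flags"] else ()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec

def is_post_close_tcp(rec):
    """TCP segment with FIN or RST but no SYN: typical of a packet arriving after
    connection tracking has already closed the entry, so it is classed invalid."""
    flags = rec["flags"]
    return rec["proto"] == "TCP" and ("FIN" in flags or "RST" in flags) and "SYN" not in flags

def summarize(lines):
    """Count lines per (log prefix, protocol, destination port) and the stale-TCP ones."""
    counts, stale = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["prefix"], rec["proto"], rec["dport"])] += 1
        stale += int(is_post_close_tcp(rec))
    return {"by_rule": dict(counts), "post_close_tcp": stale}

# Constructed sample lines in the post's format (MACs and remote addresses made up).
SAMPLE = """\
14:43:47 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xx:xx:xx:xx, proto UDP, 192.168.88.251:62026->198.51.100.10:20177, len 43
14:43:53 firewall,info srcnat: in:(unknown 0) out:ether1, src-mac c0:25:xx:xx:xx:xx, proto UDP, 192.168.88.251:62029->198.51.100.11:20127, len 43
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.88.251:53892->203.0.113.5:443, len 40
14:43:02 firewall,info forward: in:bridge out:ether1, src-mac c0:25:xx:xx:xx:xx, proto TCP (ACK,FIN), 192.168.88.251:53886->203.0.113.6:443, len 40
"""

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

Feed it the output of `/log print` filtered on `firewall` to see at a glance which log prefix (and so which rule) is matching, and whether the hits are fresh UDP flows or leftover TCP teardown packets.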
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Router dropping traffic as "drop invalid"

Mon Oct 15, 2018 4:26 pm

Can you try disabling fasttrack? That stops connection tracking and may be what is causing the packets not to be classed as established or related.
 
TheSirStumfy
Frequent Visitor
Topic Author
Posts: 90
Joined: Sun Oct 14, 2018 7:54 pm

Re: Router dropping traffic as "drop invalid"

Mon Oct 15, 2018 4:27 pm

Steveocee suggested disabling fasttrack, it sadly did not work.
 
TheSirStumfy
Frequent Visitor
Topic Author
Posts: 90
Joined: Sun Oct 14, 2018 7:54 pm

Re: Router dropping traffic as "drop invalid"

Mon Oct 15, 2018 10:18 pm

I resolved the issue.

Turns out a driver update for the Wi-Fi card on the PC side resolved the issue. Very strange that it was only happening with this service and everything else was fine.

Thanks for the help.
