 
dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Invalid Forwards

Tue Mar 30, 2021 10:25 pm

I have recently noticed that my firewall has been dropping many invalid forwards. They should be more than 50 per day. The source IP, for most of them, is my smart TV and the destination IPs mostly belong to Google in different locations around the world. Has anyone experienced such a thing....
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Invalid Forwards

Tue Mar 30, 2021 10:59 pm

Sounds like you should have a stern talking to with your TV ;-)
Is it searching for something in particular, as in do you have apps that people use on the TV???
Do you have the TV on its own VLAN segregated from your other stuff?
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Invalid Forwards  [SOLVED]

Tue Mar 30, 2021 11:27 pm

> I have recently noticed that my firewall has been dropping many invalid forwards.

There is a bug in the tracking code that often causes such things. When a TCP connection is finished using FIN/ACK_FIN the tracking entry is immediately deleted.
When the remote side sends another packet for this connection, e.g. an ACK_FIN or a RST, that is treated as invalid.
I usually add another drop rule before the drop invalid that matches on protocol TCP with flag FIN and another one with flag RST so I can track this issue using separate counters.
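
The separate FIN and RST counters described in the post above can also be reproduced offline from exported firewall log lines. This is an added example, not part of any post in this thread; the log layout, the `invalid-fwd` prefix and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Assumed RouterOS firewall log layout:
#   "<prefix> forward: in:... out:..., ..., proto TCP (FLAGS), src:port->dst:port, len N"
LINE_RE = re.compile(
    r"proto (?P<proto>\w+)(?: \((?P<flags>[A-Z,]+)\))?, "
    r"(?P<src>[\d.]+)(?::\d+)?->(?P<dst>[\d.]+)(?::\d+)?"
)

def classify(line):
    """Return (source_ip, bucket) for one dropped-invalid log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = set((m.group("flags") or "").split(","))
    if m.group("proto") == "TCP" and "RST" in flags:
        bucket = "rst"    # reset for a connection that is no longer tracked
    elif m.group("proto") == "TCP" and "FIN" in flags:
        bucket = "fin"    # late FIN / FIN-ACK after the entry was removed
    else:
        bucket = "other"  # not a teardown straggler; worth a closer look
    return m.group("src"), bucket

def summarize(lines):
    """Count dropped packets per (source_ip, bucket), like per-rule counters."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result is not None:
            counts[result] += 1
    return counts

# Constructed sample lines; "invalid-fwd" is a hypothetical log-prefix and the
# addresses are documentation ranges, not values from the thread.
_P = "invalid-fwd forward: in:bridge out:ether1, connection-state:invalid, "
SAMPLE_LOG = [
    _P + "proto TCP (ACK,FIN), 192.168.88.50:40112->203.0.113.10:443, len 52",
    _P + "proto TCP (RST), 192.168.88.50:40112->203.0.113.10:443, len 40",
    _P + "proto TCP (ACK,RST), 192.168.88.50:40250->198.51.100.7:443, len 40",
    _P + "proto TCP (ACK), 192.168.88.50:40300->198.51.100.7:443, len 52",
    _P + "proto UDP, 192.168.88.60:5353->203.0.113.10:5353, len 80",
]

if __name__ == "__main__":
    for (src, bucket), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} {bucket:5} {n}")
```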
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Invalid Forwards

Tue Mar 30, 2021 11:43 pm

Is this a recent bug and if so which firmwares does it affect??
 
dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Re: Invalid Forwards

Wed Mar 31, 2021 2:50 pm

> > I have recently noticed that my firewall has been dropping many invalid forwards.
>
> There is a bug in the tracking code that often causes such things. When a TCP connection is finished using FIN/ACK_FIN the tracking entry is immediately deleted.
> When the remote side sends another packet for this connection, e.g. an ACK_FIN or a RST, that is treated as invalid.
> I usually add another drop rule before the drop invalid that matches on protocol TCP with flag FIN and another one with flag RST so I can track this issue using separate counters.

I applied the drop rules as you have suggested. Since this morning the counters for these rules have grown to 350 packets for FIN and 244 for RST. The interesting part is that the TV has been in standby for more than a week. I guess that it is communicating even though in standby. You believe that there is nothing to worry about?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Invalid Forwards

Wed Mar 31, 2021 3:19 pm

No, I do not believe there is any cause for concern.
I would try the long version software though, as I do not experience this phenomenon.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Invalid Forwards

Wed Mar 31, 2021 5:00 pm

> You believe that there is nothing to worry about?

I worry about Koreans knowing my TV watching habits so my TV is banned from internet (also helps against automatic unattended firmware upgrades, some were not exactly user-friendly in the past), but can access DLNA server in LAN (keeps my daughters happy at times). And no, I don't want to know how many times the rule triggered, whatever it is, is too many.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Invalid Forwards

Wed Mar 31, 2021 5:15 pm

That is not a router issue, that is simply unplugging the ethernet cable from the TV or the wifi connection.
However, your reasoning does not take into account that most folks have a Netflix account via wifi on their TV.
So removing internet is not a possibility. That's why I suggest at least putting the TV on a separate VLAN.

I suppose one could also, via a firewall schedule, deny the TV access to the internet from 2300 to 1700.
No need for Netflix on the TV past 11pm and before 5pm the next day LOL.
 
dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Re: Invalid Forwards

Wed Mar 31, 2021 6:38 pm

> No, I do not believe there is any cause for concern.
> I would try the long version software though, as I do not experience this phenomenon.

What do you mean by long version....
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Invalid Forwards

Wed Mar 31, 2021 7:26 pm

He probably means "long term version".
However that is useless, this bug is in Linux and it has always been in RouterOS as well (I mean the TCP tracking bug).
