invalid traffic on a bridge

Posted: Sun Sep 01, 2019 4:45 pm
by DonMcCoy
Hi all,

I have the following network as seen on the attached diagram.
Mikrotik has a bridge called br-vlan428 tagged on eth4 (the VLAN trunk to the Alcatel switch) and untagged at eth5 to the Aruba switch:

Creating VLAN 428:
/interface vlan add name=vlan-428 vlan-id=428 interface=ether4 disabled=no

Creating Bridge:
/interface bridge add name=br-vlan428 disabled=no

Adding Ports to the Bridge:
/interface bridge port add interface="vlan-428" bridge="br-vlan428" disabled=no
/interface bridge port add interface="ether5" bridge="br-vlan10" disabled=no

Assigning IP to the Bridge:
/ip address set address= interface=br-vlan428 disabled=no

Route of
/ip route
add check-gateway=ping distance=1 dst-address= gateway=

Now my problem is, when I try to ping from the SIP server to the Operator PC the ICMP packet is delivered normally, but when I try the other way around, from the Operator PC to the SIP server, I trigger the invalid firewall rule:

add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid log=yes log-prefix="invalid: "
firewall,info invalid:  forward: in:br-vlan428 out:br-vlan428, src-mac 00:0c:29:56:b8:ef, proto ICMP (type 0, code 0),>, len 60
So it seems that traffic has reached the SIP Server but on the way back it triggered the rule.

Any idea why the traffic is being marked as invalid in this case, and how to get around that without disabling the invalid rule?
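An added illustration (not from the post or from RouterOS) of one mechanism that produces exactly this kind of log line: a stateful firewall only learns flows from packets that actually pass through it, so an ICMP echo reply (type 0) whose request it never saw has no matching conntrack entry and is classed invalid. The addresses below are constructed placeholders.

```python
# Minimal model of stateful connection tracking for ICMP echo traffic.
# Constructed illustration: the tracker only learns flows from packets
# that traverse the firewall, so an echo reply whose request it never
# saw has no matching entry and is classed "invalid".
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


class ConnTracker:
    """Tracks ICMP echo flows keyed by (src, dst, icmp_id)."""

    def __init__(self):
        self.flows = set()

    def classify(self, src, dst, icmp_type, icmp_id):
        """Return the connection-state a stateful firewall would assign."""
        if icmp_type == ICMP_ECHO_REQUEST:
            key = (src, dst, icmp_id)
            state = "established" if key in self.flows else "new"
            self.flows.add(key)
            return state
        if icmp_type == ICMP_ECHO_REPLY:
            # A reply is valid only if the reverse-direction request was tracked.
            if (dst, src, icmp_id) in self.flows:
                return "established"
            return "invalid"
        return "invalid"


def replay(packets):
    """Feed a packet list through a fresh tracker; return the state per packet."""
    tracker = ConnTracker()
    return [tracker.classify(*pkt) for pkt in packets]


# Constructed (hypothetical) addresses: PC = 10.0.0.10, SIP server = 10.0.0.20.
PC, SIP = "10.0.0.10", "10.0.0.20"

# Symmetric path: both the request and the reply traverse the firewall.
SYMMETRIC = [(PC, SIP, ICMP_ECHO_REQUEST, 1), (SIP, PC, ICMP_ECHO_REPLY, 1)]

# Asymmetric path: the request reached the server without passing the
# firewall, so the firewall sees only the reply (ICMP type 0, as in the
# post's log line) and drops it under the connection-state=invalid rule.
ASYMMETRIC = [(SIP, PC, ICMP_ECHO_REPLY, 1)]

if __name__ == "__main__":
    print("symmetric :", replay(SYMMETRIC))   # ['new', 'established']
    print("asymmetric:", replay(ASYMMETRIC))  # ['invalid']
```

Comparing the two replays is the diagnostic step: if the request and reply take different paths (one switched directly, one through the router bridge), the firewall sees the flow only in one direction.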