blougaville
newbie
Topic Author
Posts: 34
Joined: Thu Aug 18, 2011 10:39 pm

Traffic to/from the same interface is hitting firewall filter forward chain?

Thu Nov 07, 2019 7:47 am

This is strange. I have a firewall filter rule (FORWARD chain) on a Mikrotik router that drops invalid packets. For some reason, it's dropping packets that are to/from the same interface, my LAN subnet. Lots of packets are hitting the rule and being dropped. Here's an example of what I see when I log the drop rule:

forward: in:bridge1 out:bridge1, src-mac 70:88:c2:da:51:61, proto TCP (ACK), 192.168.90.51:50138->192.168.90.11:49677, len 40

Why would that traffic even hit the forward chain if it's to/from the same interface/subnet?
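A way to triage the symptom in this question, as an added example (my Python, not code from the thread or from MikroTik): it parses RouterOS firewall log lines of the form shown above and reports forwarded packets that left the router on the interface they arrived on with both endpoints inside one LAN prefix. The first sample line is the one quoted in the post; the other four lines and the 192.168.90.0/24 prefix are constructed for the example. The src-mac of such an entry is the host whose ARP cache resolves its LAN neighbour to the router's MAC, which is where to look next (for example `arp -a` or `ip neigh` on that host).

```python
"""Triage RouterOS firewall log lines for 'hairpin' forwards: packets that
went in and out of the router on the same interface, between two hosts of
one LAN prefix. Those should have been delivered directly at L2."""
import ipaddress
import re
from collections import Counter

# Constructed sample. Line 1 is the log entry quoted in the post; the rest are
# made up for this example (203.0.113.5 is a documentation address).
SAMPLE_LOG = [
    "forward: in:bridge1 out:bridge1, src-mac 70:88:c2:da:51:61, proto TCP (ACK), 192.168.90.51:50138->192.168.90.11:49677, len 40",
    "forward: in:bridge1 out:ether1, src-mac 70:88:c2:da:51:61, proto TCP (SYN), 192.168.90.51:50200->203.0.113.5:443, len 60",
    "forward: in:bridge1 out:bridge1, src-mac 70:88:c2:da:51:61, proto UDP, 192.168.90.51:5353->192.168.90.11:5353, len 120",
    "forward: in:ether1 out:bridge1, src-mac 00:11:22:33:44:55, proto TCP (ACK), 203.0.113.5:443->192.168.90.51:50200, len 40",
    "input: in:bridge1 out:(unknown 0), src-mac 70:88:c2:da:51:61, proto ICMP (type 8, code 0), 192.168.90.51->192.168.90.1, len 84",
]

# Field layout of a RouterOS firewall log line: chain, in/out interface,
# source MAC, protocol with optional flags/type, endpoints, packet length.
LOG_RE = re.compile(
    r"^(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>[^,]+), "
    r"src-mac (?P<src_mac>[0-9A-Fa-f:]{17}), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))?->"
    r"(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?, len (?P<len>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line is
    not a firewall log entry in this format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["len"] = int(e["len"])
    for k in ("src_port", "dst_port"):
        e[k] = int(e[k]) if e[k] is not None else None
    return e


def is_hairpin(entry, lan):
    """True when the packet left on the interface it arrived on and both
    endpoints are inside the LAN prefix: the sender could have reached the
    destination directly, so something (proxy-arp, a bad netmask, a routing
    triangle) made it send via the router instead."""
    return (entry["in_if"] == entry["out_if"]
            and ipaddress.ip_address(entry["src_ip"]) in lan
            and ipaddress.ip_address(entry["dst_ip"]) in lan)


def hairpin_report(lines, lan_cidr):
    """Count hairpinned (src, dst) pairs and collect the sender MACs; each
    MAC is a host whose ARP cache maps a LAN neighbour to the router."""
    lan = ipaddress.ip_network(lan_cidr)
    pairs, macs = Counter(), set()
    for line in lines:
        e = parse_line(line)
        if e and is_hairpin(e, lan):
            pairs[(e["src_ip"], e["dst_ip"])] += 1
            macs.add(e["src_mac"])
    return pairs, macs


if __name__ == "__main__":
    pairs, macs = hairpin_report(SAMPLE_LOG, "192.168.90.0/24")
    for (src, dst), n in pairs.most_common():
        print(f"{src} -> {dst}: {n} hairpinned packet(s)")
    print("sender MACs to check:", ", ".join(sorted(macs)))
```

Feed it the output of `/log print where topics~"firewall"` (or the exported log file) instead of `SAMPLE_LOG`; traffic to another subnet that legitimately hairpins through the router (hairpin NAT) is excluded by the prefix check, so what remains is the same-subnet case the thread is about.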
 
mkx
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: Traffic to/from the same interface is hitting firewall filter forward chain?

Thu Nov 07, 2019 1:46 pm

For example if you have use-ip-firewall=yes set on the bridge?
BR,
Metod
 
blougaville
newbie
Topic Author
Posts: 34
Joined: Thu Aug 18, 2011 10:39 pm

Re: Traffic to/from the same interface is hitting firewall filter forward chain?

Thu Nov 07, 2019 5:20 pm

> For example if you have use-ip-firewall=yes set on the bridge?

Nope, that is turned off...
 
pe1chl
Forum Guru
Posts: 5913
Joined: Mon Jun 08, 2015 12:09 pm

Re: Traffic to/from the same interface is hitting firewall filter forward chain?  [SOLVED]

Thu Nov 07, 2019 5:47 pm

This will happen when you set ARP mode to proxy-arp in the network interface/bridge.
 
mkx
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: Traffic to/from the same interface is hitting firewall filter forward chain?

Thu Nov 07, 2019 5:49 pm

Another possibility is DST-NAT (the variant called hairpin NAT).

Or proxy ARP (not likely though).

Or a misconfigured client machine (perhaps a wrong subnet mask) sending packets via the gateway when it could deliver them directly ...

Or if there's a routing triangle ... in a network there are two routers, one serving as default gateway, the other only as gateway towards some specific network. Devices are unaware of the other router and send packets to the first router. The first router resends them to the second router (using the same interface for input and output ... but the packets traverse the L3 part of the router). On the way back, the other router delivers replies directly to the LAN devices, bypassing the first router and thus screwing up its connection state table.

And I'm sure there are other reasons for them, but it's hard to think of them without knowing the physical and logical network topology as well as the configuration of the relevant network elements ...
BR,
Metod
 
blougaville
newbie
Topic Author
Posts: 34
Joined: Thu Aug 18, 2011 10:39 pm

Re: Traffic to/from the same interface is hitting firewall filter forward chain?

Thu Nov 07, 2019 6:00 pm

> This will happen when you set ARP mode to proxy-arp in the network interface/bridge.

Very interesting... I DO have proxy-arp set on the bridge interface because we use OpenVPN and enabling proxy-arp on the bridge is the only way I know of to allow VPN users to pass traffic to resources on our local network. I guess now that I know this is what was causing it I can adjust my firewall rules appropriately... but is there a better practice instead of enabling proxy-arp for my OpenVPN users?
 
pe1chl
Forum Guru
Posts: 5913
Joined: Mon Jun 08, 2015 12:09 pm

Re: Traffic to/from the same interface is hitting firewall filter forward chain?

Thu Nov 07, 2019 7:48 pm

The best is to move your VPN users to a separate subnet so it can be cleanly routed instead of using proxy-arp. Of course it can cause some issues with systems having improper routes or relying on broadcasting.
Otherwise, you can set up a bridge filter that drops the ARP requests that are not for the router itself or the address(es) used for VPN.
Then it will not reply to those, and the real device can answer and the traffic will no longer be via the router.
/interface bridge filter
# Send every broadcast ARP request arriving on bridge1 to the arprequest chain;
# everything else on the bridge input chain is accepted unchanged.
add action=jump arp-opcode=request chain=input dst-mac-address=\
    FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF in-bridge=bridge1 jump-target=\
    arprequest mac-protocol=arp
add action=accept chain=input
add action=log chain=------- comment=-------------
# Let the router see (and, with proxy-arp, answer) only requests for its own
# address and for the VPN client range; drop the rest so the real LAN host answers.
add action=accept arp-dst-address=192.168.88.1/32 chain=arprequest comment="ARP for router" mac-protocol=arp
add action=accept arp-dst-address=192.168.88.128/28 chain=arprequest comment="ARP for VPN systems" mac-protocol=arp
add action=drop chain=arprequest
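The bridge filter above, modelled as an added example (my Python, not RouterOS code and not from the thread) so the first-match and jump semantics can be checked against constructed ARP frames before the rules go on a production bridge. Frames are plain dicts holding only the fields the rules match on; the redacted log rule is left out because its chain is not given in the post; whether the router then answers a request that gets through is not modelled, only the filter verdict.

```python
"""First-match model of the bridge filter from the post, to check what the
rules let through. Frames are dicts holding only the matched fields."""
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# (chain, matchers, action, jump target). Every matcher must hold for the
# rule to fire; "arp_dst" is matched as a prefix. The post's redacted log
# rule is omitted because its chain is not given.
RULES = [
    ("input", {"in_bridge": "bridge1", "mac_protocol": "arp",
               "arp_opcode": "request", "dst_mac": BROADCAST_MAC},
     "jump", "arprequest"),
    ("input", {}, "accept", None),
    ("arprequest", {"mac_protocol": "arp", "arp_dst": "192.168.88.1/32"},
     "accept", None),                                   # ARP for router
    ("arprequest", {"mac_protocol": "arp", "arp_dst": "192.168.88.128/28"},
     "accept", None),                                   # ARP for VPN systems
    ("arprequest", {}, "drop", None),
]


def _matches(frame, matchers):
    """All matcher fields must be present in the frame and equal (or, for
    arp_dst, inside the given prefix)."""
    for key, want in matchers.items():
        if key == "arp_dst":
            if ("arp_dst" not in frame or
                    ipaddress.ip_address(frame["arp_dst"])
                    not in ipaddress.ip_network(want)):
                return False
        elif frame.get(key) != want:
            return False
    return True


def evaluate(frame, chain="input", rules=RULES):
    """Walk the chain top to bottom; the first matching terminal rule wins.
    A jump whose target chain matches nothing returns to the rule after the
    jump, as in RouterOS. Returns "accept", "drop", or None if the chain
    ran out without a verdict."""
    for rule_chain, matchers, action, target in rules:
        if rule_chain != chain or not _matches(frame, matchers):
            continue
        if action == "jump":
            verdict = evaluate(frame, target, rules)
            if verdict is not None:
                return verdict
            continue
        return action
    return None


def arp_request(target_ip, dst_mac=BROADCAST_MAC, in_bridge="bridge1"):
    """Constructed ARP request for target_ip arriving on in_bridge."""
    return {"in_bridge": in_bridge, "mac_protocol": "arp",
            "arp_opcode": "request", "dst_mac": dst_mac, "arp_dst": target_ip}


if __name__ == "__main__":
    cases = {
        "router itself":            arp_request("192.168.88.1"),
        "VPN client .130":          arp_request("192.168.88.130"),
        "LAN host .11 (broadcast)": arp_request("192.168.88.11"),
        "LAN host .11 (unicast)":   arp_request("192.168.88.11",
                                                dst_mac="aa:bb:cc:dd:ee:ff"),
        "LAN host .11 via bridge2": arp_request("192.168.88.11",
                                                in_bridge="bridge2"),
        "plain IP frame":           {"in_bridge": "bridge1", "mac_protocol": "ip"},
    }
    for name, frame in cases.items():
        print(f"{name:26} -> {evaluate(frame)}")
```

Two things the model makes visible: the jump rule matches only broadcast requests arriving on bridge1, so a unicast ARP request (the kind a host sends to re-validate an entry it already has cached) passes straight through to the router, and a host that currently has the router's MAC cached for a LAN neighbour may keep that entry alive until it is flushed; and requests arriving on any other bridge are not filtered at all, so the rules need repeating per bridge where proxy-arp is enabled.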
 
blougaville
newbie
Topic Author
Posts: 34
Joined: Thu Aug 18, 2011 10:39 pm

Re: Traffic to/from the same interface is hitting firewall filter forward chain?

Thu Nov 07, 2019 9:53 pm

Thank you so much! I will weigh my options with both of your suggestions. I appreciate everyone who chimed in.
