alexanderxc
just joined
Topic Author
Posts: 2
Joined: Sun Jan 24, 2021 1:13 am

Strange cross-VLAN firewall drop invalid (ACK,FIN or RST) IoT - RB1100

Thu Mar 18, 2021 12:58 am

Hi folks,

I've just followed this amazing guide to set up my new infrastructure based on an RB1100 AHX2. The setup is a home lab environment with main VLAN + NAS + IoT + segregated networks for k8s nodes, not too far from that of a "smart home" and with a firewall similar to what is advised in the guide. Single bridge, all VLANs inside the bridge. Some interfaces are trunks, some access ports.

Setup is now complete and things are working quite well. However, I have random connection "stalls" (the first connection to the NAS or similar takes slightly longer than usual) and some devices do not immediately get out to the internet. More specifically, I see countless connection drops flagged as "invalid" in forward or input, which are mainly RST or ACK,FIN and might actually be dropped packets of legitimate connections, hindering correct networking, such as:
invalid forward: in:mgmt-vlan out:ether12-wan, src-mac xx:xx:xx:xx:xx:xx, proto TCP (RST), 10.10.10.181:42938->142.250.180.74:443, len 40
invalid input: in:ether12-wan out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN,PSH), 17.248.145.145:443->192.168.1.10:63439, len 115

This is an extract of the rb configuration:
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=bridge name=edge-vlan vlan-id=8
add interface=bridge name=guest-vlan vlan-id=20
add interface=bridge name=iot-vlan vlan-id=7
add interface=bridge name=mgmt-vlan vlan-id=10
add interface=bridge name=nas-vlan vlan-id=9
/interface bonding
add mode=802.3ad name=bonding-nas slaves=ether2-nas-lag,ether3-nas-lag,ether4-nas-lag
/interface list
add name=wan
add name=pvt-vlans
add name=svc-vlans
add comment="all local vlans" include=pvt-vlans,svc-vlans name=all-vlans

/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether1-iot pvid=7
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6-iot pvid=7
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7-edge pvid=8
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8-edge pvid=8
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9-edge pvid=8
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10-edge pvid=8
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=bonding-nas pvid=9
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether13-lan pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether11-wlan pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5-mdns-trunk
/ip neighbor discovery-settings
set discover-interface-list=pvt-vlans
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5-mdns-trunk untagged=ether1-iot,ether6-iot vlan-ids=7
add bridge=bridge tagged=bridge untagged=ether7-edge,ether8-edge,ether9-edge,ether10-edge vlan-ids=8
add bridge=bridge tagged=bridge untagged=bonding-nas vlan-ids=9
add bridge=bridge tagged=bridge,ether5-mdns-trunk untagged=ether13-lan,ether11-wlan vlan-ids=10
/interface list member
add interface=ether12-wan list=wan
add interface=iot-vlan list=svc-vlans
add interface=edge-vlan list=svc-vlans
add interface=nas-vlan list=svc-vlans
add interface=mgmt-vlan list=pvt-vlans
add interface=guest-vlan list=all-vlans

/ip firewall filter
add action=accept chain=input comment="accept established, related" \
    connection-state=established,related
add action=accept chain=input comment="allow mgmt-vlan full access" \
    in-interface=mgmt-vlan
add action=accept chain=input comment="allow all VLANs" in-interface-list=\
    all-vlans
add action=drop chain=input comment="drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=accept chain=input comment="accept icmp" protocol=icmp
add action=drop chain=input comment="drop all coming from WAN" \
    in-interface-list=wan log=yes log-prefix=from_WAN
add action=drop chain=input comment="drop everything else"
add action=fasttrack-connection chain=forward comment="fasttrack connections" \
    connection-state=established,related
add action=accept chain=forward comment="accept established, related" \
    connection-state=established,related
add action=accept chain=forward comment="allow mgmt-vlan full access" \
    connection-state=new in-interface=mgmt-vlan
add action=accept chain=forward comment=\
    "allow private VLANs access to service VLANs" connection-state=new \
    in-interface-list=pvt-vlans out-interface-list=svc-vlans
add action=accept chain=forward comment="allow all VLANs internet access" \
    connection-state=new in-interface-list=all-vlans out-interface-list=wan
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=accept chain=forward comment="accept icmp" protocol=icmp
add action=drop chain=forward comment=\
    "drop all from WAN not destination NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=wan log=yes log-prefix=!NAT
add action=drop chain=forward comment="drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade srcNAT for wan" \
    out-interface-list=wan

What is the reason for so many blocked packets? How could I solve the issue?

Any help would be appreciated. Thanks in advance!
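A small triage script, added here and not part of the original post, that parses log lines in the exact "invalid" log-prefix format shown above and tallies the drops by chain, by whether the packet arrived on the WAN interface, and by TCP flag class. Late RST or FIN segments of connections that connection tracking has already expired are a common and mostly harmless source of such drops, so separating them from SYN or data packets being called invalid shows quickly which ones are worth chasing. The first two sample lines are copied from the post; the rest are constructed, and the WAN interface name is taken from the posted configuration.

```python
import re
from collections import Counter

# Constructed sample in the post's "invalid" log-prefix format: the first two lines
# are copied from the post, the remaining ones are made up to exercise the parser.
SAMPLE_LOG = """\
invalid forward: in:mgmt-vlan out:ether12-wan, src-mac xx:xx:xx:xx:xx:xx, proto TCP (RST), 10.10.10.181:42938->142.250.180.74:443, len 40
invalid input: in:ether12-wan out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN,PSH), 17.248.145.145:443->192.168.1.10:63439, len 115
invalid forward: in:ether12-wan out:iot-vlan, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), 142.250.180.74:443->10.10.7.20:50001, len 40
invalid forward: in:ether12-wan out:nas-vlan, proto TCP (SYN), 203.0.113.5:44444->10.10.9.2:22, len 60
invalid forward: in:iot-vlan out:ether12-wan, proto UDP, 10.10.7.20:5353->224.0.0.251:5353, len 80
"""

LINE_RE = re.compile(
    r"invalid (?P<chain>\w+): in:(?P<inif>\S+) out:(?P<outif>[^,]+),.*?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)"
)
WAN_IFACES = {"ether12-wan"}  # the post's wan interface list

def parse_line(line):
    """Fields of one invalid-drop log line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = set(rec["flags"].split(",")) if rec["flags"] else set()
    return rec

def classify(rec):
    """Rough label for why connection tracking called this packet invalid."""
    flags = rec["flags"]
    if rec["proto"] != "TCP":
        return "non-tcp"
    if "RST" in flags or "FIN" in flags:
        return "late-teardown"   # tail of a connection tracking has already forgotten
    if "SYN" in flags and "ACK" not in flags:
        return "syn-invalid"     # a SYN refused by tracking deserves a closer look
    return "untracked-ack"       # ACK/PSH with no matching tracked connection

def summarize(log_text):
    """Count drops by (chain, origin, class); origin tells WAN-sourced from LAN-sourced."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            origin = "from-wan" if rec["inif"] in WAN_IFACES else "from-lan"
            counts[(rec["chain"], origin, classify(rec))] += 1
    return counts
```

Feed summarize() the firewall lines exported from the router's log (for example the output of /log print) instead of SAMPLE_LOG; if nearly everything lands in the late-teardown bucket, the drops are tails of already closed connections rather than lost traffic.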
