tobcon
just joined
Topic Author
Posts: 10
Joined: Sun Mar 06, 2022 6:57 pm

TCP to my VPN GW is filtered as invalid packet

Mon Jun 05, 2023 12:52 am

Hello

I have a MikroTik router (CCR1009) with two VLANs/subnets. One is VLAN 50 / 172.16.50.0/24 and the other is VLAN 90 / 172.16.90.0/24.

VLAN 50 is used for servers and VLAN 90 for clients. I have a server at 172.16.50.140 and a VPN GW (WireGuard) at 172.16.50.100. The VPN GW provides 192.168.99.0/24 to its clients.

One of the VPN clients provides an HTTP server on port 80. The clients on 90 can access it fine, but the servers on 50 can access it only with very high latency. Checking with Wireshark showed that there are TCP retransmissions.

With some testing, I figured out that my "drop invalid" firewall rule on the MikroTik router is the culprit. As soon as I disable "drop invalid" on the forward chain, the issue is gone and the requests work without delay. Any idea why?

My Firewall rules:
 4    ;;; accept established, related
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 5    ;;; drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 6    ;;; accept allowed_to_router
      chain=input action=accept src-address-list=allowed_to_router log=no log-prefix="" 

 7    ;;; accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 8    ;;; accept IGMP
      chain=input action=accept protocol=igmp log=no log-prefix="" 

 9    ;;; accept IGMP IPTV
      chain=input action=accept connection-state="" protocol=udp src-port=5000 dst-port=5000 log=no log-prefix="" 

10    ;;; accept IGMP IPTV
      chain=input action=accept connection-state="" protocol=udp src-address=0.0.0.0/0 dst-address=239.0.0.0/8 log=no log-prefix=""

11    ;;; General drop
      chain=input action=drop log=no log-prefix="" 

18    chain=forward action=accept connection-state="" protocol=udp src-port=5000 dst-port=5000 log=no log-prefix="" 

19    ;;; accept established, related
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

20    ;;; drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

21    ;;; drop all from WAN not DSTNATed
      chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 
There is a route 192.168.99.0/24 via 172.16.50.100 on the MikroTik. Also, there is iptables on the VPN GW to handle NAT.
Attachment: Screenshot from 2023-06-04 23-53-27.png
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: TCP to my VPN GW is filtered as invalid packet

Mon Jun 05, 2023 1:10 am

Your explanation is not understandable.
a. please provide a network diagram
b. provide full config of router (minus router serial number and any public WAN IP information, keys etc.).

I'm assuming the WireGuard is just for remote access to config the router for the admin and to reach LAN devices for some users?
If not, provide more detail.
 
tobcon
just joined
Topic Author
Posts: 10
Joined: Sun Mar 06, 2022 6:57 pm

Re: TCP to my VPN GW is filtered as invalid packet

Mon Jun 05, 2023 1:34 am

Sure, the config is attached to the post.

The VPN GW serves multiple purposes. The purpose which causes issues here is providing access to a remote web server. In the diagram, the green path shows the way which works without TCP retransmits, and the red path shows the way with the delay and TCP retransmits.
Attachment: vpn_retransmit_issue.png
Last edited by tobcon on Mon Jun 05, 2023 6:17 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: TCP to my VPN GW is filtered as invalid packet

Mon Jun 05, 2023 2:37 am

Sorry, I cannot make heads or tails of your config; everything is WAN, including the bridge.
Not even sure why you have VRRP? The diagram didn't help.
You have no WireGuard setup at all?
 
tobcon
just joined
Topic Author
Posts: 10
Joined: Sun Mar 06, 2022 6:57 pm

Re: TCP to my VPN GW is filtered as invalid packet  [SOLVED]

Mon Jun 05, 2023 6:24 pm

OK, I have found the issue.

The TCP SYN from the server is sent to the router, and the router forwards it to the VPN GW in the same subnet, which then routes the packet to the VPN client.
But as they are in the same subnet, the TCP SYN/ACK is sent directly from the VPN GW to the server.

Because of that, the router can't track the connection and drops it as invalid.
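
Added example, not code from the thread, from MikroTik or from the poster: a reduced model of a stateful firewall's TCP connection tracker, run over the handshake described in the post above. It mirrors the handshake rows of the Linux nf_conntrack TCP state table (RouterOS connection tracking is Linux conntrack), simplified to the states that matter here. Addresses of the server and the VPN GW are the ones from the thread; the VPN client's address and both packet sequences are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Server address from the thread; the VPN client's address is an assumption.
# The WireGuard gateway (172.16.50.100 in the thread) only forwards packets and
# never appears as a TCP endpoint, so it needs no constant here.
SERVER = "172.16.50.140"      # server on VLAN 50
VPN_CLIENT = "192.168.99.10"  # assumed: the remote HTTP server behind the VPN GW

NEW, ESTABLISHED, INVALID = "new", "established", "invalid"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str            # "SYN", "SYN/ACK" or "ACK"
    seen_by_router: bool  # False when the packet is delivered without transiting the router


class TcpTracker:
    """Reduced stateful TCP tracker: NONE -> SYN_SENT -> SYN_RECV -> ESTABLISHED.

    A plain ACK from the connection's originator while the tracker is still waiting
    for the SYN/ACK is classified INVALID, which a 'drop invalid' rule then drops.
    """

    def __init__(self) -> None:
        # flow key (endpoint pair, order-independent) -> (originator, state)
        self.flows: Dict[Tuple[str, str], Tuple[str, str]] = {}

    @staticmethod
    def _key(pkt: Packet) -> Tuple[str, str]:
        return (min(pkt.src, pkt.dst), max(pkt.src, pkt.dst))

    def classify(self, pkt: Packet) -> str:
        key = self._key(pkt)
        originator, state = self.flows.get(key, (pkt.src, "NONE"))
        from_originator = pkt.src == originator

        if state == "NONE":
            if pkt.flags == "SYN":
                self.flows[key] = (pkt.src, "SYN_SENT")
                return NEW
            return INVALID                 # mid-stream packet for a flow never seen
        if state == "SYN_SENT":
            if not from_originator and pkt.flags == "SYN/ACK":
                self.flows[key] = (originator, "SYN_RECV")
                return ESTABLISHED         # reply to a tracked SYN
            if from_originator and pkt.flags == "SYN":
                return NEW                 # SYN retransmission, state unchanged
            return INVALID                 # originator's ACK before any SYN/ACK was seen
        if state == "SYN_RECV":
            if from_originator and pkt.flags == "ACK":
                self.flows[key] = (originator, "ESTABLISHED")
            return ESTABLISHED
        return ESTABLISHED                 # ESTABLISHED: ACKs/data in either direction


def router_verdicts(packets: List[Packet]) -> List[str]:
    """Feed only the packets that actually transit the router through its tracker."""
    tracker = TcpTracker()
    return [tracker.classify(p) for p in packets if p.seen_by_router]


def handshake(synack_bypasses_router: bool) -> List[Packet]:
    """Constructed exchange between the server and the VPN client.

    The server's SYN always goes via the router (its route to 192.168.99.0/24 points
    there). The SYN/ACK either returns through the router (symmetric) or, as in the
    thread, goes straight from the VPN GW to the server because both sit in
    172.16.50.0/24 (asymmetric), so the router never sees it.
    """
    return [
        Packet(SERVER, VPN_CLIENT, "SYN", True),
        Packet(VPN_CLIENT, SERVER, "SYN/ACK", not synack_bypasses_router),
        Packet(SERVER, VPN_CLIENT, "ACK", True),  # third step of the handshake
        Packet(SERVER, VPN_CLIENT, "ACK", True),  # segment carrying the HTTP request
    ]


if __name__ == "__main__":
    print("symmetric path :", router_verdicts(handshake(synack_bypasses_router=False)))
    print("asymmetric path:", router_verdicts(handshake(synack_bypasses_router=True)))
```

On the symmetric path every packet after the SYN is classified established; on the asymmetric path the router sees the SYN, never the SYN/ACK, and then classifies the server's ACK and its HTTP request as invalid, which is what rule 20 in the posted config drops until retransmissions eventually get through. The practitioner's fix (a suggestion, not something the thread states) is to make the path symmetric rather than to disable "drop invalid" on the whole forward chain: for example, give the server its own route for 192.168.99.0/24 via 172.16.50.100 so neither direction transits the router, or have the VPN GW source-NAT traffic from the 50 subnet so replies follow the same path as requests.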
 
mcwnuq
just joined
Posts: 3
Joined: Sun Jan 22, 2023 1:46 am

Re: TCP to my VPN GW is filtered as invalid packet

Tue Nov 21, 2023 2:05 pm

Hi @tobcon,
I have a similar problem with VPN and Docker subnets. I have a VPN client and Docker on my home lab. I have added routes and masquerade on MT and have problems with TCP Retransmission and TCP Dup ACK (similar to you). What did you do to fix this?
