In my firewall, in my infrastructure, I have noticed blocking connections to many invalid. Most of them are (ACK, FIN), some of them are (ACK, FIN, PSH).
I am concerned.

Virus?

If anyone knows,

Thank

I'm having similar problems on one of my 3 mikrotiks. This is the MT that we use to run a wireless hotspot in the building connected to its own DSL line.

The rule that drops packets w/ connection state=invalid on the forward chain is going crazy dropping packets.

Most of them are ACK,FIN from internal clients to external web sites (i.e. TCPIP 80). Low level IP makes my brain hurt, but as I understand, this is the beginning of the four-way handshake / "teardown" of the TCP connection.

1. (B) --> ACK/FIN --> (A)
2. (B) <-- ACK <-- (A)
3. (B) <-- ACK/FIN <-- (A)
4. (B) --> ACK --> (A)

Since these are showing as invalid connections, I assume that means that they have fallen out of the NAT tracking table.


I looked at a few of the ones screaming by and I didn't see them in the NAT table. These are the timeouts I am using (which I believe are the same as on my other MTs)...


enabled: yes
tcp-syn-sent-timeout: 1m
tcp-syn-received-timeout: 1m
tcp-established-timeout: 4h
tcp-fin-wait-timeout: 30s
tcp-close-wait-timeout: 1m
tcp-last-ack-timeout: 30s
tcp-time-wait-timeout: 30s
tcp-close-timeout: 10s
udp-timeout: 30s
udp-stream-timeout: 3m
icmp-timeout: 10s
generic-timeout: 10m
tcp-syncookie: no
max-entries: 110592
total-entries: 62

Any thoughts?

which version of RouterOS?

which version of RouterOS?

v3.0 on a RB333.

BTW, I do not know if it is related or not but, I was experiencing some high CPU load issues. I just bounced it. By now, the users have left so I can't tell if the issue was resolved by a reboot or not...

Try with 3.11 and see if its still an issue. 3.0 is pretty buggy and outdated.