I have a Mikrotik Router (CCR1009) with two VLAN/Subnet. One is 50 / 172.16.50.0/24 and the other is 90 / 172.16.90.0/24.
The 50 is used for Servers and the 90 is used for Clients. I have a Server at 172.16.50.140 and a VPN GW (WireGuard) at 172.16.50.100. The VPN GW provides 192.168.99.0/24 to his clients.
One of the VPN clients provides an HTTP Server on Port 80. The clients on 90 can access it fine. But the Servers on 50 can access it, just with very high latency. Checking with Wireshark showed that there are TCP Retransmissions.
With some testing, I figured out that my drop invalid firewall rule on the Mikrotik Router is the culprit. As soon as I disable the drop invalid on the forwarding chain the issue is gone and the requests are working without delay. Any idea why?
My Firewall rules:
There is a route 192.168.99.0/24 via 172.16.50.100 on the Mikrotik. Also there is iptables on the VPN GW to handle NAT.
Code: Select all
4 ;;; accept established, related chain=input action=accept connection-state=established,related log=no log-prefix="" 5 ;;; drop invalid chain=input action=drop connection-state=invalid log=no log-prefix="" 6 ;;; accept allowed_to_router chain=input action=accept src-address-list=allowed_to_router log=no log-prefix="" 7 ;;; accept ICMP chain=input action=accept protocol=icmp log=no log-prefix="" 8 ;;; accept IGMP chain=input action=accept protocol=igmp log=no log-prefix="" 9 ;;; accept IGMP IPTV chain=input action=accept connection-state="" protocol=udp src-port=5000 dst-port=5000 log=no log-prefix="" 10 ;;; accept IGMP IPTV chain=input action=accept connection-state="" protocol=udp src-address=0.0.0.0/0 dst-address=184.108.40.206/8 log=no log-prefix="" 11 ;;; General drop chain=input action=drop log=no log-prefix="" 18 chain=forward action=accept connection-state="" protocol=udp src-port=5000 dst-port=5000 log=no log-prefix="" 19 ;;; accept established, related chain=forward action=accept connection-state=established,related log=no log-prefix="" 20 ;;; drop invalid chain=forward action=drop connection-state=invalid log=no log-prefix="" 21 ;;; drop all from WAN not DSTNATed chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""