boingolover
just joined
Topic Author
Posts: 5
Joined: Sat Feb 11, 2023 6:41 pm

Occasional FIN or RST packet showing up on WAN from my private subnets

Tue Aug 20, 2024 6:31 am

I have read through this thread, which had some similar questions, but I didn't notice any solutions to the bogons leaving the WAN interface.

viewtopic.php?f=2&t=184513&p=922457#p922457

From my AT&T fiber gateway, I'm seeing occasional messages in its firewall logs where it's dropping leaked rfc1918 traffic from my subnets. As an example:
local0.warning: Aug 19 22:25:36 192.168.1.254  2024-08-19T22:25:36.786513-05:00 L4 FIREWALL[10003]: nflog_log_fw(), action=DROP reason=IP-SRC hook=FORWARD mark= IN=br1 OUT=br2 MAC=00:00:00:00:00:00:1818:fd:74:f8:94:5c:SRC=192.168.7.117 DST=52.14.160.4 LEN=129 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=55714 DPT=443 SEQ=1949419 ACK=3729627022 WINDOW=2048 RES=0x00 ACK PSH FIN URGP=0 OPT (TSTAMP=0x80f61f733e6f9fa4 ) 
local0.warning: Aug 19 22:25:50 192.168.1.254  2024-08-19T22:25:50.787733-05:00 L4 FIREWALL[10003]: nflog_log_fw(), action=DROP reason=IP-SRC hook=FORWARD mark= IN=br1 OUT=br2 MAC=00:00:00:00:00:00:1818:fd:74:f8:94:5c:SRC=192.168.5.115 DST=17.248.200.65 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=58644 DPT=443 SEQ=153643062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
It seems that the final FIN or RST after a connection tears down is not being NATed, since the connection is no longer being tracked, but then it leaks out my WAN interface. Not a huge deal, but I'd like to block it anyway. What are my options here?
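The gateway's firewall log is the only place these escapes show up, so a small detector over those lines is worth having. The following is an added example, not part of the original post: it parses the nflog-style key=value format of the AT&T lines quoted above (including the MAC field that the gateway runs together with SRC), flags packets whose source is RFC 1918 but whose destination is globally routable (i.e. they left un-NATed), and separates pure FIN/RST teardown stragglers from anything else, since a SYN from a private source would point to a real NAT or routing gap rather than an expired conntrack entry. The last two sample lines are constructed controls, not from the page.

```python
"""Flag RFC 1918-sourced packets in nflog-style gateway firewall logs.

Added example, not from the original post. Field names (action, hook, IN, OUT,
SRC, DST, PROTO, SPT, DPT) are those of the AT&T gateway lines quoted in the thread.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# key=value pairs. A value runs until whitespace OR until another key= starts, so the
# MAC field that the gateway glues onto ":SRC=" does not swallow the SRC field.
_FIELD = re.compile(r"(?<![A-Za-z])([A-Za-z]+)=((?:(?!\s|[A-Za-z]+=).)*)")


@dataclass(frozen=True)
class FwEvent:
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    flags: FrozenSet[str]
    action: str
    hook: str
    in_if: str
    out_if: str

    @property
    def private_src(self) -> bool:
        return any(ipaddress.ip_address(self.src) in net for net in RFC1918)

    @property
    def is_leak(self) -> bool:
        """Private source bound for a globally routable destination: it left un-NATed."""
        return self.private_src and ipaddress.ip_address(self.dst).is_global

    @property
    def is_teardown(self) -> bool:
        """FIN or RST without SYN: the tail of a connection, the case the thread describes."""
        return bool(self.flags & {"FIN", "RST"}) and "SYN" not in self.flags


def parse_line(line: str) -> Optional[FwEvent]:
    """Parse one log line; returns None for lines that carry no SRC/DST pair."""
    fields = {m.group(1): m.group(2) for m in _FIELD.finditer(line)}
    if "SRC" not in fields or "DST" not in fields:
        return None
    # TCP flags are bare tokens (ACK PSH FIN); "ACK=123" is the ack number, not a flag
    flags = frozenset(tok for tok in line.split() if tok in TCP_FLAGS)

    def port(key: str) -> Optional[int]:
        return int(fields[key]) if fields.get(key, "").isdigit() else None

    return FwEvent(
        src=fields["SRC"], dst=fields["DST"], proto=fields.get("PROTO", "?"),
        sport=port("SPT"), dport=port("DPT"), flags=flags,
        action=fields.get("action", "?"), hook=fields.get("hook", "?"),
        in_if=fields.get("IN", "?"), out_if=fields.get("OUT", "?"),
    )


def find_leaks(lines: Iterable[str]) -> List[FwEvent]:
    events = (parse_line(line) for line in lines)
    return [e for e in events if e is not None and e.is_leak]


def summarize(leaks: List[FwEvent]) -> dict:
    """Teardown-only leaks are the conntrack-expiry artifact; anything else needs a look."""
    teardown = sum(1 for e in leaks if e.is_teardown)
    return {
        "leaks": len(leaks),
        "teardown": teardown,
        "other": len(leaks) - teardown,
        "per_src": dict(Counter(e.src for e in leaks)),
    }


# The first two lines are the ones quoted in the post; the last two are constructed controls.
SAMPLE_LOG = [
    "local0.warning: Aug 19 22:25:36 192.168.1.254  2024-08-19T22:25:36.786513-05:00 L4 FIREWALL[10003]: nflog_log_fw(), action=DROP reason=IP-SRC hook=FORWARD mark= IN=br1 OUT=br2 MAC=00:00:00:00:00:00:1818:fd:74:f8:94:5c:SRC=192.168.7.117 DST=52.14.160.4 LEN=129 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=55714 DPT=443 SEQ=1949419 ACK=3729627022 WINDOW=2048 RES=0x00 ACK PSH FIN URGP=0 OPT (TSTAMP=0x80f61f733e6f9fa4 )",
    "local0.warning: Aug 19 22:25:50 192.168.1.254  2024-08-19T22:25:50.787733-05:00 L4 FIREWALL[10003]: nflog_log_fw(), action=DROP reason=IP-SRC hook=FORWARD mark= IN=br1 OUT=br2 MAC=00:00:00:00:00:00:1818:fd:74:f8:94:5c:SRC=192.168.5.115 DST=17.248.200.65 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=58644 DPT=443 SEQ=153643062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0",
    # constructed: a SYN from a private source is not a teardown straggler and deserves investigation
    "local0.warning: Aug 19 22:26:01 192.168.1.254  2024-08-19T22:26:01.000000-05:00 L4 FIREWALL[10003]: nflog_log_fw(), action=DROP reason=IP-SRC hook=FORWARD mark= IN=br1 OUT=br2 MAC=00:00:00:00:00:00:1818:fd:74:f8:94:5c:SRC=10.0.0.5 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=40000 DPT=53 SEQ=1 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0",
    # constructed: public (documentation-range) source, nothing to report
    "local0.warning: Aug 19 22:26:02 192.168.1.254  2024-08-19T22:26:02.000000-05:00 L4 FIREWALL[10003]: nflog_log_fw(), action=DROP reason=POLICY hook=FORWARD mark= IN=br2 OUT=br1 MAC=00:00:00:00:00:00:1818:fd:74:f8:94:5c:SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40001 DPT=443 SEQ=2 ACK=3 WINDOW=0 RES=0x00 ACK URGP=0",
]


if __name__ == "__main__":
    found = find_leaks(SAMPLE_LOG)
    for e in found:
        kind = "teardown" if e.is_teardown else "NOT teardown, investigate"
        print(f"{e.src}:{e.sport} -> {e.dst}:{e.dport} {e.proto} {sorted(e.flags)} "
              f"{e.in_if}->{e.out_if} action={e.action} [{kind}]")
    print(summarize(found))
```

Run it against the gateway's syslog export (one line per record) instead of SAMPLE_LOG; if `other` is ever non-zero, the escapes are not just expired-conntrack stragglers and the NAT or routing setup needs a closer look.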
 
Amm0
Forum Guru
Posts: 4406
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Occasional FIN or RST packet showing up on WAN from my private subnets

Tue Aug 20, 2024 8:22 am

Hard to know what the cause of the escape is. One thing you can try is to drop invalid connections on OUTPUT.
/ip/firewall/filter/add chain=output connection-state=invalid action=drop log=yes out-interface-list=WAN 
While the default firewall drops invalid on input, if something goes awry during the TCP connection, invalid packets can still escape. Not sure the above will catch it, but if it does, that would be a clue.
 
pe1chl
Forum Guru
Posts: 10541
Joined: Mon Jun 08, 2015 12:09 pm

Re: Occasional FIN or RST packet showing up on WAN from my private subnets

Tue Aug 20, 2024 9:04 am

Well, it is a decades long standing bug in the Linux kernel.
Probably the maintainers argue it is not a bug but a fact of life, or they want to optimize for performance rather than for such things.
Fact of the matter is that tracking entries for closed connections are deleted too soon.
After a FIN has been received and a reply FIN has been sent (or an RST when you live in Redmond), the tracking entry still has to remain for a "2MSL" time to conform to the TCP RFC. This is the time you see connections spend in TIME_WAIT state in netstat.
Linux does not do that.
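Where a drop rule sits in the RouterOS packet flow decides whether it can see these packets at all, so here is an added example (not a rule from the thread) that complements the output-chain rule above. Filter rules on the forward chain run before srcnat, so a forward rule cannot key on "private source leaving WAN": at that point every LAN packet still carries its private source, and such a rule would drop legitimate traffic. What it can key on is connection-state=invalid, which is how Linux conntrack (RouterOS uses it) classifies a FIN or RST for which it holds no entry any more, exactly the straggler described above. The RouterOS default firewall ships this forward-chain rule as "defconf: drop invalid"; the variant below only adds a log prefix so the escapes show up in the router's own log rather than only on the gateway. The output-chain rule covers router-originated traffic only, since forwarded LAN packets never traverse that chain. The interface-list name WAN is assumed.

```routeros
/ip firewall filter
# forwarded LAN traffic: an untracked FIN/RST has no conntrack entry and is "invalid";
# dropping it here happens before srcnat, so it never reaches the WAN un-NATed.
# Keep this rule ahead of any broad accept rule for LAN traffic.
add chain=forward connection-state=invalid action=drop log=yes log-prefix="fwd-invalid"
# router-originated traffic only; the output chain never sees forwarded packets
add chain=output out-interface-list=WAN connection-state=invalid action=drop log=yes log-prefix="out-invalid"
# check: every hit should correspond to a FIN or RST the gateway would otherwise have logged
/log print where message~"fwd-invalid"
```

If the router's log fills with fwd-invalid hits while the gateway log stays quiet, the forward-chain rule is catching the stragglers; if the gateway keeps logging private-source drops with no matching router entry, the packets are bypassing the filter (for example via a path that is not forwarded by the CPU), which is the case the switch-chip and bridge-filter suggestions later in the thread address.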
 
sindy
Forum Guru
Posts: 11247
Joined: Mon Dec 04, 2017 9:19 pm

Re: Occasional FIN or RST packet showing up on WAN from my private subnets

Tue Aug 20, 2024 1:07 pm

What are my options here?
The only solution I could ever find was to use bridge filter to drop packets escaping via WAN with any unexpected source address, but that is only possible for WANs using L2 interfaces ("IP over Ethernet" ones), not for PPP-based ones as those cannot be bridged.
 
boingolover
just joined
Topic Author
Posts: 5
Joined: Sat Feb 11, 2023 6:41 pm

Re: Occasional FIN or RST packet showing up on WAN from my private subnets

Tue Aug 20, 2024 4:11 pm

What are my options here?
The only solution I could ever find was to use bridge filter to drop packets escaping via WAN with any unexpected source address, but that is only possible for WANs using L2 interfaces ("IP over Ethernet" ones), not for PPP-based ones as those cannot be bridged.
So what would that look like? A little more background here, I have an rb5009 in a "router on a stick" config, my public internet is on a vlan interface, and that vlan interface is attached to the bridge, as is my sfp interface. No PPP involved. I see in bridge filtering you can select a bridge interface, but nothing more specific than that.

So one other thought, my fiber gateway is plugged into a crs309 as an untagged port for the public internet vlan, and my router is plugged into that same switch as a trunked port. Could I do firewall filtering on the crs309 using hardware offload? I've not really looked into what is possible there, I understand the cpu is pretty constrained but in some cases some things can be offloaded.

Thanks for the reply!
 
boingolover
just joined
Topic Author
Posts: 5
Joined: Sat Feb 11, 2023 6:41 pm

Re: Occasional FIN or RST packet showing up on WAN from my private subnets

Tue Aug 20, 2024 6:34 pm

So for now I am able to come up with switch port rules on the crs309 that block rfc1918 traffic on the public internet vlan. That at least ticks the box, but I can't help but think there is a more elegant solution.
 
sindy
Forum Guru
Posts: 11247
Joined: Mon Dec 04, 2017 9:19 pm

Re: Occasional FIN or RST packet showing up on WAN from my private subnets

Tue Aug 20, 2024 9:28 pm

Well.. more elegant... Using switch chip rules for the purpose means not adding any load to the CPU, so the only better solution would be to apply the switch chip rules directly on the 5009 rather than on the 309. But I don't have one handy, so you have to check on your own whether the switch chip used in the 5009 can match on vlan ID and source IP address simultaneously. And you would have to apply the rules on the CPU port since they are used on ingress, so be careful and test with a single source IP address and a VLAN ID that is not essential, otherwise you can easily lock yourself out. Or find a USB-to-serial converter and configure serial console before adding any switch chip rules. Removing an interface from a bridge and using it as a backup management interface is not enough, as the traffic of all ports always flows through the switch chip.

For the unlikely case that you wanted to use bridge filter rules - the last time I tried that with late 6.48 or early 6.49, it was not possible to match on VLAN ID and IP address simultaneously, but maybe 7.x has improved in that regard. There also used to be an issue with endianness of the ethertype (mac-protocol) value on some architectures. So it would require quite a lot of testing if you wanted to go that way, but the switch chip rules on the 5009 seem the best by far to me. The workaround to matching on IP address and VLAN ID at the same time is to use an auxiliary bridge, but I would not call that "elegant".
 
boingolover
just joined
Topic Author
Posts: 5
Joined: Sat Feb 11, 2023 6:41 pm

Re: Occasional FIN or RST packet showing up on WAN from my private subnets

Tue Aug 20, 2024 9:49 pm

Well.. more elegant... Using switch chip rules for the purpose means not adding any load to the CPU, so the only better solution would be to apply the switch chip rules directly on the 5009 rather than on the 309. But I don't have one handy, so you have to check on your own whether the switch chip used in the 5009 can match on vlan ID and source IP address simultaneously. And you would have to apply the rules on the CPU port since they are used on ingress, so be careful and test with a single source IP address and a VLAN ID that is not essential, otherwise you can easily lock yourself out.
I had the exact same thought, and I tried applying the same basic rules that work on the crs309 to the switch chip on the rb5009 and they seemed to have no effect, whether using the cpu interface or the sfp interface. I might have been doing something else wrong though, not sure.

Here are the rules from the crs309:
/interface ethernet switch rule
add comment="drop 10.0.0.0/8" new-dst-ports="" ports=sfp-sfpplus1,sfp-sfpplus7,sfp-sfpplus8 src-address=10.0.0.0/8 switch=switch1 vlan-id=1000
add comment="drop 172.16.0.0/12" new-dst-ports="" ports=sfp-sfpplus1,sfp-sfpplus7,sfp-sfpplus8 src-address=172.16.0.0/12 switch=switch1 vlan-id=1000
add comment="allow to 192.168.1.254" dst-address=192.168.1.254/32 ports=sfp-sfpplus1,sfp-sfpplus7,sfp-sfpplus8 src-address=192.168.1.0/24 switch=switch1 vlan-id=1000
add comment="allow from 192.168.1.254" dst-address=192.168.1.0/24 ports=sfp-sfpplus1,sfp-sfpplus7,sfp-sfpplus8 src-address=192.168.1.254/32 switch=switch1 vlan-id=1000
add comment="drop 192.168.0.0/16" new-dst-ports="" ports=sfp-sfpplus1,sfp-sfpplus7,sfp-sfpplus8 src-address=192.168.0.0/16 switch=switch1 vlan-id=1000


Or find a USB-to-serial converter and configure serial console before adding any switch chip rules. Removing an interface from a bridge and using it as a backup management interface is not enough, as the traffic of all ports always flows through the switch chip.
funny you say that, I totally locked myself out of my crs309 earlier and had to use a serial console to get back into it :)

For the unlikely case that you wanted to use bridge filter rules - the last time I tried that with late 6.48 or early 6.49, it was not possible to match on VLAN ID and IP address simultaneously, but maybe 7.x has improved in that regard. There also used to be an issue with endianness of the ethertype (mac-protocol) value on some architectures. So it would require quite a lot of testing if you wanted to go that way, but the switch chip rules on the 5009 seem the best by far to me. The workaround to matching on IP address and VLAN ID at the same time is to use an auxiliary bridge, but I would not call that "elegant".
from poking around in bridge filter rules it seemed fairly limited, but I'm pretty new to mikrotik world so I very well might be missing something.

Thanks again for all of your (and others) help on this.
 
sindy
Forum Guru
Posts: 11247
Joined: Mon Dec 04, 2017 9:19 pm

Re: Occasional FIN or RST packet showing up on WAN from my private subnets

Tue Aug 20, 2024 10:25 pm

funny you say that, I totally locked myself out of my crs309 earlier and had to use a serial console to get back into it :)
Actually, that reminds me that whilst in ROS 6, the USB-to-serial converter was the only way and you had to configure it in advance, in ROS 7, I could dig my way back to a CRS310 using a USB-to-Ethernet converter (it just requires that the access using mac-telnet or mac-winbox is not restricted). I wouldn't have minded resetting it back to factory defaults back then, but I was too lazy to remove it from the rack to get access to the label with the default password - only later did I find that another sticker with the password was available also on the leaflet in the cardboard box :) So on a 5009, this should work as well.

As for the switch chip rules, I hazily remember (from hAP ac², so a different switch chip), that in order that the rule would match, mac-protocol had to be specified as ip, not as vlan, although vlan-id was specified. So you have to be slightly creative to find the correct setting.
 
boingolover
just joined
Topic Author
Posts: 5
Joined: Sat Feb 11, 2023 6:41 pm

Re: Occasional FIN or RST packet showing up on WAN from my private subnets

Wed Aug 21, 2024 12:05 am

according to this post:

viewtopic.php?t=203179

sounds like there is a bug in the rb5009 where the switch1-cpu port filtering isn't working right now. Hopefully that gets fixed, but for now, I guess I can live with filtering on my crs309 and go back to not thinking about leakage.