LurkerBeta
just joined
Topic Author
Posts: 13
Joined: Fri Jul 09, 2021 8:50 am

6.48.5 doesn't always allow udp established connections

Tue Nov 23, 2021 10:58 am

The service works, but I have many errors (traffic from the MikroTik DNS server to a PC):
End output rules output: in:(unknown 0) out:LAN-bridge, proto UDP, 192.168.66.1:53->192.168.66.6:51496, len 60
Rule
;;; established related chain=output action=accept connection-state=established,related log=no
does not accept the traffic.

ip firewall connection tracking print
enabled: auto
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 10s
tcp-established-timeout: 12h
tcp-fin-wait-timeout: 20s
tcp-close-wait-timeout: 10s
tcp-last-ack-timeout: 30m
tcp-time-wait-timeout: 10s
tcp-close-timeout: 10s
tcp-max-retrans-timeout: 5m
tcp-unacked-timeout: 10m
loose-tcp-tracking: yes
udp-timeout: 20s
udp-stream-timeout: 3m
icmp-timeout: 10s
generic-timeout: 10m
max-entries: 183768
total-entries: 870
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: 6.48.5 doesn't always allow udp established connections

Wed Nov 24, 2021 8:23 pm

/ip firewall filter chain=output is only for connections initiated by the router itself. If the DNS service is running on the router itself (192.168.66.1), then you need rules in chain=input ... usually that would be two rules:
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=accept protocol=udp dst-port=53 connection-state=new

The second one should be made more specific (e.g. by adding in-interface or src-address or some other property) in order to avoid creating an open relay DNS server accessible from the internet.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: 6.48.5 doesn't always allow udp established connections

Wed Nov 24, 2021 9:53 pm

@mkx, I'm afraid that what the OP is trying to illustrate is the fact that the rule doesn't count, but it may be a confusion of cause and consequence. If that rule is alone in the output chain, it should match (and thus count) on each DNS response sent by the router, as such a packet definitely matches on connection-state=established. So I'd expect the answer not to be actually sent rather than the rule to miss it.

@LurkerBeta, can you elaborate on what actually happens? Packets are handled by /ip firewall filter rules after they have been routed, so if there is a routing issue of any kind (mangle rules, routing rules, arp responses missing, ethernet interface flapping), this may be a reason why there is no packet the rule could match.

Is that the only rule in chain output of /ip firewall filter?
 
LurkerBeta
just joined
Topic Author
Posts: 13
Joined: Fri Jul 09, 2021 8:50 am

Re: 6.48.5 doesn't always allow udp established connections

Fri Dec 17, 2021 1:02 pm

I figured out the problem; all firewall rules are correct.
The client makes a DNS request via UDP to the router. The router makes a DNS request to a DNS server on the Internet. If the router does not receive a response, then the router responds to the client after the UDP connection timeout expires.
Question: how long does it take for the router to respond to the client if the router cannot contact the internet DNS server?
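Added illustration (not code from the thread or from MikroTik): a small model of UDP connection tracking using the udp-timeout (20s) and udp-stream-timeout (3m) values from the OP's print output and the addresses from the logged packet. It shows why a DNS answer the router only sends after the upstream wait can no longer match connection-state=established in chain=output: the tracking entry created by the client's query has already expired, so the answer is classified as a new connection. The address/port tuples and the ConnTracker class are constructed for the example.

```python
"""Simplified UDP connection-tracking model (constructed, not RouterOS code)."""
from dataclasses import dataclass

UDP_TIMEOUT = 20           # udp-timeout=20s from the OP's connection tracking print
UDP_STREAM_TIMEOUT = 180   # udp-stream-timeout=3m, used once a reply has been seen


@dataclass
class Entry:
    expires_at: float
    replied: bool          # packet seen in the reply direction?


class ConnTracker:
    """Tracks UDP flows keyed by the (src, sport, dst, dport) of the first packet."""

    def __init__(self):
        self.table = {}

    def classify(self, now, src, sport, dst, dport):
        """Return the connection-state a filter rule would see for this packet."""
        # Drop entries whose timeout has elapsed, as conntrack would.
        for key in [k for k, e in self.table.items() if e.expires_at <= now]:
            del self.table[key]
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if fwd in self.table:          # same direction as the original packet
            e = self.table[fwd]
            e.expires_at = now + (UDP_STREAM_TIMEOUT if e.replied else UDP_TIMEOUT)
            return "established"
        if rev in self.table:          # reply direction: entry becomes a stream
            e = self.table[rev]
            e.replied = True
            e.expires_at = now + UDP_STREAM_TIMEOUT
            return "established"
        self.table[fwd] = Entry(now + UDP_TIMEOUT, replied=False)
        return "new"


def dns_reply_state(answer_delay):
    """State of the router's DNS answer (chain=output) when the router only
    answers `answer_delay` seconds after the client's query arrived."""
    ct = ConnTracker()
    client = ("192.168.66.6", 51496)   # addresses taken from the OP's log line
    router = ("192.168.66.1", 53)
    ct.classify(0.0, *client, *router)              # query: client -> router (chain=input, new)
    return ct.classify(answer_delay, *router, *client)  # answer: router -> client (chain=output)


if __name__ == "__main__":
    print("answer after 1s: ", dns_reply_state(1.0))   # established
    print("answer after 25s:", dns_reply_state(25.0))  # new, rule cannot match
```

Anything sent after the 20s entry lifetime is therefore seen by the established,related rule as a new connection, which is consistent with the logged 192.168.66.1:53->192.168.66.6:51496 packet falling through that rule.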
