I set a rule just before the drop statement which explicitly allows all traffic from this client, and logs the packet, to see what exactly is going on.
Here is an example of a packet that would be dropped without this explicit rule:
forward: in:br_local out:br_local, src-mac c4:54:44:2f:72:d7, proto TCP (ACK), 192.168.1.21:53966->10.20.10.1:3001, len 40
/ip firewall filter
add action=accept chain=forward comment="Accept established/related forward from all interfaces" connection-state=established,related
add action=accept chain=forward comment="Accept new forward from local bridge" connection-state=new in-interface=br_local
... some other stuff ...
add action=accept chain=forward log=yes src-address=192.168.1.21 <--- this is the explicit rule I put in just before the drop
add action=reject chain=forward comment="Reject invalid tcp forward from local bridge" connection-state=invalid in-interface=br_local protocol=tcp reject-with=tcp-reset tcp-flags=!rst
add action=drop chain=forward comment="Drop all forward"
And the interesting thing is that all other traffic works correctly; the only traffic that was logged by the explicit rule I put in was the traffic from this PC at 192.168.1.21 to the server at 10.20.10.1:3001.
The port on the client changes, but I checked all of them and they all have established connections in the connection tracker.
Why is this happening?
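A small parser for the RouterOS firewall-log format quoted above, added here as an example and not part of the original post. The sample lines are constructed (only the first is the post's own); the `hairpin()` and `midstream_tcp()` checks only report what the fields say (same in/out interface, ACK without SYN) and grouping by destination ignores the changing client port so the repeated hits show up as one flow.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in the RouterOS firewall-log format quoted in the post
# (the first is the post's own line; the rest are made up for illustration).
SAMPLE_LOG = """\
forward: in:br_local out:br_local, src-mac c4:54:44:2f:72:d7, proto TCP (ACK), 192.168.1.21:53966->10.20.10.1:3001, len 40
forward: in:br_local out:br_local, src-mac c4:54:44:2f:72:d7, proto TCP (ACK,PSH), 192.168.1.21:53970->10.20.10.1:3001, len 52
forward: in:br_local out:ether1, src-mac c4:54:44:2f:72:d7, proto TCP (SYN), 192.168.1.21:40000->203.0.113.10:443, len 60
forward: in:br_local out:br_local, src-mac c4:54:44:2f:72:d7, proto UDP, 192.168.1.21:5353->10.20.10.1:53, len 72
"""

# chain, in/out interface, source MAC, protocol with optional TCP flags, 5-tuple, length
LINE_RE = re.compile(
    r"(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>\S+), src-mac (?P<mac>[0-9a-f:]{17}), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

@dataclass(frozen=True)
class FwLogEntry:
    chain: str; in_if: str; out_if: str; src_mac: str; proto: str
    flags: tuple; src: str; sport: int; dst: str; dport: int; length: int

    def hairpin(self) -> bool:
        """Packet enters and leaves on the same interface (here: both br_local)."""
        return self.in_if == self.out_if

    def midstream_tcp(self) -> bool:
        """TCP segment carrying ACK but no SYN, i.e. not a connection opener."""
        return self.proto == "TCP" and "ACK" in self.flags and "SYN" not in self.flags

def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a firewall log line in this format
    g = m.groupdict()
    flags = tuple(g["flags"].split(",")) if g["flags"] else ()
    return FwLogEntry(g["chain"], g["in_if"], g["out_if"], g["mac"], g["proto"], flags,
                      g["src"], int(g["sport"]), g["dst"], int(g["dport"]), int(g["len"]))

def group_flows(log_text: str):
    """Group entries by (src, dst, dport, proto), ignoring the client's ephemeral
    port, so a client that reconnects on new ports still shows as one flow."""
    flows = defaultdict(list)
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        flows[(entry.src, entry.dst, entry.dport, entry.proto)].append(entry)
    return dict(flows)
```

Feeding the output of the logging rule into `group_flows` and checking `hairpin()` / `midstream_tcp()` per flow shows at a glance which hits are same-bridge traffic and which are mid-stream segments rather than new connections.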