kolbyr
just joined
Topic Author
Posts: 11
Joined: Thu Oct 27, 2022 10:57 pm

What do these log entries mean? GRE-Related Logs Rapidly Generating

Tue Nov 15, 2022 8:47 pm

Hey all,

Can someone assist me with understanding what this particular 'firewall,info' log is indicating or saying from a technical perspective?
 11:41:09 firewall,info input: in:ether8 out:(unknown 0), connection-state:established src-mac <remote-mac-omitted>, proto 47, <remote-ip-omitted>-><local-ip-omitted>, len 97
 11:41:09 firewall,info input: in:ether8 out:(unknown 0), connection-state:established src-mac <remote-mac-omitted>, proto 47, <remote-ip-omitted>-><local-ip-omitted>, len 102
 11:41:09 firewall,info input: in:ether8 out:(unknown 0), connection-state:established src-mac <remote-mac-omitted>, proto 47, <remote-ip-omitted>-><local-ip-omitted>, len 64
 11:41:09 firewall,info input: in:ether8 out:(unknown 0), connection-state:established src-mac <remote-mac-omitted>, proto 47, <remote-ip-omitted>-><local-ip-omitted>, len 164
 11:41:09 firewall,info input: in:ether8 out:(unknown 0), connection-state:established src-mac <remote-mac-omitted>, proto 47, <remote-ip-omitted>-><local-ip-omitted>, len 80
 11:41:09 firewall,info input: in:ether8 out:(unknown 0), connection-state:established src-mac <remote-mac-omitted>, proto 47, <remote-ip-omitted>-><local-ip-omitted>, len 64
 11:41:09 firewall,info input: in:ether8 out:(unknown 0), connection-state:established src-mac <remote-mac-omitted>, proto 47, <remote-ip-omitted>-><local-ip-omitted>, len 80
This is a local RB4011iGS+ router that's getting spammed with these same logs (the src-mac is all the same, and src/dst IPs are all the same, omitted for privacy). This is a GRE tunnel between this local router and a remote CCR1036-8G-2S+. I don't want to include a ton of info here as all I'm looking for is to understand the log entry itself, but for information's sake: The GRE tunnel remains up solidly (it's not incrementing down/up events), OSPF is running stable over the GRE tunnel (no hits either), and pinging with large packets over the tunnel shows no packet loss.

Thanks in advance. :)
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: What do these log entries mean? GRE-Related Logs Rapidly Generating  [SOLVED]

Tue Nov 15, 2022 9:01 pm

There is a rule in chain input of /ip firewall filter which has either action=log or the action is different but the log parameter is set to yes (and possibly it matches on protocol=gre). Unless it is the "accept established,related, or untracked" rule, your firewall is configured in an inefficient way, so even packets belonging to already established connections are handled by other rule(s) than the "accept established,related,or untracked" one.
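
An added example, not part of the original thread and not MikroTik tooling: a Python audit over a constructed `/ip firewall filter export` sample that lists the input-chain rules that log and whether established packets can still reach them. The sample ruleset, the function names and the `STATE_ONLY` heuristic are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample in the style of "/ip firewall filter export" output.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked log=yes
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=gre log=yes log-prefix=gre
add action=log chain=forward
add action=drop chain=input in-interface=ether8
"""
# Properties that do not narrow a rule beyond its connection-state matcher.
STATE_ONLY = {"chain", "action", "connection-state", "log", "log-prefix", "comment"}

def parse_rules(export_text):
    """Return one dict of properties per 'add' line in the filter section."""
    # Assumption: a trailing backslash continues the line and the indentation
    # of the continuation line is not part of the value.
    text = re.sub(r"\\\n\s*", "", export_text)
    rules, in_filter = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return rules

def sees_established(rule):
    """True if the rule's connection-state matcher does not exclude established packets."""
    state = rule.get("connection-state")
    if state is None:
        return True  # no matcher: the rule applies to every connection state
    if state.startswith("!"):
        return "established" not in state[1:].split(",")
    return "established" in state.split(",")

def logging_input_rules(rules):
    """List (position, action, reachable_by_established) for input rules that log."""
    findings, handled = [], False
    for pos, r in enumerate(rules):
        if r.get("chain") != "input":
            continue
        action = r.get("action", "accept")  # accept is the default action
        if action == "log" or r.get("log") == "yes":
            findings.append((pos, action, sees_established(r) and not handled))
        # A terminating rule matching only on state shields every later rule.
        if set(r) <= STATE_ONLY and "connection-state" in r and sees_established(r) \
                and action in ("accept", "drop"):
            handled = True
    return findings
```

Positions are zero-based within the parsed export. A finding with `True` in the last field is a rule that will write a log line for every packet of an established flow, which is the pattern in the log excerpt above.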
 
kolbyr
just joined
Topic Author
Posts: 11
Joined: Thu Oct 27, 2022 10:57 pm

Re: What do these log entries mean? GRE-Related Logs Rapidly Generating

Tue Nov 15, 2022 9:07 pm

There is a rule in chain input of /ip firewall filter which has either action=log or the action is different but the log parameter is set to yes (and possibly it matches on protocol=gre). Unless it is the "accept established,related, or untracked" rule, your firewall is configured in an inefficient way, so even packets belonging to already established connections are handled by other rule(s) than the "accept established,related,or untracked" one.
Ah yes, you're right. Logging was checked in the accept action of the firewall rule. Some review will be done to optimize the config. :) Thank you very much!
