Community discussions

MikroTik App
  4. RouterOS
  5. RouterOS beta

IPv6 + Firewall filters + Simple Queue not working

Post Reply
 
mroy
just joined
Topic Author
Posts: 2
Joined: Wed Nov 10, 2021 11:26 am

IPv6 + Firewall filters + Simple Queue not working

Wed Nov 10, 2021 5:07 pm

Hi everyone !

IPv6 with a simple SFQ queue is not working on RB5009UG+S+ with RouterOS 7.1rc6. Connection states are lost.

Firewall configuration (logging only for debug purpose) :
Code: Select all
/ipv6 firewall filter add action=accept chain=forward connection-state=established,related,new in-interface=LAN log=yes log-prefix="[LAN6]"
/ipv6 firewall filter add action=accept chain=forward connection-state=established,related in-interface=WAN log=yes log-prefix="[WAN6]"
/ipv6 firewall filter add action=drop chain=forward log=yes log-prefix="[DROP6]"

Queue configuration :
Code: Select all
/queue type add kind=sfq name=SFQ
/queue simple add max-limit=13500k/800k name=SFQ queue=SFQ/SFQ target=WAN,WAN total-queue=SFQ

Test example :
Code: Select all
curl -6 www.example.com

Result - IPv6 connections :
Code: Select all
/ipv6 firewall connection print detail 
Flags: S - seen reply; A - assured

Result - Firewall logs :
Code: Select all
/log print
 15:22:26 firewall,info [LAN6] forward: in:LAN out:WAN, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), [2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270->[2606:2800:220:1:248:1893:25c8:1946]:80, len 40
 15:22:26 firewall,info [DROP6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN,ACK), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270, len 40
 15:22:27 firewall,info [LAN6] forward: in:LAN out:WAN, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), [2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270->[2606:2800:220:1:248:1893:25c8:1946]:80, len 40
 15:22:27 firewall,info [DROP6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN,ACK), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270, len 40
 15:22:27 firewall,info [DROP6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN,ACK), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270, len 40
 15:22:29 firewall,info [LAN6] forward: in:LAN out:WAN, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), [2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270->[2606:2800:220:1:248:1893:25c8:1946]:80, len 40
 15:22:29 firewall,info [DROP6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN,ACK), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270, len 40
 15:22:31 firewall,info [DROP6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN,ACK), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270, len 40
 15:22:33 firewall,info [LAN6] forward: in:LAN out:WAN, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), [2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270->[2606:2800:220:1:248:1893:25c8:1946]:80, len 40
 15:22:33 firewall,info [DROP6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN,ACK), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270, len 40
 15:22:41 firewall,info [LAN6] forward: in:LAN out:WAN, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), [2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270->[2606:2800:220:1:248:1893:25c8:1946]:80, len 40
 15:22:41 firewall,info [DROP6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN,ACK), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270, len 40
 15:22:43 firewall,info [DROP6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN,ACK), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270, len 40
 15:22:45 firewall,info [DROP6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN,ACK), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58270, len 40

If I disable the simple SFQ queue, it works as expected :
Code: Select all
/queue simple set SFQ disabled=yes

Test :
Code: Select all
curl -6 www.example.com

Firewall connections :
Code: Select all
/ipv6 firewall connection print detail 
Flags: S - seen reply; A - assured 
 0 SA protocol=tcp src-address=2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx src-port=58266 
      dst-address=2606:2800:220:1:248:1893:25c8:1946 dst-port=80 reply-src-address=2606:2800:220:1:248:1893:25c8:1946 
      reply-src-port=80 reply-dst-address=2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx reply-dst-port=58266 tcp-state=time-wait 
      timeout=5s

Firewall logs :
Code: Select all
/log print
 15:18:41 firewall,info [LAN6] forward: in:LAN out:WAN, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), [2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58266->[2606:2800:220:1:248:1893:25c8:1946]:80, len 40
 15:18:41 firewall,info [WAN6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (SYN,ACK), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58266, len 40
 15:18:41 firewall,info [LAN6] forward: in:LAN out:WAN, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,PSH), [2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58266->[2606:2800:220:1:248:1893:25c8:1946]:80, len 111
 15:18:41 firewall,info [LAN6] forward: in:LAN out:WAN, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), [2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58266->[2606:2800:220:1:248:1893:25c8:1946]:80, len 32
 15:18:41 firewall,info [WAN6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (ACK), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58266, len 32
 15:18:41 firewall,info [WAN6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (ACK), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58266, len 1240
 15:18:41 firewall,info [WAN6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (ACK,PSH), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58266, len 415
 15:18:41 firewall,info [WAN6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (ACK), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58266, len 32
 15:18:41 firewall,info [LAN6] forward: in:LAN out:WAN, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), [2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58266->[2606:2800:220:1:248:1893:25c8:1946]:80, len 32
 15:18:41 firewall,info [LAN6] forward: in:LAN out:WAN, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK,FIN), [2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58266->[2606:2800:220:1:248:1893:25c8:1946]:80, len 32
 15:18:41 firewall,info [WAN6] forward: in:WAN out:LAN, src-mac yy:yy:yy:yy:yy:yy, proto TCP (ACK,FIN), [2606:2800:220:1:248:1893:25c8:1946]:80->[2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58266, len 32
 15:18:41 firewall,info [LAN6] forward: in:LAN out:WAN, src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK), [2a01:xxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx]:58266->[2606:2800:220:1:248:1893:25c8:1946]:80, len 32

If I remove the connection states from the firewall filters, I also works with the queue. But I lose the connection tracking and filtering feature, which is bad.

Conclusion : Simple SFQ queue loses the IPv6 connection states.

Note : It works perfectly on a RB2011UiAS with RouterOS 6.48.5 (LTS) (IPv6 filters + Simple SFQ queue).
Top
Post Reply

Who is online

Users browsing this forum: No registered users and 11 guests
  4. RouterOS
  5. RouterOS beta