Community discussions

MikroTik App
  4. RouterOS
  5. General

Firewall issue connection-state: invalid src-mac

Post Reply
 
seaquest45
just joined
Topic Author
Posts: 6
Joined: Mon Jun 29, 2020 12:15 pm

Firewall issue connection-state: invalid src-mac

Mon Jan 16, 2023 6:03 pm

Hi community,

I've two Mikrotik devices establishing an IPSec VPN and I see lots of logs with the connection state: invalid src-mac: xx:....

The log output is:
Code: Select all
FROM P2 to P1 prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:a5:bf:0f:3c:19, proto TCP (ACK,PSH), 192.168.50.70:58422->192.168.49.4:445, len 296
The source of this log come from my ip/firewall/raw rules defined here:
Code: Select all
ip firewall raw print detail 
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1    chain=prerouting action=accept log=yes log-prefix="FROM P2 to P1" src-address=192.168.50.0/24 dst-address=192.168.49.0/24 

 2    chain=prerouting action=accept log=yes log-prefix="FROM P1 TO P2" src-address=192.168.49.0/24 dst-address=192.168.50.0/24
The question is: why I get a
Code: Select all
connection-state:invalid src-mac 00:a5:bf:0f:3c:19
when this MAC address is my ISP GW MAC Address
Code: Select all
16 DC 184.xxx.xxx.1    00:A5:BF:0F:3C:19  ether1
?

I'm pretty sure I've done a wrong configuration somewhere but where?

Thank you
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11597
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall issue connection-state: invalid src-mac

Mon Jan 16, 2023 6:07 pm

I'd say that invalid refers to connection state and not MAC. "Raw prerouting" is done immediately before connection tracking so unknown connection state is expected.
Top
 
seaquest45
just joined
Topic Author
Posts: 6
Joined: Mon Jun 29, 2020 12:15 pm

Re: Firewall issue connection-state: invalid src-mac

Mon Jan 16, 2023 6:56 pm

Thank you for this reply :)

So this is one "false positive" information as this is a raw prerouting rule?

BR,

Martin
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11597
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall issue connection-state: invalid src-mac

Mon Jan 16, 2023 7:04 pm

Well, if your connectivity works as intended, then log is indeed "false positive" from your perspective.

Yes, log message formatting could be better, first part of message is space separated with parameter name separated from value using colon. Sometimes there's also coma. Second part is coma separated with space separating parameter name from value. And between both there's only space ...
Top
 
seaquest45
just joined
Topic Author
Posts: 6
Joined: Mon Jun 29, 2020 12:15 pm

Re: Firewall issue connection-state: invalid src-mac

Mon Jan 16, 2023 7:52 pm

I copy.

Thank you for your inputs, really appreciated.

BR,

Martin L.
Top
Post Reply

Who is online

Users browsing this forum: pterpstra, svh79 and 95 guests
  4. RouterOS
  5. General