WildWest
just joined
Topic Author
Posts: 17
Joined: Sat Feb 23, 2019 12:02 am

Firewall is dropping traffic on CCR1009-8G-1S-1S+ (tile)

Fri Feb 23, 2024 10:45 pm

My connection:

Internet -> Static WAN IP address, EDGE router (with NAT rules) -> Core Router -> Local Network


The Core router CCR1009-8G-1S-1S+ (tile), has no NAT rules, no Mangle rules, simple static default route.

There is a simple Firewall rule list (CCR):


/ip firewall filter
add action=accept chain=forward comment="Accept established and related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow access to Internet" src-address=192.168.88.0/24
add action=drop chain=forward comment="Drop ALL Forward" log=yes log-prefix="Drop ALL Forward"


For some reason, reading the log, I see some traffic was dropped:

Drop ALL Forward forward: in:WAN-interface out:LAN-interface, connection-state:new src-mac AA:AA:01:01:01:01, proto TCP (ACK,PSH), 33.90.100.100:443->192.168.88.101:60708, len 125

I don't understand why that traffic was initiated as "new".

My computer 192.168.88.101 initiates a connection from port 60708 to the remote server 33.90.100.100 port 443; because I have an established and related rule, the incoming traffic should be automatically accepted. But it is accepted only partially: some traffic is recognized as "new", and it does not match "established and related".

I probably would not have paid attention to it, until I found tons of dropped traffic from different network clients, and people complained about slow internet.


Later I found the same issue with the output/input chains:


/ip firewall filter
add action=accept chain=input comment="Accept established and related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept Winbox" dst-address=192.168.88.1 dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop ALL Input" log=yes log-prefix="Drop ALL Input"

add action=accept chain=output comment="Accept established and related" connection-state=established,related
add action=drop chain=output comment="Drop ALL Output" log=yes log-prefix="Drop ALL Output"



Reading the log:

Drop ALL Output output: connection-state:new proto TCP, 192.168.88.1:8291->192.168.88.101:33000, len 125



I am still connected to Winbox, but some traffic is dropped.


I have these issues on different computers/clients.

I have replaced the Core router with a new device (same model), no luck.

Later I found the same issues in another network with the same type of hardware (CCR tile).

Tested on RouterOS 7.13.5 and 7.12.

What it could be? Where do I need to look?
Last edited by WildWest on Sat Feb 24, 2024 7:01 am, edited 2 times in total.
 
pe1chl
Forum Guru
Posts: 10612
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall is dropping traffic on CCR1009-8G-1S-1S+ (tile)

Fri Feb 23, 2024 11:06 pm

Your firewall rules are just wrong.
Either study the matter or apply default firewall rules...
(unfortunately the CCR1009 has no default firewall rules, but you can copy them from another model)
 
johnson73
Member Candidate
Posts: 248
Joined: Wed Feb 05, 2020 10:07 am

Re: Firewall is dropping traffic on CCR1009-8G-1S-1S+ (tile)

Fri Feb 23, 2024 11:08 pm

If your CCR does not work as a primary router with NAT, but in bridge mode, then you do not need a firewall on it.
I don't really understand what the point of the CCR router is... Does it perform the functions of a switch?
Last edited by johnson73 on Fri Feb 23, 2024 11:12 pm, edited 1 time in total.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Firewall is dropping traffic on CCR1009-8G-1S-1S+ (tile)

Fri Feb 23, 2024 11:10 pm

Stated differently, what is it doing there............. Not needed ????
 
WildWest
just joined
Topic Author
Posts: 17
Joined: Sat Feb 23, 2019 12:02 am

Re: Firewall is dropping traffic on CCR1009-8G-1S-1S+ (tile)

Fri Feb 23, 2024 11:20 pm

My CCR works as a primary Core router with hundreds of firewall rules, Mangle rules, routes, VLANs, CAPsMAN, VPNs ...
The separation of the Core router from the edge router (with NAT) was made on purpose.

What I published here is just an example of the simplest configuration setup, after I noticed the issues and reset to factory settings.
 
pe1chl
Forum Guru
Posts: 10612
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall is dropping traffic on CCR1009-8G-1S-1S+ (tile)  [SOLVED]

Fri Feb 23, 2024 11:25 pm

But there are several mistakes in it... that is why you encounter issues.
For some unclear reason, the CCR devices do not get the default rules that other devices get.

Even with the default rules there are issues with logging dropped traffic, because you will get lots of false positives.
E.g. when a connection has been sitting idle for too long or one side hasn't noticed the other side wanted to close it, you will see such packets as you describe now (a TCP (ACK,PSH) marked as "new" or a TCP (ACK,FIN) marked as "invalid").
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Firewall is dropping traffic on CCR1009-8G-1S-1S+ (tile)

Fri Feb 23, 2024 11:27 pm

Sorry, but I am outta here, good luck with assistance.
Reason - contradictory statements.

Intro Post:
The Core router CCR1009-8G-1S-1S+ (tile), has no NAT rules, no Mangle rules, simple static default route.
There is a simple Firewall rule list (CCR):

Latest Post:
My CCR works as a primary Core router with hundreds firewall rules, Mangle rules, routes, vlans, CAPSMAN, VPNs ..

buh buh buh bye..........................
 
WildWest
just joined
Topic Author
Posts: 17
Joined: Sat Feb 23, 2019 12:02 am

Re: Firewall is dropping traffic on CCR1009-8G-1S-1S+ (tile)

Fri Feb 23, 2024 11:40 pm

I apologize for the incorrect statement at the beginning.

I only wanted to publish a minimum configuration setup to show the issue with it. I expected to be asked about the entire configuration, so to minimize the number of potential questions, I reset to factory settings and made a simple firewall configuration.

Then I understood that people were asking why I use the CCR at all, and I described the primary needs in normal use.
Again, my statement "My CCR works as a primary Core router with hundreds firewall rules, Mangle rules, routes, vlans, CAPSMAN, VPNs .." is describing the normal life usage of CCR.
 
WildWest
just joined
Topic Author
Posts: 17
Joined: Sat Feb 23, 2019 12:02 am

Re: Firewall is dropping traffic on CCR1009-8G-1S-1S+ (tile)

Sat Feb 24, 2024 6:57 am

But there are several mistakes in it... that is why you encounter issues.
For some unclear reason, the CCR devices do not get the default rules that other devices get.

Even with the default rules there are issues with logging dropped traffic, because you will get lots of false positives.
E.g. when a connection has been sitting idle for too long or one side hasn't noticed the other side wanted to close it, you will see such packets as you describe now (a TCP (ACK,PSH) marked as "new" or a TCP (ACK,FIN) marked as "invalid").
Thanks!

Okay, it does make sense; I did not pay attention earlier to these types of drops. I still do not understand why the amount of drops has increased significantly. I think I have something else going on in my network...
 
pe1chl
Forum Guru
Posts: 10612
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall is dropping traffic on CCR1009-8G-1S-1S+ (tile)

Sat Feb 24, 2024 12:24 pm

When your internal network is flaky, e.g. a large area covered with WiFi access points, or the external network (ISP) is not very reliable, you will have more of those lingering connections that are not accounted for in the firewall tracking.

There are some ways around it, e.g. you can decide to pass TCP packets with the FIN flag, pass packets with the RST flag, and to drop packets with the SYN flag below the "accept established/related" rule and before dropping invalid or other packets with log. Of course, do not put logging on those 3 extra rules.
That will significantly reduce the noise.
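The forward chain from the opening post with the three extra rules placed where the reply above describes, as an added example that is not part of any post in this thread. It reuses the thread's own addresses and rule comments. One assumption is labelled in the comments: the post says "drop packets with the SYN flag", and the example reads that as the usual straggler rule, silently dropping a new-state TCP packet that does not carry SYN (a legitimate new TCP connection always starts with SYN, so a "new" ACK,PSH such as the one in the first log line can only be a leftover of a session conntrack no longer tracks). The three rules carry no log=yes, which is the point of the exercise.

```routeros
/ip firewall filter
# 1. Tracked traffic first, unchanged from the original rule set.
add action=accept chain=forward comment="Accept established and related" \
    connection-state=established,related

# 2. Stragglers from sessions conntrack has forgotten (idle timeout, one side
#    never saw the close). These three rules deliberately have no logging.
#    Passing FIN/RST lets the surviving endpoint receive the close or reset
#    and tear its own state down instead of retransmitting forever.
add action=accept chain=forward comment="Pass stray FIN (no log)" \
    protocol=tcp tcp-flags=fin
add action=accept chain=forward comment="Pass stray RST (no log)" \
    protocol=tcp tcp-flags=rst
#    Assumption (editor's reading of the post): a "new" TCP packet without SYN
#    is a straggler, e.g. the logged ACK,PSH 33.90.100.100:443->192.168.88.101,
#    so drop it silently rather than letting it reach the logging catch-all.
add action=drop chain=forward comment="Drop new TCP without SYN (no log)" \
    connection-state=new protocol=tcp tcp-flags=!syn

# 3. The original rules continue unchanged; only genuine new flows
#    (SYN, UDP, ICMP) now reach the logging catch-all.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow access to Internet" \
    src-address=192.168.88.0/24
add action=drop chain=forward comment="Drop ALL Forward" log=yes \
    log-prefix="Drop ALL Forward"
```

The same three rules, with chain=input and chain=output, quiet the "Drop ALL Input" / "Drop ALL Output" log lines in the same way; the logged 192.168.88.1:8291->192.168.88.101:33000 packet in state new would be dropped silently by the no-SYN rule in the output chain. Two practitioner caveats: first, the accept rules for FIN and RST forward those packets to the destination host even when no tracked connection exists, so FIN and RST probes (FIN-scan style) will reach inside hosts and elicit RST replies; if that matters in your environment, change those two rules to action=drop, which removes the log noise just as well but leaves the stale endpoint to time out on its own. Second, verify placement with /ip firewall filter print after adding the rules, because the effect depends entirely on the three rules sitting after the established/related accept and before the drop invalid rule.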