Hello,

I've noticed something strange after trying to remove active (established) connection from ip->firewall->connections on MikroTik RB951G-2HnD v6.33.1.

This is a scenario:

- open terminal on MT router
- connect to some device (system telnet 10.20.20.1 333)
- in connections I see src 192.168.1.1:44453 and dst 10.20.20.1:333
- that device sends TCP keep-alive package every second to check if socket is alive
- I remove that established connection
- if that device first sends some package (keep-alive), old connection appears again but with switched src and dst addresses
- if I send something from terminal to device, old connection appears again without switching src and dsc addresses

src address will be from one who first sends something to other side.

It can be a problem if I allow only router to establish connection.

In my log (I log all connections without any matched rule), I can see connection from that device:

TCP (ACK,PSH) from 10.20.20.1:333 -> 192.168.1.1:44453

but it is wrong, because router should always be on src side.

What do you think about this situation?

Thanks!

It is normal, the connection tracker will create connections when it sees traffic, not only when they are newly setup with SYN.
In Linux there is an option somewhere to disallow that, and only create new connections on new sessions.
I don't know if MikroTik allows to set that somewhere.