nikc
Member Candidate
Topic Author
Posts: 208
Joined: Wed Jul 13, 2016 6:05 pm

LTE / SSL Firewall problem

Mon Nov 21, 2016 10:18 pm

Hi All

I spotted an issue today whilst on customer site with them accessing HTTPS sites over the SXT LTE I have recently implemented, the config looks a little like this:

Image

What I spotted was that 90% at least of requests to HTTPS sites were just dying ... I could see the browser find the IP, then get "establishing secure connection" .... then it just stayed at that point till it timed out.

I did some digging and could see one particular firewall drop rule with lots of traffic logged against it, the rule was disabled and the problem went away.

The rule in question is this one:
add action=drop chain=forward comment="defconf: drop invalid" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=invalid \
    !connection-type !content disabled=yes !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
I can see it's from the defconf, but can anyone help me understand why it might be failing? Could it be due to the CGNAT in use on the mobile provider's network?

Many Thanks

Nik
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: LTE / SSL Firewall problem

Mon Nov 21, 2016 11:11 pm

You can check default configuration by issuing
/system default-configuration print
The defconf drop invalid rule doesn't look like yours, this is the output from the previous command on a hAP ac:
           /ip firewall {
             filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
             filter add chain=input action=accept connection-state=established,related comment="defconf: accept established,related"
             filter add chain=input action=drop in-interface=ether1 comment="defconf: drop all from WAN"
             filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
             filter add chain=forward action=accept connection-state=established,related comment="defconf: accept established,related"
             filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
             filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 comment="defconf:  drop all>
           }
Try setting that drop invalid rule like that one, i.e. just connection-state=invalid; it should make a difference.

It can be CGNAT, packet fragmentation, packets reaching the router out of order... a normal count for this rule would be about 150k-200k per GB of transferred traffic on an FTTH connection.
 
nikc
Member Candidate
Topic Author
Posts: 208
Joined: Wed Jul 13, 2016 6:05 pm

Re: LTE / SSL Firewall problem

Tue Nov 22, 2016 10:34 am

Thanks for the reply, I think the rule from my export is the same, just displayed differently, but I will recreate and try it, thanks :)

I am seeing 100Mb out of 10Gb of traffic finding its way into this rule.

Nik
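The two rules in this thread look different only because a verbose export prints every unset matcher as a bare `!name` token. As an added example (not code from the thread or from MikroTik), the small Python normalizer below strips those tokens from an `/ip firewall filter export` line and compares what is left; the function names are my own, and the two rule strings are the ones quoted above.

```python
import re
import shlex

# Parameters that are bookkeeping, not part of what the rule matches or does.
NON_MATCHERS = {"comment", "disabled", "log", "log-prefix", "place-before"}

# The long rule is the verbose export quoted in the first post; the short one
# is the defconf rule from the reply.
NIKC_RULE = '''add action=drop chain=forward comment="defconf: drop invalid" \\
    !connection-bytes !connection-limit !connection-mark \\
    !connection-nat-state !connection-rate connection-state=invalid \\
    !connection-type !content disabled=yes !dscp !dst-address \\
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \\
    !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority \\
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \\
    !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size \\
    !per-connection-classifier !port !priority !protocol !psd !random \\
    !routing-mark !routing-table !src-address !src-address-list \\
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \\
    !ttl'''
DEFCONF_RULE = ('add chain=forward action=drop connection-state=invalid '
                'comment="defconf: drop invalid"')

def parse_rule(export_text):
    """Turn one 'add ...' export line into a dict of parameter -> value.
    Backslash line continuations are joined first.  A bare '!name' token
    (how 'export verbose' shows an unset matcher) is dropped entirely."""
    joined = re.sub(r"\\\s*\n\s*", " ", export_text.strip())
    tokens = shlex.split(joined)          # honours the quoted comment value
    if not tokens or tokens[0] != "add":
        raise ValueError("expected a rule line starting with 'add'")
    params = {}
    for tok in tokens[1:]:
        if tok.startswith("!"):
            continue                      # unset matcher, contributes nothing
        key, _, value = tok.partition("=")
        params[key] = value
    return params

def effective_rule(export_text):
    """Only the parameters that decide what the rule matches and does."""
    return {k: v for k, v in parse_rule(export_text).items()
            if k not in NON_MATCHERS}

def same_effective_rule(rule_a, rule_b):
    """True when two export lines match the same traffic with the same action."""
    return effective_rule(rule_a) == effective_rule(rule_b)

if __name__ == "__main__":
    print(effective_rule(NIKC_RULE))
    print("same as defconf:", same_effective_rule(NIKC_RULE, DEFCONF_RULE))
```

Note that `disabled=yes` is ignored by the comparison on purpose: the first post says the rule was disabled to confirm the symptom, which does not change what it matches when enabled.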
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: LTE / SSL Firewall problem

Mon Nov 28, 2016 3:44 pm

Keep in mind you're on an LTE wireless network... a higher percentage of invalid packets is to be expected vs an FTTH one.
 
TyBermea
newbie
Posts: 29
Joined: Mon Nov 02, 2015 3:18 am

Re: LTE / SSL Firewall problem

Sun Dec 04, 2016 2:59 am

If only HTTPS traffic is having a problem, it could be MSS issues.

Suggest you try this: (replace ether1 with your WAN interface)
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=ether1 \
    passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=change-mss chain=forward in-interface=ether1 new-mss=clamp-to-pmtu \
    passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1453-65535
https://en.wikipedia.org/wiki/Maximum_s ... S_and_PMTU