Marktime87
newbie
Topic Author
Posts: 38
Joined: Sat Feb 25, 2017 11:49 am

Mikrotik detecting all traffic to Synology as invalid connections

Fri Feb 16, 2018 1:48 pm

Hi guys

This morning I swapped a client over from a Draytek to a Mikrotik for various reasons. Everything went fine apart from not being able to access the Synology. It got a DHCP lease and the router could ping it, but nothing else on the network could ping it or access it.

Long story short I found that if I disabled the "drop invalids" rule in the defcon firewall it would work. So I thought that if I set a static IP on the Synology and told the defcon rule to NOT apply to 192.168.13.9 (synology IP) then it would be fine. It wasn't. The only way I could get local access to the Synology was to disable the "drop invalids" rule, which isn't ideal obviously.

Has anyone else seen this issue with Synology or anything else for that matter?
 
acruhl
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: Mikrotik detecting all traffic to Synology as invalid connections

Fri Feb 16, 2018 2:21 pm

I have an older Synology that works fine. It's attached to a switch under my MikroTik router.

I'm reading what "invalid" means in the wiki and it has a strong association with out of order packets or incorrect sequence numbers with NAT. Are you using NAT to talk to it? Does it work from the same subnet?

Would be interesting to see what the traffic looks like in a sniffer trace. Maybe they are setting a flag in the header that the invalid rule doesn't like.
 
Marktime87
newbie
Topic Author
Posts: 38
Joined: Sat Feb 25, 2017 11:49 am

Re: Mikrotik detecting all traffic to Synology as invalid connections

Fri Feb 16, 2018 2:45 pm

I have an older Synology that works fine. It's attached to a switch under my MikroTik router.

I'm reading what "invalid" means in the wiki and it has a strong association with out of order packets or incorrect sequence numbers with NAT. Are you using NAT to talk to it? Does it work from the same subnet?

Would be interesting to see what the traffic looks like in a sniffer trace. Maybe they are setting a flag in the header that the invalid rule doesn't like.

Everything was stock settings on the router, default config everywhere. I had added 2 VLANs for VoIP and guest wifi but this was on the main data network. I hadn't even made any rules to segregate VLANs and networks from each other at that point.

What's even weirder on this is that I couldn't ping the Synology from any other device, but I could go to the synology.me/remote-id link and get on to it.

What should I be looking out for with the sniffer? I'm not very well schooled on that tool.
 
acruhl
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: Mikrotik detecting all traffic to Synology as invalid connections

Fri Feb 16, 2018 3:10 pm

What's even weirder on this is that I couldn't ping the Synology from any other device, but I could go to the synology.me/remote-id link and get on to it.

Well, maybe not so weird, because that is probably done by using an established outbound connection from your Synology to the Synology website. That connection is then used to re-connect inward when you go to the Synology website from the internet. That's going to bypass some firewall rules since the connection is already established.

The reason I asked about "does it work from the same subnet" is because you're going to bypass firewall rules, in which case you aren't hitting the "invalid" rule. So does it ping from the same subnet? If not, the invalid rule isn't causing this, it's some other problem.

Sniffer traces are last resort because it takes a lot of time to look at them. Ensure this is really what you think it is. I was assuming that this really was related to the invalid rule. If it isn't, the sniffer trace is a waste of time.

If you are trying to get to the Synology from another machine on the same subnet and disabling the "invalid" rule "fixes" the problem, then I don't understand what's going on. That wouldn't make sense.

You should become familiar with sniffer traces. Set an output file name and turn it on for 10 or 20 seconds on your WAN interface, then download it and open it in Wireshark. This is how you look at the raw traffic on your device. Knowing what you are looking at there goes a long way to building your skills.
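As an added example (not part of acruhl's post or the RouterOS default config), here is one way to confirm that the defconf drop-invalid rule is really what is eating the Synology traffic before spending time in Wireshark: log what that rule would drop, then capture only the NAS traffic. It assumes the stock RouterOS 6.x defconf rule set, the NAS at 192.168.13.9 from the first post, and a LAN bridge named `bridge` (capture on `ether1` instead if the traffic of interest crosses the WAN).

```routeros
# Added example; assumes RouterOS 6.x defconf, NAS at 192.168.13.9, LAN bridge "bridge".

# 1. Log (do not drop) forward traffic the invalid rule would hit, for the NAS only.
#    Placed immediately before the defconf drop so it sees exactly the same packets.
/ip firewall filter
add chain=forward connection-state=invalid dst-address=192.168.13.9 \
    action=log log-prefix="INVALID->NAS" \
    place-before=[find chain=forward connection-state=invalid action=drop]
add chain=forward connection-state=invalid src-address=192.168.13.9 \
    action=log log-prefix="INVALID<-NAS" \
    place-before=[find chain=forward connection-state=invalid action=drop]

# 2. Reproduce the problem (ping the NAS from a LAN host), then read the log.
#    Each entry shows in/out interface, protocol and addresses of the offending packet;
#    an empty result means the invalid rule is not what is blocking you.
/log print where message~"INVALID"

# 3. Only if the log confirms the rule is involved: capture ~20 s of NAS traffic.
/tool sniffer set file-name=nas-invalid.pcap filter-ip-address=192.168.13.9 \
    filter-interface=bridge file-limit=4096
/tool sniffer start
:delay 20s
/tool sniffer stop
# Download nas-invalid.pcap from Files and open it in Wireshark.

# 4. Remove the temporary log rules when done.
/ip firewall filter remove [find log-prefix~"INVALID"]
```

The log rules change nothing about what is dropped; they only make the drop visible, so the NAS exception by IP that did not help in the first post can be checked against what the log actually shows.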
 
Marktime87
newbie
Topic Author
Posts: 38
Joined: Sat Feb 25, 2017 11:49 am

Re: Mikrotik detecting all traffic to Synology as invalid connections

Fri Feb 16, 2018 4:13 pm

Well, maybe not so weird because that is probably done by using an established outbound connection from your Synology to the Synology website. Then that connection is used to then re-connect inward when you go to the Synology website from the internet. That's going to bypass some firewall rules since the connection is already established.

The Synology is on the same subnet as all other devices that use it, so all pings, IP and hostname requests are being done locally. If you go to the cloud link then it works fine.

The reason I asked about "does it work from the same subnet" is because you're going to bypass firewall rules, in which case you aren't hitting the "invalid" rule. So does it ping from the same subnet? If not, the invalid rule isn't causing this, it's some other problem.

As above, everything is on the same subnet and being accessed locally. I'm sure I'm not as knowledgeable as a lot of people on the subject, but it's my understanding that the invalid rule is on the forward chain, which is for anything passing through the router, local or external. Am I wrong in thinking that?

All I know right now is that disabling the invalid rule fixes the problem, albeit causing another one haha.

Thanks for the tip on sniffing, I'll give it a go over the weekend. A combination of little sleep and a 7am start today has left me feeling a bit sick and fatigued right now :(
 
palii
just joined
Posts: 23
Joined: Sun Nov 19, 2017 6:57 pm

Re: Mikrotik detecting all traffic to Synology as invalid connections

Fri Jun 08, 2018 12:12 pm

Any updates or solutions? I'm having the same problem. Mikrotik's invalid rule is dropping some of my synology packets.
 
anav
Forum Guru
Posts: 22072
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik detecting all traffic to Synology as invalid connections

Fri Jun 08, 2018 2:25 pm

Just a guess but does hairpin NAT have to be set up for this to work?
The reason I say this is because in other routers one simply checked NAT loopback and in the mikrotik after a few waterboarding configuration exercises the same is accomplished.
In other words, the OP may have forgotten about such a simple setting on the previous router when switching to the mikrotik??
Nothing is done for you in mikrotik!!!
 
Van9018
Long time Member
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Mikrotik detecting all traffic to Synology as invalid connections

Sat Jun 09, 2018 3:44 am

Any updates or solutions? I'm having the same problem. Mikrotik's invalid rule is dropping some of my synology packets.

Are you using a VLAN too? If Synology is on the same LAN, then packets don't go through the firewall. Could it be that packets to the Synology go through the LAN and the packets from the Synology are going through the VLAN? This would cause invalid packets that would still be routable, but only if the rule was disabled. Tools > Torch may show the interfaces the packets are flowing through.
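To test Van9018's asymmetric-path theory, an added example (not from the post): watch which interface carries each direction of the NAS traffic, then check whether connection tracking ever saw the reply. The interface names `bridge` and `vlan10-voip` are assumed; the NAS address 192.168.13.9 is from the first post.

```routeros
# Added example; interface names are assumed, NAS address from the thread.

# Packets TO the NAS: run torch on each candidate interface while a LAN host
# pings the NAS. On a symmetric path only one of these shows the traffic.
/tool torch interface=bridge src-address=0.0.0.0/0 dst-address=192.168.13.9/32 ip-protocol=any
/tool torch interface=vlan10-voip src-address=0.0.0.0/0 dst-address=192.168.13.9/32 ip-protocol=any

# Replies FROM the NAS: the same check in the other direction. If requests are
# seen on bridge but replies on vlan10-voip, the router only ever sees half of
# each flow, and every reply is classified as invalid by connection tracking.
/tool torch interface=bridge src-address=192.168.13.9/32 dst-address=0.0.0.0/0 ip-protocol=any
/tool torch interface=vlan10-voip src-address=192.168.13.9/32 dst-address=0.0.0.0/0 ip-protocol=any

# Conntrack view: a healthy flow carries the seen-reply flag (S). Entries for the
# NAS that never get it are the ones the drop-invalid rule is acting on.
/ip firewall connection print where dst-address~"192.168.13.9"

# Bridge view: the NAS MAC should be learned on exactly one bridge port; a MAC that
# moves between ports, or sits on a tagged port, points at the VLAN mismatch.
/interface bridge host print where mac-address=[/ip arp get [find address=192.168.13.9] mac-address]
```

The fix, when this is confirmed, is to make the return path match the request path (correct VLAN membership or the NAS's own network settings) rather than to disable the invalid rule.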
