SA
just joined
Topic Author
Posts: 21
Joined: Wed Jul 28, 2004 12:03 am

stateless fragment processing

Tue Jul 10, 2007 1:36 pm

I have 2 VLAN interfaces (tag 101 and 102) and an "accept all" rule in the forward chain.
Fragmented UDP packets are dropped and there is no way to match them (only the first fragment is matched, with size=1500).
If I enable connection tracking the packets get forwarded and I see their "full" size (>1500).
Seems like a bug to me; I have no need for a stateful firewall and there is no reason to drop transit fragments (unless, of course, there is a specific rule).

MT 2.9.44
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: stateless fragment processing

Tue Jul 10, 2007 7:18 pm

Do you log these drops, or just see that they don't pass by using a packet sniffer? Without connection tracking it should just pass anything, I would assume.
 
SA
just joined
Topic Author
Posts: 21
Joined: Wed Jul 28, 2004 12:03 am

Re: stateless fragment processing

Wed Jul 11, 2007 1:56 pm

So would I.
But no, fragments are silently dropped by RouterOS with tracking disabled, not seen in the mangle nor in the filter chains at all.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: stateless fragment processing

Wed Jul 11, 2007 9:51 pm

http://forum.mikrotik.com/viewtopic.php ... nts#p63884

I would think with conntrack off you should at least be able to route the fragments... however, if you have any firewall rules it seems not to. Not quite sure really, seems odd to me. Maybe you can add a rule to allow fragments; I think I saw that as a filter option in the firewall at one time or another.

Sam
 
SA
just joined
Topic Author
Posts: 21
Joined: Wed Jul 28, 2004 12:03 am

Re: stateless fragment processing

Wed Jul 11, 2007 10:45 pm

Thanks, seems like the same problem (but I have no bridge). Still seems more like a bug: if there is no way to match a fragment (ROS drops it if tracking is disabled, matches the whole reassembled packet if tracking is enabled), then why are there specific options for that in the firewall?
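The behaviour discussed in this thread comes down to where the UDP header lives once a datagram is fragmented: only the first fragment carries it, so a stateless port-matching rule can evaluate the first fragment and nothing else, while connection tracking reassembles the datagram before the filter sees it. The following Python script is an added illustration, not code from the thread or from RouterOS: it builds a 3000-byte UDP payload (constructed sample data, with hypothetical 10.101.x/10.102.x addresses standing in for the two VLANs), fragments it at a 1500-byte MTU, shows what a stateless "dst-port" check can decide per fragment, and then performs the minimal reassembly that a conntrack-enabled path does before filtering.

```python
import struct

IPPROTO_UDP = 17
IP_HDR_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
MF_FLAG = 1                    # "more fragments" bit of the 3-bit flags field


def checksum(data: bytes) -> int:
    """Ones'-complement checksum as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, payload_len: int, ident: int,
                flags: int, frag_offset: int, proto: int = IPPROTO_UDP) -> bytes:
    """Build an IPv4 header; frag_offset is in 8-byte units as on the wire."""
    hdr = struct.pack(IP_HDR_FMT, (4 << 4) | 5, 0, 20 + payload_len, ident,
                      (flags << 13) | frag_offset, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_udp_datagram(src: str, dst: str, sport: int, dport: int,
                       payload: bytes, ident: int = 0x1234) -> bytes:
    """Unfragmented IPv4/UDP datagram (UDP checksum 0 = not computed, legal for IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(ip_bytes(src), ip_bytes(dst), len(udp), ident, 0, 0) + udp


def parse(packet: bytes) -> dict:
    """Decode the fields a firewall needs to classify a (possibly fragmented) packet."""
    _, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(IP_HDR_FMT, packet[:20])
    return {"id": ident, "proto": proto, "src": src, "dst": dst, "len": total_len,
            "mf": bool((flags_frag >> 13) & MF_FLAG),
            "offset": (flags_frag & 0x1FFF) * 8,
            "payload": packet[20:]}


def fragment(packet: bytes, mtu: int) -> list:
    """Split one datagram into fragments that fit the MTU, like a router would."""
    p = parse(packet)
    chunk = (mtu - 20) // 8 * 8          # fragment data must be a multiple of 8 bytes
    body, frags = p["payload"], []
    for off in range(0, len(body), chunk):
        piece = body[off:off + chunk]
        flags = MF_FLAG if off + chunk < len(body) else 0
        frags.append(ipv4_header(p["src"], p["dst"], len(piece), p["id"], flags, off // 8) + piece)
    return frags


def stateless_match(packet: bytes, dport: int) -> str:
    """What a filter without connection tracking can decide from a single packet."""
    p = parse(packet)
    if p["proto"] != IPPROTO_UDP:
        return "no-match"
    if p["offset"] > 0:
        return "fragment-no-l4-header"   # non-first fragment: UDP header is not present
    _, dst_port, _, _ = struct.unpack("!HHHH", p["payload"][:8])
    return "match" if dst_port == dport else "no-match"


def reassemble(frags: list) -> bytes:
    """Minimal reassembly of the kind conntrack performs before the filter runs."""
    parsed = sorted((parse(f) for f in frags), key=lambda p: p["offset"])
    expected = 0
    for p in parsed:
        if p["offset"] != expected:
            raise ValueError("gap in fragment sequence")
        expected += len(p["payload"])
    if parsed[-1]["mf"]:
        raise ValueError("last fragment missing")
    body = b"".join(p["payload"] for p in parsed)
    first = parsed[0]
    return ipv4_header(first["src"], first["dst"], len(body), first["id"], 0, 0) + body


def demo():
    """Constructed example: one 3000-byte UDP payload between the two VLAN subnets."""
    pkt = build_udp_datagram("10.101.0.2", "10.102.0.2", 40000, 5060, b"X" * 3000)
    frags = fragment(pkt, 1500)
    verdicts = [stateless_match(f, 5060) for f in frags]
    full = reassemble(frags)
    return len(pkt), [len(f) for f in frags], verdicts, len(full), full == pkt


if __name__ == "__main__":
    print(demo())
```

Running it shows the first fragment sized to the MTU and matching the port rule, the remaining fragments reporting that no transport header is available, and the reassembled datagram restored to its original length above 1500 bytes. A stateless ruleset therefore needs an explicit decision for non-first fragments (accept, drop, or a dedicated fragment matcher) rather than relying on port-based rules alone.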
