medi01
just joined
Topic Author
Posts: 23
Joined: Wed Jun 20, 2018 9:49 am

Firewall: Invalid forward packets, unknown input

Sun Jan 17, 2021 2:49 pm

I came across the following in Mikrotik log:

invalid forward: in:bridge out:ether1, src-mac xx..., proto TCP (RST), 10.0.0.204:57914->23.3.109.12:443, len 40
(iphone to an Akamai)
invalid forward: in:bridge out:ether1, src-mac ...., proto TCP (ACK,FIN), 10.0.0.152:60806->54.173.8.102:80, len 52
(amazon stick to amazon)

this is logged by "drop forward state=invalid" rule.
NAT is configured to "masquerade" everything going through WAN port.

Could you tell me what is "invalid" about that? (I've read that it is mostly about badly NAT-ed packets... but the devices in question have no issues connecting to the internet, on top of masquerade rule simply saying "whatever goes through WAN")



Second question, unexpected inputs (SYN):

src-mac ....., proto TCP (SYN), 89.248.162.161:42541-> mikrotik:13413, len 40
...

I see a number of those, is it someone scanning my net? Curious is that those come in packs from various IPs:

Image
 
mkx
Forum Guru
Posts: 13109
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall: Invalid forward packets, unknown input

Sun Jan 17, 2021 3:52 pm

invalid forward: in:bridge out:ether1, src-mac xx..., proto TCP (RST), 10.0.0.204:57914->23.3.109.12:443, len 40
invalid forward: in:bridge out:ether1, src-mac ...., proto TCP (ACK,FIN), 10.0.0.152:60806->54.173.8.102:80, len 52
Really depends on context ... It is expected to happen right after router reboot because then it doesn't have any notion of existing (before reboot) end-to-end connections and any packet belonging to those connections will be seen as invalid. This state should recover as clients establish new connections.
Another possibility is packet loss ... so router already changed its connection status while client did not ... this would imply packet loss inside LAN, such as dropped packets due to wifi woes (e.g. client changing serving AP or some such).


I see a number of those, is it someone scanning my net?
There's always somebody (something) scanning the net. Personally I don't care about packets being dropped (unless debugging some connectivity issues), I care more about packets not dropped.
 
pe1chl
Forum Guru
Posts: 10544
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall: Invalid forward packets, unknown input  [SOLVED]

Sun Jan 17, 2021 9:39 pm

I came across the following in Mikrotik log:

invalid forward: in:bridge out:ether1, src-mac xx..., proto TCP (RST), 10.0.0.204:57914->23.3.109.12:443, len 40
(iphone to an Akamai)
invalid forward: in:bridge out:ether1, src-mac ...., proto TCP (ACK,FIN), 10.0.0.152:60806->54.173.8.102:80, len 52
(amazon stick to amazon)

this is logged by "drop forward state=invalid" rule.
This is caused by the premature deletion of the connection entry for TCP in Linux.
When the router sees a close of the TCP session (FIN/ACK FIN) it immediately deletes the connection entry, instead of setting it to a timeout of say 30 seconds.
The result is that when the ACK FIN is not received by the other side, due to packet loss in the network, it will be re-transmitted, the packet will not match a connection entry, and it will be deemed "invalid".
This same thing can happen with a superfluous RST that is transmitted by some operating systems as a final packet after FIN/ACK FIN/ACK sequence.

It really is a bug. But as others write, best is to not log invalid packets, just live with them. You could also decide to pass invalid packets when the protocol is TCP and the TCP flags are RST or ACK FIN, or not to log that case.
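The two remedies pe1chl describes (drop the log flag, or handle TCP RST / FIN,ACK leftovers from the LAN separately) written out as RouterOS firewall rules. This is an added example, not configuration from the thread; it assumes the bridge is a member of an interface list named LAN as in the default configuration, and the comment strings are placeholders chosen here.

```routeros
# Added example, not from the thread. Interface names follow the log lines
# (in:bridge = LAN side, out:ether1 = WAN side). Assumes an interface list
# "LAN" already contains the bridge (default config); if not, create it first:
#   /interface list add name=LAN
#   /interface list member add list=LAN interface=bridge

/ip firewall filter

# Before: the rule the OP has. Every invalid forward packet is dropped AND
# logged, so late FIN/ACK retransmits and trailing RSTs from LAN clients
# after a closed session fill the log.
add chain=forward connection-state=invalid action=drop \
    log=yes log-prefix="invalid forward" comment="invalid forward (noisy)"

# After, option 1: keep the drop, just stop logging it.
set [find comment="invalid forward (noisy)"] log=no

# After, option 2: match the known-benign teardown cases from the LAN first,
# without logging, so the logged rule only sees genuinely unexpected traffic.
# Use action=accept instead of action=drop if you prefer to pass them through.
add chain=forward connection-state=invalid protocol=tcp tcp-flags=rst \
    in-interface-list=LAN action=drop \
    comment="late RST after close, not logged" \
    place-before=[find comment="invalid forward (noisy)"]
add chain=forward connection-state=invalid protocol=tcp tcp-flags=fin,ack \
    in-interface-list=LAN action=drop \
    comment="late FIN/ACK after close, not logged" \
    place-before=[find comment="invalid forward (noisy)"]
```

Apply only one of the two options; with option 2 the original rule keeps log=yes so anything invalid that is not a LAN-side RST or FIN/ACK still shows up in the log.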
 
medi01
just joined
Topic Author
Posts: 23
Joined: Wed Jun 20, 2018 9:49 am

Re: Firewall: Invalid forward packets, unknown input

Mon Jan 18, 2021 9:37 am

This is caused by the premature deletion of the connection entry for TCP in Linux.
When the router sees a close of the TCP session (FIN/ACK FIN) it immediately deletes the connection entry, instead of setting it to a timeout of say 30 seconds.
The result is that when the ACK FIN is not received by the other side, due to packet loss in the network, it will be re-transmitted, the packet will not match a connection entry, and it will be deemed "invalid".
This same thing can happen with a superfluous RST that is transmitted by some operating systems as a final packet after FIN/ACK FIN/ACK sequence.

It really is a bug. But as others write, best is to not log invalid packets, just live with them. You could also decide to pass invalid packets when the protocol is TCP and the TCP flags are RST or ACK FIN, or not to log that case.
Would it be OK to simply ignore (not drop) invalid packets originating from my LAN (drop incoming)?
 
pe1chl
Forum Guru
Posts: 10544
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall: Invalid forward packets, unknown input

Mon Jan 18, 2021 11:01 am

What do you mean with "ignore (not drop)"?
As I said, the easiest is to remove the log flag on that rule.
In a NAT router, you can also consider removing the entire rule. It does not really accomplish much: invalid traffic from WAN would be blocked because of the NAT anyway.
 
ZupoLlask
just joined
Posts: 17
Joined: Mon Jan 26, 2015 1:26 pm

Re: Firewall: Invalid forward packets, unknown input

Sun Oct 30, 2022 12:00 pm