Hello,
I moved appartment recently, and since I've redone my network setup I see a lot of traffic that seems legit getting dropped.
While working with my mikrotik hap ac2 (redesigning vlans) I added some log rules for dropped traffic. I see a few issues in the logs that makes me wonder if something is wrong with my device and / or my setup.

My setup consists of a few VLANs, that are routed to the internet via my mikrotik doing NATing. The Mikrotik is connected to the internet via PPPoE using a Telekom (german operator) glassfiber modem.

Mainly I see a few things:

* Dropped Input SYN from INPUT
Those are probably normal. My guess is it comes mostly from scanners examples:
```
[input] input: in:telekom-pppoe out:(unknown 0), proto TCP (SYN), 14.135.120.222:53950->my.public.ip:195, len 52
[input] input: in:telekom-pppoe out:(unknown 0), proto TCP (SYN), 193.201.8.121:42141->my.public.ip:6392, len 44
```

* Dropped ACK,FIN or ACK,FIN,PSH from INPUT
Those I can't explain. They always seem coming from legit traffic (google, amazon...), but it seems that the router lost to who it should send it too?

```
[input] input: in:telekom-pppoe out:(unknown 0), src-mac ec:13:db:77:aa:6b, proto TCP (ACK,FIN,PSH), 35.190.80.1:443->my.public.ip:57053, len 181
[input] input: in:telekom-pppoe out:(unknown 0), src-mac ec:13:db:77:aa:6b, proto TCP (ACK,FIN,PSH), 3.67.35.217:443->my.public.ip:57046, len 154
[input] input: in:telekom-pppoe out:(unknown 0), src-mac ec:13:db:77:aa:6b, proto TCP (ACK,FIN), 172.217.19.67:80->my.public.ip:57048, len 52
[input] input: in:telekom-pppoe out:(unknown 0), src-mac ec:13:db:77:aa:6b, proto TCP (ACK,FIN,PSH), 8.8.8.8:443->my.public.ip:57047, len 181
[input] input: in:telekom-pppoe out:(unknown 0), src-mac ec:13:db:77:aa:6b, proto TCP (ACK,FIN), 172.217.16.78:80->my.public.ip:57029, len 52
```

* Invalid RST ACK,RST or ACK,FIN on Forward
It seems that randomly I drop from forward some traffic that my router considers invalid. Those are RST packets and ACK,FIN from what I could see. Sometimes between my VLAN, sometimes not.

```
[invalid] forward: in:Trusted VLAN out:telekom-pppoe, src-mac b0:e5:f9:bc:c1:96, proto TCP (ACK,FIN), 10.42.10.17:51793->172.217.16.74:443, len 52
[invalid] forward: in:Homelab VLAN - 30 out:IoT VLAN, src-mac 00:42:cb:e4:66:f4, proto TCP (RST), 10.42.30.11:43546->10.42.20.13:8443, len 40
[invalid] forward: in:Trusted VLAN out:telekom-pppoe, src-mac b0:e5:f9:bc:c1:96, proto TCP (RST), 10.42.10.17:60856->92.122.77.247:443, len 40
[invalid] forward: in:Trusted VLAN out:telekom-pppoe, src-mac b0:e5:f9:bc:c1:96, proto TCP (ACK,RST), 10.42.10.17:51750->142.250.147.188:5228, len 40
```

Overall, it seems mostly to be FIN and RST packets, so my supposition is that it shouldn't be a problem dropping them, that it comes either from a configuration or from the device itself to optimize it's cpu to clear the connection from the conn track table early, and that's why it cannot NAT back to the source. Still wouldn't explain the between VLANs invalids though.

Does someone have a better explanation regarding those packets and why they are dropped? Is it a normal behavior? Do you think it could cause issues to my setup?

Thank you,
Mickael

Hey, Bumping up this thread.


I am seeing similar issues.
It's dropping packets with `ACK, PSH`, `ACK,RST`, `ACK,FIN,PSH` and `RST` flags set.


From reading several other threads here, I have learned that mikrotik(or perhaps linux?) wipes out connection table when it receives the packet with `FIN` bit set. In TCP, Some devices send `FIN,ACK`, Stuff like windows sometimes sends, `RST` to close the connection and so on. Since, Mikrotik wipes connection from the connection table at the first packet, All the packets after that are considered invalid. I increased the close wait to 30s but I still see this a lot. I am not sure if I am missing something here? I think mikrotik should be handling this properly by letting, `RST`, `ACK,RST` and `FIN,ACK` packets pass.

However, for the life of me, I can not figure out why is a packet with `ACK,PSH` is considered invalid?
I keep seeing stuff like this in the logs.

See viewtopic.php?p=936148#p936148

* Dropped Input SYN from INPUT
Those are probably normal. My guess is it comes mostly from scanners examples:
```
input: in:telekom-pppoe out:(unknown 0), proto TCP (SYN), 14.135.120.222:53950->my.public.ip:195, len 52
input: in:telekom-pppoe out:(unknown 0), proto TCP (SYN), 193.201.8.121:42141->my.public.ip:6392, len 44
```

Yes, being in the input, not forward, chain those are destined for the Mikrotik itself.

However, for the life of me, I can not figure out why is a packet with `ACK,PSH` is considered invalid?

There are multiple possible reasons, and you would have to run packet sniffing to find out in detail.

First, TCP doesn't mandate that once one party sends FIN, the other one must respond with FIN immediately - sending payload data may continue unidirectionally after one party has said all it wanted to say and just waits for the response. It is not very common nowadays as it turned out there are benefits in reusing TCP sessions for multiple conversations, but it is possible.

Second, those dropped packets may be retransmitted or delayed packets that have arrived after the session has been terminated.

Thanks for responding! Your reply makes sense. I'll dive deeper into this in future _if_ this bothers me again. For now, It just feels like a lot of work and I can ignore it like i have been ignoring it for almost a year.

Totally normal to see, this is why NAT sucks - implementations of NAT have their own idea of when a connection is "finished" that doesn't match the OSes communicating.