MikroTik

If I turn on logging/blocking of invalid forward traffic in this intermediate router I get a lot of packets that seem to be legit but are being marked as invalid.

For now I am allowing it in case it causes problems for our customers so I hope someone might be able to explain why I am seeing this.

To clarify this router is running PPPoE Server serving public IPs to PPPoE customers. Each customer is running their own consumer grade firewall and NAT
The router in the screenshot is not doing any NAT

The traffic looks legitimate so I am trying to establish why it is being marked as INVALID.

Those ack,fin and rst are package sent by the other side to end the established connecting, that is considered by your Mikrotik already as ended.

These packets are coming in now and are bouncing off because nobody is waiting to welcome them.

Thank you for the reply, I am not clear what you are mean though or if it is normal or not?

The majority of these packets come from my customer side (PPPoE clients) attempting to reach outside (internet) addresses