43north
Member Candidate
Topic Author
Posts: 209
Joined: Fri Nov 14, 2014 7:06 am

Why is ping now blocked by my firewall rule for drop invalid packets?

Tue Dec 05, 2017 6:12 am

So I have had the same setup for quite a while, nothing has changed other than new firmware..... Two routers in OSPF config. When I try to ping from my desktop computer to network switches on the other router it just times out. But on that router if I just disable my drop invalid packets rule, the pings work just fine. Once again nothing has changed, so why is it acting like this now?

My switches are on subnet 10.0.169.0/24; now I can ping servers on that same subnet without having to disable the firewall rule for drop invalid packets. The issue is only with my network switches.
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Why is ping now blocked by my firewall rule for drop invalid packets?

Tue Dec 05, 2017 8:40 am

Maybe your ICMP accept rule is not at the top? Or it's not created?
 
43north
Member Candidate
Topic Author
Posts: 209
Joined: Fri Nov 14, 2014 7:06 am

Re: Why is ping now blocked by my firewall rule for drop invalid packets?

Tue Dec 05, 2017 8:44 am

The ICMP rule is there, but it is below the invalid drop rule. Now it has always been below and never been an issue. Just for kicks I moved it to the top of the list and it still didn't matter, ping won't go through unless I disable the drop invalid rule. Super weird....
 
43north
Member Candidate
Topic Author
Posts: 209
Joined: Fri Nov 14, 2014 7:06 am

Re: Why is ping now blocked by my firewall rule for drop invalid packets?

Sat Dec 09, 2017 6:24 pm

Bump
 
pe1chl
Forum Guru
Posts: 10534
Joined: Mon Jun 08, 2015 12:09 pm

Re: Why is ping now blocked by my firewall rule for drop invalid packets?

Sat Dec 09, 2017 10:08 pm

You forgot to include your configuration with the question. All crystal balls are now in use as Christmas ornaments, so real data is required.
 
Boardy
just joined
Posts: 5
Joined: Sun Apr 01, 2018 11:01 am

Re: Why is ping now blocked by my firewall rule for drop invalid packets?

Sun Apr 01, 2018 11:11 am

Well, same for me. I just recognized that at least 3 clients are pinging the RB and the pings (ICMP type 0) are blocked because they are invalid...

Any idea?

Boardy
Last edited by Boardy on Wed Apr 04, 2018 6:28 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10534
Joined: Mon Jun 08, 2015 12:09 pm

Re: Why is ping now blocked by my firewall rule for drop invalid packets?

Wed Apr 04, 2018 11:06 am

Like so many other beginning admins you need to learn that ICMP is not the same as PING.
ICMP is used for PING but it is used for many other things as well.

ICMP type 0 code 0 is not PING, it is PING REPLY.
When you suddenly receive a PING REPLY without having sent a PING this is "unrelated" and so it is not accepted by a "related" rule,
and it is "invalid" because it is not a way to start a new "ping session".
So it is correct that it is dropped.

As this appears to be your local network, either there are some bad guys trying tricks on you, or maybe you have a meshed network
with autorouting (BGP, OSPF) and you have asymmetric routing (i.e. the traffic in one direction may follow a different path than the reply).
On such a network you cannot use a stateful firewall!! (i.e. you must not use established/related but you must accept all traffic in forward
unless it is to be blocked everywhere)
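The two points above (an echo reply that no tracked request precedes is "invalid", and a stateful rule set therefore breaks when OSPF sends the request and the reply through different routers) can be shown with a small model of a connection tracker. The code below is an added illustration, not RouterOS code or anything posted in this thread; the host addresses, the `Conntrack` class and the rule tuples are constructed for the example, and the rule ordering mimics the usual "accept established/related, drop invalid, accept ICMP" layout with first match winning.

```python
"""Toy model of stateful ICMP echo tracking, modelled on Linux conntrack
(which RouterOS uses underneath /ip firewall). Constructed hosts and rules;
this is an illustration added to the thread, not RouterOS code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ECHO_REPLY = 0    # ICMP type 0: the answer to a ping
ECHO_REQUEST = 8  # ICMP type 8: the ping itself


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int  # echo identifier; conntrack keys echo flows on it


class Conntrack:
    """One router's connection table. Only echo request/reply is modelled."""

    def __init__(self) -> None:
        # (requester, target, ident) tuples seen in the original direction
        self.flows: set = set()

    def state(self, pkt: Icmp) -> str:
        if pkt.icmp_type == ECHO_REQUEST:
            key = (pkt.src, pkt.dst, pkt.ident)
            if key in self.flows:
                return "established"
            self.flows.add(key)  # the first request opens the flow
            return "new"
        if pkt.icmp_type == ECHO_REPLY:
            # A reply is valid only if THIS router saw the matching request.
            if (pkt.dst, pkt.src, pkt.ident) in self.flows:
                return "established"
            return "invalid"  # unsolicited reply: it cannot start a flow
        return "new"  # other ICMP types: simplified


# A rule is (connection_state to match, or None for "any ICMP", action).
Rule = Tuple[Optional[str], str]

# Typical ordering: accept established/related, drop invalid, then accept ICMP.
STATEFUL: List[Rule] = [("established", "accept"), ("related", "accept"),
                        ("invalid", "drop"), (None, "accept")]
# Stateless alternative for asymmetric paths: accept ICMP regardless of state.
STATELESS: List[Rule] = [(None, "accept")]


def verdict(ct: Conntrack, pkt: Icmp, rules: List[Rule]) -> str:
    """First matching rule wins, as in /ip firewall filter."""
    st = ct.state(pkt)
    for match_state, action in rules:
        if match_state is None or match_state == st:
            return action
    return "accept"  # no rule matched: default policy of this toy model


def ping_through(request_router: Conntrack, reply_router: Conntrack,
                 rules: List[Rule]) -> Tuple[str, str]:
    """Request is forwarded by one router, the reply by (possibly) another."""
    req = Icmp("10.0.1.10", "10.0.169.5", ECHO_REQUEST, 0x1234)  # constructed
    rep = Icmp("10.0.169.5", "10.0.1.10", ECHO_REPLY, 0x1234)
    return verdict(request_router, req, rules), verdict(reply_router, rep, rules)


def symmetric(rules: List[Rule]) -> Tuple[str, str]:
    """Both directions cross the same router, so it knows the flow."""
    r = Conntrack()
    return ping_through(r, r, rules)


def asymmetric(rules: List[Rule]) -> Tuple[str, str]:
    """OSPF picks router A for the request and router B for the reply."""
    return ping_through(Conntrack(), Conntrack(), rules)


if __name__ == "__main__":
    print("symmetric, stateful  :", symmetric(STATEFUL))    # ('accept', 'accept')
    print("asymmetric, stateful :", asymmetric(STATEFUL))   # ('accept', 'drop')
    print("asymmetric, stateless:", asymmetric(STATELESS))  # ('accept', 'accept')
```

Router B in the asymmetric case never sees the request, so its tracker has no flow to match the reply against and classifies it as invalid; the "drop invalid" rule then fires before the "accept ICMP" rule ever gets a look. Putting the ICMP accept rule above the drop would change the verdict in this model only for ICMP, which is why the thread's advice for asymmetric topologies is to not rely on connection state in the forward chain at all.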
 
Boardy
just joined
Posts: 5
Joined: Sun Apr 01, 2018 11:01 am

Re: Why is ping now blocked by my firewall rule for drop invalid packets?

Wed Apr 04, 2018 6:34 pm

Yes, many thanks for your explanation - I just figured out that activating The Dude was the reason for these drops...

So I am not sure if it is logical to get invalid replies using Dude on the router, but stopping Dude was also stopping the drops...

I have no mesh and also no asymmetric routing... not sure if this is a misconfig or normal for Dude???

All replies are going to x.x.x.1 which is the router itself...