TCP to my VPN GW is filtered as invalid packet
Posted: Mon Jun 05, 2023 12:52 am
Hello
I have a Mikrotik Router (CCR1009) with two VLAN/Subnet. One is 50 / 172.16.50.0/24 and the other is 90 / 172.16.90.0/24.
The 50 is used for Servers and the 90 is used for Clients. I have a Server at 172.16.50.140 and a VPN GW (WireGuard) at 172.16.50.100. The VPN GW provides 192.168.99.0/24 to its clients.
One of the VPN clients provides an HTTP Server on Port 80. The clients on 90 can access it fine. But the Servers on 50 can access it, just with very high latency. Checking with Wireshark showed that there are TCP Retransmissions.
With some testing, I figured out that my drop invalid firewall rule on the Mikrotik Router is the culprit. As soon as I disable the drop invalid on the forwarding chain the issue is gone and the requests are working without delay. Any idea why?
There is a route 192.168.99.0/24 via 172.16.50.100 on the Mikrotik. Also there is iptables on the VPN GW to handle NAT.

My Firewall rules:
4 ;;; accept established, related
chain=input action=accept connection-state=established,related log=no log-prefix=""
5 ;;; drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
6 ;;; accept allowed_to_router
chain=input action=accept src-address-list=allowed_to_router log=no log-prefix=""
7 ;;; accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
8 ;;; accept IGMP
chain=input action=accept protocol=igmp log=no log-prefix=""
9 ;;; accept IGMP IPTV
chain=input action=accept connection-state="" protocol=udp src-port=5000 dst-port=5000 log=no log-prefix=""
10 ;;; accept IGMP IPTV
chain=input action=accept connection-state="" protocol=udp src-address=0.0.0.0/0 dst-address=239.0.0.0/8 log=no log-prefix=""
11 ;;; General drop
chain=input action=drop log=no log-prefix=""
18 chain=forward action=accept connection-state="" protocol=udp src-port=5000 dst-port=5000 log=no log-prefix=""
19 ;;; accept established, related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
20 ;;; drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
21 ;;; drop all from WAN not DSTNATed
chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
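The following is an added example, not code from the post or from RouterOS. It is a toy model of the Netfilter-style TCP connection tracking that RouterOS uses, built to show the one situation in which a forward-chain "drop invalid" rule turns a working connection into retransmissions: the router sees only one direction of the flow. The scenario it models is an assumption consistent with the setup described above, not a confirmed diagnosis: the server on 172.16.50.140 sends its SYN to 192.168.99.x through the CCR1009, which forwards it to 172.16.50.100 on the same VLAN, while the VPN GW (or its iptables NAT) sends the SYN/ACK and later reply segments straight back to 172.16.50.140 on the shared subnet without ever crossing the router. Clients on VLAN 90 are unaffected because both directions of their traffic must pass the router. The transition table is a simplification of the kernel's nf_conntrack_proto_tcp state machine, and the forward chain models only rules 19 and 20 of the listing, assuming that anything not matched there is accepted by a later rule the listing does not show.

```python
"""Toy model of TCP connection tracking to illustrate why an asymmetric flow
becomes connection-state=invalid. Added example; not the router's own code."""
from enum import Enum


class St(Enum):
    NONE = "NONE"
    SYN_SENT = "SYN_SENT"
    SYN_RECV = "SYN_RECV"
    ESTABLISHED = "ESTABLISHED"


# (direction, TCP flags, current tracking state) -> next state.
# A lookup miss is what the kernel classifies as INVALID: the segment does not
# fit the tracked state and the conntrack entry is left untouched.
# Simplified from nf_conntrack_proto_tcp; only the handshake and data paths
# needed for the scenario are included.
TRANSITIONS = {
    ("orig", "SYN", St.NONE): St.SYN_SENT,
    ("orig", "SYN", St.SYN_SENT): St.SYN_SENT,            # retransmitted SYN
    ("reply", "SYN/ACK", St.SYN_SENT): St.SYN_RECV,
    ("orig", "ACK", St.SYN_RECV): St.ESTABLISHED,          # third handshake step
    ("orig", "ACK", St.ESTABLISHED): St.ESTABLISHED,       # data segments
    ("reply", "ACK", St.SYN_RECV): St.SYN_RECV,
    ("reply", "ACK", St.ESTABLISHED): St.ESTABLISHED,
    ("orig", "ACK", St.NONE): St.ESTABLISHED,              # mid-stream pickup (tcp_loose)
}


def track(packets):
    """Return the connection-state the firewall sees for each segment.

    packets: list of (direction, flags) as seen by the router, where direction
    is "orig" (client -> server) or "reply" (server -> client).
    """
    state = St.NONE
    seen_reply = False
    states = []
    for direction, flags in packets:
        nxt = TRANSITIONS.get((direction, flags, state))
        if nxt is None:
            states.append("invalid")
            continue
        if direction == "reply":
            seen_reply = True
            states.append("established")
        else:
            # Original direction stays "new" until a reply has been tracked.
            states.append("established" if seen_reply else "new")
        state = nxt
    return states


def forward_chain(conn_state, drop_invalid=True):
    """Rules 19 and 20 of the post's forward chain, evaluated in order.
    Assumption: anything not matched by them is accepted further down."""
    if conn_state in ("established", "related"):
        return "accept"
    if conn_state == "invalid" and drop_invalid:
        return "drop"
    return "accept"


# Constructed sample flows. Symmetric: a VLAN 90 client, whose request and the
# reply both traverse the router. Asymmetric: the VLAN 50 server, whose reply
# direction reaches it directly from 172.16.50.100 and is never tracked.
SYMMETRIC = [("orig", "SYN"), ("reply", "SYN/ACK"), ("orig", "ACK"), ("orig", "ACK")]
ASYMMETRIC = [("orig", "SYN"), ("orig", "ACK"), ("orig", "ACK")]


def verdicts(packets, drop_invalid=True):
    """Pair each segment with its conntrack state and the forward-chain verdict."""
    return [(s, forward_chain(s, drop_invalid)) for s in track(packets)]


if __name__ == "__main__":
    for name, flow in (("VLAN 90 client", SYMMETRIC), ("VLAN 50 server", ASYMMETRIC)):
        print(name, "drop invalid on: ", verdicts(flow))
        print(name, "drop invalid off:", verdicts(flow, drop_invalid=False))
```

In the asymmetric flow the SYN is tracked as "new", but every later segment from the server arrives while the entry is still in SYN_SENT, because the SYN/ACK that would have moved it forward never passed the router; those segments are classified invalid and rule 20 drops them, which is the retransmission pattern Wireshark shows. To confirm this on the router rather than in a model, set log=yes on the drop-invalid forward rule (for example log-prefix="INVALID") and check whether the logged drops are exactly 172.16.50.140 -> 192.168.99.x, and look at /ip firewall connection print for that pair: an entry stuck in the syn-sent state is the tell-tale. If that is what you see, the fix is to make both directions take the same path, for instance a route on 172.16.50.140 sending 192.168.99.0/24 directly to 172.16.50.100 so the router is out of the picture for that server, rather than weakening the drop-invalid rule for everyone.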