We have a disaster - we basically just changed our firewall to a Mikrotik CCR1009-8G-1S-1S+ currently running 7.16.1. Tonight we'll upgrade to 7.16.2, but the notes don't suggest that it will fix it. Short of going back to our old firewall, we'd prefer to get the Mikrotik working.
It's as if there's a limit on connections and sessions, and so when that limit is reached the connection is dropped.
Or the high outbound port numbers are restricted or limited or something.
The Issue
Randomly the Mikrotik will drop the RDP connection - this is in the order of several times a day, all day, per person, but it's disconnecting someone every several minutes, just choosing different users. The user then sees a black screen, reconnects and then gets in for several hours until it's their turn again. Only using TCP for my RDP. It's across older servers (2012 R2) and newer servers (Windows 2019).
The Windows servers report "Session XX has been disconnected, reason code 0".
My Network
We have several public IP addresses on one WAN port. We have several inbound RDP servers on different public IPs.
We can't use VPN to our customers.
So therefore there is a DST-NAT rule to link the public IP address to the private server via the port.
add action=dst-nat chain=dstnat comment=" (Rule 249) " \
dst-address=PublicAddress.01 dst-port=3389 in-interface=sfp1 log=yes \
log-prefix=RULE249 protocol=tcp src-address-list=SAFELIST \
to-addresses=192.168.200.64 to-ports=3389
As I also want traffic that's leaving that server to be coming from its own public IP, I also have a SRC-NAT rule.
add action=src-nat chain=srcnat comment="(Rule 249)" out-interface=sfp1 \
src-address=192.168.200.64 to-addresses=PublicAddress.01
I also have a forwarding rule.
add action=accept chain=forward comment="(Rule 249)" dst-address=\
192.168.200.64 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp
Each server is set up the same way on a different IP.
So I've looked at the timeouts and increased them:
enabled: auto
active-ipv4: yes
active-ipv6: no
tcp-syn-sent-timeout: 30s
tcp-syn-received-timeout: 30s
tcp-established-timeout: 1d
tcp-fin-wait-timeout: 10s
tcp-close-wait-timeout: 10s
tcp-last-ack-timeout: 10s
tcp-time-wait-timeout: 10s
tcp-close-timeout: 10s
tcp-max-retrans-timeout: 5m
tcp-unacked-timeout: 5m
loose-tcp-tracking: yes
udp-timeout: 20s
udp-stream-timeout: 3m
icmp-timeout: 10s
generic-timeout: 10m
max-entries: 1048576
total-entries: 3179
I have a "block invalid forward traffic" rule that was being fired by some traffic on other servers - anyway I've changed block to log.
So there could be something in this - maybe. Here's the rule anyway.
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid log=yes log-prefix="Drop invalid"
The client also has a Mikrotik - that's been there forever - it's only on our side that's been changed.
Basically getting a whole bunch of upset users.
PS: Many thanks in advance for your help.
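One way to check whether the "Drop invalid" rule is hitting live RDP sessions is to parse the router's firewall log and count invalid-state drops of non-SYN TCP packets heading for port 3389 on the RDP servers. This is an added example, not code from the post or from MikroTik; it assumes RouterOS's usual firewall log line layout, and the sample lines, interface names and client IPs are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in RouterOS firewall-log layout, as the "Drop invalid"
# rule (log-prefix="Drop invalid") and the dst-nat rule (log-prefix=RULE249) from
# the post would produce. Interface names and client/public IPs are assumed.
SAMPLE_LOG = """\
10:01:05 firewall,info Drop invalid forward: in:sfp1 out:bridge1, proto TCP (ACK,PSH), 203.0.113.10:51234->192.168.200.64:3389, len 52
10:01:07 firewall,info RULE249 dstnat: in:sfp1 out:(unknown 0), proto TCP (SYN), 203.0.113.10:51235->198.51.100.1:3389, len 60
10:02:30 firewall,info Drop invalid forward: in:sfp1 out:bridge1, proto TCP (ACK), 203.0.113.11:49152->192.168.200.65:3389, len 40
10:03:11 firewall,info Drop invalid forward: in:bridge1 out:sfp1, proto UDP, 192.168.200.70:5353->203.0.113.53:53, len 80
10:04:00 firewall,info Drop invalid forward: in:sfp1 out:bridge1, proto TCP (ACK,PSH), 203.0.113.10:51234->192.168.200.64:3389, len 52
"""

# time, log-prefix, chain, interfaces, protocol, optional TCP flags, 5-tuple, length
LINE_RE = re.compile(
    r"^(?P<time>\S+) firewall,info (?P<prefix>.+?) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>[^,]+), proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[^)]*)\))?, (?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)$"
)


def parse_line(line):
    """Return the fields of one firewall log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def invalid_rdp_drops(log_text, rdp_port="3389", prefix="Drop invalid"):
    """Count invalid-state drops of non-SYN TCP packets to an RDP port, keyed
    by (client, server). A dropped SYN is just a failed new attempt, but a
    dropped ACK/PSH to 3389 means connection tracking had lost a live session,
    which is what a user sees as a disconnect."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        if rec["proto"] != "TCP" or rec["dport"] != rdp_port:
            continue
        if "SYN" in (rec["flags"] or "").split(","):
            continue
        hits[(rec["src"], rec["dst"])] += 1
    return hits


if __name__ == "__main__":
    for (client, server), n in invalid_rdp_drops(SAMPLE_LOG).most_common():
        print(f"{n:3d} invalid-state drops  {client} -> {server}:3389")
```

Feed it the output of /log print where topics=firewall and compare the timestamps of the counted drops with the "reason code 0" disconnect times on the servers.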