texmeshtexas
Member Candidate
Topic Author
Posts: 151
Joined: Sat Oct 11, 2008 11:17 pm

Invalid connections

Mon Nov 04, 2013 4:49 am

Anyone having trouble with a firewall filter rule like this?

add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid

This absolutely creates much trouble with my customers' traffic.

Seems to kill all sorts of valid traffic, including my AirControl traffic to my APs and CPEs.

We are a fully routed network.
Have tried on RouterOS v5.25 and v6.5; same result.

Any suggestions?
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Invalid connections

Mon Nov 04, 2013 5:13 am

What is the full picture of the IP Firewall filters?
 
texmeshtexas
Member Candidate
Topic Author
Posts: 151
Joined: Sat Oct 11, 2008 11:17 pm

Re: Invalid connections

Tue Nov 05, 2013 5:13 am

It's rule 10 that causes all the trouble.

# nov/ 4/2013 21:10:13 by RouterOS 6.5
#
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Established input
chain=input action=accept connection-state=established
1 ;;; Established forward
chain=forward action=accept connection-state=established
2 ;;; Related input
chain=input action=accept connection-state=related
3 ;;; Related forward
chain=forward action=accept connection-state=related
4 chain=input action=accept protocol=ospf
5 ;;; Routing subnet
chain=input action=accept src-address=10.100.0.0/16
6 ;;; MMSystems
chain=input action=accept src-address-list=MMSystems
7 ;;; MMSystems
chain=input action=accept src-address-list=MMSystemsPub
8 ;;; MMSystems
chain=forward action=accept src-address-list=MMSystems
9 ;;; MMSystems
chain=forward action=accept src-address-list=MMSystemsPub
10 X ;;; Drop invalid forward
chain=forward action=drop connection-state=invalid protocol=tcp
in-interface=Eth6-customers
11 X ;;; Drop invalid input
chain=input action=drop connection-state=invalid protocol=tcp
12 ;;; Allow customer to certain addresses
chain=forward action=accept dst-address-list=CustAllow
in-interface=Eth6-customers
13 chain=forward action=drop protocol=tcp src-address-list=InsidePrivate
dst-address-list=MMSystems dst-port=22-23
14 ;;; Allow suspended customers to reach whitelist
chain=forward action=accept src-address-list=Suspended
dst-address-list=whitelist
15 ;;; Allow customer to certain addresses
chain=forward action=accept src-address-list=InsidePublic
dst-address-list=CustAllow
16 ;;; Allow customer to certain addresses
chain=forward action=accept src-address-list=InsidePrivate
dst-address-list=CustAllow
17 ;;; Allow customer to certain addresses
chain=input action=accept src-address-list=InsidePublic
dst-address-list=CustAllow
18 ;;; Allow customer to certain addresses
chain=input action=accept src-address-list=InsidePrivate
dst-address-list=CustAllow
19 ;;; Allow DNS resolution for Suspended customers TCP
chain=input action=accept protocol=tcp src-address-list=Suspended
dst-port=53
20 ;;; Allow DNS resolution for Suspended customers TCP
chain=forward action=accept protocol=tcp src-address-list=Suspended
dst-port=53
21 ;;; drop insidepri to insidepri
chain=forward action=drop src-address-list=InsidePrivate
dst-address-list=InsidePrivate
22 ;;; drop insidepub to insidepri
chain=forward action=drop src-address-list=InsidePublic
dst-address-list=InsidePrivate
23 ;;; drop insidepri to 172
chain=forward action=drop src-address-list=InsidePrivate
dst-address-list=InfraEquip
24 ;;; drop insidepub to 172
chain=forward action=drop src-address-list=InsidePublic
dst-address-list=InfraEquip
25 ;;; Drop traffic from Restricted addresses
chain=forward action=drop src-address-list=Restricted
26 ;;; dns
chain=input action=accept protocol=tcp port=53
27 ;;; dns, ntp, snmp
chain=input action=accept protocol=udp dst-port=53,123,161,162
28 ;;; ldp
chain=input action=accept protocol=udp dst-port=646
29 X chain=input action=log log-prefix=""
30 ;;; Drop all remaining Input traffic
chain=input action=drop
31 ;;; Drop traffic to restricted addresses
chain=forward action=drop dst-address-list=Restricted
32 ;;; Drop remaining Suspended customer traffic
chain=forward action=drop protocol=tcp src-address-list=Suspended
dst-port=!80
33 ;;; Accept remaining traffic for customers on "Customers" list.
chain=forward action=accept src-address-list=Customers
34 ;;; MMSystems
chain=forward action=accept src-address-list=MMSystems
35 ;;; MMSystems
chain=forward action=accept src-address-list=MMSystemsPub
36 ;;; MMSystems
chain=forward action=accept dst-address-list=MMSystems
37 ;;; MMSystems
chain=forward action=accept dst-address-list=MMSystemsPub
38 ;;; Allow customer to certain addresses
chain=forward action=accept src-address-list=InsidePublic
dst-address-list=CustAllow
39 ;;; Allow customer to certain addresses
chain=forward action=accept src-address-list=InsidePrivate
dst-address-list=CustAllow
40 ;;; Drop all remaining traffic from Customers->!MMsystems not on "Customers"
list. Keeps unregistered customer from accessing the internet but allows Management access.
chain=forward action=drop src-address-list=!Customers
dst-address-list=!MMSystems in-interface=Eth6-customers
41 X chain=PortScan action=return
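
A rule that drops connection-state=invalid only tells you that conntrack could not place a packet in a known flow; it does not say why. On a tower router with more than one upstream path, the usual reason is that the router sees only one direction of a TCP flow (asymmetric routing), so every mid-stream packet it does see is "invalid" to it. The cheap way to find out is to put a log rule directly ahead of the drop rule and read what it catches. The script below is an added example for this thread, not code from the original posts or from MikroTik. It assumes two log rules of my own, placed in front of the disabled rules 10 and 11 above and deliberately without the protocol=tcp and in-interface restrictions so that everything conntrack calls invalid gets logged:

/ip firewall filter add chain=forward connection-state=invalid action=log log-prefix="inv-fwd" place-before=10
/ip firewall filter add chain=input connection-state=invalid action=log log-prefix="inv-in" place-before=11

The log lines embedded in the script are constructed to follow the RouterOS firewall log layout (prefix, chain, in/out interface, optional src-mac, proto with TCP flags, src->dst, len); the addresses and interface names other than Eth6-customers are made up. It groups the drops by chain, ingress interface and the kind of TCP packet involved: a SYN that was still called invalid, a FIN/RST from a flow already torn down (harmless to drop), or a mid-stream ACK/data packet that conntrack never saw the handshake for, which is the asymmetric-routing signature.

```python
"""Triage what a RouterOS "drop invalid" rule is actually dropping.

Added example, not MikroTik's code. Assumes log rules with prefixes
"inv-fwd"/"inv-in" placed directly before the drop-invalid rules, and
a copy of the resulting log lines (/log print, or a syslog feed).
"""
import re
from collections import Counter

# One RouterOS firewall log line (the part after the timestamp/topics).
# Example: inv-fwd forward: in:Eth6-customers out:ether1, src-mac 00:11:22:33:44:55,
#          proto TCP (ACK,PSH), 10.100.5.20:51234->203.0.113.9:443, len 1500
LOG_RE = re.compile(
    r"(?P<prefix>\S+) (?P<chain>input|forward|output): "
    r"in:(?P<iface_in>\S+) out:(?P<iface_out>[^,]+), "
    r"(?:src-mac [0-9A-Fa-f:]+, )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<len>\d+)"
)

# Constructed sample log (not captured from a real router). Interface name
# Eth6-customers is the thread's; ether1/ether2 are assumed upstream links.
SAMPLE_LOG = """\
nov/04 21:12:01 firewall,info inv-fwd forward: in:Eth6-customers out:ether1, src-mac 00:11:22:33:44:55, proto TCP (ACK,PSH), 10.100.5.20:51234->203.0.113.9:443, len 1500
nov/04 21:12:01 firewall,info inv-fwd forward: in:ether1 out:Eth6-customers, proto TCP (ACK), 203.0.113.9:443->10.100.5.20:51234, len 52
nov/04 21:12:02 firewall,info inv-fwd forward: in:ether1 out:Eth6-customers, proto TCP (ACK), 203.0.113.9:443->10.100.5.20:51234, len 1500
nov/04 21:12:03 firewall,info inv-fwd forward: in:Eth6-customers out:ether1, proto TCP (FIN,ACK), 10.100.5.21:40001->198.51.100.7:80, len 52
nov/04 21:12:04 firewall,info inv-fwd forward: in:ether2 out:Eth6-customers, proto UDP, 10.100.7.5:5000->10.100.5.22:5000, len 120
nov/04 21:12:05 firewall,info inv-in input: in:ether1 out:(none), proto ICMP (type 3, code 3), 203.0.113.1->10.100.1.1, len 56
nov/04 21:12:06 firewall,info inv-fwd forward: in:Eth6-customers out:ether1, proto TCP (SYN), 10.100.5.23:33000->203.0.113.9:443, len 60
"""


def parse_line(line):
    """Return the fields of one firewall log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["flags"] = {f.strip() for f in (entry["flags"] or "").split(",") if f.strip()}
    entry["len"] = int(entry["len"])
    return entry


def classify(entry):
    """Bucket a dropped packet by what it says about conntrack's view of the flow."""
    if entry["proto"].upper() != "TCP":
        return "non-tcp"          # UDP/ICMP are rarely invalid; look at these by hand
    flags = entry["flags"]
    if "SYN" in flags:
        return "tcp-syn"          # a new connection conntrack still refused: check state/timeouts
    if flags & {"FIN", "RST"}:
        return "tcp-teardown"     # late packets of a flow conntrack already expired: harmless
    return "tcp-midstream"        # data/ACK with no handshake seen: asymmetric path or table flush


def summarize(log_text):
    """Count drops per (chain, ingress interface, packet kind)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[(entry["chain"], entry["iface_in"], classify(entry))] += 1
    return counts


def midstream_share(counts):
    """Fraction of dropped TCP packets that are mid-stream; high values point at asymmetric routing."""
    tcp = sum(n for (_, _, kind), n in counts.items() if kind.startswith("tcp-"))
    mid = sum(n for (_, _, kind), n in counts.items() if kind == "tcp-midstream")
    return mid / tcp if tcp else 0.0


def top_flows(log_text, n=3):
    """Most frequently dropped 5-tuples, to see which customers or services are hit."""
    flows = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            flows[(entry["proto"], entry["src"], entry["sport"], entry["dst"], entry["dport"])] += 1
    return flows.most_common(n)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, count in sorted(summary.items()):
        print(f"{key[0]:8} in:{key[1]:15} {key[2]:14} {count}")
    print(f"mid-stream share of TCP drops: {midstream_share(summary):.0%}")
    print("top flows:", top_flows(SAMPLE_LOG))
```

If the mid-stream share is high and the flows are ordinary customer sessions, the drop rule is not exposing a gap in the accept rules; it is exposing that this router does not see both halves of those sessions, and no amount of reordering accept rules will fix that. Dropping invalid packets only makes sense on a router that is guaranteed to see the whole flow; on the others, leave the rule disabled or restrict it to the interfaces where the path really is symmetric.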
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Invalid connections

Tue Nov 05, 2013 6:48 pm

If that rule is dropping traffic which you need then there is probably a gap in the defined permitted traffic. Is this router primarily intended to act as a firewall?
 
texmeshtexas
Member Candidate
Topic Author
Posts: 151
Joined: Sat Oct 11, 2008 11:17 pm

Re: Invalid connections

Wed Nov 06, 2013 5:47 pm

Each tower has a router that connects to one or more upstream towers and is the primary interface to the customers.
There is one interface that is customer-facing.
The firewall filters are primarily to protect the infrastructure, not the customers.
Most customers are on private addresses, so we NAT at the tower outbound.
 
czolo
Member
Posts: 423
Joined: Fri Mar 04, 2005 9:49 am
Location: Poland (Warsaw)

Re: Invalid connections

Mon Feb 24, 2014 5:26 pm

Throw out protocol=tcp from your rules.

If it helps, you can give me Karma ;)
 
Takv2011
just joined
Posts: 8
Joined: Wed Nov 02, 2011 5:34 pm

Re: Invalid connections

Sun Apr 27, 2014 11:24 pm

I'm having the same problem, starting about two weeks ago: many invalid connections in the input chain, and also in the forward chain. Is anyone else seeing the same behavior?