Router Filtering TCP RST Packets
Hi All

I've been asked to look at a problem with a web filtering system for a business.

Ever since they upgraded from a 6.5.x version to a current long term release of RouterOS the filtering (RST Packets) traffic generated by the filter system has been lost/blocked by the router.

I have pcap files generated by the router showing the RST packets being generated and sent to the client and server of a tcp connection, but captures of the inbound and outbound traffic path do not show these RST packets.

rp-filter is turned off, ip connection traffic has been tried on and off.

I found someone else asking this question https://forum.mikrotik.com/viewtopic.php?t=149084 the single reply was from someone who did not understand the problem.

Does anyone have any ideas?

Thanks
Mike
Hi,

If the router is in NAT mode, it is inclined to be picky on what it passes through (and perhaps more so with newer versions). You could perhaps put in some raw filters to allow the spoofed packets from the web filter to pass into the local network (assuming they don't need alteration). Or perhaps more easily another non-SPI router/packet filtering bridge, for just this task.

Not sure about the outward RSTs as they would presumably need to be NATted.

Regards
Roger

To: public@talk.mikrotik.com.au
From: Mike O'Connor <mike@oeg.com.au>
Date sent: Tue, 14 Apr 2020 21:14:45 +0930
Subject: [MT-AU Public] Router Filtering TCP RST Packets

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au

Roger Plant
They seem to hit the invalid flag a lot, might depend on connection tracking settings, not sure.
There are quite a few significant changes since 6.5! (especially security vulnerability patches ;)

Some things that may be related to your observations include automated hardware offloading to switch chip where supported, and some changes to the way fasttrack and connection tracking works. It is possible that your spoofed packets are detected as 'invalid' (I see that Aaron has mentioned that too, while I was writing this :)

To test that possibility, maybe make a filter rule that matches invalid packets with source/dest address of known connections and see if it counts any packets?

I don't entirely follow some points in your question though - in particular that pcap shows the packets but other packet capture does not... is there more than one router in this scenario? Perhaps you could describe the topology in more detail and how the various components are put together? :-}

Cheers!
On 15/4/20 10:11 am, Mike Everest wrote:
There are quite a few significant changes since 6.5! (especially security vulnerability patches ;)
Some things that may be related to your observations include automated hardware offloading to switch chip where supported, and some changes to the way fasttrack and connection tracking works. It is possible that your spoofed packets are detected as 'invalid'
The logs do not report anything, and if I set firewall rules trying to match the packets they do not match.
(I see that Aaron has mentioned that too, while I was writing this :)
To test that possibility, maybe make a filter rule that matches invalid packets with source/dest address of known connections and see if it counts any packets?
They do not match. They're not getting to the firewall level.
I don't entirely follow some points in your question though - in particular that pcap shows the packets but other packet capture does not... is there more than one router in this scenario? Perhaps you could describe the topology in more detail and how the various components are put together? :-}
Cheers!
Three ports:
1. Injection port
2. Customer LAN side
3. WAN

The filter box is using an external mirroring switch on the cable on port 2. The filter box injects the RST packets into port 1.

I used the packet capture feature to capture packets on ports 2 and 3 and tested by accessing a filtered page. No RST packets in the capture. I did the test again but looked at port 1 only, tried the blocked site again, and this time there are RST packets in the pcap.

The router is silently dropping the RST packets; rp_filter is off and I tried with connection tracking disabled.

I've dealt with this type of filtering box a number of times and never had an issue with a router filtering the packets out as long as the reverse path filtering was disabled.

Thanks for any help
Mike
Hi All
So it turns out that the issue was actually with the filter unit, not RouterOS.

The router has been replaced because of random crashes, possibly a faulty power supply. The filter box generates the packets and sends them to the default route; the issue was that it had not picked up the changed MAC address.

Instead of changing the settings in the filter we forced the MAC of the router interface to the old MAC and it all started working correctly.

Cheers
Mike
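The root cause above (frames addressed to the replaced router's old MAC, so the router never accepts them and they never reach the firewall) is visible in the port-1 capture if you compare each RST's Ethernet destination with the interface's current MAC. The following is an added example, not code from the thread: a minimal Ethernet/IPv4/TCP parser run over constructed frames; all MAC and IP values are made up for the example.

```python
import socket
import struct

# Constructed values for this example (not from the thread): the router
# interface's current MAC, its MAC before the unit was replaced, and the
# MAC of the web filter's injection port.
ROUTER_MAC = "02:00:00:00:00:02"
OLD_ROUTER_MAC = "02:00:00:00:00:01"
FILTER_MAC = "02:00:00:00:00:99"

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
TCP_HDR = struct.Struct("!HHIIBBHHH")       # 20-byte TCP header, no options
TH_SYN, TH_RST = 0x02, 0x04

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame, used only as constructed capture input."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    tcp = TCP_HDR.pack(sport, dport, 1, 0, 5 << 4, flags, 0, 0, 0)
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp), 0, 0x4000, 64, 6, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ETH_HDR.pack(mac(dst_mac), mac(src_mac), 0x0800) + ip + tcp

def misaddressed_rsts(frames, router_mac):
    """Return (dst_mac, src_ip, dst_ip) for each TCP RST whose Ethernet destination
    is not the router's current MAC: present in an ingress-port capture, never forwarded."""
    findings = []
    for f in frames:
        dst, _src, etype = ETH_HDR.unpack_from(f)
        if etype != 0x0800:                 # IPv4 only
            continue
        ip = IPV4_HDR.unpack_from(f, ETH_HDR.size)
        if ip[6] != 6:                      # IP protocol 6 = TCP
            continue
        flags = TCP_HDR.unpack_from(f, ETH_HDR.size + (ip[0] & 0x0F) * 4)[5]
        if flags & TH_RST and dst.hex(":") != router_mac.lower():
            findings.append((dst.hex(":"), socket.inet_ntoa(ip[8]), socket.inet_ntoa(ip[9])))
    return findings

# Constructed capture: an RST to the stale MAC, an RST to the current MAC, and a SYN.
SAMPLE_FRAMES = [
    build_frame(OLD_ROUTER_MAC, FILTER_MAC, "203.0.113.10", "192.168.1.20", 80, 51000, TH_RST),
    build_frame(ROUTER_MAC, FILTER_MAC, "192.168.1.20", "203.0.113.10", 51000, 80, TH_RST),
    build_frame(ROUTER_MAC, FILTER_MAC, "192.168.1.20", "203.0.113.10", 51000, 80, TH_SYN),
]

if __name__ == "__main__":
    for dst_mac, src_ip, dst_ip in misaddressed_rsts(SAMPLE_FRAMES, ROUTER_MAC):
        print(f"RST {src_ip} -> {dst_ip} was sent to {dst_mac}, not {ROUTER_MAC}")
```

On a real capture, feed the raw frames from the port-1 pcap in place of SAMPLE_FRAMES; an empty result means the injected RSTs are at least addressed to the right interface and the drop has to be looked for elsewhere (rp_filter, connection tracking, firewall counters).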
Cool, thanks for the update! :)

Cheers, Mike (E ;)
Participants (4):
- Aaron Were
- Mike Everest
- Mike O'Connor
- Roger Plant