xzonisy wrote:
connection-state=invalid gets dropped
The explanation I found is this:
Firewall connection-state=invalid
https://forum.mikrotik.com/viewtopic.php?t=50818
If there is no connection tracking entry for the source/destination, and the packet is not "new" (SYN for TCP), then it is considered invalid.
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties
invalid - a packet that does not have a determined state in connection tracking (usually severely out-of-order packets, packets with a wrong sequence/ack number, or in case of resource overuse on the router); for this reason an invalid packet will not participate in NAT (as only connection-state=new packets do), and will still contain the original source IP address when routed. We strongly suggest dropping all connection-state=invalid packets in the firewall filter forward and input chains.
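As an added example (not part of xzonisy's post, the forum thread, or the MikroTik manual), here is a minimal RouterOS filter ordering that applies the quoted advice: tracked traffic is accepted first, invalid packets are dropped in both input and forward, and only connection-state=new packets reach the policy rules. The interface list names LAN and WAN are assumptions.

```routeros
# Connection tracking must be on, otherwise every packet has no state
/ip firewall connection tracking set enabled=yes

/ip firewall filter
# 1. Packets that belong to an existing tracked connection: accept first
add chain=input   action=accept connection-state=established,related comment="accept tracked"
add chain=forward action=accept connection-state=established,related comment="accept tracked"

# 2. No conntrack entry and not "new" (e.g. TCP without SYN): drop, as the manual suggests.
#    These packets would bypass NAT and be routed with their original source IP.
add chain=input   action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# 3. Only connection-state=new packets get here; these are the ones NAT also acts on
add chain=input   action=accept connection-state=new in-interface-list=LAN comment="new from LAN to router"
add chain=input   action=drop comment="drop all other input"
add chain=forward action=accept connection-state=new in-interface-list=LAN out-interface-list=WAN comment="LAN to WAN"
add chain=forward action=drop comment="drop all other forward"

# Optional check before trusting the drop rules: log what is being classified invalid
# (put the log rules above the drop rules with place-before=<rule number>)
# add chain=forward action=log connection-state=invalid log-prefix="INVALID-FWD:"
```

To see which flows the router is actually tracking (and so which packets will not be classed invalid), run `/ip firewall connection print`.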