Getting a lot of WAN in PROTO=TCP SPT=443

Is my MTU too big (1500)?

Bots hammering the (closed, I assume) HTTPS port?

If you're curious, run tcpdump on WAN, port 443.

2 Likes

IPs are from Google, GitHub, and other popular websites

Those packets are the websites replying as LAN users browse popular websites. They are solicited traffic and will be forwarded to machines on the LAN.

1 Like

If they are reject messages, I think some of these may be due to something like a slow or improper connection close and the firewall rejects late ACKs in the FIN, FIN/ACK, ACK TCP connection close sequence after the entry in the firewall connection table is already flushed. I was able to get packet captures that seemed to prove this.

Almost all of my related dmesg entries show SPT 443 and ACK:
[5779803.964716] reject wan in: IN=eth0 OUT= MAC=<redacted> SRC=<(internet)redacted> DST=<(local wan if)redacted> LEN=83 TOS=0x00 PREC=0x00 TTL=51 ID=7873 DF PROTO=TCP SPT=443 DPT=50369 WINDOW=64 RES=0x00 ACK PSH URGP=0

1 Like
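A small triage script for log lines like the one quoted above, added here as an example (it is not from the thread or from OpenWrt): it parses the netfilter `reject wan in:` field format and separates late replies to an already-closed connection (well-known source port such as 443, ACK/FIN set, no SYN) from unsolicited inbound SYNs. The sample lines and their addresses are constructed placeholders, not captures from the poster's router.

```python
# Constructed sample lines in the OpenWrt/netfilter "reject wan in:" format.
# Addresses are documentation-range placeholders, not real log data.
SAMPLE_LOG = """\
[5779803.964716] reject wan in: IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.10 DST=192.0.2.1 LEN=83 TOS=0x00 PREC=0x00 TTL=51 ID=7873 DF PROTO=TCP SPT=443 DPT=50369 WINDOW=64 RES=0x00 ACK PSH URGP=0
[5779810.111111] reject wan in: IN=eth0 OUT= MAC=aa:bb SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[5779811.222222] reject wan in: IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.10 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=7874 DF PROTO=TCP SPT=443 DPT=50369 WINDOW=64 RES=0x00 ACK FIN URGP=0
[5779812.333333] reject wan in: IN=eth0 OUT= MAC=aa:bb SRC=198.51.100.9 DST=192.0.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=UDP SPT=5060 DPT=5060 LEN=8
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
EPHEMERAL_MIN = 1024  # ports below this are treated as server-side ports


def parse_reject_line(line):
    """Split a netfilter log line into KEY=VALUE fields plus a set of TCP flags."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["flags"] = flags
    return fields


def classify(rec):
    """Label why a rejected WAN packet is most likely harmless or worth a look."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"  # outside what the thread discusses
    flags = rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited-syn"  # a new connection attempt towards us: a probe
    # ACK/FIN/PSH without SYN, from a service port to a high client port:
    # a reply for a connection whose NAT/conntrack entry has already expired.
    src_port, dst_port = int(rec["SPT"]), int(rec["DPT"])
    if ("ACK" in flags or "FIN" in flags) and src_port < EPHEMERAL_MIN <= dst_port:
        return "late-reply"
    return "other-tcp"


def summarize(log_text):
    """Count rejected packets per category over a block of log text."""
    counts = {}
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        category = classify(parse_reject_line(line))
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))  # {'late-reply': 2, 'unsolicited-syn': 1, 'non-tcp': 1}
```

Feed it real output with `dmesg | grep 'reject wan in'`; a log dominated by `late-reply` matches the explanation in this thread, while a growing `unsolicited-syn` count is what actually merits attention.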

Yes, when a NAT association no longer exists, any remaining web replies cannot be forwarded, so they will be rejected.

2 Likes

Also, I think the out-of-the-box config on OpenWrt only logs rejects (and maybe some error messages etc) so if you see logged traffic entries that are not reject messages, your config may be customized to log more. I'm sure others can speak to this better if you need more info on it.

1 Like

You mean forward all traffic from WAN IN to a PC running tcpdump?
How do I do port forwarding in LuCI?

No, just run tcpdump on the router, but I think the other explanations are more accurate than mine.

1 Like