The packets may be invalid for a number of reasons.
Being a stateful firewall, packets usually show up in this context due to the 'state' not being correct, possibly due to packet flow that is no longer valid, for example.
You can bypass this invalid check with the following firewall -> packet filtering -> custom firewall rule:
iptables -I InvalidL -j RETURN
if you need to test to see if this feature is causing an issue.
Thanks for the suggestion, I'll try it shortly. I've just upgraded firmware to V4.08 with no change in behaviour.
Is the stateful inspection done before routing? I expected the static route to have redirected those packets before any inspection being done.
Yes, the invalid check (like all packet filter checks) is done before routing.
That rule is already in the firewall custom rules.
It is the only rule there and it says that these rules are instead of builtin rules.
Should NOT be instead of builtin rules.
Sorry, it's not instead of, that heading is the label for a checkbox which is so far to the right I couldn't see it.
The check box is unchecked.
If I'm reading this right:
Packet Filter Rules
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   18   936 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    40 InvalidL   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
11547 3993K EstabRel   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 PPPoEIn    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    1    40 WanIn      all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 PrivIn     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0
  678 72207 PrivIn     all  --  eth0.4 *       0.0.0.0/0            0.0.0.0/0
    0     0 PrivIn     all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 PrivIn     all  --  ipsec1 *       0.0.0.0/0            0.0.0.0/0
    0     0 DefDeny    all  --  *      *       0.0.0.0/0            0.0.0.0/0
only one packet has tripped the custom rule while I have a great many recent invalid state messages in the log.
The packet counters reset when the rules are reloaded due to an interface going up/down, or when you select 'update' on the custom rules page.
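
Added example, not part of any post in this thread: a small Python helper that compares two snapshots of the INPUT chain listing and reports per-rule packet deltas, flagging the counter reset described above so a low InvalidL count is not misread. The snapshots, function names and the second listing are constructed for illustration.

```python
# Constructed snapshots of `iptables -L INPUT -v -n`; BEFORE reuses three rows
# from the listing in the thread, AFTER is invented to show a counter reset.
BEFORE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   18   936 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    40 InvalidL   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
11547 3993K EstabRel   all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
AFTER = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   104 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    7   280 InvalidL   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  120   48K EstabRel   all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
SUFFIX = {"K": 1000, "M": 1000**2, "G": 1000**3}  # iptables rounds large counters

def to_int(tok):
    """Convert a counter token such as '3993K' to an (approximate) integer."""
    mult = SUFFIX.get(tok[-1])
    return int(tok[:-1]) * mult if mult else int(tok)

def parse_rules(listing):
    """One dict per rule row; the chain and column header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0][0].isdigit():
            continue
        rules.append({"pkts": to_int(f[0]), "bytes": to_int(f[1]),
                      "target": f[2], "in": f[5], "match": " ".join(f[9:])})
    return rules

def counter_deltas(before, after):
    """Return (reset, {(rule index, target): packets since `before`})."""
    old, new = parse_rules(before), parse_rules(after)
    if [r["target"] for r in old] != [r["target"] for r in new]:
        raise ValueError("rule set changed between snapshots")
    # A counter that went backwards means the rules were reloaded, so the
    # later values count from zero and cannot be subtracted from the old ones.
    reset = any(n["pkts"] < o["pkts"] for o, n in zip(old, new))
    return reset, {(i, n["target"]): n["pkts"] if reset else n["pkts"] - o["pkts"]
                   for i, (o, n) in enumerate(zip(old, new))}

if __name__ == "__main__":
    print(counter_deltas(BEFORE, AFTER))
```

A reload that happens between snapshots is only detectable when at least one counter ends up lower than before, so take snapshots close together when comparing against log timestamps.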