Here are some assumptions:
- OK session: the SYN/ACK is likely starting out with an origin TTL of 128, so it’s making 15 hops to get to the client.
- Reset session: the RST packet is likely starting out with an origin TTL of 64, so it’s making 12 hops to get to the client.
Also, since the OK traffic seems to be using a TTL of 128 at each end, that would seem to be a dead giveaway of injection, though pinpointing the exact origin beyond this could be difficult, unless you have access to the routers the sessions are traversing. If you do have access, you can do more captures along the path and look at Source MAC addresses to 100% confirm the source of the unwanted RST packets.
I’m curious: if you run a packet capture on your VyOS WAN interface while replicating the problem, are you getting a RST packet too? And if so, what TTL does that have in comparison to the OK traffic?
FWIW, you can right-click about any packet parameter in the Wireshark details pane and select Apply as a Column for easier visibility and comparison.
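
Added example, not part of the original post: a Python sketch of the TTL comparison described above, which infers the origin TTL and hop count for each packet and flags RSTs that do not match what the same source address showed on its other traffic. The packet record layout, the addresses and the observed TTLs (113 = 128 − 15, 52 = 64 − 12, taken from the post's assumptions) are constructed for illustration.

```python
from collections import defaultdict

COMMON_INITIAL_TTLS = (64, 128, 255)  # usual OS defaults (assumption)

def infer_origin(observed_ttl):
    """Return (assumed initial TTL, hops travelled) for an observed IP TTL."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError(f"TTL out of range: {observed_ttl}")

def find_suspect_resets(packets, hop_tolerance=1):
    """Flag RSTs whose inferred origin does not match what the same source
    address showed on its non-RST packets. A mismatch is a lead to chase with
    captures along the path, not proof: TTL is sender-controlled."""
    baseline = defaultdict(set)
    for p in packets:
        if "R" not in p["flags"]:
            baseline[p["src"]].add(infer_origin(p["ttl"]))
    suspects = []
    for p in packets:
        if "R" not in p["flags"] or p["src"] not in baseline:
            continue
        initial, hops = infer_origin(p["ttl"])
        if not any(i == initial and abs(h - hops) <= hop_tolerance
                   for i, h in baseline[p["src"]]):
            suspects.append({"src": p["src"], "ttl": p["ttl"],
                             "initial": initial, "hops": hops})
    return suspects

# Constructed sample: fields as they might be exported from a capture.
SAMPLE = [
    {"src": "203.0.113.10", "flags": "SA", "ttl": 113},  # OK session SYN/ACK
    {"src": "203.0.113.10", "flags": "PA", "ttl": 113},  # OK session data
    {"src": "203.0.113.10", "flags": "R", "ttl": 52},    # reset session RST
    {"src": "198.51.100.7", "flags": "SA", "ttl": 50},   # unrelated server
    {"src": "198.51.100.7", "flags": "RA", "ttl": 50},   # RST consistent with it
]

if __name__ == "__main__":
    for s in find_suspect_resets(SAMPLE):
        print(s)
```
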