I’ve tried to speed up my 500ers by disabling connection tracking in 2.9.x. But
for 2 reasons this is not possible:
OSPF loses neighbors from time to time
IPsec tunnels of customers going through the router stop working
The router I tried this on does not use NAT and has only simple firewall rules
(Input: allow access from our IPs and from the whole 192.168.x.x and drop the rest
Forward: no rule)
The IPsec tunnels that stop working are not terminated at this router; they are routed
through it.
Anyone working without conntrack? How?
I am using 2 border routers with 2.9.26 on them and conn-track is off… I am told that IP fragments won’t pass through these routers with conn-track off. This might not be noticeable here though, because we have a toplayer box in front that is probably fixing / rejecting those IP fragments before they come to us.
I don’t notice any problems with conn-track off. I also have a few simple firewall rules in them, i.e. ICMP ping limiting, forward allow, etc.; no rules that would use connection tracking.
I have not tested OSPF, only BGP; I have over 300 days uptime on BGP sessions however. I have also not tested IPsec through these.
We have to have connection tracking for customers to be able to use IPsec. We have a separate router just for our servers, and since we don’t use IPsec to them, it is fine to leave it off on that one. Things are more reliable in 2.9.x without connection tracking, but I’d prefer to be able to have it on so we could do port forwarding and NAT features. We use 2.9.x almost exclusively at the moment.
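As an added illustration (not posted by anyone in this thread), here is a RouterOS 2.9-style rule set matching the stateless input policy from the first post, followed by the matchers and NAT actions the last post wants that do depend on connection tracking; it is the check to run before switching tracking off. The 203.0.113.0/24 range is a constructed placeholder for "our IPs", and the exact option names are assumed from 2.9-era syntax.

```routeros
# Added example, not from the thread. Stateless input policy as described
# in the first post: src-address matches and a final drop work with
# connection tracking disabled. 203.0.113.0/24 is a constructed placeholder.
/ip firewall filter
add chain=input src-address=203.0.113.0/24 action=accept comment="our IPs"
add chain=input src-address=192.168.0.0/16 action=accept comment="internal"
add chain=input action=drop comment="drop the rest"
# forward chain: no rules, as in the first post

# The step the first post took (assumed 2.9 path for the setting):
/ip firewall connection tracking set enabled=no

# Audit: rules like the ones below stop matching or working once tracking
# is off, so their presence means the setting cannot safely be disabled.
# connection-state matchers:
#   add chain=input connection-state=established,related action=accept
# NAT / port forwarding mentioned in the last post:
#   /ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
#   /ip firewall nat add chain=dstnat protocol=tcp dst-port=80 \
#       action=dst-nat to-addresses=192.168.1.10
```

The symptoms reported above (lost OSPF neighbors, IPsec pass-through and fragments failing) are not caught by this audit; they have to be tested on the router itself after the change.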