connection-state=established

makbar · November 14, 2017, 11:40pm

I understand Cisco config

ip access-list extended WAN-IN
  permit tcp any any established

but not understand MikroTik default FW record

add action=accept chain=input  connection-state=established

without TCP.

What is “state=established” for non TCP protocols?!

jarda · November 15, 2017, 3:18am

This state is of connection in connection table of the firewall and has nothing to do with the protocol itself.

makbar · November 15, 2017, 9:44am

When this state occurs or disappears with non-TCP protocols, for example GRE, ICMP, UDP…

blajah · November 15, 2017, 10:39am

Its explained in ConTrack settings

 /ip firewall connection tracking> pri
                   enabled: yes
      tcp-syn-sent-timeout: 5s
  tcp-syn-received-timeout: 5s
   tcp-established-timeout: 1d
      tcp-fin-wait-timeout: 10s
    tcp-close-wait-timeout: 10s
      tcp-last-ack-timeout: 10s
     tcp-time-wait-timeout: 10s
         tcp-close-timeout: 10s
   tcp-max-retrans-timeout: 5m
       tcp-unacked-timeout: 5m
               udp-timeout: 10s
        udp-stream-timeout: 3m
              icmp-timeout: 10s
           generic-timeout: 10m
               max-entries: 218008
             total-entries: 55

Additional comment regarding gre. If 2 sides agree on setting up tunnel ( no matter what protocol it is) all connection-state mechanics is described inside tunnel itself. External factors like ConnectionTracker would cause more harm then good, interfering with tunnel protocol mechanisms.