It's unclear to me what the connection state “established” means exactly.
It's very confusing to me, because there is a TCP connection state “established”, but not everything is TCP…
I can create Firewall-Filter-Rules:
UDP + Connection State = established → Action Passthrough
ICMP + Connection State = established → Action Passthrough
Both rules match certain packets. Now, this can't be the “TCP connection state established”, because these are non-TCP packets.
How can I see which non-TCP packets are in the state “established”?
Does the “seen reply” flag in connection tracking mean this is “established” (for TCP AND non-TCP traffic)? And does this apply to “related” non-TCP traffic as well?
For connectionless IP protocols (i.e. anything but TCP), RouterOS fakes connections and their states. It makes configuring the firewall much easier.
For example: UDP connection from A to B [*]. When ROS sees the first packet, it creates a connection tracking entry with state new. When it sees the first packet from B to A [**], it updates the “connection” state to established. As there is no tear-apart procedure for termination of such (bogus) connections, ROS relies on timer expiry to transition the connection to state “finished” (actually it’s dropped from the connection tracking list). This is one of the reasons why fast-track only deals with most but not all packets; some packets need to go via the slow path to reset connection tracking timers.
[*] Here A means the pair src IP address - src port. Likewise B means the pair dst IP address - dst port.
[**] Here A means the pair dst IP address - dst port and likewise B means the pair src IP address - src port. If A and B of this line match A and B of the preceding line [*], then these are packets of the same “connection”, flowing in opposite directions.
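Added example (not from the post and not RouterOS code): a toy tracker in Python that models the behaviour described above for a connectionless flow, with an assumed 30-second timeout standing in for the real connection tracking timer. A flow tuple enters as new, flips to established when the reversed tuple (the reply) is seen, and is forgotten once the timer expires.

```python
"""Toy connection tracker for connectionless protocols (constructed example).
Models the states described above: a UDP/ICMP flow is 'new' until a packet
in the opposite direction is seen, then 'established', until a timer expires."""
from dataclasses import dataclass

NEW, ESTABLISHED = "new", "established"
DEFAULT_TIMEOUT = 30.0  # seconds; assumed value, not a RouterOS default


@dataclass
class Entry:
    state: str
    last_seen: float


class ConnTracker:
    def __init__(self, timeout=DEFAULT_TIMEOUT):
        # key: (proto, src_ip, src_port, dst_ip, dst_port) as seen in the first packet
        # for ICMP echo, the identifier plays the role of both ports
        self.table = {}
        self.timeout = timeout

    def classify(self, proto, src, sport, dst, dport, now):
        """Return the connection state this packet matches and update the table."""
        self._expire(now)
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)  # same flow, opposite direction
        if fwd in self.table:
            # more packets in the original direction: state unchanged
            entry = self.table[fwd]
            entry.last_seen = now
            return entry.state
        if rev in self.table:
            # first packet from B to A ("seen reply"): the fake connection
            # is now established, regardless of protocol
            entry = self.table[rev]
            entry.state = ESTABLISHED
            entry.last_seen = now
            return ESTABLISHED
        # never seen either direction: create an entry in state new
        self.table[fwd] = Entry(NEW, now)
        return NEW

    def _expire(self, now):
        # no teardown for connectionless flows: timer expiry drops the entry
        stale = [k for k, e in self.table.items() if now - e.last_seen > self.timeout]
        for key in stale:
            del self.table[key]
```

Note that the ICMP echo case works because the reply carries the same identifier, so the reversed tuple matches just as it does for a UDP reply.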
Connection-oriented or connectionless protocols have nothing to do with this; that only comes in between the two end devices.
This is only relevant to firewalls: connection tracking uses both src and dst addresses with the src and dst ports to decide if it is a new connection, established, etc.