connection tracking, max-entries

Hello,

I tried to search the forum for the word max-entries but got “No posts were found…”, so I am starting a new one.
I have a CCR1036 with OS version 6.0 and a CCR1016 with OS version 6.1. Both have the same strange issue. The size of the connection tracking table is seriously small, which makes it impossible to use.

On the router with 16Gb of RAM

[ard@z3k-router] > /system resource print 
             uptime: 4w3h50m37s
            version: 6.0
         build-time: May/17/2013 14:04:20
        free-memory: 15.4GiB
       total-memory: 15.9GiB
                cpu: tilegx
          cpu-count: 36
      cpu-frequency: 1000MHz
           cpu-load: 0%
     free-hdd-space: 903.1MiB
    total-hdd-space: 1024.0MiB
  architecture-name: tile
         board-name: CCR1036-12G-4S
           platform: MikroTik
[ard@z3k-router] >

I have a pretty small max-entries value: 524288

[ard@z3k-router] > /ip firewall connection tracking print  
             …
             generic-timeout: 10m
             max-entries: 524288
             …
[ard@z3k-router] >

If I enable connection tracking, I get a table overflow once a week. Each time I receive an attack, connection tracking gets filled. Today the only normal way to filter traffic is to blackhole route the attacked IP.

Is it really not possible to specify a higher value somehow? The connection limit feature is awesome, but still, with “max-entries: 524288” it is useless. On a regular Linux box with 16Gb of RAM it is possible to have millions of records in the conntrack table, a slightly bigger backlog and other values. And the network stack does not use all the RAM even during attacks.

Maybe I am missing something, and probably someone can elaborate on the reason why it is so small.

As far as I remember, the conntrack table gets resized automatically when you are reaching its current size limit.
The real limit is the amount of RAM on the router.

If you get problems with SYN floods, enable SYN cookies.
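To act on the advice in the reply above (the table grows with RAM, so watch how full it is, and turn on SYN cookies), here is a small RouterOS v6 script I am adding as an example; it is not from any poster in this thread. It assumes the max-entries value is readable at /ip firewall connection tracking, that /ip firewall connection print count-only returns the current entry count, and that the SYN cookie switch is tcp-syncookies under /ip settings; the 80% warning threshold is my own choice.

```routeros
# Added example (not from the thread): log a warning when the connection
# tracking table gets close to max-entries, and report if SYN cookies are off.
# Assumptions: max-entries is readable from /ip firewall connection tracking,
# "print count-only" returns the live entry count, and the SYN cookie setting
# is /ip settings tcp-syncookies. Threshold of 80% is an assumed value.
:local threshold 80
:local max [/ip firewall connection tracking get max-entries]
:local cnt [/ip firewall connection print count-only]
:local pct (($cnt * 100) / $max)

:if ($pct >= $threshold) do={
    /log warning ("conntrack " . $cnt . "/" . $max . " entries (" . $pct . "%), table close to overflow")
} else={
    /log info ("conntrack " . $cnt . "/" . $max . " entries (" . $pct . "%)")
}

# SYN floods are what fill the table; SYN cookies keep half-open connections out of it.
:if ([/ip settings get tcp-syncookies] = false) do={
    /log warning "tcp-syncookies is disabled in /ip settings"
}
```

Save it under /system script and run it from /system scheduler every minute or so; the log lines give you the real count at the moment an attack hits, which is the value asked for above, and show whether the table actually grew past the printed max-entries.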

Thank you, I will try to catch the value next time.

The bad thing is the router sometimes reboots during such attacks. It becomes unavailable and then becomes accessible again, but only after a reboot by the watchdog.

Maybe I just connected connection tracking and this unavailability and this is not the case. I was able to find my other post here by following it in the “User Control Panel”; there the conntrack max is explained: http://forum.mikrotik.com/t/ccr-1036-16gb-ram-and-connection-tracking/64302/1 I was just not subscribed to that post and therefore didn’t receive any notices.

Sorry for second post for the same question.

Does that work similarly to pfSense, with 1kb per state/connection?