Connection Tracking

Hi,

It would be excellent if we could specify in the NAT tables something equivalent to “-j NOTRACK”

When a router is used with NAT as well as routed networks, all routed network traffic passes through the conntrack tables.
It would be nice if we can disable conntrack for some of the traffic.

Best Regards

As far as I know, you can only disable or enable connection tracking for all connections. No other possibilities are provided.

Maybe you could provide a scenario why you would need such an option?

Well,

Consider a scenario where a 532A gets a 10 Mbit internet connection on eth0, provides NAT access to a few clients on eth1 and also routes (no NAT) traffic on eth2.

In this case the router gets bogged down with the connection tracking for eth0<->eth2, which should not have any connection tracking as it is a routed network.

The only connection tracking that should be done is for eth0<->eth1.

It would be nice to have a way to mark the traffic so that it bypasses conntrack table as you can do in iptables.

Best Regards

Hello Janisk, why isn't this possible?
We have routers where in one VLAN we have public IP addresses and in another VLAN a small private network (with private IP addresses).
If we have conntrack on, some customers report connection drops in their VPNs. With conntrack off this is without problems.
Now we cannot disable conntrack for the public subnet (only enable/disable for all connections).

Can we expect a notrack feature in any new ROS version?

Thx L.

You can do that with FreeBSD (pfSense does support this).

It is sometimes useful to disable connection tracking for some traffic, especially routed VoIP traffic when there are multiple failover gateways, to avoid ghost connections causing dead VoIP trunks.

Without this option, a manual connection reset (or script reset) can be necessary.

From the pfSense feature list:

"State types - pfSense offers multiple options for state handling.

Keep state - Works with all protocols. Default for all rules.
Modulate state - Works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs) on behalf of the host.
Synproxy state - Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.
None - Do not keep any state entries for this traffic. This is very rarely desirable, but is available because it can be useful under some limited circumstances."

Hi, yes, I can use pfSense (FreeBSD based) or another Linux distro on x86/amd64 or ALIX etc. etc. … I can buy a new MikroTik and use it for the private network, create a meta router instance etc. => Now I need to fix the problem, so I have to buy another device for NAT. OK

But configurable connection tracking is imho a basic feature; it can save CPU power and many problems with helpers, which we have enabled for the private network and would like to disable for public clients. (Does anyone have any other experience with conntrack enabled and services with public IPs??)

I’d rather have two powerful routers in VRRP setup with conntrack on for private clients and conntrack off for public clients than 4 small routers.

L.

According to what I've seen with NAT, it is always a difficult problem for VoIP if you have a failover gateway to access the public network.

You have to manually erase (or using a script) the wrong connections after a gateway change, or the VoIP trunks can become dead after coming back to the primary gateway.

This is the case with SIP, but the same problem can occur with IAX. I think that this problem can occur as well for other traffic sending packets almost continuously: the connection never resets through the timeout and keeps the wrong source address after a gateway change.

Sometimes because of NAT I've even seen Linux boxes sending a private IP to the world through the public interface. I've seen that on older OpenWRT routers I was using before. MikroTik is really more powerful and easier to set things up with, and for advanced routing. So I use only that now even if NAT is still not perfect. Linux connection tracking seems not smart enough to use NAT with multiple gateways without script help. Winbox and The Dude are formidable tools for administration.

A solution, if possible, is to use tunnels and pure routing, and add a blackhole route to the private destination subnet (using a smaller prefix) to avoid ghost stalled connections during route switching. When route switching has occurred, the blackhole route will not be used anymore because the destination subnet route will have a bigger prefix. This should protect against wrong connection tracking.

As a general rule, don't use NAT if you want high reliability, or test it hard before entering production.

FIPTech: the problem isn't with the private service.
I know that there is a problem with VRRP + NAT + conntrack + VRRP interface switchover from Master → Backup and back, but this isn't my problem now).

My problem is the public service (MikroTik routes public IP addresses with conntrack on). And because this router routes public IP addresses and a small private network with NAT, I CAN'T disable conntrack. So my question is why ROS does not support configurable conntrack? (conntrack deactivated for a configured IP/subnet …, as Linux has -notrack etc…)

This is the main idea of my posts :slight_smile:

Another question: why do all connections have to be connection tracked? Why not only NATted connections??

Thx L.

Any news about this topic? I’m also running into CPU load problems :frowning:

Try at least the RouterOS 6.0 version.

Already tried with v6… no difference.

Great that this is "no problem" for Sergejs… but why load the CPU when it is absolutely not necessary? Please look at the starting date of this thread … 2007 :confused:

Hello,

Yes, connection tracking uses CPU, I do not see any problems with 35%-40% on 100Mbps traffic.

Regards,
Sergejs

Hi,

When I disable all firewall rules (except two - allow all LAN connections and block all other) CPU load stays at the same level. tools/profile displays firewall usage of ~35. So it looks like it has nothing to do with these rules. Is there anything I can do to reduce the CPU load?

greetings
Daniel

Useful feature

+1

NOTRACK is just another target, it should be pretty easy to add.

Yes, something like NOTRACK would be awesome. Once connection tracking is switched off, maximal routing capacity is twice that with connection tracking. There are situations where connection tracking is just on because it's needed for src-nat.

For example several internal subnets (RFC 1918 IPs) connected to an RB2011 which is also the internet breakout (NAT). In my lab I had on an RB2011 a difference of 300 Mbit/s with conntrack vs 600 Mbit/s without conntrack. Why waive that extra 300 Mbit/s capacity between the internal networks just because I've a <100 Mbit/s uplink which needs NATting?

I strongly believe that scenarios like that are common enough to implement such a feature.

Or the alternative to not tag by default but only tag with a TAG target

Sent from my SCH-I545 using Tapatalk 4

http://mocode.wordpress.com/2008/09/17/iptables-conntrack/
The calculation of memory is awesome.

Hi

If RouterOS is based on Linux and iptables, then:

raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)

raw is the table you want to look at.

Also I was wondering if any thought had been given to sharing connection tracking info between RouterOS nodes of a VRRP; that would allow for seamless failover…

This is available in Linux, again assuming that RouterOS is based on that.
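Worked example, added here and not posted by anyone in the thread: a Linux iptables rule set for the three-interface scenario described earlier (eth0 uplink, eth1 NATted clients, eth2 routed network), using the raw table's NOTRACK target so that eth0<->eth2 traffic never enters the conntrack table while eth1 traffic stays tracked for MASQUERADE. The interface names follow the thread; the subnets 192.168.1.0/24 and 203.0.113.0/24 are constructed, and the IPT variable is a dry-run hook added for this example (IPT=echo prints the rules without root).

```shell
#!/bin/sh
# Added example, not from the thread. Scenario from the earlier post:
#   eth0 = internet uplink, eth1 = NATted clients, eth2 = routed (no NAT) network.
# Goal: keep conntrack only for eth1 traffic; exempt eth0<->eth2 via raw/NOTRACK.
WAN=eth0
NAT_LAN=eth1
ROUTED_LAN=eth2
NAT_NET=192.168.1.0/24      # constructed: private subnet behind eth1
ROUTED_NET=203.0.113.0/24   # constructed: publicly routed subnet behind eth2

# IPT is an assumption for this example: set IPT=echo to print the rules
# instead of applying them (no root needed).
IPT=${IPT:-iptables}

# raw/PREROUTING is hooked before conntrack (priority -300 vs -200), so a
# packet that hits NOTRACK there never allocates a conntrack entry.
notrack_rules() {
    # Packets entering from the routed LAN, whatever their destination.
    $IPT -t raw -A PREROUTING -i "$ROUTED_LAN" -j NOTRACK
    # Return traffic from the uplink toward the routed subnet. Do NOT add a
    # rule for $NAT_NET here: NAT is implemented on top of conntrack, so an
    # untracked packet can never be masqueraded.
    $IPT -t raw -A PREROUTING -i "$WAN" -d "$ROUTED_NET" -j NOTRACK
}

# Only the eth1 clients are masqueraded; their flows stay tracked.
nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$NAT_NET" -o "$WAN" -j MASQUERADE
}

# Untracked packets carry ctstate UNTRACKED. They match neither
# ESTABLISHED,RELATED nor INVALID, so a stateful FORWARD chain needs an
# explicit rule for them or the routed network is silently dropped.
filter_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate UNTRACKED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -i "$NAT_LAN" -o "$WAN" -j ACCEPT
}

# Number of conntrack-exempt rules; a quick sanity check for the dry run.
notrack_rule_count() {
    (IPT=echo; notrack_rules) | wc -l | tr -d ' '
}

# Usage: sh notrack.sh apply   (as root)   or   IPT=echo sh notrack.sh apply
if [ "${1:-}" = apply ]; then
    notrack_rules
    nat_rules
    filter_rules
fi
```

Two things to check after applying: `conntrack -L` (or `cat /proc/net/nf_conntrack`) should show entries only for 192.168.1.0/24 flows, and the FORWARD chain must keep the UNTRACKED accept rule, since the routed network now gets only stateless filtering. On nftables-based systems the same split is expressed with a `notrack` statement in a prerouting chain of type filter at priority raw and `ct state untracked accept` in the forward chain.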

Hey Mikrotik,

any news on that thing here? We really would like to see the possibility of connection tracking turned off for some traffic.

Julian

Could someone explain this trick to me better?