connection tracking

I had a PC-based router working well at about 30 Mbps until I got about 50 Mbps of traffic going through it. VIA 533 MHz CPU, 512 MB RAM, 2.9.46, typically about 40% load. This is not test traffic, but actual traffic of thousands of users. When I routed more traffic into it, it started to reboot frequently, several times a day, with an uptime of 20 minutes to several hours. Logs would say rebooted without proper shutdown. It basically routes traffic between two Ethernet ports and blocks Windows ports. One Ethernet is the uplink, the other goes to 5 VLANs, making it basically a 6+ port router.

I have since disabled connection tracking and it’s working great. I would love to be able to use connection tracking so I can use things like port forwarding. I would also like to limit P2P and provide some QoS, which I think (but am not sure) depends on connection tracking. Is connection tracking required for forwarding H.323 or PPTP? Those are important to us and our customers.

It’s been running about 20 hours without any problems with connection tracking turned off, which is a magnitude more reliable than it had been at those traffic levels. At about 30 Mbps it was perfectly reliable; I think the increase in traffic kinda put it over the edge for some reason.

These are the settings I had when I turned it off. Are there changes I can make to improve this? Not much is written about tuning these settings.

[admin@cup] ip firewall connection tracking> print
enabled: no
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
tcp-established-timeout: 2h
tcp-fin-wait-timeout: 10s
tcp-close-wait-timeout: 10s
tcp-last-ack-timeout: 10s
tcp-time-wait-timeout: 10s
tcp-close-timeout: 10s
udp-timeout: 10s
udp-stream-timeout: 1m
icmp-timeout: 5s
generic-timeout: 2m
tcp-syncookie: yes
max-entries: 0
total-entries: 0
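Since the question is how to reason about these timeouts, here is an added example that is not part of the thread and not MikroTik code. It parses the settings printed above (a constructed copy of that output) and applies Little's law to estimate how many conntrack entries each state can hold at steady state: entries = rate of flows entering the state × time they stay there. Using the configured timeout as the residence time gives the worst case, where every flow goes silent and is only removed when its timeout fires, which is exactly the load P2P and scanning traffic produce. The per-second flow rates in `EXAMPLE_RATES` are constructed for illustration, not measured on the poster's router.

```python
import re

# Constructed copy of the `ip firewall connection-tracking print` output
# quoted in the post above; not captured from a live router.
CONNTRACK_PRINT = """\
enabled: no
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
tcp-established-timeout: 2h
tcp-fin-wait-timeout: 10s
tcp-close-wait-timeout: 10s
tcp-last-ack-timeout: 10s
tcp-time-wait-timeout: 10s
tcp-close-timeout: 10s
udp-timeout: 10s
udp-stream-timeout: 1m
icmp-timeout: 5s
generic-timeout: 2m
tcp-syncookie: yes
max-entries: 0
total-entries: 0
"""

# Constructed per-second rates of new flows entering each state (assumption,
# not a measurement): 50 new TCP sessions/s that reach ESTABLISHED, 200 UDP
# flows/s, 5 flows/s of other protocols.
EXAMPLE_RATES = {
    "tcp-established-timeout": 50,
    "udp-timeout": 200,
    "generic-timeout": 5,
}

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Convert a RouterOS duration such as '2h', '1m', '10s' or '1h30m' to seconds."""
    total = 0
    consumed = ""
    for number, unit in re.findall(r"(\d+)([dhms])", text):
        total += int(number) * _UNIT_SECONDS[unit]
        consumed += number + unit
    if consumed != text:
        raise ValueError("unrecognised duration: %r" % text)
    return total


def parse_settings(output):
    """Turn the `key: value` lines into a dict; timeouts become seconds."""
    settings = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.endswith("-timeout"):
            settings[key] = parse_duration(value)
        elif value in ("yes", "no"):
            settings[key] = value == "yes"
        elif value.isdigit():
            settings[key] = int(value)
        else:
            settings[key] = value
    return settings


def worst_case_entries(settings, rates):
    """Little's law per state: resident entries = arrival rate * residence time.
    The configured timeout is used as the residence time, i.e. every flow is
    assumed to go silent and linger until its timeout expires."""
    return {key: rate * settings[key] for key, rate in rates.items()}


def total_worst_case(settings, rates):
    return sum(worst_case_entries(settings, rates).values())


def with_timeout(settings, key, duration):
    """Copy of the settings with one timeout replaced, e.g. ('tcp-established-timeout', '15m')."""
    changed = dict(settings)
    changed[key] = parse_duration(duration)
    return changed


if __name__ == "__main__":
    current = parse_settings(CONNTRACK_PRINT)
    tuned = with_timeout(current, "tcp-established-timeout", "15m")
    for label, cfg in (("as printed", current), ("established=15m", tuned)):
        print(label, worst_case_entries(cfg, EXAMPLE_RATES),
              "total:", total_worst_case(cfg, EXAMPLE_RATES))
```

The point the numbers make is that the 2h `tcp-established-timeout` dominates the table: at the constructed rates it accounts for 360,000 of 362,600 worst-case entries, and shortening it to 15 minutes cuts the total to 47,600. With `max-entries: 0` RouterOS picks a limit from available RAM, so the worst-case figure is what to compare against the 512 MB in the box before re-enabling tracking at 50 Mbps.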

What type of NICs are in that box? Possibly it’s a NIC interrupt issue … VIA chipsets and high bandwidth have been known for those types of issues.

Connection tracking is used for all kinds of things, including the established/related firewall rules, NAT, IP fragmentation, connection marking/mangling, IP helpers, etc. QoS should be fine with it off as long as you don’t require things related to the above. If you are only routing traffic you are fine turning it off; we do on both of our border routers, which handle ~80-100 Mbps normally.

Sam

Thanks for the response;

It’s got a 100 Mbps Realtek built into the motherboard. As far as IRQs go, it appears to share IRQs with the video and USB, which are not used.

[admin@cup] > /system resource pci print        
 # DEVICE   VENDOR                       NAME                        IRQ       
 0 01:00.0  Trident Microsystems         CyberBlade/i1 (rev: 106)    12        
 1 00:0b.0  Realtek Semiconductor Co.... RTL-8139/8139C/8139C+ (r... 11        
 2 00:09.0  Realtek Semiconductor Co.... RTL-8139/8139C/8139C+ (r... 10        
 3 00:08.0  Realtek Semiconductor Co.... RTL-8139/8139C/8139C+ (r... 12        
 4 00:07.5  VIA Technologies, Inc.       VT82C686 AC97 Audio Cont... 5         
 5 00:07.4  VIA Technologies, Inc.       VT82C686 [Apollo Super A... 0         
 6 00:07.3  VIA Technologies, Inc.       VT82xxxxx UHCI USB 1.1 C... 11        
 7 00:07.2  VIA Technologies, Inc.       VT82xxxxx UHCI USB 1.1 C... 11        
 8 00:07.1  VIA Technologies, Inc.       VT82C586A/B/VT82C686/A/B... 0         
 9 00:07.0  VIA Technologies, Inc.       VT82C686 [Apollo Super S... 0         
10 00:01.0  VIA Technologies, Inc.       VT8601 [Apollo ProMedia ... 0         
11 00:00.0  VIA Technologies, Inc.       VT8601 [Apollo ProMedia]... 0

You should enter the BIOS and disable anything unused; it will help quite a bit sometimes. Disable USB, audio, unused IDE ports, COM ports, etc. Anything that has to be polled on the PCI bus is going to be more work, even if it’s not used.
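To make the IRQ-sharing check repeatable across a fleet of these boxes, here is an added example that is not part of the thread and not MikroTik code. It parses the `/system resource pci print` table posted above (a constructed copy of that output, including the `...` truncation RouterOS applies to long names), groups devices by IRQ line, and reports which NICs share a line with devices the BIOS could turn off. The keyword lists that classify devices as NIC, USB, audio or video are assumptions chosen for this hardware and would need extending for other boards.

```python
import re
from collections import defaultdict

# Constructed copy of the `/system resource pci print` output quoted above;
# not captured from a live router.
PCI_PRINT = """\
 # DEVICE   VENDOR                       NAME                        IRQ
 0 01:00.0  Trident Microsystems         CyberBlade/i1 (rev: 106)    12
 1 00:0b.0  Realtek Semiconductor Co.... RTL-8139/8139C/8139C+ (r... 11
 2 00:09.0  Realtek Semiconductor Co.... RTL-8139/8139C/8139C+ (r... 10
 3 00:08.0  Realtek Semiconductor Co.... RTL-8139/8139C/8139C+ (r... 12
 4 00:07.5  VIA Technologies, Inc.       VT82C686 AC97 Audio Cont... 5
 5 00:07.4  VIA Technologies, Inc.       VT82C686 [Apollo Super A... 0
 6 00:07.3  VIA Technologies, Inc.       VT82xxxxx UHCI USB 1.1 C... 11
 7 00:07.2  VIA Technologies, Inc.       VT82xxxxx UHCI USB 1.1 C... 11
 8 00:07.1  VIA Technologies, Inc.       VT82C586A/B/VT82C686/A/B... 0
 9 00:07.0  VIA Technologies, Inc.       VT82C686 [Apollo Super S... 0
10 00:01.0  VIA Technologies, Inc.       VT8601 [Apollo ProMedia ... 0
11 00:00.0  VIA Technologies, Inc.       VT8601 [Apollo ProMedia]... 0
"""

# Row: index, PCI address, free-text vendor+name (may contain spaces), IRQ.
# The header line starts with '#', so it never matches.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.+?)\s+(\d+)\s*$")

# Classification keywords; assumed for this board, extend for other hardware.
NIC_KEYWORDS = ("RTL-", "Realtek", "Ethernet")
OPTIONAL_KEYWORDS = {"Audio": "audio", "USB": "usb", "CyberBlade": "video", "Trident": "video"}


def classify(description):
    if any(keyword in description for keyword in NIC_KEYWORDS):
        return "nic"
    for keyword, kind in OPTIONAL_KEYWORDS.items():
        if keyword in description:
            return kind
    return "other"


def parse_pci(output):
    """Return one dict per device. An IRQ of 0 means no line is assigned."""
    devices = []
    for line in output.splitlines():
        match = ROW_RE.match(line)
        if not match:
            continue
        description = " ".join(match.group(3).split())  # collapse column padding
        devices.append({
            "device": match.group(2),
            "description": description,
            "kind": classify(description),
            "irq": int(match.group(4)),
        })
    return devices


def shared_irqs(devices):
    """Map IRQ -> devices on that line, keeping only lines used by more than one device."""
    by_irq = defaultdict(list)
    for dev in devices:
        if dev["irq"] != 0:
            by_irq[dev["irq"]].append(dev)
    return {irq: devs for irq, devs in by_irq.items() if len(devs) > 1}


def nic_conflicts(devices):
    """For each NIC, the PCI addresses of other devices sharing its IRQ line."""
    shared = shared_irqs(devices)
    return {
        dev["device"]: [other["device"] for other in shared.get(dev["irq"], []) if other is not dev]
        for dev in devices if dev["kind"] == "nic"
    }


def report(output):
    """Human-readable lines naming what to disable in the BIOS for each NIC."""
    devices = parse_pci(output)
    by_address = {dev["device"]: dev for dev in devices}
    lines = []
    for nic, others in nic_conflicts(devices).items():
        irq = by_address[nic]["irq"]
        if not others:
            lines.append("NIC %s on IRQ %d: exclusive" % (nic, irq))
        else:
            kinds = ", ".join("%s (%s)" % (addr, by_address[addr]["kind"]) for addr in others)
            lines.append("NIC %s on IRQ %d shared with %s" % (nic, irq, kinds))
    return lines


if __name__ == "__main__":
    print("\n".join(report(PCI_PRINT)))
```

Run against the posted table this flags `00:08.0` sharing IRQ 12 with the video controller and `00:0b.0` sharing IRQ 11 with both USB controllers, while `00:09.0` has IRQ 10 to itself; devices showing IRQ 0 are ignored because they have no line assigned. Running the same script after the BIOS changes is a quick way to confirm that the NICs ended up on exclusive lines.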