What relies on Connection Tracking?

I have an RB1000 that is nearly peaking out at 100% CPU due to heavy load. It is doing routing, IP accounting, NAT (for our management stuff to get online and overflow for our public pools) and queues (for clients who break AUP).

I am pushing about 100 Mbit over it to serve a few thousand subscribers. Our upstream is about to move us to a Gb port.

I have already moved the hotspot controller, User Manager, and each user's service-level queues to other systems. We also stopped L7 shaping P2P and no longer use mangle. I want to add BGP and OSPF soon.

I think I may need to ditch connection tracking to save the CPU soon. I went online to look for a list of things that rely on connection tracking. I found there is no such list.

I already know NAT needs it. I can move that to another router.

What else?

If I can build a list I can post it in the Wiki.

Everything that you have under the Firewall menu (including Mangle, NAT, Filter).

Is there anything not under the firewall menu that will stop working?

Like queues or accounting?

All queues also. We will make a Wiki article about this; thanks for pointing out the lack of this information.

Perhaps features that rely on tracking should go grey when tracking is off, just like when I disable an interface, its IPs go grey.

You can still use the firewall filter, you just can't use matchers that rely on connection tracking. Simple rules that match src/dst IP, ports, etc. will all still work.

All queues also.

Normis, I have no idea why they should stop working after connection tracking is disabled. Are you sure?

Well, queues partially work. But I would not rely on that. Hence, enable connection tracking for queuing.

Will wait for the Wiki article… to know what in queues depends on ConnTrack…

Does IP accounting or policy routing rely on conntrack?

Normis, is there already such Wiki page? =)

Working on it now…

Basically "connection-state, connection-mark, connection-type, p2p" will not work. Accounting, policy routing, simple firewall rules WILL WORK. NAT won't work.
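A small audit script based on the list in the post above, added here as an example (not from the thread or from MikroTik): it walks a RouterOS `/ip firewall export` in the usual `add key=value ...` form, and flags every rule that uses the conntrack-dependent matchers named above, the `mark-connection` action, or sits in the NAT table, so you can see what would break before switching connection tracking off. The export below is a constructed sample, not a real router's config.

```python
import re

# Matchers the thread reports stop working without connection tracking.
CONNTRACK_MATCHERS = ("connection-state", "connection-mark", "connection-type", "p2p")
# Actions that only make sense on a tracked connection.
CONNTRACK_ACTIONS = {"mark-connection"}
# Whole tables that need connection tracking (NAT, per the thread).
CONNTRACK_SECTIONS = {"/ip firewall nat"}

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

# Constructed sample of '/ip firewall export' output (not from the thread).
SAMPLE_EXPORT = """\
# sample export, constructed for this example
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=input protocol=tcp dst-port=23 src-address=!10.0.0.0/8
add action=drop chain=forward p2p=all-p2p comment="AUP: block P2P"
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=clients \\
    src-address=10.10.0.0/16
add action=mark-packet chain=prerouting connection-mark=clients new-packet-mark=cl
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
"""

def join_continuations(text):
    """RouterOS exports wrap long rules with a trailing backslash; rejoin them."""
    out, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    return out

def audit_export(text):
    """Return the rules (section, rule text, reasons) that depend on conntrack."""
    findings, section = [], ""
    for line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header, e.g. /ip firewall nat
            section = line
            continue
        if not line.startswith("add "):
            continue
        kv = dict(KV_RE.findall(line))
        reasons = ["NAT table requires connection tracking"] if section in CONNTRACK_SECTIONS else []
        reasons += [f"matcher {k}={kv[k]}" for k in CONNTRACK_MATCHERS if k in kv]
        if kv.get("action") in CONNTRACK_ACTIONS:
            reasons.append(f"action={kv['action']}")
        if reasons:
            findings.append({"section": section, "rule": line, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f["section"], "|", f["rule"], "|", "; ".join(f["reasons"]))
```

Feed it the real export instead of the sample to get the list for your own router; a rule that is not flagged only uses stateless matchers (addresses, ports, interfaces) and should keep working.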

The most interesting part is queues =)

(read above)

I tested it and simple queues worked fine for us. But your mileage may vary.

We also found out turning off conntrack on our RB1000 made only a small difference. We ended up installing a Mikronoc 2200 dual core router and that solved all our issues.

List at bottom of this page:
http://wiki.mikrotik.com/wiki/Connection_tracking

How about IP helpers? They probably need to be added to that list: GRE/PPTP, IRC, H.323, SIP, etc.

new-connection-mark and connection-mark work without any problem with conntrack disabled.

?..

wo_Ot

I am starting to get the feeling that the only way to know what breaks and what doesn't would be for MT to dig through all the source code and trace it out or something.

But as I found, conntrack only added ~5-15% to the CPU in our environment. I know for me this is now a much less important question.