
 
Savanture
just joined
Topic Author
Posts: 4
Joined: Wed Aug 07, 2019 12:02 am
Location: Moscow, Russian Federation

What is "related" connection

Wed Aug 07, 2019 12:46 am

Hi, Mikrotik community.
Please help me find out what connection-state=related means.
In numerous manuals on the Internet I saw firewall setup guides where it was recommended to add an accept rule for "established" and "related" connections. I made 2 separate accept rules, one for each connection state, and found that for at least 2 days no packets at all passed through the input or forward rule with connection-state=related.
So what is "related" used for?
How connection becomes "related" in RouterOS?
 
pe1chl
Forum Guru
Posts: 5545
Joined: Mon Jun 08, 2015 12:09 pm

Re: What is "related" connection  [SOLVED]

Wed Aug 07, 2019 11:32 am

For example, when you make a TCP connection and some system along the way sends an ICMP packet to inform you about certain issues, that ICMP traffic would be "related" to the TCP connection.
An unsolicited ICMP packet would not match that, but an ICMP packet that has the same TCP port numbers inside it as an open TCP connection would match it.
Also, there are some protocols (FTP is the best-known example) that set up extra connections in the other direction in certain cases; those could count as "related" provided that the proper helper is enabled (/ip firewall service-port).
 
Savanture
just joined
Topic Author
Posts: 4
Joined: Wed Aug 07, 2019 12:02 am
Location: Moscow, Russian Federation

Re: What is "related" connection

Wed Aug 07, 2019 1:49 pm

Hi, pe1chl!
Thank you for your answer. I will later create a new topic about FTP and FTP helper as I could not make it work.
But I have some additional questions:
1. I always thought that an ICMP packet with some additional information about the transferred data would use the same TCP connection as the transferred IP packet. Am I wrong? I mean, I thought that the ICMP packet would be passed through the already established connection and by the firewall rule for connection-type=established.
2. For my internal network I am using srcnat to the Internet. So if, as you say, ICMP packets are not part of the already established TCP connection and will in some cases be treated by RouterOS as "related", then should I do some additional settings to make these ICMP packets reach the connection initiator in my internal network?
 
pe1chl
Forum Guru
Posts: 5545
Joined: Mon Jun 08, 2015 12:09 pm

Re: What is "related" connection

Wed Aug 07, 2019 3:06 pm

No, ICMP is a separate protocol at the same level as TCP and UDP. However, when an ICMP packet is sent, it includes part of the original packet that it refers to, in this case the TCP header.
So the router knows that this is "related" and the NAT layer makes sure it is sent to the correct internal system. When "related" is accepted in the forward chain, that is.

Unfortunately there is a lot of misinformation about ICMP going around, and claims that you should block it for security. However it is completely wrong to do that, and it will cause problems e.g. when you use a VPN. (see the many topics about "I am unable to reach some sites via my VPN")
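To make the "related" matching and the NAT un-mapping described in the two answers above concrete, here is an added example (not RouterOS code and not from either poster) that models what connection tracking does with an ICMP error: it reads the quoted IPv4/TCP header inside the ICMP payload, looks it up in a small constructed connection table, and, because the quoted packet carries the srcnat'ed public address, returns the LAN host the error must be forwarded to. All addresses, ports and the `Conn`/`CONNTRACK` names are constructed for the demo.

```python
import struct
from dataclasses import dataclass

# Constructed conntrack entry: a LAN host behind srcnat talking to a public web server.
# lan_* is the tuple as seen on the LAN side; nat_* is what the router substituted on the WAN side.
@dataclass(frozen=True)
class Conn:
    lan_src: str
    lan_sport: int
    dst: str
    dport: int
    nat_src: str
    nat_sport: int

CONNTRACK = [Conn("192.168.1.10", 40000, "203.0.113.5", 443, "198.51.100.1", 40000)]

def build_icmp_error(icmp_type, code, orig_src, orig_dst, sport, dport):
    """Constructed ICMP error: 8-byte ICMP header + quoted original IPv4 header
    (20 bytes, protocol 6 = TCP) + first 8 bytes of the original TCP header."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0, 0, 64, 6, 0,
                         bytes(map(int, orig_src.split("."))), bytes(map(int, orig_dst.split("."))))
    tcp_hdr = struct.pack("!HHI", sport, dport, 1)      # sport, dport, seq
    return icmp_hdr + ip_hdr + tcp_hdr

def classify_icmp(pkt):
    """Return ('related', lan_host) if the ICMP payload quotes a tracked connection,
    else ('new', None). This is the conntrack step that runs before the filter rules,
    so 'related' only helps once the forward chain actually accepts it."""
    icmp_type = pkt[0]
    if icmp_type not in (3, 4, 5, 11, 12) or len(pkt) < 8 + 20 + 8:   # not an error with a quoted header
        return ("new", None)
    ihl = (pkt[8] & 0x0F) * 4                      # quoted IPv4 header length
    proto = pkt[8 + 9]
    inner_src = ".".join(map(str, pkt[8 + 12:8 + 16]))
    inner_dst = ".".join(map(str, pkt[8 + 16:8 + 20]))
    if proto != 6:
        return ("new", None)
    sport, dport = struct.unpack("!HH", pkt[8 + ihl:8 + ihl + 4])
    for c in CONNTRACK:
        # The quoted packet is the outbound one *after* srcnat: public src -> server dst.
        if (inner_src, sport, inner_dst, dport) == (c.nat_src, c.nat_sport, c.dst, c.dport):
            return ("related", c.lan_src)           # NAT un-maps it to the LAN initiator
    return ("new", None)
```

An unsolicited echo request, or an error quoting ports that are not in the table, falls through to "new", which is why an accept rule for "related" alone does not admit arbitrary ICMP.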
 
Savanture
just joined
Topic Author
Posts: 4
Joined: Wed Aug 07, 2019 12:02 am
Location: Moscow, Russian Federation

Re: What is "related" connection

Wed Aug 07, 2019 4:57 pm

pe1chl, thank you for your explanations. I have rules for accepting only some set of ICMP packets in forward chain.
