What is "related" connection

Posted: Wed Aug 07, 2019 12:46 am
by Savanture
Hi, Mikrotik community.
Please help me find out what connection-state=related means.
In numerous manuals on the Internet I saw firewall setup guides where it was recommended to add an accept rule for "established" and "related" connections. I made 2 separate accept rules for each connection state and found that, for at least 2 days, no packets at all passed through the input or forward rule with connection-state=related.
So what related is used for?
How connection becomes "related" in RouterOS?

Re: What is "related" connection  [SOLVED]

Posted: Wed Aug 07, 2019 11:32 am
by pe1chl
For example, when you make a TCP connection and some system along the way sends an ICMP packet to inform you about certain issues, that ICMP traffic would be "related" to the TCP connection.
An unsolicited ICMP packet would not match that, but an ICMP packet that has the same TCP port numbers inside it as an open TCP connection would match it.
Also, there are some protocols (FTP is the best-known example) that set up extra connections in the other direction in certain cases; those could count as "related" provided that the proper helper is enabled (/ip firewall service-port).

Re: What is "related" connection

Posted: Wed Aug 07, 2019 1:49 pm
by Savanture
Hi, pe1chl!
Thank you for your answer. I will later create a new topic about FTP and the FTP helper, as I could not make it work.
But I have some additional questions:
1. I always thought that an ICMP packet with some additional information about the transferred data would use the same TCP connection as the transferred IP packet. Am I wrong? I mean, I thought that the ICMP packet would be passed through the already established connection and by the firewall rule for connection-type=established.
2. For my internal network I am using srcnat to the Internet. So if, as you say, ICMP packets are not a part of the already established TCP connection and will in some cases be treated by RouterOS as "related", then should I do some additional settings to make these ICMP packets reach the connection initiator in my internal network?

Re: What is "related" connection

Posted: Wed Aug 07, 2019 3:06 pm
by pe1chl
No, ICMP is a separate protocol at the same level as TCP and UDP. However, when an ICMP packet is sent, it includes part of the original packet that it refers to, in this case the TCP header.
So the router knows that this is "related" and the NAT layer makes sure it is sent to the correct internal system. When "related" is accepted in the forward chain, that is.

Unfortunately there is a lot of misinformation about ICMP going around, and claims that you should block it for security. However it is completely wrong to do that, and it will cause problems e.g. when you use a VPN. (see the many topics about "I am unable to reach some sites via my VPN")
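
The mechanism pe1chl describes in this thread (an ICMP error quotes the header of the packet it refers to, and the connection tracker uses that quoted header to tie the error to an existing TCP flow) as an added example in Python; this is not code from the thread or from RouterOS, just a toy conntrack table and classifier. All addresses, ports and packets are constructed here, checksums are left at zero, IP options and IPv6 are ignored, and the table stores each flow in its original direction the way conntrack does.

```python
"""Toy model of how a stateful firewall decides an ICMP error is "related".

Constructed example: one tracked outbound TCP connection, then three inbound
packets classified the way a conntrack-style firewall would see them.
"""
import struct
from ipaddress import ip_address

# Constructed conntrack table, keyed in original direction (initiator -> responder).
CONNTRACK = {
    ("tcp", "192.0.2.10", 51234, "203.0.113.5", 443): "established",
}

# ICMP error types that carry the offending IP header + first 8 bytes of its payload.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options) in front of payload; checksum left as 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload


def build_tcp_segment(sport, dport):
    """TCP header where only the ports matter for this example; other fields zeroed."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 65535, 0, 0)


def build_icmp_error(icmp_type, code, original_packet):
    """ICMP error = 8-byte ICMP header + quoted IP header + first 8 bytes of its payload."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + original_packet[:28]


def parse_ipv4(buf):
    fields = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (fields[0] & 0x0F) * 4
    return {"proto": fields[6], "src": str(ip_address(fields[8])),
            "dst": str(ip_address(fields[9])), "payload": buf[ihl:]}


def classify(packet):
    """Return 'established', 'related', 'new' or 'invalid' for a raw IPv4 packet."""
    ip = parse_ipv4(packet)
    if ip["proto"] == 6:  # TCP: match either direction of a tracked flow
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        fwd = ("tcp", ip["src"], sport, ip["dst"], dport)
        rev = ("tcp", ip["dst"], dport, ip["src"], sport)
        return "established" if fwd in CONNTRACK or rev in CONNTRACK else "new"
    if ip["proto"] == 1:  # ICMP
        icmp_type = ip["payload"][0]
        if icmp_type not in ICMP_ERROR_TYPES:
            return "new"  # echo request/reply etc. get their own conntrack entry
        if len(ip["payload"]) < 28:  # too short to hold the quoted IP header
            return "invalid"
        inner = parse_ipv4(ip["payload"][8:])
        if inner["proto"] == 6 and len(inner["payload"]) >= 4:
            sport, dport = struct.unpack("!HH", inner["payload"][:4])
            # The quoted header is the packet *we* sent, so it is in original direction.
            if ("tcp", inner["src"], sport, inner["dst"], dport) in CONNTRACK:
                return "related"
        return "invalid"  # an error about a flow nobody here opened: unsolicited
    return "new"


def demo():
    """Classify a constructed set of packets; returns a dict of outcomes."""
    outbound = build_ipv4("192.0.2.10", "203.0.113.5", 6, build_tcp_segment(51234, 443))
    # A router on the path reports "fragmentation needed" (type 3, code 4) about that segment.
    pmtu_error = build_ipv4("198.51.100.1", "192.0.2.10", 1, build_icmp_error(3, 4, outbound))
    # Same error type, but quoting a connection that was never tracked.
    stray = build_ipv4("192.0.2.10", "203.0.113.99", 6, build_tcp_segment(40000, 80))
    stray_error = build_ipv4("198.51.100.1", "192.0.2.10", 1, build_icmp_error(3, 4, stray))
    # A plain echo request is neither established nor related.
    ping = build_ipv4("198.51.100.1", "192.0.2.10", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
    return {"tcp": classify(outbound), "pmtu": classify(pmtu_error),
            "stray": classify(stray_error), "ping": classify(ping)}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

The quoted-header lookup is also what lets the NAT layer deliver the error to the right internal host: it rewrites the address and port inside the quoted header as well as the outer destination, which is why a "related" accept rule in forward is what the srcnat case needs. The "stray" packet shows the flip side, an error about a flow that was never tracked is not "related" at all, so the rule does not open the door to unsolicited ICMP.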

Re: What is "related" connection

Posted: Wed Aug 07, 2019 4:57 pm
by Savanture
pe1chl, thank you for your explanations. I have rules for accepting only some set of ICMP packets in forward chain.