Maggiore81 (Member, Topic Author; Posts: 367; Joined: Sun Apr 15, 2012 12:10 pm; Location: Italy)

BGP and conntrack

Mon Jan 27, 2020 10:22 pm

Hello. I am studying again to refresh MTCINE, and on the slides I encountered a sentence where it says that conntrack has to be disabled for best performance.
Well... the slides are from 2012, and now there is fastpath, fasttrack and so on.

On my ISP's core router, we use conntrack with fasttrack (the forward "invalid" rule is disabled).
I have seen that disabling conntrack has no benefit, since we lose some firewall functions, and we also see higher CPU usage, because I assume that packets are going through the slow path.

What is the final suggestion here in 2020? I successfully use BGP with conntrack+fasttrack (invalid packets being forwarded are not dropped, since we are completely multihomed).
I tried to add a raw NOTRACK rule for all the traffic that was not local, but CPU was higher, so I reverted to the initial configuration of conntrack+fasttrack.
Thank you
Dott. Elia Spadoni
---
Network Administrator
MTCNA, MTCRE, MTCTCE, MTCINE, MTCWE, MTCSE
Spadhausen Internet Provider
Ravenna, ITALY
http://www.spadhausen.com
 
Maggiore81

Re: BGP and conntrack

Mon Oct 26, 2020 9:39 pm

One year has passed, and no opinion from other users?
 
markonen (just joined; Posts: 8; Joined: Tue Aug 11, 2020 4:28 pm)

Re: BGP and conntrack

Tue Oct 27, 2020 2:23 pm

Conntrack is beneficial when the device can comfortably handle the number of connections. On your core router, that seems to be the case for normal traffic.

Each connection has a memory cost though, and that makes conntrack a potential weak point in DoS attacks.

So with conntrack/fasttrack the router performance is largely a function of the number of connections, whereas with conntrack disabled the performance is determined more by the number of packets forwarded. If your router is beefy enough to forward small packets at line rate without conntrack, then disabling conntrack can offer more predictable performance when under attack.
 
Maggiore81

Re: BGP and conntrack

Tue Oct 27, 2020 5:03 pm

Thank you for your opinion.

I have also read about the slow path and the fast path/conntrack.
I have made some tests, and with my current traffic (about 5 Gigs), on a 1036 with slow path I reach 50-60% CPU.
With fasttrack I reach 20% at maximum.

I have the established timeout set at 5 minutes, so I free the table quickly.
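To put the setup discussed in this thread in concrete RouterOS terms, here is an added configuration example. It is not the poster's actual configuration and not MikroTik documentation: the rule comments, the choice to show the raw NOTRACK alternative as a disabled rule, and the ordering are assumptions. The pieces that come from the thread are conntrack kept enabled with fasttrack, the forward "invalid" rule present but disabled (multihomed, asymmetric flows), and a 5-minute established timeout. The two print commands at the end are the check a defender would watch under load: total entries against max-entries, since a table that fills up is the DoS weak point markonen describes.

```routeros
# Added example, not the original poster's configuration. Comments and the
# disabled-rule layout are assumptions; timeouts and rule states follow the thread.

/ip firewall connection tracking
# Keep conntrack enabled (fasttrack depends on it) and shorten the established
# timeout so idle flows leave the table quickly. The thread uses 5 minutes;
# the RouterOS default is 1d.
set enabled=yes tcp-established-timeout=5m

/ip firewall filter
# Fasttrack established/related forward traffic so it bypasses the slow path.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"
# Accept the same traffic for packets fasttrack does not handle (e.g. first packets).
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"
# The usual drop-invalid rule is kept but disabled, as on the poster's multihomed
# core, where asymmetric return paths would otherwise be dropped as invalid.
add chain=forward action=drop connection-state=invalid disabled=yes \
    comment="drop invalid (disabled: multihomed, asymmetric flows)"

/ip firewall raw
# Alternative the thread mentions: do not track transit traffic, only traffic to
# the router itself. Left disabled here: the poster measured higher CPU with it,
# likely because untracked packets cannot be fasttracked.
add chain=prerouting action=notrack dst-address-type=!local disabled=yes \
    comment="notrack transit traffic (disabled)"

# Checks: current vs. maximum table size, and the live entry count.
# Watch total-entries approach max-entries during an attack.
/ip firewall connection tracking print
/ip firewall connection print count-only
```

The connection-tracking print shows max-entries and total-entries; comparing them over time (for example from a scheduler script or an SNMP poll) is the practical way to see whether the 5-minute timeout is keeping the table bounded at the observed connection rate, which is the trade-off markonen's post turns on.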
