lapsio
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm

Any advantages of stateless firewall on RouterOS?

Mon Jul 17, 2017 11:44 am

I've noticed several times already that people configure the RouterOS firewall in a stateless fashion on production. Is there any actual reason not to use conntrack/fasttrack in more security-critical installations? Because I have the opportunity to "fix" a terribly illegible and messed-up mtk config backing a monitoring system. It's using a stateless firewall, so I'd like to reconfigure it to a stateful approach, maybe even with fasttrack enabled, but I'm not sure if there are any security implications of such a change.
MTCNA, MTCRE, MTCINE
 
Cha0s
Forum Veteran
Posts: 899
Joined: Tue Oct 11, 2005 4:53 pm

Re: Any advantages of stateless firewall on RouterOS?

Mon Jul 17, 2017 6:14 pm

Connection tracking takes up a lot of resources.

On core routers it's counter productive to use CT as it will slow things down considerably on high traffic (and especially during DDoS attacks).

Nowadays with RAW filters you can still use CT for input/output chain (to protect the router) but bypass CT for forwarded traffic using IP > Firewall > RAW.
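A RouterOS configuration sketch of the split described above (connection tracking kept for the router's own input/output traffic, bypassed for transit traffic via the RAW table), added here as an example and not taken from the thread; the interface name ether1-wan, the 192.168.88.0/24 management subnet and the 192.168.88.10 published host are assumptions.

```routeros
# Added example (not from the thread): keep conntrack for the router's own
# traffic, bypass it for forwarded traffic through the RAW table.
# Assumed names: ether1-wan (uplink), 192.168.88.0/24 (management LAN).

# 1. RAW: packets not addressed to the router itself never enter the
#    conntrack table. dst-address-type=local matches the router's own IPs,
#    so replies to router-originated connections are still tracked.
/ip firewall raw
add chain=prerouting dst-address-type=!local action=notrack \
    comment="bypass conntrack for forwarded (transit) traffic"

# 2. Stateful protection of the router itself: the input chain still sees
#    tracked packets, so connection-state matchers work here.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input src-address=192.168.88.0/24 protocol=tcp dst-port=22,8291 \
    action=accept comment="management from LAN only"
add chain=input in-interface=ether1-wan action=drop

# 3. Forward chain: untracked packets never match connection-state, so
#    transit rules must be written statelessly (addresses, ports, TCP flags).
add chain=forward in-interface=ether1-wan protocol=tcp dst-port=80,443 \
    dst-address=192.168.88.10 action=accept comment="published web host"
add chain=forward in-interface=ether1-wan protocol=tcp tcp-flags=syn,!ack \
    action=drop comment="no new inbound TCP connections from the uplink"
```

Two consequences to check before applying this to a hotspot or NATed setup: fasttrack only applies to tracked connections, so it can no longer accelerate the transit traffic, and srcnat/masquerade also depends on conntrack, so untracked forwarded packets are not translated.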
 
barkas
Member Candidate
Posts: 260
Joined: Sun Sep 25, 2011 10:51 pm

Re: Any advantages of stateless firewall on RouterOS?

Mon Jul 17, 2017 10:31 pm

In redundant setups, statefulness might not be wanted since state tables are not replicated.
Also, performance.
 
lapsio
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm

Re: Any advantages of stateless firewall on RouterOS?

Tue Jul 18, 2017 12:33 am

What do you mean by "performance hit" - memory, CPU or both? Also, how serious is it? The device used here is an RB951, so quite a weak device considering it's handling monitoring traffic and a parking lot hotspot. I'd need to perform some tests to give more detailed info, but roughly what's the performance impact - 10, 50, 200, 1000%? Also - it's supposed to be using an IPsec VPN now - doesn't VPN require conntrack anyway?
MTCNA, MTCRE, MTCINE
 
normis
MikroTik Support
Posts: 24191
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Any advantages of stateless firewall on RouterOS?

Tue Jul 18, 2017 10:34 am

If you are considering IPsec, I suggest switching to a device that does hardware-level encryption, since this will bring your device to its knees first, not the firewall.