ners
Member Candidate
Topic Author
Posts: 100
Joined: Tue Mar 12, 2013 4:30 pm

What is more efficient for ACL on WAN: conntrack->off or on with established?

Sun Jul 14, 2019 11:35 am

/ip firewall address-list add address=5.43.16.0/20 list=WAN-IN-FILTER
/ip firewall address-list add address=10.0.0.0/8 list=WAN-IN-FILTER
/ip firewall address-list add address=172.16.0.0/12 list=WAN-IN-FILTER
/ip firewall address-list add address=192.168.0.0/16 list=WAN-IN-FILTER
I have such an address list which I use for filtering out traffic with source IP belonging to my network.
What is more efficient from these two options:

1)
connection tracking -> off
/ip firewall filter add action=drop chain=forward in-interface-list=WAN_INTERFACES src-address-list=WAN-IN-FILTER
2)
connection tracking -> on
/ip firewall filter add action=accept chain=forward connection-state=established,related
/ip firewall filter add action=drop chain=forward in-interface-list=WAN_INTERFACES src-address-list=WAN-IN-FILTER
??
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: What is more efficient for ACL on WAN: conntrack->off or on with established?  [SOLVED]

Sun Jul 14, 2019 12:18 pm

Matching each packet to an address-list of few items should be less CPU-intensive than matching it to a much larger list of existing tracked connections, so if you don't need connection tracking for other purposes (bear in mind that the functionality of NAT depends on connection tracking), the first approach is more efficient.
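To make the difference between the two rule sets concrete, here is an added Python model of first-match chain evaluation (not RouterOS code and not from any poster in this thread). It also goes one step beyond the efficiency question: in option 2 the established,related accept is evaluated before the anti-spoofing drop, so a packet arriving on a WAN interface that conntrack already associates with a flow is accepted whatever its source, which is why the drop rule belongs first if conntrack stays on. The interface names, the sample packets and the implicit accept at the end of the forward chain are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass

# The thread's WAN-IN-FILTER address list (prefixes taken from the first post).
WAN_IN_FILTER = [ipaddress.ip_network(p) for p in (
    "5.43.16.0/20", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WAN_INTERFACES = {"ether1-isp1", "ether2-isp2"}  # assumed WAN_INTERFACES members

@dataclass
class Packet:
    src: str
    in_iface: str
    tracked: bool = False  # conntrack already knows this flow (established/related)

def in_wan_filter(pkt):
    """in-interface-list=WAN_INTERFACES src-address-list=WAN-IN-FILTER"""
    ip = ipaddress.ip_address(pkt.src)
    return pkt.in_iface in WAN_INTERFACES and any(ip in net for net in WAN_IN_FILTER)

def is_established(pkt):
    """connection-state=established,related (only meaningful with conntrack on)"""
    return pkt.tracked

# A chain is an ordered list of (matcher, action): first match wins, and a packet
# that matches nothing falls through to the forward chain's implicit accept.
OPTION1 = [(in_wan_filter, "drop")]
OPTION2 = [(is_established, "accept"), (in_wan_filter, "drop")]
OPTION2_FIXED = [(in_wan_filter, "drop"), (is_established, "accept")]

def evaluate(chain, pkt):
    for matches, action in chain:
        if matches(pkt):
            return action
    return "accept"

# Constructed packets: fresh spoofed, spoofed but matching a tracked flow,
# a legitimate internet source, and a LAN-side packet (not on a WAN interface).
SAMPLES = {
    "spoofed-new": Packet("10.1.2.3", "ether1-isp1"),
    "spoofed-tracked": Packet("192.168.1.10", "ether2-isp2", tracked=True),
    "internet": Packet("203.0.113.5", "ether1-isp1", tracked=True),
    "lan": Packet("10.1.2.3", "ether3-lan"),
}

def verdicts(chain):
    return {name: evaluate(chain, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, chain in (("option1", OPTION1), ("option2", OPTION2), ("option2-fixed", OPTION2_FIXED)):
        print(name, verdicts(chain))
```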
 
ners
Member Candidate
Topic Author
Posts: 100
Joined: Tue Mar 12, 2013 4:30 pm

Re: What is more efficient for ACL on WAN: conntrack->off or on with established?

Sun Jul 14, 2019 12:43 pm

Yes, I currently have connection tracking turned off. I don't need it for anything else.
So I'll stick to my current setup. Thanks!
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: What is more efficient for ACL on WAN: conntrack->off or on with established?

Sun Jul 14, 2019 1:22 pm

Instead of doing the filtering manually, you could also do it through:
/ip settings set rp-filter=strict
See: https://wiki.mikrotik.com/wiki/Manual:I ... Properties
 
ners
Member Candidate
Topic Author
Posts: 100
Joined: Tue Mar 12, 2013 4:30 pm

Re: What is more efficient for ACL on WAN: conntrack->off or on with established?

Sun Jul 14, 2019 1:46 pm

sebastia wrote:
Instead of doing the filtering manually, you could also do it through:
/ip settings set rp-filter=strict
See: https://wiki.mikrotik.com/wiki/Manual:I ... Properties
I thought about rp-filter, but it seems I can't. I have two ISPs and two full-view BGP sessions with them, so returning packets might come via the other link (and rp_filter would discard them).
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: What is more efficient for ACL on WAN: conntrack->off or on with established?

Sun Jul 14, 2019 11:32 pm

Asymmetric routing & rp-filter don't go hand-in-hand, that's true.