 
Boris Bakchiev
just joined
Topic Author
Posts: 4
Joined: Thu Jul 08, 2004 12:25 am

Connection Tracking

Wed Sep 26, 2007 2:08 am

Hi,

It would be excellent if we could specify in the NAT tables something equivalent to "-j NOTRACK"

When a router is used with NAT as well as routed networks, all routed network traffic passes through the conntrack tables.
It would be nice if we could disable conntrack for some of the traffic.

Best Regards
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Connection Tracking

Thu Sep 27, 2007 10:44 am

As far as I know, you can only disable or enable connection tracking for all connections. No other possibilities are provided.

Maybe you could provide a scenario why you would need such an option?
 
Boris Bakchiev
just joined
Topic Author
Posts: 4
Joined: Thu Jul 08, 2004 12:25 am

Re: Connection Tracking

Fri Sep 28, 2007 3:07 am

Well,

Consider a scenario where a 532A gets a 10 Mbit internet connection on eth0, provides NAT access to a few clients on eth1 and also routes (no NAT) traffic on eth2.

In this case the router gets bogged down with the connection tracking for eth0<->eth2, which should not have any connection tracking as it is a routed network.

The only connection tracking that should be done is for eth0<->eth1.

It would be nice to have a way to mark the traffic so that it bypasses the conntrack table, as you can do in iptables.

Best Regards
 
LukasSVK
newbie
Posts: 40
Joined: Tue Dec 07, 2010 1:57 am
Location: Bratislava, Slovakia

Re: Connection Tracking

Sat Jul 14, 2012 7:32 am

Hello Janisk, why isn't this possible?
We have routers where in one VLAN we have public IP addresses and in another VLAN a small private network (with private IP addresses).
If we have conntrack on, some customers report connection drops in their VPNs. With conntrack off this is without problems.
Now we cannot disable conntrack for the public subnet (only enable/disable for all connections).

Can we expect a notrack feature in any new ROS version?

Thx L.
 
FIPTech
Member
Posts: 469
Joined: Tue Dec 22, 2009 1:53 am

Re: Connection Tracking

Wed Jul 18, 2012 11:21 pm

You can do that with FreeBSD (pfSense does support this).

It is sometimes useful to disable connection tracking for some traffic, especially routed VoIP traffic when there are multiple failover gateways, to avoid ghost connections causing dead VoIP trunks.

Without this option, a manual connection reset (or script reset) can be necessary.

From the pfSense feature list:

"State types - pfSense offers multiple options for state handling.

Keep state - Works with all protocols. Default for all rules.
Modulate state - Works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs) on behalf of the host.
Synproxy state - Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.
None - Do not keep any state entries for this traffic. This is very rarely desirable, but is available because it can be useful under some limited circumstances."
 
LukasSVK
newbie
Posts: 40
Joined: Tue Dec 07, 2010 1:57 am
Location: Bratislava, Slovakia

Re: Connection Tracking

Thu Jul 19, 2012 2:11 pm

Hi, yes I can use pfSense (FreeBSD based) or another Linux distro on x86/amd64 or ALIX etc etc ... I can buy a new MikroTik and use it for the private network, create a metarouter instance etc. => Now I need to fix the problem, so I have to buy another device for NAT. OK

But configurable connection tracking is imho a basic feature, it can save CPU power and many problems with helpers which we have enabled for the private network and would like to disable for public clients. (Does anyone have any other experience with conntrack enabled and services with public IPs??)

I'd rather have two powerful routers in VRRP setup with conntrack on for private clients and conntrack off for public clients than 4 small routers.

L.
 
FIPTech
Member
Posts: 469
Joined: Tue Dec 22, 2009 1:53 am

Re: Connection Tracking

Thu Jul 19, 2012 8:24 pm

According to what I've seen with NAT, it is always a difficult problem for VoIP if you have a failover gateway to access the public network.

You have to manually erase (or using a script) the wrong connections after a gateway change, or the VoIP trunks can become dead after coming back to the primary gateway.

This is the case with SIP, but the same problem can show up with IAX. I think that this problem can show up as well for other traffic sending packets almost continuously: the connection never resets through the timeout and keeps the wrong source address after a gateway change.

Sometimes because of NAT I've even seen Linux boxes sending a private IP to the world through the public interface. I've seen that on older OpenWRT routers I was using before. MikroTik is really more powerful and makes it easier to set things up and do advanced routing. So I use only that now even if NAT is still not perfect. Linux connection tracking seems not smart enough to use NAT with multiple gateways without script help. Winbox and The Dude are formidable tools for administration.

A solution, if possible, is to use tunnels and pure routing, and add a blackhole route to the private destination subnet (using a smaller prefix) to avoid ghost stalled connections during route switching. When route switching has occurred, the blackhole route will not be used anymore because the destination subnet route will have a bigger prefix. This should protect against wrong connection tracking.

As a general rule, don't use NAT if you want high reliability, or test it hard before entering production.
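The blackhole trick from the post above, as an added example that is not part of the thread: a tiny longest-prefix-match lookup in plain sh. "Smaller prefix" means a shorter prefix length, so the blackhole covers the whole private range (/8) while the tunnel route to the real destination (/24) is more specific and wins for as long as it exists. All addresses and next-hop names below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: longest-prefix match in plain sh to show
# why a short-prefix blackhole route only takes effect once the more specific
# tunnel route is withdrawn. Addresses and hop names are constructed.

# Dotted quad -> 32-bit integer.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# lookup ADDR ROUTES: prints the next hop of the longest matching route.
# ROUTES holds one "PREFIX/LEN NEXTHOP" entry per line.
lookup() {
  addr=$(ip2int "$1"); best_len=-1; best_hop=none
  while read -r prefix hop; do
    [ -n "$prefix" ] || continue
    net=$(ip2int "${prefix%/*}"); len=${prefix#*/}
    # network mask for LEN bits (64-bit shell arithmetic assumed)
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    if [ $(( addr & mask )) -eq $(( net & mask )) ] && [ "$len" -gt "$best_len" ]; then
      best_len=$len; best_hop=$hop
    fi
  done <<EOF
$2
EOF
  echo "$best_hop"
}

# Tunnel up: the /24 via the tunnel is more specific than the /8 blackhole.
ROUTES_TUNNEL_UP="0.0.0.0/0 wan1
10.0.0.0/8 blackhole
10.1.2.0/24 tun1"

# Tunnel down (route withdrawn): the /8 blackhole now beats the default route,
# so packets for the private subnet are dropped instead of leaving via the
# default gateway and NAT, which is what creates the stale conntrack entries.
ROUTES_TUNNEL_DOWN="0.0.0.0/0 wan1
10.0.0.0/8 blackhole"

lookup 10.1.2.5 "$ROUTES_TUNNEL_UP"       # tun1
lookup 10.1.2.5 "$ROUTES_TUNNEL_DOWN"     # blackhole
lookup 198.51.100.7 "$ROUTES_TUNNEL_DOWN" # wan1
```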
 
LukasSVK
newbie
Posts: 40
Joined: Tue Dec 07, 2010 1:57 am
Location: Bratislava, Slovakia

Re: Connection Tracking

Sun Jul 22, 2012 1:31 am

FIPTech: the problem isn't with the private service.
I know that there is a problem with VRRP + NAT + conntrack + VRRP iface switchover from Master -> Backup and back, but this isn't my problem now ).

My problem is the public service (MikroTik routes public IP addresses with conntrack on). And because this router routes public IP addresses and a small private network with NAT, I CAN'T disable conntrack. So my question is why ROS does not support configurable conntrack? (conntrack deactivated for a configured IP/subnet ..., as Linux has -notrack etc....)

This is the main idea of my posts :)
 
LukasSVK
newbie
Posts: 40
Joined: Tue Dec 07, 2010 1:57 am
Location: Bratislava, Slovakia

Re: Connection Tracking

Fri Jul 27, 2012 2:51 pm

Another question: why do all connections have to be connection tracked? Why not only NATted connections??

Thx L.
 
dadaniel
Member Candidate
Posts: 163
Joined: Fri May 14, 2010 11:51 pm

Re: Connection Tracking

Thu Jun 06, 2013 11:44 am

Any news about this topic? I'm also running into CPU load problems :(
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Connection Tracking

Thu Jun 06, 2013 1:39 pm

try at least RouterOS 6.0 version.
 
dadaniel
Member Candidate
Posts: 163
Joined: Fri May 14, 2010 11:51 pm

Re: Connection Tracking

Thu Jun 06, 2013 5:39 pm

> try at least RouterOS 6.0 version.
Already tried with v6... no difference.

Great that this is "no problem" for Sergejs... but why load the CPU when it is absolutely not necessary? Please look at the starting date of this thread ... 2007 :?

Hello,

Yes, connection tracking uses CPU, I do not see any problems with 35%-40% on
100Mbps traffic.

Regards,
Sergejs

> Hi,
>
> When I disable all firewall rules (except two - allow all lan connections and
> block all other) cpu load stays at the same level. tools/profile displays
> firewall usage of ~35. So it looks it has nothing
> to do with these rules. Is there anything I can do to reduce the cpu load?
>
> greetings
> Daniel
 
omidkosari
Trainer
Posts: 632
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran , Karaj
Contact:

Re: Connection Tracking

Tue Jun 11, 2013 10:34 am

Useful feature
MTCNA , MTCRE, MTCWE, Mikrotik Certified Trainer
 
sigxcpu
newbie
Posts: 27
Joined: Wed Sep 14, 2011 12:54 pm

Re: Connection Tracking

Sat Jun 22, 2013 11:49 pm

+1

NOTRACK is just another target, should be pretty easy to add.
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Connection Tracking

Sat Aug 24, 2013 5:54 pm

Yes, something like NOTRACK would be awesome. Once connection tracking is switched off, the maximum routing capacity is twice that with connection tracking. There are situations where connection tracking is on just because it's needed for a src-nat.

For example, several internal subnets (RFC 1918 IPs) connected to an RB2011 which is also the internet breakout (NAT). In my lab I had on an RB2011 a difference of 300 Mbit/s with conntrack vs 600 Mbit/s without conntrack. Why waive that extra 300 Mbit/s capacity between the internal networks just because I've a <100 Mbit/s uplink which needs NATting?

I strongly believe that scenarios like that are common enough to implement such a feature.
9-5 Job: Securityanalyst at a major MSSP.
Free time volunteer: Networkadmin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Connection Tracking

Sat Aug 24, 2013 6:23 pm

Or the alternative: do not tag by default, but only tag with a TAG target.
 
omidkosari
Trainer
Posts: 632
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran , Karaj
Contact:

Re: Connection Tracking

Thu Oct 10, 2013 3:45 pm

MTCNA , MTCRE, MTCWE, Mikrotik Certified Trainer
 
AlexS
Member Candidate
Posts: 265
Joined: Thu Oct 10, 2013 7:21 am

Re: Connection Tracking

Mon Oct 14, 2013 8:47 am

Hi

If RouterOS is based on Linux and iptables, then:

raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)

raw is the table you want to look at.

Also I was wondering if any thought had been given to sharing connection tracking info between RouterOS nodes of a VRRP; that would allow for seamless failover.....

This is available in Linux, again assuming that RouterOS is based on that.
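What the raw table and NOTRACK target look like for the three-interface scenario Boris described earlier in the thread (eth0 uplink, eth1 NATed clients, eth2 routed public subnet), as an added example that is not part of the thread. Interface names and the 192.168.1.0/24 and 203.0.113.0/24 subnets are constructed; the main point is the filter-chain caveat, since untracked packets never match ESTABLISHED,RELATED.

```shell
#!/bin/sh
# Added example, not from the thread: Linux iptables raw-table rules that
# exempt the routed subnet from conntrack while the NATed LAN stays tracked.
# Interface names and subnets are constructed values.
WAN=eth0
NAT_IF=eth1
NAT_NET=192.168.1.0/24
ROUTED_IF=eth2
ROUTED_NET=203.0.113.0/24

# Print the rule set; as root, apply it with: notrack_rules | sh
notrack_rules() {
  cat <<EOF
# raw is hooked before conntrack, so exempt both directions of the routed traffic
# (newer iptables spells the target "-j CT --notrack")
iptables -t raw -A PREROUTING -i $ROUTED_IF -j NOTRACK
iptables -t raw -A PREROUTING -i $WAN -d $ROUTED_NET -j NOTRACK
# the NATed LAN stays tracked: src-nat needs the state table
iptables -t nat -A POSTROUTING -s $NAT_NET -o $WAN -j MASQUERADE
# untracked packets have ctstate UNTRACKED, never ESTABLISHED/RELATED (nor
# INVALID), so the stateful accept below would not pass them: give them
# explicit accepts
iptables -A FORWARD -m conntrack --ctstate UNTRACKED -i $ROUTED_IF -o $WAN -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate UNTRACKED -i $WAN -d $ROUTED_NET -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $NAT_IF -o $WAN -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# Consistency check: nothing from the NATed side may be exempted from tracking,
# otherwise MASQUERADE has no state to rewrite the replies. Returns 0 if OK.
check_rules() {
  ! notrack_rules | grep -- 'NOTRACK' | grep -q -e "$NAT_IF" -e "$NAT_NET"
}
```

Without the two UNTRACKED accepts, the routed subnet goes dark the moment the NOTRACK rules are loaded, which is the usual first symptom of this change.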
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Connection Tracking

Wed Mar 04, 2015 10:04 pm

Hey Mikrotik,

any news on that thing here? We really would like to see the possibility of connection tracking turned off for some traffic.

Julian
9-5 Job: Securityanalyst at a major MSSP.
Free time volunteer: Networkadmin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
bajodel
Long time Member
Posts: 545
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Connection Tracking

Tue Jul 07, 2015 10:39 pm

> ...A solution, if possible, is to use tunnels and pure routing, and add a blackhole route to the private destination subnet (using a smaller prefix) to avoid ghost stall connections during route switching. When route switching has occured, the blackhole route will not be used anymore because the destination subnet route will have a bigger prefix. This should protect for wrong connection tracking...
Could someone explain this trick to me better?
 
bajodel
Long time Member
Posts: 545
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Connection Tracking

Thu Jul 09, 2015 10:37 am

Ok.. now I realize I had misunderstood "smaller prefix" (the opposite of a smaller subnet :D)
