joshhboss, Member Candidate, Topic Author

Connection tracking broadcast ?

Thu Jan 19, 2023 3:19 pm

I use this command on my edge routers at times. I was wondering if it could also be used on MikroTik?
set system conntrack ignore rule 10 destination address 255.255.255.255
I've tried:
/ip firewall filter add action=drop chain=forward dst-address=255.255.255.255
But it doesn't seem to work.
The goal is to prevent unwanted connections from being tracked and consuming resources.
 
mkx, Forum Guru

Re: Connection tracking broadcast ?  [SOLVED]

Thu Jan 19, 2023 3:43 pm

The "pseudo ROS" firewall rule won't do anything. Broadcasts are not routed between different router interfaces (which is where chain=forward works).

I'm not fluent in edge-ish, but I guess you would like to disable connection tracking for certain traffic. You can achieve that with a rule something like this:
/ip firewall raw
add chain=prerouting action=notrack dst-address=255.255.255.255
which will instruct the connection tracking machinery not to track those packets. If you want to do something about those packets later in firewall filter, then note that the connection-state of those packets will not be known ... it will rather be "untracked". Beware: the default firewall config has a rule which explicitly allows untracked packets (part of the "action=accept connection-state=established,related,untracked" rule).
Last edited by mkx on Thu Jan 19, 2023 3:44 pm, edited 1 time in total.
 
joshhboss, Member Candidate, Topic Author

Re: Connection tracking broadcast ?

Thu Jan 19, 2023 3:43 pm

I did this to try and log it, and it looks like the broadcast connections are being blocked.

Does this look correct? These rules are the first 2:
add action=log chain=input dst-address=255.255.255.255
add action=drop chain=input dst-address=255.255.255.255
 
joshhboss, Member Candidate, Topic Author

Re: Connection tracking broadcast ?

Thu Jan 19, 2023 3:45 pm

The "pseudo ROS" firewall rule won't do anything. Broadcasts are not routed between different router interfaces (which is where chain=forward works).

I'm not fluent in edge-ish, but I guess you would like to disable connection tracking for certain traffic. You can achieve that with a rule something like this:
/ip firewall raw
add chain=prerouting action=notrack dst-address=255.255.255.255
which will instruct the connection tracking machinery not to track those packets. If you want to do something about those packets later in firewall filter, then note that the connection-state of those packets will not be known ... it will rather be "untracked". Beware: the default firewall config has a rule which explicitly allows untracked packets (part of the "action=accept connection-state=established,related,untracked" rule).
That is exactly what I'm trying to do. I'm going to remove the rule I added and add yours.

Thank you so much.
 
mkx, Forum Guru

Re: Connection tracking broadcast ?

Thu Jan 19, 2023 3:45 pm

They are blocked in chain=input (because chain=input is used for traffic destined to the router itself ... and broadcasts can target the router, e.g. for DHCP discovery etc.) ... However, they are not even hitting chain=forward because the router will not pass them to another interface.
 
mkx, Forum Guru

Re: Connection tracking broadcast ?

Thu Jan 19, 2023 3:48 pm

I'm going to remove the rule I added and add yours.

If you're going to drop those packets, then you can drop them in raw (just change the action to drop). If you're going to pass them, then the default firewall filter rule will do. If you want to filter them using some fancy criteria, then you'll have to do it the same as you'd do it for normal tracked connections.

If the amount of traffic you want not to be tracked is a small portion of the total amount, then I doubt you'll gain much WRT performance of the router.
 
joshhboss, Member Candidate, Topic Author

Re: Connection tracking broadcast ?

Thu Jan 19, 2023 3:57 pm

They are blocked in chain=input (because chain=input is used for traffic destined to the router itself ... and broadcasts can target the router, e.g. for DHCP discovery etc.) ... However, they are not even hitting chain=forward because the router will not pass them to another interface.
I didn't even think about that; I really just wanted to have fewer connections tracked by the router that I didn't need. But now that you mention that with DHCP, would that drop-broadcast rule have stopped the router from doing DHCP? This router will be doing DHCP... a lot, actually, lol
 
joshhboss, Member Candidate, Topic Author

Re: Connection tracking broadcast ?

Thu Jan 19, 2023 4:00 pm

I am trying to conserve resources on the router and keep as many states available as possible. Do you think me going this route makes sense?

Still learning.. :-?
 
mkx, Forum Guru

Re: Connection tracking broadcast ?

Thu Jan 19, 2023 4:17 pm

Every DHCP handshake starts with DHCP discovery ... where the DHCP client sends a packet to 255.255.255.255 (with src-port=68 and dst-port=67 ... or the other way around, I always forget) and the DHCP server has to reply to that. So yes, dropping all broadcast packets will interfere. It does seem that the DHCP server for IPv4 hooks into the network stack lower (closer to hardware) than the firewall, so it might even work despite such a firewall filter. Not in IPv6 though.

Personally I wouldn't bother with filtering broadcasts (as it can potentially interfere with normal operations and it's hard to debug such cases). If the amount of broadcasts is high enough to make a noticeable load on the router, you'll have to deal with it at the source of that traffic. Or you'll want to drop it early (like in raw), so not tracking it is IMO a side step.
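Putting the thread's advice together, here is a worked RouterOS configuration. It is an added example, not posted by anyone in the thread and not MikroTik's own documentation. It assumes the default RouterOS firewall layout (an "accept established,related,untracked" rule in chain=input and chain=forward, and an interface list named LAN); the comments and the `dst-address-type=broadcast` variant are this editor's additions. The DHCP port numbers are the standard ones: a client sends DISCOVER/REQUEST from UDP port 68 to port 67 at 255.255.255.255.

```routeros
# Added example, not from the thread. Assumes the default RouterOS firewall
# (accept established,related,untracked in input/forward; interface list LAN).

# 1. Keep limited-broadcast packets out of the connection table.
#    raw/prerouting runs before conntrack, so action=notrack means these
#    packets never occupy a conntrack entry. Downstream, in filter, they
#    match connection-state=untracked and nothing else.
/ip firewall raw
add chain=prerouting action=notrack dst-address=255.255.255.255 \
    comment="do not track limited broadcast"

# Generalisation (assumption: use instead of the /32 rule above, not both):
# dst-address-type=broadcast also matches directed subnet broadcasts such
# as 192.168.88.255, which dst-address=255.255.255.255 does not catch.
# add chain=prerouting action=notrack dst-address-type=broadcast

# 2. If broadcasts that reach the router itself are to be dropped, let
#    DHCP through first. Rules are evaluated top to bottom, so the accept
#    must sit above the drop. Because step 1 left the packet untracked, the
#    default "accept ... untracked" rule would already pass it; the explicit
#    rule documents the dependency and still works if that default rule is
#    ever removed or moved.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=67 \
    dst-address=255.255.255.255 in-interface-list=LAN \
    comment="DHCP DISCOVER/REQUEST from LAN clients (UDP 68 -> 67)"
add chain=input action=drop dst-address=255.255.255.255 \
    comment="drop other limited broadcasts aimed at the router"

# 3. Verify. The raw rule's counters should rise with every broadcast, and
#    the connection table should hold no entry for 255.255.255.255
#    (the second print uses a regex match on the ip:port string).
/ip firewall raw print stats
/ip firewall connection print where dst-address~"255.255.255.255"
```

When adding these to a router that already has filter rules, use `place-before=` on the `add` commands so the DHCP accept and the broadcast drop land above any existing generic drop in chain=input; otherwise the new rules are appended to the end of the chain and may never be reached. As mkx notes, the resource saving is small unless broadcast volume is high, and if it is, dropping in raw (action=drop instead of action=notrack) removes the load earlier than simply not tracking it.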
