uldis
MikroTik Support
Topic Author
Posts: 3439
Joined: Mon May 31, 2004 2:55 pm

Attention v2.9.16 users!

Fri Mar 10, 2006 10:57 am

If you are using v2.9.16 then please change
 /ip firewall connection tracking> print
enabled: yes
tcp-syn-sent-timeout: 50ms
tcp-syn-received-timeout: 50ms
...
to
 /ip firewall connection tracking> print
enabled: yes
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
...
 
spoiler
newbie
Posts: 27
Joined: Thu Mar 02, 2006 6:29 pm

Fri Mar 10, 2006 2:01 pm

Nice, 2 hours trying to figure out why nearby servers worked and others not... and why icmp was working with all of them, thought it was a BGP issue...

Just as a note... if you downgrade, the setting will stay unchanged!
 
pekr
Member Candidate
Posts: 138
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

Fri Mar 10, 2006 2:18 pm

guys, isn't it better to simply release 2.9.17?! Remember - not all ppl do visit this forum ....

-pekr-
 
uldis
MikroTik Support
Topic Author
Posts: 3439
Joined: Mon May 31, 2004 2:55 pm

Fri Mar 10, 2006 5:27 pm

guys, isn't it better to simply release 2.9.17?! Remember - not all ppl do visit this forum ....
Done
 
changeip
Forum Guru
Posts: 3818
Joined: Fri May 28, 2004 5:22 pm

Re: Attention v2.9.16 users!

Fri Mar 10, 2006 6:23 pm

If you are using v2.9.16 then please change
 /ip firewall connection tracking> print
enabled: yes
tcp-syn-sent-timeout: 50ms
tcp-syn-received-timeout: 50ms
...
to
 /ip firewall connection tracking> print
enabled: yes
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
...
5s? Was previous value something like 1-2m? I think 5s is still too short for many users on slow dialup, cellular, etc. I'm just throwing this out there, not saying 5s is wrong though...

Sam
 
DirectWireless
Member Candidate
Posts: 143
Joined: Wed Oct 06, 2004 8:09 am

Fri Mar 10, 2006 6:54 pm

We sell MT routers to corporate customers who manage them themselves (we provide consulting support ) and man I had a stack of phone messages this morning when I came in from frantic customers!
 
samsoft08
Long time Member
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

Thu Mar 16, 2006 8:42 pm

[admin@MikroTik] ip firewall connection tracking> print
enabled: yes
tcp-syn-sent-timeout: 1m
tcp-syn-received-timeout: 1m

this is my MT setup .. should I change 1m to 5s ?? and why ??
 
Hammy
Forum Veteran
Posts: 759
Joined: Fri May 28, 2004 5:53 pm
Location: DeKalb, IL

Mon Mar 20, 2006 4:52 am

[admin@MikroTik] ip firewall connection tracking> print
enabled: yes
tcp-syn-sent-timeout: 1m
tcp-syn-received-timeout: 1m

this is my MT setup .. should I change 1m to 5s ?? and why ??
Same here... suggestions?
 
aviper
Member Candidate
Posts: 187
Joined: Thu Sep 15, 2005 5:48 pm

Mon Mar 20, 2006 10:52 am

Tip: The topic is: Attention v2.9.16 users! ...
 
cmit
Forum Guru
Posts: 1552
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Mon Mar 20, 2006 10:57 am

This value (roughly said) defines the time-span that it may take to completely open a TCP connection. This is started by a SYN packet, and if the SYN-ACK packet doesn't arrive during the time you can configure here, the "half-open" connection is dropped.

The main reason to keep this short is that this is one way to run a denial-of-service attack: if your system waits 1 minute to see whether some (every) half-open connection will finally become a fully established connection, it has to keep a rather long table of connections. By just starting to open enough "half-open" TCP connections you can block a system so that it cannot accept legitimate new TCP connections anymore.

So having this value at an unnecessarily high value is kind of dangerous. And 1 minute is too high in my opinion. 5 seconds should be enough to establish a TCP connection - remember: that does not mean that everything has to be over in 5 seconds - just that the connection has to be completely established in max. 5 seconds.

Best regards,
Christian Meis
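As an added illustration of the trade-off described in this thread (not code from the thread or from MikroTik): a toy connection-tracking table in Python whose half-open entries expire after the SYN-sent timeout. The table capacity of 1000 entries, the client addresses and the SYN rates are constructed assumptions for the model, not RouterOS values; it shows why the 50ms default broke slow handshakes and why a 1m timeout lets unanswered SYNs crowd out legitimate ones.

```python
# Toy model (added example, not RouterOS code) of the tracking state described above:
# a SYN creates a half-open entry that lives syn_sent_timeout seconds; a SYN-ACK
# before expiry makes it established, otherwise the entry is dropped.
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Flow = Tuple[str, int]  # (client address, client port) of a constructed flow

@dataclass
class ConnTracker:
    syn_sent_timeout: float  # seconds a half-open entry may wait for its SYN-ACK
    max_entries: int         # assumed table capacity for this model
    half_open: Dict[Flow, float] = field(default_factory=dict)  # flow -> expiry
    established: Set[Flow] = field(default_factory=set)
    rejected: int = 0        # SYNs refused because the table was full

    def _expire(self, now: float) -> None:
        for flow in [f for f, exp in self.half_open.items() if exp <= now]:
            del self.half_open[flow]

    def syn(self, now: float, flow: Flow) -> bool:
        self._expire(now)
        if len(self.half_open) + len(self.established) >= self.max_entries:
            self.rejected += 1
            return False
        self.half_open[flow] = now + self.syn_sent_timeout
        return True

    def syn_ack(self, now: float, flow: Flow) -> bool:
        self._expire(now)
        if flow not in self.half_open:
            return False  # entry already timed out: the handshake is lost (the 50ms symptom)
        del self.half_open[flow]
        self.established.add(flow)
        return True

def slow_client_survives(timeout: float, rtt: float) -> bool:
    """One legitimate client whose SYN-ACK comes back after rtt seconds."""
    ct = ConnTracker(syn_sent_timeout=timeout, max_entries=1000)
    ct.syn(0.0, ("10.0.0.2", 40000))
    return ct.syn_ack(rtt, ("10.0.0.2", 40000))

def legit_syn_after_flood(timeout: float, syn_rate: int, seconds: int) -> bool:
    """Unanswered SYNs at syn_rate/s for `seconds`, then one legitimate SYN."""
    ct = ConnTracker(syn_sent_timeout=timeout, max_entries=1000)
    for t in range(seconds):
        for i in range(syn_rate):
            ct.syn(float(t), ("198.51.100.7", 1024 + t * syn_rate + i))
    return ct.syn(float(seconds), ("10.0.0.2", 40001))
```

With a 5s timeout the flood of 50 unanswered SYNs per second never holds more than a few hundred entries, so the legitimate SYN still gets in; with 1m it fills the 1000-entry table in 20 seconds.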
 
changeip
Forum Guru
Posts: 3818
Joined: Fri May 28, 2004 5:22 pm

Mon Mar 20, 2006 6:46 pm

I've seen dialup users take longer than 5 sometimes ... 5-10s would be a good middle ground. 1m is definitely too long : )
 
sten
Forum Veteran
Posts: 920
Joined: Tue Jun 01, 2004 12:10 pm

Tue Mar 21, 2006 11:01 am

30 seconds in my opinion.
It matters to the functions that limit the number of connections.
Move along. Nothing to see here.
