I tried to search the forum for the word max-entries but got "No posts were found…", so I am starting a new one.
I have a CCR1036 with OS version 6.0 and a CCR1016 with OS version 6.1. Both have the same strange issue: the size of the connection tracking table is seriously small, which makes it impossible to use.
On the router with 16Gb of RAM:
Code:
[ard@z3k-router] > /system resource print
uptime: 4w3h50m37s
version: 6.0
build-time: May/17/2013 14:04:20
free-memory: 15.4GiB
total-memory: 15.9GiB
cpu: tilegx
cpu-count: 36
cpu-frequency: 1000MHz
cpu-load: 0%
free-hdd-space: 903.1MiB
total-hdd-space: 1024.0MiB
architecture-name: tile
board-name: CCR1036-12G-4S
platform: MikroTik
[ard@z3k-router] >
Code:
[ard@z3k-router] > /ip firewall connection tracking print
…
generic-timeout: 10m
max-entries: 524288
…
[ard@z3k-router] >
Is it really not possible to specify a higher value somehow? The connection limit feature is awesome, but still, with "max-entries: 524288" it is useless. On a regular Linux box with 16Gb of RAM it is possible to have millions of records in the conntrack table, a slightly bigger backlog and other values. And the network stack does not use all the RAM even during attacks.
Maybe I am missing something, and probably someone can elaborate on the reason why it is so small.