dhcpy
just joined
Topic Author
Posts: 6
Joined: Tue Oct 19, 2010 6:38 am

inter VLAN traffic routing RAW

Tue Jun 12, 2018 10:47 pm

Hello all,

I saw a MUM presentation; they said RAW is a new firewall table and works, for instance, to keep packets from going through connection tracking, and this can improve throughput.

I have multiple VLANs (server farm, clients, development, and guest), and I think the traffic from clients to the server farm can be passed without connection tracking.

Is this rule well written?

/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.0.0/24 in-interface=vlan200 in-interface-list=all src-address=192.168.2.0/24

EDIT
What I would like to do is improve the throughput of local traffic, i.e. inter-VLAN traffic.
I see it hits the packet count of this rule, but I also see local connections between these 2 VLANs in connection tracking. So I'm confused.
 
CZFan
Forum Veteran
Posts: 738
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: inter VLAN traffic routing RAW

Wed Jun 13, 2018 12:12 am

From your raw firewall rule, you have 3 sources: VLAN, in-interface list, and src range. Only keep the src range and remove the other two.
MTCNA, MTCTCE & MTCRE
 
sindy
Forum Guru
Posts: 1390
Joined: Mon Dec 04, 2017 9:19 pm

Re: inter VLAN traffic routing RAW

Wed Jun 13, 2018 10:41 pm

The way you have written the rule, it only excludes from connection tracking packets in one direction. So the response packets in the other direction do not match this rule, so connection tracking gets them and tracks them.

So something like
/ip firewall address-list
add list=my-vlan-subnets address=your.sub.net.1/mask_length
add list=my-vlan-subnets address=your.sub.net.2/mask_length
add list=my-vlan-subnets address=your.sub.net.3/mask_length

/ip firewall raw
add action=notrack chain=prerouting src-address-list=my-vlan-subnets dst-address-list=my-vlan-subnets
should do the trick, yet I'm not sure whether it would actually save resources (matching a packet's src and dst addresses to address lists may be almost as expensive as matching a packet's src and dst sockets to the connection list, which is what connection tracking does).
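A complete version of the address-list approach, written as an added example for this thread (it is not sindy's or dhcpy's configuration). It uses the two subnets from the original post (192.168.0.0/24 server farm, 192.168.2.0/24 clients); the development subnet 192.168.3.0/24 and the list name `trusted-vlan-subnets` are assumed. The guest VLAN is deliberately left out of the list so its traffic stays under connection tracking and stateful filtering. The filter rule relies on the `untracked` connection-state value of the RouterOS filter matcher: once packets bypass conntrack they no longer match `connection-state=established,related`, so a forward chain that ends in a drop needs an explicit accept for them.

```routeros
# Added example, not from the thread. Subnets 192.168.0.0/24 and 192.168.2.0/24
# come from the original post; 192.168.3.0/24 is an assumed development subnet.
# "guest" is intentionally NOT listed so it remains connection-tracked.
/ip firewall address-list
add list=trusted-vlan-subnets address=192.168.0.0/24 comment="server farm (from thread)"
add list=trusted-vlan-subnets address=192.168.2.0/24 comment="clients (from thread)"
add list=trusted-vlan-subnets address=192.168.3.0/24 comment="development (assumed subnet)"

# One rule covers both directions: src and dst are matched against the same list,
# so the reply packets are excluded from conntrack as well.
/ip firewall raw
add chain=prerouting action=notrack src-address-list=trusted-vlan-subnets \
    dst-address-list=trusted-vlan-subnets comment="skip conntrack for trusted inter-VLAN"

# Untracked packets never match connection-state=established,related, so they
# need their own accept in the forward chain, placed ahead of any drop rule
# (placement is an assumption about the reader's existing filter layout).
/ip firewall filter
add chain=forward action=accept connection-state=untracked \
    src-address-list=trusted-vlan-subnets dst-address-list=trusted-vlan-subnets \
    comment="accept untracked inter-VLAN traffic"

# Checks: the raw rule counters should grow, and the connection table should
# no longer show entries between the listed subnets.
/ip firewall raw print stats
/ip firewall connection print where src-address~"192.168.2." dst-address~"192.168.0."
```

The second check is the one that answers the original confusion: if the address list covers both endpoints, the `connection print` query returns nothing even while the `raw print stats` counters keep increasing. Keep the guest VLAN out of the list for the same reason: traffic that is not tracked cannot be filtered statefully, so only subnets that are meant to reach each other without per-connection policy belong there.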
 
dhcpy
just joined
Topic Author
Posts: 6
Joined: Tue Oct 19, 2010 6:38 am

Re: inter VLAN traffic routing RAW

Thu Jun 14, 2018 7:27 pm

The way you have written the rule, it only excludes from connection tracking packets in one direction. So the response packets in the other direction do not match this rule, so connection tracking gets them and tracks them.

So something like
/ip firewall address-list
add list=my-vlan-subnets address=your.sub.net.1/mask_length
add list=my-vlan-subnets address=your.sub.net.2/mask_length
add list=my-vlan-subnets address=your.sub.net.3/mask_length

/ip firewall raw
add action=notrack chain=prerouting src-address-list=my-vlan-subnets dst-address-list=my-vlan-subnets
should do the trick, yet I'm not sure whether it would actually save resources (matching a packet's src and dst addresses to address lists may be almost as expensive as matching a packet's src and dst sockets to the connection list, which is what connection tracking does).
Thank you very much!!
Yes, that was exactly the problem. I was still seeing the response in connection tracking.
I did the subnet approach in 2 rules. Will try the access list approach too, hoping it would improve performance with just 1 rule match.
