Community discussions

dhcpy
just joined
Topic Author
Posts: 7
Joined: Tue Oct 19, 2010 6:38 am

inter-VLAN traffic routing RAW

Tue Jun 12, 2018 10:47 pm

Hello all,

I saw a MUM presentation where they said RAW is a new firewall table that can be used, for instance, to keep packets from going through connection tracking, which can improve throughput.

I have multiple VLANs (server farm, clients, development, and guest), and I think the traffic from clients to the server farm can pass without connection tracking.

is this rule well written?

/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.0.0/24 in-interface=vlan200 in-interface-list=all src-address=192.168.2.0/24

EDIT
What I would like to do is improve the throughput of local traffic, i.e. inter-VLAN traffic.
I see the packet counter of this rule increasing, but I also see local connections between these 2 VLANs in the connection tracker. So I'm confused.
CZFan
Forum Guru
Posts: 1003
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: inter-VLAN traffic routing RAW

Wed Jun 13, 2018 12:12 am

From your raw firewall rule, you have 3 source matchers: the VLAN, the in-interface list, and the source range. Only keep the source range and remove the other two.
MTCNA, MTCTCE, MTCRE & MTCINE
sindy
Forum Guru
Posts: 2454
Joined: Mon Dec 04, 2017 9:19 pm

Re: inter-VLAN traffic routing RAW

Wed Jun 13, 2018 10:41 pm

The way you have written the rule, it only excludes from connection tracking packets in one direction. So the response packets in the other direction do not match this rule, connection tracking gets them, and they are tracked.

So something like
/ip firewall address-list
add list=my-vlan-subnets address=your.sub.net.1/mask_length
add list=my-vlan-subnets address=your.sub.net.2/mask_length
add list=my-vlan-subnets address=your.sub.net.3/mask_length

/ip firewall raw
add action=notrack chain=prerouting src-address-list=my-vlan-subnets dst-address-list=my-vlan-subnets
should do the trick, yet I'm not sure whether it would actually save resources (matching packet's src and dst addresses to address lists may be almost as expensive as matching packet's src and dst sockets to connection list which is what connection tracking does).
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
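As an added illustration of the point made in the reply above (this is example code written for this page, not anything posted in the thread or shipped by MikroTik), the following Python model matches a RouterOS `/ip firewall raw` `notrack` rule against both halves of a client-to-server flow. It shows why the one-directional rule from the question keeps its counter climbing while the replies still show up in the connection tracker, and why one rule with the same address list on both sides covers every inter-VLAN pair. The 192.168.0.0/24 and 192.168.2.0/24 subnets and the name vlan200 come from the thread; the third subnet 192.168.3.0/24, the interface names vlan100 and vlan300, and all host addresses are assumed for the example.

```python
"""Added example, not code from the forum thread or from MikroTik: a small
model of how a RouterOS /ip firewall raw notrack rule in the prerouting
chain is matched against the two directions of a flow.  The subnets
192.168.0.0/24 and 192.168.2.0/24 and the name vlan200 come from the
thread; 192.168.3.0/24, vlan100, vlan300 and the host addresses are assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_interface: str


@dataclass(frozen=True)
class NotrackRule:
    """The subset of raw-table matchers used in the thread.

    An empty tuple / None means the matcher is not set, i.e. matches anything.
    src_nets/dst_nets stand for either src-address/dst-address (one network)
    or src-address-list/dst-address-list (several networks)."""
    src_nets: Tuple[IPv4Network, ...] = ()
    dst_nets: Tuple[IPv4Network, ...] = ()
    in_interface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        if self.src_nets and not any(ip_address(pkt.src) in n for n in self.src_nets):
            return False
        if self.dst_nets and not any(ip_address(pkt.dst) in n for n in self.dst_nets):
            return False
        return True


def reaches_conntrack(rules: Sequence[NotrackRule], pkt: Packet) -> bool:
    """A packet is excluded from connection tracking only if some notrack rule
    in the prerouting raw chain matches it; otherwise conntrack sees it."""
    return not any(rule.matches(pkt) for rule in rules)


def tracked_directions(rules, client, server, client_if, server_if) -> Dict[str, bool]:
    """Which half of a client->server flow still ends up in the connection tracker.
    The reply arrives on the server's VLAN with src and dst swapped."""
    request = Packet(src=client, dst=server, in_interface=client_if)
    reply = Packet(src=server, dst=client, in_interface=server_if)
    return {"request": reaches_conntrack(rules, request),
            "reply": reaches_conntrack(rules, reply)}


def leaky_pairs(rules, vlans: Dict[str, IPv4Network]) -> List[Tuple[str, str]]:
    """Every ordered (src VLAN, dst VLAN) pair whose host-to-host packets would
    still be tracked.  A complete inter-VLAN notrack rule set returns []."""
    leaks = []
    for src_if, src_net in vlans.items():
        for dst_if, dst_net in vlans.items():
            if src_if == dst_if:
                continue
            pkt = Packet(str(next(src_net.hosts())), str(next(dst_net.hosts())), src_if)
            if reaches_conntrack(rules, pkt):
                leaks.append((src_if, dst_if))
    return leaks


# VLAN layout assumed for the example (vlan200 = clients, vlan100 = server farm).
VLANS = {
    "vlan100": ip_network("192.168.0.0/24"),
    "vlan200": ip_network("192.168.2.0/24"),
    "vlan300": ip_network("192.168.3.0/24"),
}

# The rule as posted in the question.  in-interface-list=all matches every
# interface, so it adds nothing and is left out of the model.
ORIGINAL_RULE = [NotrackRule(src_nets=(VLANS["vlan200"],),
                             dst_nets=(VLANS["vlan100"],),
                             in_interface="vlan200")]

# The address-list approach from the reply: one rule, the same list on both sides.
LOCAL_SUBNETS = tuple(VLANS.values())
ADDRESS_LIST_RULE = [NotrackRule(src_nets=LOCAL_SUBNETS, dst_nets=LOCAL_SUBNETS)]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULE), ("address-list", ADDRESS_LIST_RULE)):
        print(name, tracked_directions(rules, "192.168.2.10", "192.168.0.20", "vlan200", "vlan100"))
        print(name, "still-tracked pairs:", leaky_pairs(rules, VLANS))
    # Traffic leaving the site keeps going through conntrack under both rule
    # sets, which is what NAT on the WAN side needs (203.0.113.5 is a constructed address).
    print("wan tracked:", reaches_conntrack(ADDRESS_LIST_RULE, Packet("192.168.2.10", "203.0.113.5", "vlan200")))
```

Under the original rule the request is untracked and the reply is tracked, which is exactly the half-tracked state reported in the question; under the address-list rule neither direction is tracked and `leaky_pairs` is empty, while traffic to addresses outside the lists still goes through conntrack so NAT keeps working. One caveat for anyone applying this on RouterOS: packets excluded this way have connection-state `untracked`, so a filter chain that accepts `established,related` and drops the rest will drop the inter-VLAN traffic unless it also accepts `connection-state=untracked` (or matches that traffic by address before the drop).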
dhcpy
just joined
Topic Author
Posts: 7
Joined: Tue Oct 19, 2010 6:38 am

Re: inter-VLAN traffic routing RAW

Thu Jun 14, 2018 7:27 pm

sindy wrote:
The way you have written the rule, it only excludes from connection tracking packets in one direction. So the response packets in the other direction do not match this rule, connection tracking gets them, and they are tracked.

So something like
/ip firewall address-list
add list=my-vlan-subnets address=your.sub.net.1/mask_length
add list=my-vlan-subnets address=your.sub.net.2/mask_length
add list=my-vlan-subnets address=your.sub.net.3/mask_length

/ip firewall raw
add action=notrack chain=prerouting src-address-list=my-vlan-subnets dst-address-list=my-vlan-subnets
should do the trick, yet I'm not sure whether it would actually save resources (matching packet's src and dst addresses to address lists may be almost as expensive as matching packet's src and dst sockets to connection list which is what connection tracking does).

Thank you very much!!
Yes, that was exactly the problem. I was still seeing the response in connection tracking.
I did the subnet approach with 2 rules. I will try the address-list approach too, hoping it improves performance with just 1 rule match.
