ners
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Mar 12, 2013 4:30 pm

What is more efficient for ACL on WAN: conntrack->off or on with established?

Sun Jul 14, 2019 11:35 am

/ip firewall address-list add address=5.43.16.0/20 list=WAN-IN-FILTER
/ip firewall address-list add address=10.0.0.0/8 list=WAN-IN-FILTER
/ip firewall address-list add address=172.16.0.0/12 list=WAN-IN-FILTER
/ip firewall address-list add address=192.168.0.0/16 list=WAN-IN-FILTER

I have such an address list, which I use for filtering out traffic with a source IP belonging to my network.
What is more efficient from these two options:

1) connection tracking -> off
/ip firewall filter add action=drop chain=forward in-interface-list=WAN_INTERFACES src-address-list=WAN-IN-FILTER

2) connection tracking -> on
/ip firewall filter add action=accept chain=forward connection-state=established,related
/ip firewall filter add action=drop chain=forward in-interface-list=WAN_INTERFACES src-address-list=WAN-IN-FILTER

??
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: What is more efficient for ACL on WAN: conntrack->off or on with established?  [SOLVED]

Sun Jul 14, 2019 12:18 pm

Matching each packet to an address-list of a few items should be less CPU-intensive than matching it to a much larger list of existing tracked connections, so if you don't need connection tracking for other purposes (bear in mind that the functionality of NAT depends on connection tracking), the first approach is more efficient.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
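A fuller version of option 1, as an added example that is not from the thread: it keeps the poster's WAN-IN-FILTER and WAN_INTERFACES names, disables connection tracking explicitly, and applies the same drop in the input chain as well, since a forward rule never sees packets addressed to the router itself. The uplink name ether1 and the comments are assumptions.

```routeros
# Added example (not from the thread). Assumes the ISP uplink is ether1.
# Populate the interface list that the drop rules refer to.
/interface list add name=WAN_INTERFACES comment="assumed: uplinks towards the ISPs"
/interface list member add list=WAN_INTERFACES interface=ether1

# Source prefixes that must never arrive from the outside:
# the poster's own public prefix plus RFC 1918 space.
/ip firewall address-list add list=WAN-IN-FILTER address=5.43.16.0/20 comment="own public prefix"
/ip firewall address-list add list=WAN-IN-FILTER address=10.0.0.0/8 comment="RFC 1918"
/ip firewall address-list add list=WAN-IN-FILTER address=172.16.0.0/12 comment="RFC 1918"
/ip firewall address-list add list=WAN-IN-FILTER address=192.168.0.0/16 comment="RFC 1918"

# Option 1 from the thread: no connection tracking, so every packet is
# judged only by its source address and the interface it arrived on.
# NAT and connection-state matching stop working once tracking is disabled.
/ip firewall connection tracking set enabled=no

# Transit traffic: packets from the WAN that claim an internal source.
/ip firewall filter add chain=forward action=drop in-interface-list=WAN_INTERFACES \
    src-address-list=WAN-IN-FILTER comment="anti-spoof: transit"

# Traffic to the router itself goes through the input chain, not forward,
# so the same check is needed there too.
/ip firewall filter add chain=input action=drop in-interface-list=WAN_INTERFACES \
    src-address-list=WAN-IN-FILTER comment="anti-spoof: to the router"

# Check that the rules are actually hitting: per-rule packet/byte counters.
/ip firewall filter print stats
```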
 
ners
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Mar 12, 2013 4:30 pm

Re: What is more efficient for ACL on WAN: conntrack->off or on with established?

Sun Jul 14, 2019 12:43 pm

Yes, I currently have connection tracking turned off. I don't need it for anything else.
So I'll stick to my current setup. Thanks!
 
sebastia
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: What is more efficient for ACL on WAN: conntrack->off or on with established?

Sun Jul 14, 2019 1:22 pm

Instead of doing the filtering manually, you could also do it through
/ip settings set rp-filter=strict

See: https://wiki.mikrotik.com/wiki/Manual:I ... Properties
 
ners
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Mar 12, 2013 4:30 pm

Re: What is more efficient for ACL on WAN: conntrack->off or on with established?

Sun Jul 14, 2019 1:46 pm

sebastia wrote:
Instead of doing the filtering manually, you could also do it through
/ip settings set rp-filter=strict
See: https://wiki.mikrotik.com/wiki/Manual:I ... Properties

I thought about rp-filter, but it seems I can't. I have two ISPs and two full-view BGP sessions with them, so returning packets might come via the other link (and rp_filter would discard them).
 
sebastia
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: What is more efficient for ACL on WAN: conntrack->off or on with established?

Sun Jul 14, 2019 11:32 pm

Asymmetric routing and rp-filter don't go hand in hand, that's true.
