msatter
Forum Guru
Topic Author
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Using NoTrack for WireGuard tunnel

Thu Aug 25, 2022 9:58 pm

I noticed that fasttracking the tunnel of a WireGuard connection did not matter and the dummy counters did not increase. So that traffic is being split off and handled directly. Then I remembered that was also done for IPsec:

> However, this can add a significant load to the router's CPU if there is a fair amount of tunnels and significant traffic on each tunnel.
>
> The solution is to use IP/Firewall/Raw to bypass connection tracking, that way eliminating the need for filter rules listed above and reducing the load on CPU by approximately 30%.
> /ip firewall raw
> add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
> add action=notrack chain=prerouting src-address=10.1.202.0/24 dst-address=10.1.101.0/24
Source: https://help.mikrotik.com/docs/display/ROS/IPsec


So I put a notrack for prerouting and also for output in RAW and WireGuard worked like before. You will miss the lines in connection tracking and maybe get somewhat less load. Maybe even up to 30% as mentioned above.
 
Simonej
Frequent Visitor
Posts: 56
Joined: Sun Aug 22, 2021 3:34 am

Re: Using NoTrack for WireGuard tunnel

Thu Aug 25, 2022 10:20 pm

Not an expert, I have a single peer in Wireguard; the only way in my case was to use action=accept, this was not working:
/ip firewall raw add action=notrack chain=prerouting in-interface-list=VPN
... 
/ip firewall filter add action=accept chain=input connection-state=established,related,untracked
plus the comment from sindy suggests not to use notrack
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using NoTrack for WireGuard tunnel

Thu Aug 25, 2022 10:52 pm

> the comment from sindy suggest to not use notrack
That's a misinterpretation. What I wrote there was that unlike with IPsec, with Wireguard you do not need to exempt the site-to-site traffic from getting NATed (by means of action=accept rules in nat or of action=notrack rules in raw). It did not mean that I suggest not to use notrack at all. Connection tracking is resource intensive so you may save some CPU by using the action=notrack rules, which is what @msatter is after, but the price to pay is that you lose the possibility to control the traffic exempted from connection tracking using a stateful firewall. And yes, an action=notrack rule in raw alone is not sufficient - it assigns connection-state=untracked to all matching packets, but that does not substitute an action=accept rule in filter. But if you set the match conditions strict enough in the action=notrack rule in raw, the action=accept rule in filter may accept anything with connection-state=untracked without using the same strict conditions again.
 
msatter
Forum Guru
Topic Author
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using NoTrack for WireGuard tunnel

Fri Aug 26, 2022 12:14 am

I addressed the tunnel and not the actual traffic going through that tunnel. You still have complete control over whether traffic is going to be encrypted travelling through that tunnel or not and will take another path.

RouterOS handles the tunnel and that explains why, despite the tunnel being fasttracked, I did not hit the dummy counters for fasttracking. NAT does not ignore NoTrack and initiates the tunnel if you have the src-nat line active for it.
 
Simonej
Frequent Visitor
Posts: 56
Joined: Sun Aug 22, 2021 3:34 am

Re: Using NoTrack for WireGuard tunnel

Sun Sep 25, 2022 8:45 pm

Dear users, trying to use NoTrack following the suggestions from @msatter and @sindy for WireGuard in Road Warrior mode; I read several times and did multiple tests, no success.
This is the relevant part of the firewall config:
/interface wireguard add listen-port=13231 name=WireGuard private-key="..." disabled=no
/interface wireguard peers add allowed-address=10.10.10.2/32 endpoint-port=13231 interface=WireGuard public-key="..." disabled=no
/ip address add address=10.10.10.1/30 interface=WireGuard network=10.10.10.0

/ip firewall raw add action=notrack chain=prerouting interface=WireGuard

/ip firewall filter add action=accept chain=input connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input dst-port=13231
... 
/ip firewall filter add action=accept chain=forward connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward connection-state=untracked interface=WireGuard out-interface-list=LAN
/ip firewall filter add action=accept chain=forward connection-state=untracked interface=WireGuard out-interface=WAN
The goal is to check if bypassing connection tracking will save some CPU.
I'm able to connect through the tunnel but not to go out to the internet or to the LAN devices. Am I doing something wrong?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using NoTrack for WireGuard tunnel

Sun Sep 25, 2022 9:28 pm

What kind of gains in CPU performance are you expecting?
How do you know if CPU performance is being limited by wireguard? ( and affecting other uses or users )
Seems like a waste of time to me.........

If there is some clear advantage to the above approach that works in most instances, then it should be included in any guide..........
 
Simonej
Frequent Visitor
Posts: 56
Joined: Sun Aug 22, 2021 3:34 am

Re: Using NoTrack for WireGuard tunnel

Sun Sep 25, 2022 11:03 pm

Agree @anav, I don't expect anything, will probably be a waste of time but it's just for learning and testing.

PS: hope everything is going well after the hurricane, wishing the best to all Canadians
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using NoTrack for WireGuard tunnel

Sun Sep 25, 2022 11:07 pm

We had it easy this time compared to those to our east: Cape Breton, PEI and parts of Newfoundland.
Good okay was just wondering the value is all............
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using NoTrack for WireGuard tunnel

Mon Sep 26, 2022 9:56 am

During prerouting, the out-interface is not known yet. So your action=notrack rule in /ip firewall raw only matches on packets that came in via the WireGuard interface; packets in the opposite direction of the same actual connection are still handled by the connection tracking module. To prevent these from being connection tracked as well, you have to use other rules in chain prerouting in raw that match on src-address(-list), dst-address(-list), protocols, ports, depending on how you select traffic for Wireguard; you cannot use connection-mark of course, but you cannot use even packet-mark or routing-mark because these are assigned after the packet passes through raw. And matching against an address-list is as "heavy" as matching against a connection list.

You haven't provided enough information, but it seems you want your Mikrotik to act as a Wireguard "server" providing the "client" access to the internet; if so, adding a rule chain=prerouting in-interface=WAN dst-address=10.10.10.2 action=notrack to /ip firewall raw would allow any packet coming via WAN towards the address of the Wireguard "client" to get untracked, and as such be accepted in filter by the "accept untracked" rule. However, if my guess is right, it won't work anyway - you cannot disable connection tracking for this traffic, because you need to NAT the traffic, and NAT depends on connection tracking.

If the Mikrotik acts as a Wireguard "client" providing encrypted connection to the Internet for its LAN hosts via some remote "server", the allowed-address on the /interface wireguard peer row must be 0.0.0.0/0, not just the individual internal address of the "server". And it still won't work without a NAT, because in this scenario, you have to NAT the traffic from the LAN clients to 10.0.0.1.

So all in all - you can use notrack for a Wireguard tunnel, but only where no NAT is required, so typically for a site-to-site one.

Independent from all the above, the last two rules in your list above are useless because they are shadowed by the third one, which accepts any untracked packet, regardless of the in-interface and out-interface(-list). The connection-state match condition matches on any of the listed connection states (which are mutually exclusive, as each packet has exactly one connection-state).
 
msatter
Forum Guru
Topic Author
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using NoTrack for WireGuard tunnel

Mon Sep 26, 2022 10:49 am

> So all in all - you can use notrack for a Wireguard tunnel, but only where no NAT is required, so typically for a site-to-site one.

I see RouterOS handling this without a problem. This is my interpretation.

Router as WG client: the router initiates a UDP connection to the server through NAT; RouterOS awaits the response after RAW/connection tracking, snatches the returning connection and handles it all by itself.

This is only the UDP WG tunnel; the destination IP is known and that is the source of the returning WG tunnel.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using NoTrack for WireGuard tunnel

Mon Sep 26, 2022 11:08 am

@msatter, what you write is related to Wireguard transport packets and of course correct, but I totally forgot about that layer since @Simonej places rules into chain forward and refers to WireGuard as in-interface in prerouting, so I've assumed he wanted to disable connection tracking for Wireguard payload packets.

@Simonej, can you see the difference between the two types of packets mentioned above?
 
Simonej
Frequent Visitor
Posts: 56
Joined: Sun Aug 22, 2021 3:34 am

Re: Using NoTrack for WireGuard tunnel

Mon Sep 26, 2022 12:06 pm

Very well explained, thanks @sindy.
My use case is the first one you mentioned, Wireguard "server" providing the "client" access to internet.
I'll test again using your suggestion and report.
> @Simonej, can you see the difference between the two types of packets mentioned above?
Nope, sorry. Is the @msatter comment related to the specific site-to-site use case?
@msatter, may I ask if you could please post some example from your config?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using NoTrack for WireGuard tunnel

Mon Sep 26, 2022 12:24 pm

> Very well explained, thanks @sindy.
> My use case is the first one you mentioned, Wireguard "server" providing the "client" access to internet.
> I'll test again using your suggestion and report.
Apparently not well explained at all, so let me simplify it: if NAT of the payload traffic is required (which is the case in your scenario), you cannot disable connection tracking of the Wireguard payload traffic.

But what you can do is to exempt the transport traffic of Wireguard from connection tracking, because there is no need to NAT the transport traffic.

Payload traffic is the one running inside the tunnel; transport traffic is the one between the devices forming up the tunnel (it consists of packets into which the payload ones have been encapsulated).
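An added example (not from any poster in this thread) of the split sindy describes: the transport packets, UDP to and from the WireGuard listen-port, are exempted from connection tracking in raw, while the payload inside the tunnel stays tracked so srcnat keeps working. It assumes an interface named WAN, the listen-port 13231 and interface name WireGuard from Simonej's config, and a constructed peer endpoint 203.0.113.10 (for a road-warrior peer with a dynamic endpoint, drop the src-address/dst-address matchers).

```routeros
# Added example: notrack only the WireGuard *transport* packets.
# Assumed names: WAN (internet interface), WireGuard (tunnel interface),
# 203.0.113.10 (constructed peer endpoint address), 13231 (listen-port).

/ip firewall raw
# Inbound transport packets from the peer, matched before routing.
# The matchers are strict on purpose, so the filter rule below can accept
# connection-state=untracked without repeating them.
add chain=prerouting action=notrack in-interface=WAN protocol=udp \
    src-address=203.0.113.10 dst-port=13231 \
    comment="WG transport in: skip conntrack"
# Outbound transport packets the router itself sends to the peer
# (chain output, since the router is the source of these packets).
add chain=output action=notrack out-interface=WAN protocol=udp \
    dst-address=203.0.113.10 src-port=13231 \
    comment="WG transport out: skip conntrack"

/ip firewall filter
# Untracked packets never become "established", so input must accept
# connection-state=untracked explicitly; without this the tunnel stalls.
add chain=input action=accept \
    connection-state=established,related,untracked \
    comment="tracked replies + untracked WG transport"
# Payload packets that left the tunnel are still tracked; in chain forward
# the out-interface is known, so a per-direction policy is possible here.
add chain=forward action=accept connection-state=established,related \
    comment="tracked payload replies"
add chain=forward action=accept connection-state=new \
    in-interface=WireGuard out-interface-list=LAN \
    comment="new WG payload sessions into the LAN"
add chain=forward action=accept connection-state=new \
    in-interface=WireGuard out-interface=WAN \
    comment="new WG payload sessions to the internet"
add chain=forward action=drop comment="default deny"

/ip firewall nat
# The payload going to the internet needs this, and NAT needs conntrack,
# which is why the payload is deliberately NOT untracked above.
add chain=srcnat action=masquerade out-interface=WAN \
    comment="NAT tracked payload from the tunnel"
```

With the two raw rules in place, the transport flow disappears from /ip firewall connection while sessions from 10.10.10.2 to the LAN or the internet still appear there, which is the quickest way to confirm that only the intended layer was exempted.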
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using NoTrack for WireGuard tunnel

Mon Sep 26, 2022 4:38 pm

What would be the gain of being able to notrack transport-layer WireGuard (and not payload-layer) as opposed to NOT using notrack at all?
In other words, is this an academic question, which is fascinating and really cool how granular one can control stuff, but probably not all that practical.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using NoTrack for WireGuard tunnel

Mon Sep 26, 2022 5:07 pm

> What would be the gain
To save the CPU. If the vast majority of the traffic the device handles is Wireguard, skipping connection tracking for the Wireguard transport packets means the firewall will not check every transport packet against the full list of tracked connections. You cannot disable connection tracking completely if you need NAT.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using NoTrack for WireGuard tunnel

Mon Sep 26, 2022 5:20 pm

Save what? Too vague: 1% of the load, 20% of the load? For that one needs to know how much of the CPU is taken up by wireguard activity normally.
Relatively speaking how does that compare with any other traffic, to get a sense of the magnitude.
Then what is the capacity of the CPU (probably need to know RAM available as well) of the particular router.

Trying to get to: is the saving significant or not.
I am assuming if significant then everyone should be doing it as a matter of course for any MT setup.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using NoTrack for WireGuard tunnel

Mon Sep 26, 2022 5:33 pm

> Save what, too vague, 1% of the load, 20% of the load.
Exactly. It requires a lab setup to tell the difference - create a wireguard tunnel between two devices on the table with some firewall rules involving connection tracking, use some bandwidth testing software to measure the throughput (not /tool bandwidth-test on the same pair of routers), and then add the exemption of Wireguard transport packets from connection tracking and measure the throughput again.
