Community discussions

mtkvvv
just joined
Topic Author
Posts: 24
Joined: Sun Jun 23, 2019 7:42 am

Routing/firewalling exceptions

Mon Apr 22, 2024 5:50 pm

Hi,

I have a certain port opened in the router, which is NATed to one LAN ip:port. But its amount of traffic, with all my dumb firewall rules, just doesn't seem to match my router's CPU power... I would like to exempt that traffic from firewalling altogether, in both directions. Or somehow route this traffic to my other router, which could then deal with firewalling only that specific traffic? Possibly without removing ways to bandwidth-limit that traffic if the need arises.

I know I can fasttrack certain traffic, but I hear it also removes any chance to rate-limit that traffic. I could probably notrack that traffic? Could I possibly avoid the NAT router's firewall already at the routing stage and shovel it out to port x on the LAN side?

Probably I am describing some very common technique for networking people. What are the possibly good ways to accomplish that - giving one router a break from conntracking and firewalling etc. of a specific LAN IP?
 
BrateloSlava
Member Candidate
Posts: 170
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: Routing/firewalling exceptions

Mon Apr 22, 2024 6:15 pm

I don't understand - why don't you do some experiments and check the change in load on your router? For example, after a command like this:
/ip firewall raw add action=notrack chain=prerouting comment="No track MO-TP" dst-address=172.22.0.10
 
mtkvvv
just joined
Topic Author
Posts: 24
Joined: Sun Jun 23, 2019 7:42 am

Re: Routing/firewalling exceptions

Mon Apr 22, 2024 6:22 pm

Asking here so as not to experiment too much in the woods :)
Just don't know what the common approaches to accomplish it are. Will give notrack a try, thank you.

PS. In fw raw/prerouting, using my dst-NATed LAN box IP, this matches no packets. At the prerouting chain it's my WAN IP being dst... Guessing NAT isn't done yet, so the target LAN IP is not known yet.

Will read some more about these things.
 
mkx
Forum Guru
Posts: 11709
Joined: Thu Mar 03, 2016 10:23 pm

Re: Routing/firewalling exceptions

Mon Apr 22, 2024 7:27 pm

Sometimes it's easier not to mess with raw (and notrack), because raw rules are very rigid compared to filter rules (and, AFAIK, connection tracking is crucial for NAT). Instead it's possible to add another accept rule which matches the traffic that should not be fasttracked and place it above the fasttrack rule. That means the traffic can then be subject to queues or mangling or any other CPU-bound functions.
 
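The "accept above fasttrack" ordering from the post above, written out as an added example (not posted by anyone in this thread and not MikroTik's default configuration). The LAN host 192.168.88.10, the service port tcp/8080 and the interface lists WAN/LAN are assumed placeholders; the rule order is the point: the two accept rules for the service match first, so that connection is never marked as fasttracked and its packets keep passing through filter, mangle and queues, while every other established connection is fasttracked as usual.

```routeros
# Added example - assumed addresses and ports, not the thread's real values.
/ip firewall filter
# 1. Service traffic towards the dst-NATed host: accept it BEFORE fasttrack
#    so the connection is never fasttracked and queues still see it.
add chain=forward action=accept connection-state=established,related \
    protocol=tcp dst-address=192.168.88.10 dst-port=8080 \
    comment="service: accept above fasttrack (keeps queues/mangle working)"
# 2. Return direction of the same service (replies from the LAN host).
add chain=forward action=accept connection-state=established,related \
    protocol=tcp src-address=192.168.88.10 src-port=8080 \
    comment="service return: accept above fasttrack"
# 3. Everything else that is established/related gets fasttracked.
add chain=forward action=fasttrack-connection \
    connection-state=established,related hw-offload=yes \
    comment="fasttrack everything else"
add chain=forward action=accept connection-state=established,related \
    comment="accept what fasttrack let through"
# 4. Usual hygiene after the fast path.
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop new WAN traffic that is not dst-NATed"

# Because the service is excluded from fasttrack, a simple queue on the host
# address still applies to it (fasttracked packets would bypass this queue).
/queue simple
add name=service-cap target=192.168.88.10/32 max-limit=50M/50M \
    comment="bandwidth cap for the exempted service"
```

To check that the ordering does what you expect, watch the counters with `/ip firewall filter print stats` and `/ip firewall connection print where dst-address~"192.168.88.10"`: the service connection should not carry the fasttracked flag, while other established connections should.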
mtkvvv
just joined
Topic Author
Posts: 24
Joined: Sun Jun 23, 2019 7:42 am

Re: Routing/firewalling exceptions

Mon Apr 22, 2024 7:36 pm

Been doing that so far - accepting sooner etc. Still something, either the need to pass the firewall or conntracking, keeps my CPU at 100% and a bit too often also needs a power-cycle to get over it... I was thinking of the way I described in the first post, just need to find a way to do it.

Unless I specify no IP and just the TCP port in raw, it seems to match (trying with passthrough and log action) incoming traffic by that port number. Just not sure what happens to return packets if notrack were added as the action.

I probably need to go experiment with some other dst-nat rule and another LAN IP first.

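The raw-table notrack variant suggested earlier in the thread, written out for both directions as an added example (not posted by anyone here). It uses the observation made above that raw/prerouting sees the packet before dst-nat, so the inbound rule must match the WAN address, and a separate rule covers the replies coming back from the LAN host. The addresses 203.0.113.5 (WAN), 192.168.88.10 (LAN host) and port tcp/8080 are assumed placeholders. The caveat mkx raised applies here: a packet marked notrack has no connection entry, so the nat table never rewrites it. This setup therefore only works when the host is reached by routing (a routed public address or a LAN-side listener) rather than through a dst-nat rule; for the dst-NATed port itself, the accept-above-fasttrack approach is the one that keeps NAT working.

```routeros
# Added example - assumed addresses and ports, not the thread's real values.
/ip firewall raw
# Inbound: prerouting runs before dst-nat, so match the pre-NAT (WAN-side)
# destination, not the LAN host address.
add chain=prerouting action=notrack in-interface-list=WAN protocol=tcp \
    dst-address=203.0.113.5 dst-port=8080 \
    comment="service inbound: skip conntrack (pre-NAT header)"
# Return direction: replies from the LAN host arrive on the LAN side with
# the host as source; they need their own rule or they would still be tracked.
add chain=prerouting action=notrack in-interface-list=LAN protocol=tcp \
    src-address=192.168.88.10 src-port=8080 \
    comment="service return: skip conntrack"

# Untracked packets have connection-state=untracked, so the filter chain must
# let that state through explicitly (the RouterOS default rules already do).
/ip firewall filter
add chain=forward action=accept \
    connection-state=established,related,untracked \
    comment="accept established/related and untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# Simple queues match on packet addresses rather than on connection entries,
# so bandwidth limiting still applies to the untracked flow.
/queue simple
add name=service-cap target=192.168.88.10/32 max-limit=50M/50M
```

Before switching `action=notrack` on, the thread's own suggestion of testing with `action=passthrough` plus `log=yes` on the same matchers is the safe way to confirm each rule sees the packets you expect in both directions; `/ip firewall connection print` should then show no entry for the flow once notrack is active.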