arddennis
just joined
Topic Author
Posts: 4
Joined: Sat Mar 09, 2013 12:54 pm

connection tracking, max-entries

Sat Jul 13, 2013 1:52 am

Hello,

I tried to search the forum for the word max-entries but got "No posts were found…", so I am starting a new one.
I have a CCR1036 with OS version 6.0 and a CCR1016 with OS version 6.1. Both have the same strange issue. The size of the connection tracking table is seriously small, which makes it impossible to use.

On the router with 16 GB of RAM:
[ard@z3k-router] > /system resource print 
             uptime: 4w3h50m37s
            version: 6.0
         build-time: May/17/2013 14:04:20
        free-memory: 15.4GiB
       total-memory: 15.9GiB
                cpu: tilegx
          cpu-count: 36
      cpu-frequency: 1000MHz
           cpu-load: 0%
     free-hdd-space: 903.1MiB
    total-hdd-space: 1024.0MiB
  architecture-name: tile
         board-name: CCR1036-12G-4S
           platform: MikroTik
[ard@z3k-router] >
I have a pretty small max-entries value, 524288:
[ard@z3k-router] > /ip firewall connection tracking print  
             …
             generic-timeout: 10m
             max-entries: 524288
             …
[ard@z3k-router] >
If I enable connection tracking, I get a table overflow once a week. Each time I receive an attack, connection tracking gets filled. Today the only normal way to filter traffic is to blackhole-route the attacked IP.

Is it really not possible to specify a higher value somehow? The connection limit feature is awesome, but still, with "max-entries: 524288" it is useless. On a regular Linux box with 16 GB of RAM it is possible to have millions of records in the conntrack table, a slightly bigger backlog and other values. And the network stack does not use all the RAM even during attacks.

Maybe I am missing something; perhaps someone can elaborate on why it is so small.
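As an added example, not code from this thread or from MikroTik: a small Python script that parses the "key: value" layout of the "/ip firewall connection tracking print" output shown above and reports how close the table is to max-entries, so that the overflow described in the post can be caught before the table is full. The sample output, the counters in it and the alert thresholds are constructed; the presence of a "total-entries" line in the print output is an assumption about RouterOS, not something shown in this thread.

```python
import re

# Constructed sample modelled on the layout quoted in the thread.  The
# counters are made up, and the `total-entries` line is an assumption
# about what RouterOS prints (it is not shown in the original post).
SAMPLE_OUTPUT = """\
[ard@z3k-router] > /ip firewall connection tracking print
                      enabled: yes
                tcp-syncookie: no
              generic-timeout: 10m
                  max-entries: 524288
                total-entries: 498123
[ard@z3k-router] >
"""

# One `key: value` line; prompt lines and the "…" elision marker do not match.
_KV_RE = re.compile(r"^\s*([a-z][a-z0-9-]*):\s*(.*?)\s*$")


def parse_print_output(text):
    """Turn the key/value lines of a RouterOS print into a dict of strings."""
    settings = {}
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def table_fill(settings):
    """Return (used, limit, fraction) for the conntrack table.
    Raises KeyError when either counter is missing from the output."""
    limit = int(settings["max-entries"])
    used = int(settings["total-entries"])
    return used, limit, used / limit


def assess(settings, warn=0.80, crit=0.95):
    """Classify table pressure.  A table pinned at max-entries during an
    attack is the failure the thread describes, so alert before it fills."""
    _, _, frac = table_fill(settings)
    if frac >= crit:
        return "critical"
    if frac >= warn:
        return "warning"
    return "ok"


def report(text):
    """Parse raw print output and summarise fill level and SYN cookie state."""
    settings = parse_print_output(text)
    used, limit, frac = table_fill(settings)
    return {
        "status": assess(settings),
        "used": used,
        "max": limit,
        "fill": round(frac, 3),
        "tcp-syncookie": settings.get("tcp-syncookie", "unknown"),
    }


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Feed it the output of the print command (for example captured over SSH on a schedule) and page on "warning" or "critical"; the thresholds are arbitrary defaults and should be tuned to how quickly the table fills on the router in question.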
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: connection tracking, max-entries

Sat Jul 13, 2013 2:13 am

As far as I remember, the conntrack table gets resized automatically when you are reaching its current size limit.
The real limit is the amount of RAM on the router.

If you get problems with SYN floods, enable SYN cookies.
 
arddennis
just joined
Topic Author
Posts: 4
Joined: Sat Mar 09, 2013 12:54 pm

Re: connection tracking, max-entries

Sat Jul 13, 2013 2:29 am

Thank you, I will try to catch the value next time.

The bad thing is that the router sometimes reboots during such attacks. It becomes unavailable and then becomes accessible again, but after a reboot by the watchdog.

Maybe I just linked connection tracking and this unavailability, and this is not the case. I was able to find another post of mine by following it in the "User Control Panel"; conntrack max is explained there: http://forum.mikrotik.com/viewtopic.php?t=70616#p360357 I was just not subscribed to that post and therefore didn't receive any notices.

Sorry for second post for the same question.
 
joshhboss
Member Candidate
Posts: 273
Joined: Thu Aug 01, 2019 2:13 pm

Re: connection tracking, max-entries

Thu Jan 26, 2023 3:12 am

> As far as I remember, the conntrack table gets resized automatically when you are reaching its current size limit.
> The real limit is the amount of RAM on the router.
>
> If you get problems with SYN floods, enable SYN cookies.

Does that work similarly to pfSense's 1 KB per state/connection?
