Yes, but a router needs first packet of stream to start 'connection' and therefore understand what is 'established' or other packets related to a connection. So you can't use any of those connection state functionality when route paths are not symmetric within your network :-} udp might work (not sure) because they are not a real connection anyway...
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad Sent: Saturday, 18 August 2018 3:57 PM To: MikroTik Australia Public List <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] conntrack timing for tcp session
I allow state from non syn packets so I don't check for invalid's and then just the standard allows
On 18 August 2018 at 14:13, Mike Everest <mike@duxtel.com> wrote:
Hi Alex,
If you don't have certainty of symmetric routing, then connection tracking has limited use because packets can be easily interpreted as 'invalid' if router received reply packet to a connection that was stablished via another router outbound.
For asymmetric routing, you need to set up your firewall filter rules without any reference to connections: so no connection-mark, nat-state, tcp-established/new/related, and so on.
Cheers!
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad Sent: Saturday, 18 August 2018 2:04 PM To: MikroTik Australia Public List <public@talk.mikrotik.com.au> Subject: [MT-AU Public] conntrack timing for tcp session
Hi
ROS has a default of tcp-established-timeout: 1d
But I have asym routing and not all the routers will see syn nor fin. I am thinking of bringing this down to 2 hours to match up with linux timeout .
currently i have keep alive set to 30 min on my linux boxes.
I don't think there is any reason why this should cause an issue. ???
Alex _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.co m.au
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com. au
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au