Hi Shane!

If you have multiple border routers, with the possibility that connections are established with outbound packets via one border and reply packets via another border, then connection tracking is no use anyway - since the reply packets will not be part of any established connection on that 'other' router. So the point may be moot :-}

But if that is not possible, then perhaps consider using fasttrack, which essentially bypasses the firewall (and qos ;) while still having the advantage of connection tracking (it is a kind of connection tracking anyway I guess ;)

In the end, though, 1072 is pretty slick, and you need a lot of traffic to bog it down - have you monitored CPU profiles with connection tracking enabled? It is rare that traffic handling will peg a CPU - usually only large routing table manipulation is the primary culprit for CPU pegging (i.e. BGP with multiple global route tables).

Cheers!
Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Shane Clay
Sent: Monday, 24 June 2019 10:59 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: [MT-AU Public] Core Routers and Connection Tracking
Hi All
We have a few CCR1072's as our border routers, core routers and PE routers. They are pure routers (OSPF, BGP, Routing) with no NAT, Mangle, etc. They just route packets around on public IPs. We're providing internet services to our customers and our IaaS environment.
In this scenario it makes sense to me that we would disable connection tracking. Extra overhead with no real value? However, once you turn this off you lose the ability to use Established/Related rules in your firewall input chain, making DNS/upgrading/NTP etc. a bit of a pain since return packets are dropped.
So, I'm curious, are others using CCR's in these scenarios? Do you have connection tracking on or off? Why?
Shane
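An added example, not part of the original thread and not a configuration from either poster: one way to keep a filtered input chain on a pure router with connection tracking disabled is to match return traffic statelessly on source address and source port. The address-list names and every address (RFC 5737 documentation ranges) are constructed placeholders, and the management ports shown assume SSH and Winbox on their defaults.

```routeros
# Added example. List names and addresses are constructed placeholders;
# substitute the resolvers, NTP servers, peers and hosts you actually use.
/ip firewall connection tracking set enabled=no

/ip firewall address-list
add list=rtr-dns address=192.0.2.53
add list=rtr-ntp address=192.0.2.123
add list=rtr-upgrade address=192.0.2.80
add list=rtr-mgmt address=198.51.100.0/24
add list=rtr-bgp address=203.0.113.1

/ip firewall filter
# Replies to the router's own DNS and NTP queries. With no connection
# state available, they are identified by source address and source port.
add chain=input action=accept protocol=udp src-address-list=rtr-dns src-port=53
add chain=input action=accept protocol=tcp src-address-list=rtr-dns src-port=53 tcp-flags=ack
add chain=input action=accept protocol=udp src-address-list=rtr-ntp src-port=123
# Replies to router-initiated upgrade downloads. Requiring ACK rejects a
# bare SYN, so these hosts cannot open new sessions to the router.
add chain=input action=accept protocol=tcp src-address-list=rtr-upgrade src-port=80,443 tcp-flags=ack
# Routing protocols and management, limited to known peers and hosts.
# port=179 matches either direction, since either BGP speaker may initiate.
add chain=input action=accept protocol=tcp src-address-list=rtr-bgp port=179
add chain=input action=accept protocol=ospf
add chain=input action=accept protocol=tcp src-address-list=rtr-mgmt dst-port=22,8291
add chain=input action=accept protocol=icmp
# Everything else addressed to the router itself is dropped.
add chain=input action=drop
```

These rules are stateless, so a packet spoofed from a listed address and port is accepted; keep the lists narrow and rely on source-address filtering at the network edge.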