soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Connection Tracking, off or on ?

Fri Jun 17, 2016 8:17 am

I have recently disabled connection tracking in all of my MikroTiks, border routers, peering routers, core routers, NAS routers, POP routers, everything.
Is it advisable to keep it on or off?

It seems to be hanging the MikroTik a lot, so I completely switched them off.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 10:12 am

Leave it as "auto" and MikroTik will wisely choose to enable it or not. If hardware resources are an issue, set it as "auto" and if RouterOS enables it, try to find out why and then if you can move/disable the service which switches tracking on.
Many features require ConnTrack to work (NAT, firewall, mangle and services which depend on these ones, like the PPPoE change MSS feature) and will not behave properly if it's disabled, even if they may seem to work OK.
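
Added example, not part of the thread or MikroTik's tooling: a small Python check of leonset's point above, flagging firewall rules in a RouterOS `/export` that depend on connection tracking while tracking is set to `no`. The sample export is constructed, the property list is a non-exhaustive selection, and treating an unset `enabled` as `auto` is an assumption.

```python
import re
import shlex

# RouterOS rule properties that rely on connection tracking state.
CONNTRACK_KEYS = {"connection-state", "connection-mark", "connection-nat-state",
                  "connection-bytes", "connection-limit", "connection-rate",
                  "connection-type", "new-connection-mark"}

def audit_export(text):
    """Return (mode, findings); findings are reported only when mode is 'no'."""
    text = re.sub(r"\\\r?\n\s*", "", text)      # join wrapped lines ending in "\"
    section, mode, findings = "", "auto", []     # assumption: unset means "auto"
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                 # menu path, e.g. /ip firewall nat
            section = line
            continue
        props = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
        if section == "/ip firewall connection tracking" and "enabled" in props:
            mode = props["enabled"]
        elif section == "/ip firewall nat":
            findings.append((section, "NAT rule", line))
        elif section in ("/ip firewall filter", "/ip firewall mangle"):
            used = sorted(CONNTRACK_KEYS.intersection(props))
            if used:
                findings.append((section, ",".join(used), line))
    return mode, (findings if mode == "no" else [])

# Constructed sample export, not taken from the thread.
SAMPLE = r"""
/ip firewall connection tracking
set enabled=no
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="drop invalid" \
    connection-state=invalid
add action=accept chain=input protocol=icmp
/ip firewall mangle
add action=mark-packet chain=prerouting dst-port=80 new-packet-mark=cache \
    protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
"""

if __name__ == "__main__":
    for finding in audit_export(SAMPLE)[1]:
        print(*finding, sep=": ")
```

On the sample, the two `connection-state` filter rules and the masquerade rule are reported; the ICMP accept and the plain `mark-packet` rule are not.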
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 10:14 am

> Leave it as "auto" and MikroTik will wisely choose to enable it or not. If hardware resources are an issue, set it as "auto" and if RouterOS enables it, try to find out why and then if you can move/disable the service which switches tracking on.
> Many features require ConnTrack to work (NAT, firewall, mangle and services which depend on these ones, like the PPPoE change MSS feature) and will not behave properly if it's disabled, even if they may seem to work OK.

Ouch.
But everything is working fine.
So, do you mean connection tracking should be on for a PPPoE router?
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 10:21 am

> Ouch.
> But everything is working fine.
> So, do you mean connection tracking should be on for a PPPoE router?

Yes, it should. Set it as "auto" and get bigger hardware if load is an issue.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 10:32 am

> > Ouch.
> > But everything is working fine.
> > So, do you mean connection tracking should be on for a PPPoE router?
>
> Yes, it should. Set it as "auto" and get bigger hardware if load is an issue.

The hardware is 1036 16GB RAM and hardly 2600 PPPoE sessions.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 11:05 am

But, is it overloaded? What is the CPU usage? Have you used "Tools, Profiler" to find out which processes are the most time-consuming ones? Why did you think about disabling ConnTrack?

Don't remove the seats of your car supposing it will run any faster! (and you will not be able to bring anyone with you)
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 11:16 am

> But, is it overloaded? What is the CPU usage? Have you used "Tools, Profiler" to find out which processes are the most time-consuming ones? Why did you think about disabling ConnTrack?
>
> Don't remove the seats of your car supposing it will run any faster! (and you will not be able to bring anyone with you)

The 1036 was running for like 4-5 hours, then instantly disconnecting and reconnecting all clients and CPU reaching 99%, and when I see profile, it was showing firewall usage 93%, so I removed connection tracking and since then the 1036 has not restarted once.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 11:31 am

In that case I suggest you re-enable ConnTrack, generate some supout.rif files when the problem is happening and contact support@mikrotik.com with as much information as possible. How many PPS and how much bandwidth are we talking about? How many rules do you have in your firewall filter/nat/mangle?
 
amt
Long time Member
Posts: 529
Joined: Fri Jan 16, 2015 2:05 pm

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 11:33 am

> > But, is it overloaded? What is the CPU usage? Have you used "Tools, Profiler" to find out which processes are the most time-consuming ones? Why did you think about disabling ConnTrack?
> >
> > Don't remove the seats of your car supposing it will run any faster! (and you will not be able to bring anyone with you)
>
> The 1036 was running for like 4-5 hours, then instantly disconnecting and reconnecting all clients and CPU reaching 99%, and when I see profile, it was showing firewall usage 93%, so I removed connection tracking and since then the 1036 has not restarted once.

Hi,

Did you disable it on the PPPoE server and not face any problem?
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 11:59 am

> > > But, is it overloaded? What is the CPU usage? Have you used "Tools, Profiler" to find out which processes are the most time-consuming ones? Why did you think about disabling ConnTrack?
> > >
> > > Don't remove the seats of your car supposing it will run any faster! (and you will not be able to bring anyone with you)
> >
> > The 1036 was running for like 4-5 hours, then instantly disconnecting and reconnecting all clients and CPU reaching 99%, and when I see profile, it was showing firewall usage 93%, so I removed connection tracking and since then the 1036 has not restarted once.
>
> Hi,
>
> Did you disable it on the PPPoE server and not face any problem?

It's disabled from the firewall directly.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 12:00 pm

> In that case I suggest you re-enable ConnTrack, generate some supout.rif files when the problem is happening and contact support@mikrotik.com with as much information as possible. How many PPS and how much bandwidth are we talking about? How many rules do you have in your firewall filter/nat/mangle?

Already had a long discussion over support email with the MT team, and they were unable to find anything.
 
amt
Long time Member
Posts: 529
Joined: Fri Jan 16, 2015 2:05 pm

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 12:01 pm

> > > The 1036 was running for like 4-5 hours, then instantly disconnecting and reconnecting all clients and CPU reaching 99%, and when I see profile, it was showing firewall usage 93%, so I removed connection tracking and since then the 1036 has not restarted once.
> >
> > Hi,
> >
> > Did you disable it on the PPPoE server and not face any problem?
>
> It's disabled from the firewall directly.

It's auto on my PPPoE servers and I would like to learn if it is better to disable it.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 12:12 pm

> Already had a long discussion over support email with the MT team, and they were unable to find anything.

Well, then you need bigger hardware. Get another 1036 and set them side by side, they will share the PPPoE load automatically (I would set 3 in total, to make sure the system will still give service if one unit goes down). You will need OSPF if you are not using it already.

I have lots of PPPoE spread over the net, so I don't have experience with anything over 500 clients per server.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 12:17 pm

Okay, but it's hardly 1.5Gbps of traffic flowing for 2500 PPPoE sessions.
Cannot believe why the 1036 would give up.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 12:59 pm

How many rules are in your firewall filter/mangle/nat? Queues?

I remember an issue I had some time ago: on a 1036 acting just as FW and OSPF gateway, I created a FW rule to check for L7 content. I just restricted by dst-port 80 and enabled it. CPU load was around 25-30% (normal usage is around 7%) but the FW started losing packets and latencies increased 10-20ms. Had something like 200Mbps total traffic. To me, it seemed that a specific rule (maybe just that kind of rule) can't be processed by too many cores at once, although the FW system is multithreaded. Restricting the rule by src-ip/dst-ip/dst-port and placing it in the proper order solved the problem.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Connection Tracking, off or on ?

Fri Jun 17, 2016 1:01 pm

> How many rules are in your firewall filter/mangle/nat? Queues?
>
> I remember an issue I had some time ago: on a 1036 acting just as FW and OSPF gateway, I created a FW rule to check for L7 content. I just restricted by dst-port 80 and enabled it. CPU load was around 25-30% (normal usage is around 7%) but the FW started losing packets and latencies increased 10-20ms. To me, it seemed that a specific rule (maybe just that kind of rule) can't be processed by too many cores at once, although the FW system is multithreaded. Restricting the rule by src-ip/dst-ip/dst-port and placing it in the proper order solved the problem.

I hardly have 6-7 rules, and all are generic rules, just packet marker rules for my caching servers.
