Hello!

I have CCR-1016 used as core router. Only routing (IPv4, OSPF, BGP) and simple queues. No NAT, very few mangle rules for packet marking. System serves about 1.5Gbps. CPU is about 25%. For the time present is set connection tracking to "no". But may be I'm wrong and do I need connection tracking to "yes" or "auto"? I tried, get about 200k active connections, got scared and set it back to "no".

Regards,
Boris

It depends, for the duties you mentioned Connection Tracking is not needed.

But depending on your mangle it may be needed, do you use any criteria that would involve tracking a connection?

You may use auto, ROS will enable connection tracking if needed.

With mangle I only mark local traffic to put it in unlimited simple queue (if there is another way to not pass local traffic to user queue I will glad to hear about)
Yes, I tried auto and got about 200k connetions with a first 10-15 seconds. Router serves about 8k IP's so I suppose total count of active connection may be greater. As I see - the limit to connection is set to 1M. What will happen if it will be reached? What is perfomance impact for CCR-1036 with this number of connections?

Regards,
Boris

You could use fasttrack to make local traffic to bypass queues, conntrack, etc entirely.

Would You please give an example? Is connection tracking needed in this case?

Yes, but need either your config export, or the conditions for local traffic (in/out interfaces for example).

No, fasttrack bypasses conntrack

Hello!

address-list ACL_LOCAL serves list of my local networks

Regards,
Boris

Have read about fasttrack. Restriction for fasttrak is only TCP and UDP pakets, so, not all user packets will be fasttracked and may go to queues.

If just mangle rules with Change mss are created to change MSS for PPPoE tunnels....

Do I need connection tracking?

Or I can create raw rules with no-track action for those which doesn't need NATing ?
Would the no-track action reduce CPU usage?

Thanks