MikroTik

Community discussions
https://forum.mikrotik.com/

inter VLAN trafic routing RAW

https://forum.mikrotik.com/viewtopic.php?t=135617

Page 1 of 1

inter VLAN trafic routing RAW

Posted: Tue Jun 12, 2018 10:47 pm
by dhcpy
HEllo all,

I saw a MUM presentation, they say RAW is new firewall table and works for instance to not have packets going through Connection tracking, and this can improve throughput.

I have multiple VLANs (server farm, clients, development, and guest), and I think the traffic from clients to server farm can be pass without a Connection tracking.

is this rule well written?

/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.0.0/24 in-interface=vlan200 in-interface-list=all src-address=192.168.2.0/24

EDIT
what I would like to do is improve throughput of local traffic, i.e. interVLAN traffic.
I see it hits packet count this rule, but I also see local connections between this 2 VLANs in Connection tracker. So i'm confused.

Re: inter VLAN trafic routing RAW

Posted: Wed Jun 13, 2018 12:12 am
by CZFan
From your raw firewall rule, you have 3 src's, vlan, in interface list, and src range. Only keep src range and remove other two

Re: inter VLAN trafic routing RAW

Posted: Wed Jun 13, 2018 10:41 pm
by sindy
The way you have written the rule, it only excludes from connection tracking packets in one direction. So the response packets in the other direction do not match this rule, so the connection tracking gets them and tracks them.

So something like
Code: Select all
/ip firewall address-list
add list=my-vlan-subnets address=your.sub.net.1/mask_length
add list=my-vlan-subnets address=your.sub.net.2/mask_length
add list=my-vlan-subnets address=your.sub.net.3/mask_length

/ip firewall raw
add action=notrack chain=prerouting src-address-list=my-vlan-subnets dst-address-list=my-vlan-subnets
should do the trick, yet I'm not sure whether it would actually save resources (matching packet's src and dst addresses to address lists may be almost as expensive as matching packet's src and dst sockets to connection list which is what connection tracking does).

Re: inter VLAN trafic routing RAW

Posted: Thu Jun 14, 2018 7:27 pm
by dhcpy
The way you have written the rule, it only excludes from connection tracking packets in one direction. So the response packets in the other direction do not match this rule, so the connection tracking gets them and tracks them.

So something like
Code: Select all
/ip firewall address-list
add list=my-vlan-subnets address=your.sub.net.1/mask_length
add list=my-vlan-subnets address=your.sub.net.2/mask_length
add list=my-vlan-subnets address=your.sub.net.3/mask_length

/ip firewall raw
add action=notrack chain=prerouting src-address-list=my-vlan-subnets dst-address-list=my-vlan-subnets
should do the trick, yet I'm not sure whether it would actually save resources (matching packet's src and dst addresses to address lists may be almost as expensive as matching packet's src and dst sockets to connection list which is what connection tracking does).
Thanks you very much!!
Yes that was exactly the problem. I was still seeing the response in connTracking.
I did the subnet approach in 2 rules. Will try the access list approach too, hoping it would improve performance with the just 1 rule match
All times are UTC+02:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/