Manual:IP/Firewall/Connection tracking

From MikroTik Wiki
< Manual:IP‎ | Firewall
Revision as of 10:58, 19 May 2011 by Marisb (talk | contribs)
Jump to navigation Jump to search

Connection tracking entries

Sub-menu: /ip firewall connection

There are several ways to see what connections are making their way though the router.

In the Winbox Firewall window, you can switch to the Connections tab, to see current connections to/from/through your router. It looks like this:

2009-01-26 1346.jpg

You can also Turn on and off the connection tracking altogether, in the Tracking menu, accessible with a button of the same name in this window. Note that turning off the connection tracking will make NAT and most of the Firewall not work, because they rely on this feature.

Connection tracking settings

Sub-menu: /ip firewall connection tracking


Property Description
enabled (yes | no; Default: yes) Allows to disable or enable connection tracking. Disabling connection tracking will cause several firewall features to stop working. See the list of affected features.
tcp-syn-sent-timeout (time; Default: 5s) TCP SYN timeout.
tcp-syn-received-timeout (time; Default: 5s) TCP SYN timeout.
tcp-established-timeout (time; Default: 1d) Time when established TCP connection times out.
tcp-fin-wait-timeout (time; Default: 10s)
tcp-close-wait-timeout (time; Default: 10s)
tcp-last-ack-timeout (time; Default: 10s)
tcp-time-wait-timeout (time; Default: 10s)
tcp-close-timeout (time; Default: 10s)
udp-timeout (time; Default: 10s)
udp-stream-timeout (time; Default: 3m)
icmp-timeout (time; Default: 10s)
generic-timeout (time; Default: 10m) Timeout for all other connection entries
tcp-syncookie (yes | no; Default: no)

Read-only properties

Property Description
max-entries (integer) Max amount of entries that connection tracking table can hold. This value depends on installed amount of RAM.
total-entries (integer) Amount of connections that currently connection table holds.

Features affected by connection tracking

  • NAT
  • firewall:
    • connection-bytes
    • connection-mark
    • connection-type
    • connection-state
    • connection-limit
    • connection-rate
    • layer7-protocol
    • p2p
    • new-connection-mark
  • p2p matching in simple queues