Administrator: Created page with "TOC ==Connection tracking entries==
Sub-menu: `/ip firewall connection`
There are several ways to see what connections are making t..."

2015-01-29T11:54:20Z

Created page with "__TOC__ ==Connection tracking entries== Sub-menu: <code>/ip firewall connection</code> There are several ways to see what connections are making t..."

New page

__TOC__

==Connection tracking entries==

Sub-menu: <code>/ip firewall connection</code>

There are several ways to see what connections are making their way though the router.

In the Winbox Firewall window, you can switch to the Connections tab, to see current connections to/from/through your router. It looks like this:

[[Image:2009-01-26 1346.jpg]]

=== Properties ===

All properties in connection list are read-only

{{Mr-arg-table-h
|prop=Property
|desc=Description
}}

{{Mr-arg-ro-table
|arg=seen reply
|type=yes {{!}} no
|desc=
}}

{{Mr-arg-ro-table
|arg=assured
|type=yes {{!}} no
|desc="assured" flag indicates that this connection is assured and that it will not be erased if maximum possible tracked connection count is reached.
}}

{{Mr-arg-ro-table
|arg=connection-mark
|type=string
|desc=connection mark set by [[M:IP/Firewall/Mangle | mangle]] rule.
}}

{{Mr-arg-ro-table
|arg=connection-type
|type=pptp {{!}} ftp {{!}} p2p
|desc=Type of connection, property is empty if connection tracking is unable to determine predefined connection type.
}}

{{Mr-arg-ro-table
|arg=dst-address
|type=ip[:port]
|desc=Destination address and port (if protocol is port based).
}}

{{Mr-arg-ro-table
|arg=gre-key
|type=integer
|desc=
}}

{{Mr-arg-ro-table
|arg=gre-version
|type=string
|desc=
}}

{{Mr-arg-ro-table
|arg=icmp-code
|type=string
|desc=
}}

{{Mr-arg-ro-table
|arg=icmp-id
|type=string
|desc=
}}

{{Mr-arg-ro-table
|arg=icmp-type
|type=string
|desc=
}}

{{Mr-arg-ro-table
|arg=p2p
|type=yes {{!}} no
|desc=Shows if connection is identified as p2p by firewall p2p matcher.
}}

{{Mr-arg-ro-table
|arg=protocol
|type=string
|desc=IP protocol type
}}

{{Mr-arg-ro-table
|arg=reply-dst-address
|type=ip[:port]
|desc=Destination address (and port) expected of return packets. Usually the same as "src-address:port"
}}

{{Mr-arg-ro-table
|arg=reply-src-address
|type=ip[:port]
|desc=Source address (and port) expected of return packets. Usually the same as "dst-address:port"
}}

{{Mr-arg-ro-table
|arg=src-address
|type=ip[:port]
|desc=Source address and port (if protocol is port based).
}}

{{Mr-arg-ro-table
|arg=tcp-state
|type=string
|desc=Current state of TCP connection :
* "established"
* "time-wait"
* "close"
* "syn-sent"
* "syn-received"
}}

{{Mr-arg-ro-table-end
|arg=timeout
|type=time
|desc=Time after connection will be removed from connection list.
}}

==Connection tracking settings==

Sub-menu: <code>/ip firewall connection tracking</code>

===Properties===

{{Mr-arg-table-h
|prop=Property
|desc=Description
}}

{{Mr-arg-table
|arg=enabled
|type=yes {{!}} no {{!}} auto
|default=auto
|desc=Allows to disable or enable connection tracking. Disabling connection tracking will cause several firewall features to stop working. See the [[#Features affected by connection tracking | list]] of affected features. Starting from v6.0rc2 default value is auto. Which means that connection tracing is disabled until at least one firewall rule is added.
}}

{{Mr-arg-table
|arg=tcp-syn-sent-timeout
|type=time
|default=5s
|desc=TCP SYN timeout.
}}

{{Mr-arg-table
|arg=tcp-syn-received-timeout
|type=time
|default=5s
|desc=TCP SYN timeout.
}}

{{Mr-arg-table
|arg=tcp-established-timeout
|type=time
|default=1d
|desc=Time when established TCP connection times out.
}}

{{Mr-arg-table
|arg=tcp-fin-wait-timeout
|type=time
|default=10s
|desc=
}}

{{Mr-arg-table
|arg=tcp-close-wait-timeout
|type=time
|default=10s
|desc=
}}

{{Mr-arg-table
|arg=tcp-last-ack-timeout
|type=time
|default=10s
|desc=
}}

{{Mr-arg-table
|arg=tcp-time-wait-timeout
|type=time
|default=10s
|desc=
}}

{{Mr-arg-table
|arg=tcp-close-timeout
|type=time
|default=10s
|desc=
}}

{{Mr-arg-table
|arg=udp-timeout
|type=time
|default=10s
|desc=
}}

{{Mr-arg-table
|arg=udp-stream-timeout
|type=time
|default=3m
|desc=
}}

{{Mr-arg-table
|arg=icmp-timeout
|type=time
|default=10s
|desc=
}}

{{Mr-arg-table-end
|arg=generic-timeout
|type=time
|default=10m
|desc=Timeout for all other connection entries
}}

'''Read-only properties'''
{{Mr-arg-table-h
|prop=Property
|desc=Description
}}

{{Mr-arg-ro-table
|arg=max-entries
|type=integer
|desc=Max amount of entries that connection tracking table can hold. This value depends on installed amount of RAM. Note that system does not create maximum size connection tracking table when it starts, maximum entry amount can increase if situation demands it and router still has free ram left.
}}

{{Mr-arg-ro-table-end
|arg=total-entries
|type=integer
|desc=Amount of connections that currently connection table holds.
}}

==Features affected by connection tracking==

* NAT
* firewall:
** connection-bytes
** connection-mark
** connection-type
** connection-state
** connection-limit
** connection-rate
** layer7-protocol
** p2p
** new-connection-mark
** tarpit
* p2p matching in simple queues

[[Category:Manual|Connection tracking]]
[[Category:IP|Connection tracking]]
[[Category:Firewall|Connection tracking]]

Manual:IP/Firewall/Connection tracking - Revision history

Administrator: Created page with "__TOC__ ==Connection tracking entries== Sub-menu: /ip firewall connection There are several ways to see what connections are making t..."

Administrator: Created page with "TOC ==Connection tracking entries==
Sub-menu: `/ip firewall connection`
There are several ways to see what connections are making t..."