V3, Firewall, and Connection Tracking


butchkemper
06-01-2006, 07:52 PM
All of our APs and backhaul routers have connection tracking turned off and when using V2, there were firewall rules to limit which IPs could connect to the device.

I have changed 4 backhaul routers from wraps to war-2 and I find that when connection tracking is turned off, the firewall rules are ignored.

Is it possible to change this behavior in a future update so that firewall rules are not ignored when connection tracking is turned off?

Thanks.

Butch

tony
06-01-2006, 09:12 PM
The feature is working as we intended with v3. In the future, we may re-evaluate this feature and extend it with more options.

Skaught
06-02-2006, 10:38 AM
But CBQ works without connection tracking?

I am wondering if the connection tracking causes the data stream to lose the benefit of the IXP-420 networking optimizations and means the processor has to do the work.

tony
06-02-2006, 11:10 AM
CBQ will still operate as expected with or without connection tracking enabled.

There is no correlation between firewall/NAT (connection tracking) support and how the IXP-42x network processor operates.

butchkemper
06-03-2006, 12:48 PM
I understand that in V3 the firewall feature is designed to require the connection tracking feature and that it is working as designed.

Since the V2 firewall did not require connection tracking and the V3 firewall does require connection tracking, I am wondering why the design change with V3?

I do not need connection tracking on the APs and backhaul routers but I do want/need the firewall protection to control access to the units. Is there some benefit to having connection tracking turned on for my configuration that I am overlooking?

Butch

lonnie
06-03-2006, 03:22 PM
It is a new kernel and new iptables, that is why. Firewall is stateful and thus it requires state tracking (or connection tracking). Before you get too upset, what sort of throughput do you get with and without connection tracking? What sort of bandwidth do you require? If you need less than you can get with tracking on, then just leave it on and get on with your job. If you need more than you can get with it on, then you are lucky indeed, since that is a lot of traffic and you must have a very good client base. In that instance why not simply throw a larger router at your gateway and do your firewall there?
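As an added illustration (not part of this thread and not the firmware's own rule set), the two rule styles lonnie contrasts, written as iptables commands: a V2-style stateless filter that limits management access by source address alone, and a V3-style stateful filter whose ESTABLISHED,RELATED rule only works with connection tracking on. The admin hosts and management ports are assumed values, and the script only prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware): stateless vs stateful
# management-access rules written as iptables commands.
# Assumed values: two admin hosts and the SSH/HTTPS management ports.
ADMIN_HOSTS="192.0.2.10 192.0.2.20"
MGMT_PORTS="22 443"

# V2-style filter: each packet is judged on its own header fields, so the
# rules keep working with connection tracking turned off.
stateless_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    for host in $ADMIN_HOSTS; do
        for port in $MGMT_PORTS; do
            echo "iptables -A INPUT -p tcp -s $host --dport $port -j ACCEPT"
        done
    done
    # Without state there is no notion of "reply", so answers to sessions the
    # router itself opens (DNS, NTP) must be allowed explicitly by source port.
    echo "iptables -A INPUT -p udp --sport 53 -j ACCEPT"
    echo "iptables -A INPUT -p udp --sport 123 -j ACCEPT"
}

# V3-style filter: one ESTABLISHED,RELATED rule covers all reply traffic, but
# the kernel can only evaluate it when connection tracking is enabled.
stateful_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for host in $ADMIN_HOSTS; do
        for port in $MGMT_PORTS; do
            echo "iptables -A INPUT -p tcp -s $host --dport $port -m state --state NEW -j ACCEPT"
        done
    done
}

# Read a rule set on stdin and report whether it depends on conntrack.
classify() {
    if grep -q -e '-m state' -e '-m conntrack' -e '--ctstate'; then
        echo stateful
    else
        echo stateless
    fi
}

# Number of chain rules (not policies) in a rule set read from stdin.
count_rules() { grep -c '^iptables -A'; }

stateless_rules | classify   # prints: stateless
stateful_rules | classify    # prints: stateful
```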

butchkemper
06-04-2006, 07:34 PM
I did not mean to give the impression that I am upset. Quite to the contrary, I am very happy with V3 and the War-2 boards.

I am just trying to understand connection tracking, what it is, and how it works.

I have enabled connection tracking on a War-2 client and have disabled the helpers. I will see what that does for me.

Thanks.

Butch