Introduction
/ip firewall connection
There are several ways to see what connections are making their way through the router.
In the Winbox Firewall window, you can switch to the Connections tab, to see current connections to/from/through your router. It looks like this:
Properties
All properties in the connection list are read-only
| Property | Description |
|---|---|
| assured (yes | no) | Indicates that this connection is assured and that it will not be erased if the maximum possible tracked connection count is reached. |
| confirmed (yes | no) | Connection is confirmed and a packet is sent out from the device. |
| connection-mark (string) | Connection mark that was set by the mangle rule. |
| connection-type (pptp | ftp) | Type of connection, the property is empty if connection tracking is unable to determine a predefined connection type. |
| dst-address (ip[:port]) | Destination address and port (if a protocol is port-based). |
| dstnat (yes | no) | A connection has gone through DST-NAT (for example, port forwarding). |
| dying (yes | no) | The connection is dying due to a connection timeout. |
| expected (yes | no) | Connection is set up using connection helpers (pre-defined service rules). |
| fasttrack (yes | no) | Whether the connection is FastTracked. |
| gre-key (integer) | Contents of the GRE Key field. |
| gre-protocol (string) | Protocol of the encapsulated payload. |
| gre-version (string) | A version of the GRE protocol was used in the connection. |
| icmp-code (string) | ICMP Code Field |
| icmp-id (integer) | Contains the ICMP ID |
| icmp-type (integer) | ICMP Type Number |
| orig-bytes (integer) | Amount of bytes sent out from the source address using the specific connection. |
| orig-fasttrack-bytes (integer) | Amount of FastTracked bytes sent out from the source address using the specific connection. |
| orig-fasttrack-packets (integer) | Amount of FastTracked packets sent out from the source address using the specific connection. |
| orig-packets (integer) | Amount of packets sent out from the source address using the specific connection. |
| orig-rate (integer) | The data rate at which packets are sent out from the source address using the specific connection. |
| protocol (string) | IP protocol type |
| repl-bytes (integer) | Amount of bytes received from the destination address using the specific connection. |
| repl-fasttrack-bytes (string) | Amount of FastTracked bytes received from the destination address using the specific connection. |
| repl-fasttrack-packets (integer) | Amount of FastTracked packets received from the destination address using the specific connection. |
| repl-packets (integer) | Amount of packets received from the destination address using the specific connection. |
| repl-rate (string) | The data rate at which packets are received from the destination address using the specific connection. |
| reply-dst-address (ip[:port]) | Destination address (and port) expected of return packets. Usually the same as "src-address: port" |
| reply-src-address (ip[:port]) | Source address (and port) expected of return packets. Usually the same as "dst-address: port" |
| seen-reply (yes | no) | The destination address has replied to the source address. |
| src-address (ip[:port]) | The source address and port (if a protocol is port-based). |
| srcnat (yes | no) | Connection is going through SRC-NAT, including packets that were masqueraded through NAT. |
| tcp-state (string) | The current state of TCP connection :
|
| timeout (time) | Time after connection will be removed from the connection list. |
Connection tracking settings
/ip firewall connection tracking
Properties
| Property | Description |
|---|---|
| enabled (yes | no | auto; Default: auto) | Allows to disable or enable connection tracking. Disabling connection tracking will cause several firewall features to stop working. See the list of affected features. This means that connection tracing is disabled until at least one firewall rule is added. |
| loose-tcp-tracking (yes; Default: yes) | Disable picking up already established connections |
| tcp-syn-sent-timeout (time; Default: 5s) | TCP SYN timeout. |
| tcp-syn-received-timeout (time; Default: 5s) | TCP SYN timeout. |
| tcp-established-timeout (time; Default: 1d) | Time after which established TCP connection times out. |
| tcp-fin-wait-timeout (time; Default: 10s) | |
| tcp-close-wait-timeout (time; Default: 10s) | |
| tcp-last-ack-timeout (time; Default: 10s) | |
| tcp-time-wait-timeout (time; Default: 10s) | |
| tcp-close-timeout (time; Default: 10s) | |
| udp-timeout (time; Default: 10s) | Specifies the timeout for UDP connections that have seen packets in one direction |
| udp-stream-timeout (time; Default: 3m) | Specifies the timeout of UDP connections that have seen packets in both directions |
| icmp-timeout (time; Default: 10s) | ICMP connection timeout |
| generic-timeout (time; Default: 10m) | Timeout for all other connection entries |
Read-only properties
| Property | Description |
|---|---|
| max-entries (integer) | Max amount of entries that the connection tracking table can hold. This value depends on the installed amount of RAM. Note that the system does not create a maximum-size connection tracking table when it starts, it may increase if the situation demands it and the system still has free RAM, but the size will not exceed 1048576 |
| total-entries (integer) | Amount of connections that the connection table holds currently |
Features affected by connection tracking
- NAT
- firewall:
- connection-bytes
- connection-mark
- connection-type
- connection-state
- connection-limit
- connection-rate
- layer7-protocol
- new-connection-mark
- tarpit