Conntrack problem

Hi. I am seeing a problem with conntrack. How can I turn it off, or optimize it for the 10G channel?

Hi,

At this moment there is a bug open for it. Please see T5080 Conntrack enabled by default. No resolution that I know of as of now.

OTOH, what is the exact problem you are hitting? I can run 10Gbit easily with conntrack enabled, even though I would like to see it disabled.

Sander

Today I noticed a big loss on the servers that are behind VyOS; for a long time I could not understand why the problem occurred, until I cleared the conntrack table.

vyos@r14# set system conntrack ignore 
Possible completions:
+> rule                 Rule number

Will this completely disable conntrack, so that the table does not get clogged?

If you check conntrack -L -o extended, the table is still being kept.

Show full config of conntrack ignore rules

firewall {
    all-ping disable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects disable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        ignore {
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
}

I hope I understood you correctly.

You have to use rules specifying which source or destination addresses will ignore conntrack.

Are you sure conntrack ignore rules work? The last time I checked and discussed this in the Slack channel, there was a bug that prevented this from working.

Another solution, which is what I did, is to increase the conntrack table size massively.

set system conntrack hash-size '131072'
set system conntrack table-size '2097152'

As I remember, it may not work for IPv6, but IPv4 should work.
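An added example, not posted by anyone in this thread: before clearing the table or raising table-size, it helps to confirm that the conntrack table really is the bottleneck. The VyOS settings above map onto the kernel counters nf_conntrack_max (table-size) and nf_conntrack_buckets (hash-size), and the live entry count is nf_conntrack_count, all under /proc/sys/net/netfilter. The script below reads those, reports utilisation and the average hash-chain length (entries per bucket; the kernel's own default sizes the table at 4 per bucket, the "more than 8 is long" threshold is a heuristic I chose), and counts the kernel's "nf_conntrack: table full, dropping packet" warnings in a log dump. The numeric sample and the dmesg lines are constructed for the demo; the sysctl paths and the warning text are the real kernel interfaces.

```shell
#!/bin/sh
# Added example for this thread (not VyOS's own code): is the conntrack table the bottleneck?

NF_DIR=/proc/sys/net/netfilter

# conntrack_stats COUNT MAX BUCKETS -> prints "pct chain":
#   pct   = table utilisation in percent (count / max)
#   chain = average entries per hash bucket (max / buckets); the kernel default is 4
conntrack_stats() {
    count=$1; max=$2; buckets=$3
    [ "$max" -gt 0 ] && [ "$buckets" -gt 0 ] || { echo "0 0"; return 1; }
    pct=$(( count * 100 / max ))
    chain=$(( max / buckets ))
    printf '%s %s\n' "$pct" "$chain"
}

# conntrack_verdict COUNT MAX BUCKETS -> one of: full | near-full | long-chains | ok
# "long-chains" means the table may be big enough but hash-size was not raised with it,
# so every lookup walks a long bucket chain (threshold of 8 is a heuristic, not a kernel limit).
conntrack_verdict() {
    set -- $(conntrack_stats "$1" "$2" "$3")
    pct=$1; chain=$2
    if   [ "$pct" -ge 100 ]; then echo full
    elif [ "$pct" -ge 80 ];  then echo near-full
    elif [ "$chain" -gt 8 ]; then echo long-chains
    else echo ok
    fi
}

# count_table_full LOGTEXT -> number of kernel "table full, dropping packet" warnings in LOGTEXT.
# Newer kernels print the prefix twice ("nf_conntrack: nf_conntrack: ..."); the pattern matches both.
count_table_full() {
    printf '%s\n' "$1" | grep -c 'nf_conntrack: table full, dropping packet' || true
}

# live_verdict -> verdict for this host, or "n/a" when the counters are not readable
# (e.g. running the demo on a box without nf_conntrack loaded)
live_verdict() {
    if [ -r "$NF_DIR/nf_conntrack_count" ] && [ -r "$NF_DIR/nf_conntrack_buckets" ]; then
        conntrack_verdict "$(cat "$NF_DIR/nf_conntrack_count")" \
                          "$(cat "$NF_DIR/nf_conntrack_max")" \
                          "$(cat "$NF_DIR/nf_conntrack_buckets")"
    else
        echo n/a
    fi
}

# Constructed sample kernel log (not captured from a real host).
SAMPLE_DMESG='[12345.678901] nf_conntrack: nf_conntrack: table full, dropping packet
[12345.789012] nf_conntrack: nf_conntrack: table full, dropping packet
[12346.000000] eth0: link up'

# Constructed sample: the table-size / hash-size posted above with 1,000,000 live entries.
echo "sample: $(conntrack_stats 1000000 2097152 131072)  -> $(conntrack_verdict 1000000 2097152 131072)"
echo "sample dmesg drops: $(count_table_full "$SAMPLE_DMESG")"
echo "this host: $(live_verdict)"
```

Two caveats worth keeping in mind when acting on the output: clearing the table, as the original poster did, drops state for every established flow through the router, not just the stale ones; and raising table-size without raising hash-size in step keeps the "full" condition away but makes each lookup slower, which on a 10G forwarder shows up as CPU rather than as drops.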

Thanks, I’ll give it a try.