Hi. I am seeing a problem with conntrack, how can I turn it off or optimize it for the 10G channel?
Hi,
At this moment there is a bug open for it. Please see T5080 "Conntrack enabled by default". No resolution that I know of as of now.
OTOH, what is the exact problem you are hitting? I can run 10Gbit easily with conntrack enabled, even though I would like to see it disabled.
Sander
Today I noticed a big loss on the servers behind VyOS; for a long time I could not understand why it occurred, until I cleared the conntrack table.
vyos@r14# set system conntrack ignore
Possible completions:
+> rule Rule number
Will this completely disable conntrack so that the table will not be clogged?
If you check conntrack -L -o extended, the table is still being kept.
Show full config of conntrack ignore rules
firewall {
all-ping disable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
receive-redirects disable
send-redirects disable
source-validation disable
syn-cookies enable
twa-hazards-protection disable
system {
config-management {
commit-revisions 100
}
conntrack {
ignore {
}
}
console {
device ttyS0 {
speed 115200
}
}
I hope I understood you correctly.
You have to use rules specifying which source or destination addresses will ignore conntrack.
Are you sure conntrack ignore rules work? Last time I checked and discussed this in the slack channel there was a bug that prevented this from working.
Another solution, which is what I did, is to increase the conntrack table size massively.
set system conntrack hash-size '131072'
set system conntrack table-size '2097152'
As I remember, it may not work for IPv6, but IPv4 should work.
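As an added example (not posted by anyone in this thread), a small POSIX shell check for the problem described above: the conntrack table filling up and new flows being dropped. It reads nf_conntrack_count against nf_conntrack_max (the kernel value that set system conntrack table-size adjusts) and emits an OK/WARN/CRIT line with a matching exit code, so it can be cron'd or fed to a monitoring agent on the router. The threshold of 80% is an assumed default.

```shell
#!/bin/sh
# Added example: warn before the Linux/VyOS conntrack table is full.
# Kernel counters (assumed standard paths on a netfilter-enabled kernel).
CT_COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count
CT_MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max

# conntrack_pct COUNT MAX -> prints the integer percentage of the table in use.
conntrack_pct() {
    count=$1
    max=$2
    # A zero or missing maximum means the counters are unusable.
    [ -n "$max" ] && [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# conntrack_status COUNT MAX [THRESHOLD] -> prints a status line and returns
# 0 (OK), 1 (WARN, >= THRESHOLD%), 2 (CRIT, >= 95%) or 3 (unknown).
conntrack_status() {
    pct=$(conntrack_pct "$1" "$2") || return 3
    threshold=${3:-80}
    if [ "$pct" -ge 95 ]; then
        echo "CRIT conntrack table ${pct}% full ($1/$2)"; return 2
    elif [ "$pct" -ge "$threshold" ]; then
        echo "WARN conntrack table ${pct}% full ($1/$2)"; return 1
    fi
    echo "OK conntrack table ${pct}% full ($1/$2)"; return 0
}

# Live mode: read the real counters from the running kernel.
# Usage: sh conntrack_check.sh --live [THRESHOLD]
case "${1:-}" in
    --live)
        [ -r "$CT_COUNT_FILE" ] && [ -r "$CT_MAX_FILE" ] || {
            echo "UNKNOWN conntrack counters not readable"; exit 3; }
        conntrack_status "$(cat "$CT_COUNT_FILE")" "$(cat "$CT_MAX_FILE")" "${2:-80}"
        ;;
esac
```

With the table sized at 2097152 as suggested above, a count of 2000000 reports CRIT; the exit codes follow the usual monitoring-plugin convention.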
Thanks, I’ll give it a try.