Mikrotik
r3aly, 2016-03-08 23:24:17

Mikrotik. A quirk in how traffic gets cut off and restored?

Hello! Tell me: I noticed that on ROS devices, if we block access to a host/subnet with firewall -> filter rules while the client PC is, say, pinging the blocked host, the ping keeps going after the block until you stop pinging that host.
I.e., if I understand correctly, ROS does not reset a session that was already open before the block started?
And I ran into the same thing elsewhere: in another organization I have a failover scheme with two providers, and the switchover time between them on failure is about 10 seconds. So if you unplug the main line, run ping ya.ru -t on a client and wait 10 seconds for the second line to become active, it will not get replies in the current ping window, but if you open another window after those 10 seconds, everything works.
On SOHO routers like D-Link, Asus and others I have never seen this. You block client access, and it is blocked that very second (that is, you are pinging the host, and you see that's it, you are no longer pinging it, in the same window).
So there is a feeling that it does not interrupt the current session, or the other way round: if you start trying to send something somewhere and only open access afterwards, it also ignores the current session. Moreover, this applies to any type of traffic to the host (icmp, udp, tcp etc). Is this normal? Or is it a feature of "masquerading" on ROS? Thank you.


2 answer(s)
Dmitry, 2016-03-09
@plin2s

Without knowing ALL your rules, it is unrealistic to answer this question.
I can only try to guess: you have a rule that allows "established" connections.

r3aly, 2016-03-09
@r3aly

You could say there are no rules, i.e. I always leave out the "default config" so as not to clutter things; the filter rules are completely empty. But I also tried with the "default config".
Now I checked, and indeed with ping, when blocking a specific host, everything is fine. But try, say, disabling masquerading after starting ping ya.ru -t: it will continue pinging the current host even after masquerading is disabled. After the disconnect we start pinging mail.ru -t, and it does not respond (masquerading is off, after all); we turn masquerading on, and this host still does not respond for another couple of minutes! Although it should. Meanwhile, any new host put on ping after masquerading is enabled responds immediately.
This is terribly inconvenient if, for example, you work with some permanent host over the Internet (for example, a terminal server), the connection breaks, your PC keeps trying to restore the connection and therefore keeps sending packets. The MikroTik switches to the backup channel, but everything happens roughly as I described above, so your downtime is longer, although the Internet is already up on the router.
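Both observations in this thread (Dmitry's guess about an "established" accept rule, and r3aly's stale flows after toggling masquerade or failing over) come down to connection tracking: RouterOS evaluates filter and NAT rules for the first packet of a flow, stores the decision in a tracking entry, and later packets of that flow follow the entry rather than the current rule set until the entry times out. The RouterOS CLI snippet below is an added example, not code from either participant; the addresses 192.168.88.10 (LAN client) and 203.0.113.5 (remote host being pinged) are placeholders chosen for illustration, and the timeout values are examples rather than defaults.

```routeros
# Added example (not from the thread): inspect and flush connection-tracking
# entries so that a newly added or changed filter/NAT rule takes effect on
# flows that already exist, instead of waiting for the entries to time out.
# Placeholders (assumed): 192.168.88.10 = LAN client, 203.0.113.5 = remote host.

# 1. The layout Dmitry is guessing at: an accept for tracked flows comes first,
#    so a drop rule added below it never sees packets of an already-open flow.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="accept packets of tracked flows"
add chain=forward src-address=192.168.88.10 dst-address=203.0.113.5 action=drop comment="block client -> host"

# 2. Show the tracking entries that keep the old decision alive.
#    src-address / dst-address here are "ip:port" strings, so ~ is a regex match
#    (dots are unescaped for readability; escape them as \\. to be strict).
/ip firewall connection print where src-address~"192.168.88.10" && dst-address~"203.0.113.5"

# 3. Remove those entries. The very next packet of that ping is then treated as a
#    new connection and is evaluated against the current filter and NAT rules.
/ip firewall connection remove [find where src-address~"192.168.88.10" && dst-address~"203.0.113.5"]

# 4. Same remedy for r3aly's masquerade case: an entry created while masquerade was
#    off carries "no NAT" for its whole lifetime, so even after masquerade is enabled
#    that flow keeps leaving un-NATed until it expires. Flush it instead of waiting.
/ip firewall connection remove [find where dst-address~"203.0.113.5"]

# 5. Optionally shorten how long idle entries survive so stale decisions age out faster
#    (example values, not RouterOS defaults; too low a value breaks long-idle UDP/ICMP).
/ip firewall connection tracking set icmp-timeout=5s udp-timeout=5s
```

For the failover scenario, the same `remove [find ...]` call (without the address filter, or restricted to flows on the failed WAN interface) can be run from the script that switches routes, so clients do not sit on flows pinned to the dead uplink. Flushing every entry is disruptive to all users, so scope the `find` as tightly as the situation allows.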
