☰

Add note about conntrack to networksettings

DN42 Wiki (BURBLE-MNT) committed 2020-05-17 21:18:05 +0000 commit 53aa78eada0ff51cdff536156444c4ad846cba56

				howto/networksettings.md
			
          @@ -32,4 +32,13 @@ Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.

           $ sysctl -a | grep forwarding

           ```

          +### Note on firewalls, conntrack and asymmetric routing

          +

          +Do not configure iptables/nftables to drop packets with invalid conntrack state in forward chain.

          +

          +In some cases your router will not see traffic from both sides e.g. requests are sent via different path not including your networks

          +but responses are fowarded via your network. This will prevent conntrack from assigning any meaningful state information to these packets

          +and your firewall will drop it if it is configured to drop packets with invalid state.

          +

          +

           Happy Routing!

          \ No newline at end of file

...	...	@@ -32,4 +32,13 @@ Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
32	32	$ sysctl -a \| grep forwarding
33	33	```
34	34
	35	+### Note on firewalls, conntrack and asymmetric routing
	36	+
	37	+Do not configure iptables/nftables to drop packets with invalid conntrack state in forward chain.
	38	+
	39	+In some cases your router will not see traffic from both sides e.g. requests are sent via different path not including your networks
	40	+but responses are fowarded via your network. This will prevent conntrack from assigning any meaningful state information to these packets
	41	+and your firewall will drop it if it is configured to drop packets with invalid state.
	42	+
	43	+
35	44	Happy Routing!
...	...	\ No newline at end of file