Joining the pool kills my Internet

@erayd, I’m attempting something similar with DD-WRT.

The udp port 123 connection tracking is slowing the router and filling the connection table to the point where DNS is not working or delayed for several seconds attempting to get udp out and back in.

I’ve added this iptables line manually as root at the dd-wrt bash prompt:

iptables -t raw -I PREROUTING -p udp --dport 123 -j CT --notrack

But the results are a mix of success and unintended consequences. Afterward:

  1. udp connection tracking stops on the router (this is good)
  2. ntp traffic stops arriving at the linux NTP server within the router’s protected subnet (this is not good)

I’m not using NAT, but have about 5 port range forwarding rules in the DD-WRT web interface. It seems the rule to stop udp connection tracking also stops port forwarding.

Is it possible to stop tracking and still enable port forwarding?

I don’t really want to manage iptables rules manually. The web interface is so much easier.