Hi,
I have created a rule that puts some matching IP addresses on an address list, then use the list to do other stuff.
However, during the day, I have seen that the rule that "matches" the address list (using it in the scr-address-list field), does not seem to work, and the next rule comes into play.
My list can get pretty big, around 7 - 8k entries, and I was wondering if there was any limit on how large an address list is matchable by a rule in the firewall filter / nat / mangle rules.
Can someone please clarify?
Re: Largest Matchable Address List
there was known issues with older versions having these problems. are you on the latest RouterOS version?
I have a list with 100,000 entries almost and it hasn't been an issue. I am very selective about what gets matched on that list however, not every single packet gets checked.
I have a list with 100,000 entries almost and it hasn't been an issue. I am very selective about what gets matched on that list however, not every single packet gets checked.
Re: Largest Matchable Address List
Thanx for the quick response!
I'm using RouterOS 3.6. Is that known to have that issue?
I don't want to match every packet with that list also, but when I tried to do this:
/ip fir man add chain=prerouting src-address-list=ggnn action=jump jump-target=mychain
/ip fir man add chain=mychain src-address-list=gx action=return
/ip fir man add chain=mychain action=add-src-to-address-list address-list=gx address-list-timeout=12h
It keeps working, but after a while, as the list "gx" grows, at some point it just stops matching, and passes to the next rule. I've not yet been able to figure out where is that "point of not working" yet.
I've not upgrade RouterOS for a while, as new versions seems to have new bugs. The most notorious was the CPU timing problems when I upgraded to 3.13 and subsequently upto 3.17 (then gave up).
I'm using RouterOS 3.6. Is that known to have that issue?
I don't want to match every packet with that list also, but when I tried to do this:
/ip fir man add chain=prerouting src-address-list=ggnn action=jump jump-target=mychain
/ip fir man add chain=mychain src-address-list=gx action=return
/ip fir man add chain=mychain action=add-src-to-address-list address-list=gx address-list-timeout=12h
It keeps working, but after a while, as the list "gx" grows, at some point it just stops matching, and passes to the next rule. I've not yet been able to figure out where is that "point of not working" yet.
I've not upgrade RouterOS for a while, as new versions seems to have new bugs. The most notorious was the CPU timing problems when I upgraded to 3.13 and subsequently upto 3.17 (then gave up).
Re: Largest Matchable Address List
I'm using RouterOS 3.6. Is that known to have that issue?
Code: Select all
What's new in 3.17:
*) fixed /ip firewall address-list;
Re: Largest Matchable Address List
huh, one more step - andThe most notorious was the CPU timing problems when I upgraded to 3.13 and subsequently upto 3.17 (then gave up).
Code: Select all
What's new in 3.18:
*) updated drivers & kernel - fixed fast clock issue on x86;
Re: Largest Matchable Address List
Aah... You're the man! 
Do you recommend I move to the latest 4.5? Or stick with 3.30? I'm running a production system consisting of 24 MTs, of which 3 have quite a complex setup (lots of rules, queues, etc).
Do you recommend I move to the latest 4.5? Or stick with 3.30? I'm running a production system consisting of 24 MTs, of which 3 have quite a complex setup (lots of rules, queues, etc).
Re: Largest Matchable Address List
for VPN server we're still using 3.28 + routing-test. that's not far from v4 =)