I’ve searched the net for some more specific information about how address-lists are implemented in RouterOS, more specifically - how firewall rules that match against an address list work.
I have a setup which needs a number of firewall rules (~10-20) to match against lists of IP addresses (~1000-3000 addresses). Right now this job is done by a Pentium4 linux box, with iptables, and ipset (http://ipset.netfilter.org/). There are no issues with performance - CPU is at 15% at peak, when traffic reaches 200Mbps.
I am considering switching to RouterOS on an RB1000, to simplify the configuration, and increase maintainability, but I’ve done a simple performance test, and the results were as follows:
downloading a file via http from Linux1 to Linux2 at ~250Mbps, with the firewall rules disabled - the cpu at RB1000 was at 20-30%
downloading a file via http from Linux1 to Linux2 at ~250Mbps, with the firewall rules enabled - the cpu at RB1000 was at 90-100% (!!)
downloading a file via http from Linux1 to Linux2 at ~250Mbps, with only 10 firewall rules enabled - the cpu at RB1000 was at 60-70%
downloading a file via http from Linux1 to Linux2 at ~250Mbps, with the firewall rules enabled, but the address list empty - the cpu at RB1000 was again at 20-30%
Does it mean, that each packet passing through the forward chain is matched against all entries in the address list?
Are there any docs on address-list implementation available?
Unfortunately I’m out of Pentium4 boxes that I could use for tests , but I’m going to try it on a dual Xeon machine tommorrow.
However, the thing that worries me, is that I’m seeing something like linear growth in CPU usage with the increasing number of address-list entries that are being tested in firewall rules. So if this is simply the way they are implemented, then I could save myself the trouble of running these tests and start looking for another solution. Still I’d love to get rid of this linux box and use something more admin-friendly, and I haven’t seen anything more admin friendly than RouterOS .
i have an address-list with 80,000-100,000 entries. I am careful to only search that list with certain tcp ports and new connection setups, not all packets. At 60-80mbps the router is only at 20-30% cpu. P4 3.2ghz.
My lists have 1000-3000 entries, but I need to check all traffic against them @ ~200Mbps. Also, in the worst case scenario, there could be as many as 20 firewall rules that do the checking.
What worries me, is that if the CPU usage growth is linear, the solution will not be scalable, and if in the future I will need to add more entries/firewall rules the machine might be overloaded.
Could you check if at 160Mbps, the CPU usage grows to 50-60% ?
Exactly the same as a single IP address, except that it’s a list of addresses. Just add IP addresses to a list and create a firewall rule.
If you add a firewall rule for 3000 addresses, your MikroTik will crawl. It’s more convenient to use address lists. For example, you can create one for LAN addresses, another one for blacklists and another for exceptions.
our Core2Duo routers with current 90kpps throughput (about ~600 Mbps) has CPU load 29%. I copied ten times a rule that uses address list with ~1000 addresses - CPU load increased to 34%
Yes, we are talking about address lists, not firewall rules with 3000 IP addresses.
Would be possible for you to copy this rule another 10 times, and another, say up to 50 rules, and check what the CPU load will be each time? That would be really helpful!
Thanks for your help. It looks like it may be linear, but also it may be something else I’ll do some extensive tests tomorrow, and I’ll post the results.
, but I’m going to try it on a dual Xeon machine tommorrow.