Best Firewall Setting Allowing Most Speed

Issue:
Every time we set up firewall filter options the performance of the router drops almost 97%. We have an ethernet handoff that is 1GB which with no firewall settings will test at about 300Mbs and drop to about 30Mbs with firewall settings in place. We have just a very simple filter with three IP addresses being allowed in and dropping all other inputs to Ether1, that’s it! This kills the performance drastically.

Solution:
I would like to have a filter option that will drop all input to Ether1 but still allow full capability of the Fiber connection in place or at least very minimal drop in performance. We have tried fast tracking DNS but it doesn’t improve at all.

Thanks,
B

Which device type are you working with? Most SOHO models can’t route at wirespeed.

SOHO models come with factory default firewall rules which give almost higher routing/firewalling performance while giving decent protection. You may want to have a look at those settings and continue from there.
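As an added illustration (not posted by anyone in this thread, and not a copy of any specific RouterOS release's defaults), the following is the shape of the factory default firewall the reply above points to, with the original poster's "three addresses allowed in, everything else on Ether1 dropped" folded in as an address list. The interface names (ether1 as WAN, a LAN bridge named bridge), the interface lists and the 203.0.113.x addresses are assumptions for the example. The design point is ordering: the connection-state rules come first, so an established flow is accepted by one cheap match instead of walking the whole list, and the forward chain fasttracks established TCP/UDP connections so their packets skip the rest of the filter. The input chain only sees packets addressed to the router itself, so the management allow-list belongs there and never touches transit traffic.

```routeros
# Added example, not from the thread. Assumptions: ether1 is the WAN handoff,
# the remaining ports are bridged as "bridge" for the LAN, and the three
# 203.0.113.x addresses (documentation range, constructed for this example)
# stand in for the poster's three permitted management addresses.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

/ip firewall address-list
add list=mgmt address=203.0.113.10 comment="constructed example address"
add list=mgmt address=203.0.113.11 comment="constructed example address"
add list=mgmt address=203.0.113.12 comment="constructed example address"

/ip firewall filter
# forward chain: transit traffic between LAN and WAN.
# Fasttrack first, so packets of established/related flows bypass the rest
# of the filter; the accept rule right after it handles the first packets
# of each flow and anything fasttrack does not cover.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop unsolicited inbound transit from WAN"

# input chain: only packets addressed to the router itself arrive here.
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=WAN src-address-list=mgmt \
    comment="the three allowed management addresses"
add chain=input action=accept in-interface-list=!WAN comment="LAN may reach the router"
add chain=input action=drop in-interface-list=WAN comment="drop everything else from WAN"
```

To see whether the ordering is doing its job, `/ip firewall filter print stats` shows per-rule packet counters (nearly all forward-chain hits should land on the first two rules), `/ip firewall connection print` shows which connections carry the fasttracked flag, and `/tool profile` shows how much CPU firewall and networking still consume under load. Fasttrack only covers TCP and UDP connections and is skipped for traffic that must be seen by queues or mangle, so on a box with a weak CPU keep those features off the bulk traffic you want at line rate.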

The current model is CRS112-8P-4S

I’m open to suggestions if you know of a better model that will give optimum performance. This is a new location which will be main router for all traffic on that network, so really we are currently looking to replace it with a more robust unit. We have been using Mikrotik for so long I just hate to go with anything else unless there is nothing else good enough.

What do you think of this unit CCR1009-7G-1C-1S+PC? Or is our problem going to be the firewall settings slowing it down no matter what we upgrade to?

The CRS112-8P-4S is a switch. You can run it as router, but it was not designed for this purpose.
Better choice would be RB4011 or the CCR1009-7G-1C-1S+PC, depending on your requirements.

Ok. Thank you.

The question I have always in these situations is do I put the DHCP servers on the Router or the Switch.
If the switch can magically move packets between devices on the switch on its own ports without passing such traffic to the router (assuming between devices on the same vlans or subnets) aka it learns them, then I would say that keeping DHCP on the router is probably better (and is mainly used when vlans need access to other vlans or the internet iaw fw rules). Otherwise, I think it may be better done on the switch?

Any IP service (e.g. DHCP server) can be run by any network-connected device, it just needs to have adequate capacity. However it doesn’t have to be a dedicated device. But when concentrating multiple services on a single device, take care to reduce the number of failure points in your LAN. A typical MT router can run without additional switches in the LAN (they all come with multiple ports, and a small LAN … or part of a larger LAN in case of some emergency … can run off it exclusively), so I’d place those essential services on the router. Additionally routers typically have a faster CPU and those services won’t affect routing performance too much.