CCR 1016-12G as transparent firewall, performance? Good or bad?

Hi,
We have about 3 full racks in a datacenter and we want to use the CCR 1016-12G as a transparent firewall to manage our network, block some connections and prevent DoS, so we decided to use the CCR 1016-12G with 2 GB RAM. My questions are:

  1. How many rules can it handle without problems?
  2. Can it handle about 200 firewall rules?

Our average uplink usage is about 30~35 Mbit, but sometimes we have peaks of about 300-400 Mbit.

I want to know whether it is good to use the CCR 1016-12G as a firewall for my network.
If I receive a DoS attack, does the CCR fail and go to high load?
thanks,

CCRs are not resistant to heavy DDoS attacks.
This is what I can say for sure.
This is not a reproach to Mikrotik but reality.

It can handle a lot more rules, just group them smartly.

Create chains, and do further condition evaluation and accept/reject in them, i.e. avoid spaghetti code.
Say, create a rule for dst-address=x.x.x.x to jump to chain ch-x.x.x.x, and do the various TCP/UDP port and src-address combinations there. Or you can group them based on incoming interface.

Normally, whichever rule is last takes the longest, because all the configured rules before it have to be checked before a valid match is found.
Move rules which handle the most traffic to the top, leave the "exceptions" at the end.

Basically, your firewall's performance depends on how many rules it needs to check before the packet can be accepted or dropped.

If it fits your strategy, you can use port ranges in rules to decrease the number of filter rules, but YMMV.

If you can, use fast-track. As soon as a flow has been admitted for forwarding, there is no need for further analysis of this connection.

Fighting DoS is not easy. What you can do depends on the size of your "normal" traffic. But anyway, sending a beam of packets to a host at 30 Gbps is not a big deal nowadays, so for volumetric attacks you can't be prepared enough. It's not your router which will break first; it's more likely your connection to the internet which will be saturated in the first place.
Or even your ISP's.
If your upstream service provider supports RTBH, make use of it. I know, black-holing an IP is not good, but if it saves your connectivity link/router from being overloaded, it can be a good save though.
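A worked example of the chain grouping, rule ordering and fast-track advice in the reply above, added here as illustration and not taken from the post or from MikroTik's own documentation. The addresses are from the RFC 5737 documentation ranges, `ether1` is the assumed uplink interface and `ch-web` is a hypothetical per-host chain name.

```routeros
# Added example: RouterOS filter rules laid out the way the reply suggests.
# 203.0.113.10 / 198.51.100.0/24 are constructed documentation addresses,
# ether1 is the assumed uplink and ch-web is a hypothetical per-host chain.
/ip firewall filter

# 1. Rules that match the most packets go first. Once a connection has been
#    admitted, fasttrack lets its remaining packets skip the rest of the filter.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="skip the filter for already-admitted flows"
add chain=forward action=accept connection-state=established,related \
    comment="non-fasttracked packets of admitted flows"
add chain=forward action=drop connection-state=invalid

# 2. One rule per protected host in the forward chain, jumping to its own chain,
#    so a new packet is only evaluated against that host's rules.
add chain=forward action=jump jump-target=ch-web in-interface=ether1 \
    dst-address=203.0.113.10 comment="web host -> its own chain"

# 3. Per-host chain: the port and source-address combinations live here,
#    not in forward, so they are never evaluated for traffic to other hosts.
add chain=ch-web action=accept protocol=tcp dst-port=80,443
add chain=ch-web action=accept protocol=tcp dst-port=22 src-address=198.51.100.0/24 \
    comment="management only from the constructed admin range"
add chain=ch-web action=drop comment="anything else for this host"

# 4. The "exceptions" and the catch-all come last, after the busy rules.
add chain=forward action=drop in-interface=ether1 \
    comment="default deny for anything that reached the end of forward"

# Per-rule packet/byte counters show which rules carry the most traffic;
# use them to decide what to move towards the top.
/ip firewall filter print stats
```

Fast-tracked packets bypass later filter, mangle and queue rules, so any rule that must see every packet of a flow has to sit above the fasttrack rule.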