Configuration optimization

Hello,

I have a MikroTik box with an average 30~40% load. When I enable the following rules, its load goes to 100% and everything stops working. I have contacted support and they said:

Everything seems fine except that your configuration is very huge, and you need to hire a consultant to do some optimizations; there is room for improvement. I also suggest upgrading to some multicore Intel i7 machine, as you are pushing the capability of a Pentium 4.

As I am an experienced MikroTik user, I think these 20 lines of simple configuration should not be as heavy as 60~70%. This system is very stable and I cannot risk replacing it with a new multi-core machine, because I have had very bad experience with Core 2 Quad.

Please help me optimize the following config. All address lists are dynamic, so separate rules should be used for each one.

32 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_list64 connection-limit=50,32 

33 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_list128 connection-limit=50,32 

34 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_list192 connection-limit=50,32 

35 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_list256 connection-limit=50,32 

36 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_list384 connection-limit=50,32 

37 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_list64_1 connection-limit=50,32 

38 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_list128_1 connection-limit=50,32 

39 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_list192_1 connection-limit=50,32 

40 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_list256_1 connection-limit=50,32 

41 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_list384_1 connection-limit=50,32 

42 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_list512_1 connection-limit=50,32 

43 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_listP1 connection-limit=50,32 

44 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_listP2 connection-limit=50,32 

45 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_listP3 connection-limit=50,32 

46 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_listP4 connection-limit=50,32 

47 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_listP5 connection-limit=50,32 

48 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_listP6 connection-limit=50,32 

49 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_listP7 connection-limit=50,32 

50 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_listP8 connection-limit=50,32 

51 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_listP9 connection-limit=50,32 

52 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_listP10 connection-limit=50,32 

53 X ;;; Limit Connections
     chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=dynamic_address_listP11 connection-limit=50,32

You haven’t given enough information to allow us to do that.

I would echo the advice you received from Mikrotik - “you need to hire a consultant to do some optimizations”.

Not so useful. This forum is full of gurus, and I think there is enough information in my question. Just suggest a tip or trick to combine those rules into fewer rules.

Those look fine. How many address-list entries are there in total, and how many on average per list?

There are about 60 address lists. Since they are dynamic address lists I cannot give an average, but there are a minimum of 10 and a maximum of 400 entries per address list.

Indeed, but to demand free help when you have already been told to speak to a consultant is more than a little impertinent.

Which is probably part of the problem.

OK. My 2p. Every one of the rules you list does exactly the same thing, but for a different address list. My advice would be to look at the rule and see if it can be applied to all traffic regardless of address list (and therefore just have one rule rather than one for each address list) or, if not, to have rules which specifically allow this traffic from authorised addresses and otherwise deny it by default. However, given that you have not stated why the address lists exist, what they contain and what else they are used for, it is simply not possible to help you any further than this.

Yes, your connection limit is 50,32 on every rule, so why repeat the rules? Just dump all the users into a single list and then use a single rule.
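The single-list approach above, written out as an added example (not configuration from the original poster or from MikroTik). It assumes the dynamic lists are populated by firewall rules with action=add-src-to-address-list; the aggregate list name "conn_limit_all", the 10.64.0.0/24 matcher and the 1h timeout are placeholders for whatever the real feeding rules use. The point that makes the merge safe is that connection-limit=50,32 counts connections per /32 source address, so a host is capped at 50 no matter which list put it in the aggregate, and each original list keeps doing its own job.

```routeros
# Added example, not from the original thread. Assumes the per-purpose lists
# are fed by action=add-src-to-address-list rules; "conn_limit_all",
# 10.64.0.0/24 and the 1h timeout are hypothetical placeholders.
/ip firewall filter

# 1. Wherever a host is added to one of the per-purpose lists, add it to the
#    aggregate list as well. passthrough=yes lets the packet continue to the
#    existing per-list rule, so that list's job is unchanged.
add chain=forward action=add-src-to-address-list address-list=conn_limit_all \
    address-list-timeout=1h passthrough=yes src-address=10.64.0.0/24 \
    comment="feed aggregate list (hypothetical matcher)"
add chain=forward action=add-src-to-address-list address-list=dynamic_address_list64 \
    address-list-timeout=1h passthrough=yes src-address=10.64.0.0/24 \
    comment="existing per-list feed (hypothetical matcher)"

# 2. One rule replaces the 21 "Limit Connections" rules. connection-limit=50,32
#    is evaluated per /32 source, so every host is still limited to 50
#    connections; only the list lookup changes from 21 lists to one.
add chain=forward action=drop protocol=tcp tcp-flags=syn \
    src-address-list=conn_limit_all connection-limit=50,32 \
    comment="Limit Connections (single rule)"

# 3. If the union of all lists is simply "every customer", skip the address
#    list entirely and match the customer range (cheapest variant):
# add chain=forward action=drop protocol=tcp tcp-flags=syn \
#     src-address=10.0.0.0/8 connection-limit=50,32 \
#     comment="Limit Connections (no list lookup)"

# Check: after both variants have run for a while, the single rule's counters
# should be close to the sum of the 21 old rules' counters.
/ip firewall filter print stats where comment~"Limit Connections"
```

Keep the single drop rule above any rule that accepts new forward traffic, exactly where the first of the 21 old rules sat; if a later rule already accepts connection-state=established,related traffic ahead of it, the SYN rule is only consulted for new connections, which is where the per-host count matters.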

So if we assume an average of 200 addresses per list, that’s 12,000 addresses. Assuming an IP address is in the list and that the order of the rules is not optimised, on average, 6,000 addresses would have to be checked in the lists for every matching packet (TCP/SYN) passing through the router. For every matching packet from an IP address which is not in the lists, every one of the 12,000 addresses in the lists must be checked.

That is horribly inefficient.

Well, binary trees make things smarter =)

Indeed, if that is how it’s implemented. I did try to do the same thing for something else and it worked perfectly for single IP addresses, but when I came to how to deal with network blocks (e.g. 192.168.0.0/24), it got overly complicated.

That, however, is probably more of a reflection on my lack of programming skills than anything else :)

Exactly. I have requested this feature many times, but I thought nobody else was interested.

Simple. Each address list has its own unique job.

?..

Well, it was for a different application, but I’ll try to explain using ROS’s address lists:

/ip firewall address-list add list=testlist address=192.168.0.1 
/ip firewall address-list add list=testlist address=192.168.1.0/24
/ip firewall address-list add list=testlist address=192.168.1.2-192.168.2.22

are all valid. The problem came when I tried to work out a way of organising this data into a tree such that a match could still be found where address ranges overlap. So, for example, if there were just two addresses in the list:

/ip firewall address-list add list=testlist address=192.168.1.2-192.168.2.22
/ip firewall address-list add list=testlist address=192.168.2.2-192.168.3.33

How are these best represented in the tree so that I don’t end up traversing the wrong branch?

Sorry, pretty poor explanation!

I just tried to add a ‘1.2.3.4-1.2.2.3’ item… it was successfully added %) What does it mean?

Well, you could organise two B-trees, keyed on the minimal and maximal addresses of an item. I'm just unsure of your task… there could be many algorithms =)
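The lookup-cost estimate earlier in the thread (12,000 entries scanned per SYN) and the question of how to index overlapping ranges without descending the wrong branch can both be shown in a few dozen lines. The following is an added example, not code from the thread or from RouterOS: it parses the three address-list entry forms posted above into integer intervals, rejects the inverted ‘1.2.3.4-1.2.2.3’ range as a configuration error (an assumption; the thread only reports that the router accepted it), and answers "is X in any entry?" with one binary search over entry starts plus a running maximum of entry ends. The running maximum is what makes overlap harmless: an earlier, wider entry that also covers X is never lost. The 12,000-block list is constructed sample data standing in for 60 lists of 200 entries.

```python
import bisect
import ipaddress
from typing import Dict, Iterable, List, Tuple

Interval = Tuple[int, int]  # inclusive [lo, hi] as 32-bit integers


def parse_entry(entry: str) -> Interval:
    """Parse one RouterOS address-list 'address=' value into an inclusive
    integer interval. Handles the three forms posted in the thread:
    a single host, a CIDR block and a dash-separated range."""
    entry = entry.strip()
    if "-" in entry:
        lo_s, hi_s = entry.split("-", 1)
        lo = int(ipaddress.IPv4Address(lo_s))
        hi = int(ipaddress.IPv4Address(hi_s))
        if hi < lo:
            # The thread notes RouterOS silently accepted '1.2.3.4-1.2.2.3';
            # this example treats an inverted range as a configuration error
            # rather than guessing what the router does with it (assumption).
            raise ValueError(f"inverted range: {entry}")
        return lo, hi
    net = ipaddress.IPv4Network(entry, strict=False)
    return int(net.network_address), int(net.broadcast_address)


class AddressList:
    """Index over possibly overlapping intervals answering
    'is X in any entry?' in O(log n).

    Entries are sorted by start. running_max_hi[i] is the largest end among
    entries[0..i]. Any entry containing X must have lo <= X, so it is among
    the first k entries (k found by bisect); X is covered iff the largest end
    among those k is >= X. Without the running maximum, a search would land on
    the single entry with the greatest lo <= X and miss an earlier, wider
    entry that also covers X (the 'wrong branch' problem)."""

    def __init__(self, entries: Iterable[str]) -> None:
        ivs = sorted(parse_entry(e) for e in entries)
        self.los: List[int] = [lo for lo, _ in ivs]
        self.his: List[int] = [hi for _, hi in ivs]
        self.running_max_hi: List[int] = []
        best = -1
        for hi in self.his:
            best = max(best, hi)
            self.running_max_hi.append(best)

    def contains(self, ip: str) -> bool:
        x = int(ipaddress.IPv4Address(ip))
        k = bisect.bisect_right(self.los, x)  # number of entries with lo <= x
        return k > 0 and self.running_max_hi[k - 1] >= x

    def contains_linear(self, ip: str) -> Tuple[bool, int]:
        """The naive scan the thread worries about. Returns (hit, entries
        examined) so its cost can be compared with the indexed lookup."""
        x = int(ipaddress.IPv4Address(ip))
        for n, (lo, hi) in enumerate(zip(self.los, self.his), start=1):
            if lo <= x <= hi:
                return True, n
        return False, len(self.los)


def demo() -> Dict[str, object]:
    """Constructed data: the two overlapping ranges from the thread plus a
    synthetic aggregate of 12,000 /24 blocks (60 lists x 200 entries)."""
    overlapping = AddressList(["192.168.1.2-192.168.2.22",
                               "192.168.2.2-192.168.3.33"])
    # Blocks 10.0.0.0/24 .. 10.46.223.0/24; constructed, not real customer data.
    big = AddressList(f"10.{i // 256}.{i % 256}.0/24" for i in range(12000))
    _, miss_cost = big.contains_linear("172.16.0.1")
    return {
        "in_both": overlapping.contains("192.168.2.10"),
        "in_second_only": overlapping.contains("192.168.3.0"),
        "below": overlapping.contains("192.168.1.1"),
        "above": overlapping.contains("192.168.3.34"),
        "big_hit": big.contains("10.23.5.7"),
        "big_miss": big.contains("172.16.0.1"),
        "linear_miss_cost": miss_cost,               # every entry examined
        "indexed_steps": len(big.los).bit_length(),  # binary-search depth
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A miss against the 12,000-entry list costs 12,000 interval checks with the linear scan and about 14 comparisons with the index, which is the gap between the two estimates made earlier in the thread. The same structure serves the per-list case: build one AddressList per dynamic list, or one for the union if the rule is merged.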

Indeed. Like I said, it’s more a reflection on my lack of programming prowess than anything else!

The main problem is with dynamic address lists. I think the best way is hierarchical address lists, where each address list borrows attributes from its parent and may have its own attributes in addition to its parent's attributes.