IP RAW + Fasttrack is possible!

Searching documentation on how to speed up our CCR1072 performance, I found this: http://forum.mikrotik.com/t/raw-accept-vs-ip-firewall-fasttrack-which-one-is-faster-and-light-weight/103629/1

For me this made no sense, as fasttrack needs to be tagged in mangle, which is after IP raw, so I did some tests.

1. First example:
IP raw in place without an accept rule at the end for all packets, and with fasttrack disabled:
NAME                    CPU        USAGE
firewall-mgmt                         0%
spi                                   0%
ethernet                              0%
console                               0%
firewall                             10%
networking                          7.9%
winbox                                0%
management                            0%
routing                             1.3%
profiling                           1.3%
queuing                               0%
bridging                              0%
unclassified                        1.6%
total                              22.1%

IP raw rules (DNS amplification rules + 1 IP blocked)

1    chain=prerouting action=accept in-interface=AMS-IX src-port=53 limit=900,100:packet log=no log-prefix="" protocol=udp

 2    chain=prerouting action=drop in-interface=AMS-IX src-port=53 log=no log-prefix="" protocol=udp

 3    chain=prerouting action=drop log=no log-prefix="" src-address=109.115.xx.xx dst-address=95.141.xx.xx

2. Second example:
IP raw in place WITH an accept rule at the end for all packets, and with fasttrack disabled:

NAME                    CPU        USAGE
firewall-mgmt                         0%
spi                                   0%
ethernet                              0%
console                               0%
firewall                            5.3%
networking                          6.7%
winbox                                0%
management                          0.2%
routing                             1.7%
profiling                           0.1%
unclassified                        0.4%
total                              14.4%

IP raw rules (DNS amplification rules + 1 IP blocked + accept)

1    chain=prerouting action=accept in-interface=AMS-IX src-port=53 limit=900,100:packet log=no log-prefix="" protocol=udp

 2    chain=prerouting action=drop in-interface=AMS-IX src-port=53 log=no log-prefix="" protocol=udp

 3    chain=prerouting action=drop log=no log-prefix="" src-address=109.115.xx.xx dst-address=95.141.xx.xx
 
 4    chain=prerouting action=accept log=no log-prefix=""

3. Third example:
IP raw without an accept rule at the end, BUT with fasttrack enabled:

1    chain=prerouting action=accept in-interface=AMS-IX src-port=53 limit=900,100:packet log=no log-prefix="" protocol=udp

 2    chain=prerouting action=drop in-interface=AMS-IX src-port=53 log=no log-prefix="" protocol=udp

 3    chain=prerouting action=drop log=no log-prefix="" src-address=109.115.xx.xx dst-address=95.141.xx.xx



> /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    chain=forward action=fasttrack-connection log=no log-prefix=""

 2    chain=forward action=accept log=no log-prefix=""



NAME                    CPU        USAGE
spi                                   0%
ethernet                              0%
console                               0%
firewall                            2.9%
networking                            7%
winbox                                0%
management                          0.2%
routing                               1%
profiling                           0.2%
unclassified                        0.6%
total                              11.9%

As anybody can see, we can get a better result by filtering in raw and enabling fasttrack, even when connection tracking is disabled.
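Putting the three tests together, here is an added example of the combined raw + fasttrack configuration. It is not the poster's own export: it uses RouterOS CLI syntax, keeps the AMS-IX interface name and the 900,100:packet limit from the post, and substitutes RFC 5737 placeholder addresses for the masked ones. The rule order and the established/related match on the fasttrack rule are my assumptions, not something the post shows.

```routeros
# Added example, not the poster's configuration.
# Assumptions: interface AMS-IX faces the exchange; 203.0.113.10 and
# 198.51.100.5 are placeholders for the masked source/destination.

# Raw runs before connection tracking, so noise dropped here never
# creates a conntrack entry. Rate-limit DNS replies from the peering
# interface, then drop the excess.
/ip firewall raw
add chain=prerouting in-interface=AMS-IX protocol=udp src-port=53 \
    limit=900,100:packet action=accept comment="DNS replies within rate"
add chain=prerouting in-interface=AMS-IX protocol=udp src-port=53 \
    action=drop comment="DNS amplification excess"
add chain=prerouting src-address=203.0.113.10 dst-address=198.51.100.5 \
    action=drop comment="blocked source (placeholder address)"
# Final accept: remaining packets leave the raw chain here instead of
# falling through. This is the rule the second test adds.
add chain=prerouting action=accept comment="stop raw processing"

# Filter: fasttrack only established/related flows so new and invalid
# connections still see the full filter path. Fasttracked packets bypass
# mangle and queues, so do not rely on marks or per-connection queues
# for this traffic.
/ip firewall filter
add chain=forward connection-state=established,related \
    action=fasttrack-connection comment="fasttrack established flows"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward action=accept comment="remaining traffic; tighten for production"

# Observe the effect the same way the post does.
/tool profile
```

Two caveats on this example: action=accept in raw only ends raw processing for that packet; action=notrack is the raw action that actually exempts a packet from connection tracking, and a packet with no conntrack entry cannot be fasttracked, so the two should not be combined on the same flows. And the dummy passthrough rule the post shows at position 0 is created automatically once a fasttrack-connection rule exists; it is not something to add by hand.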

These CPU percentages tend to change quite often, so even on a busy router I can see seconds when the CPU is mostly (ok, “more”) idle, and seconds when the CPU is 100% busy.
May your numbers be that kind of deviation, so that in fact the load is the same but ROS just has some CPU display issues?

I’d be more than happy to see the MikroTik guys comment here on the technical side of the question, but so far I’m not sure if a miracle is possible.

/tool profile shows you CPU usage and the values change frequently, but you should not see big differences. My screenshots are the CPU average and the delta is 1-2%. Now the range on the AMS router is 17%-19% with 4Gbps in and 8Gbps out. The LINX router is at 13-14% and has about 2Gbps in both directions.

Disabling fasttrack, I see CPU increase to 24-25%.