IPSec RAW firewall tables to bypass connection tracking - No CPU Usage difference

Hi

I made a site-to-site IPSec connection between two RB2011s.

From Mikrotik Wiki:

If you have fasttrack enabled, packets bypass IPsec policies. So we need to add an accept rule before fasttrack:

/ip firewall filter
add chain=forward action=accept place-before=1 src-address=10.1.101.0/24 dst-address=10.1.202.0/24 connection-state=established,related
add chain=forward action=accept place-before=1 src-address=10.1.202.0/24 dst-address=10.1.101.0/24 connection-state=established,related

However this can add significant load to CPU if there is a fair amount of tunnels and significant traffic on each tunnel.

Solution is to use RAW firewall tables to bypass connection tracking, that way eliminating need of filter rules listed above and reducing load on CPU by approximately 30%.

/ip firewall raw
add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
add action=notrack chain=prerouting src-address=10.1.202.0/24 dst-address=10.1.101.0/24

Problem is, I see no difference between these two methods. CPU load is around 30-40% when maxing out the IPSec connection (around 6-8 Mbit/s).

Am I missing something here?

Bart
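One way to sanity-check an exported RouterOS config for the two bypass patterns above, as an added example that is not part of the forum post or of anything Mikrotik ships: the sample export is constructed and deliberately contains the ordering mistake the Wiki warns about plus a one-directional notrack rule, and the `parse_export`/`check_ipsec_bypass` names are my own.

```python
import shlex

# Constructed sample `/ip firewall export` (not a real router's config). The two
# filter accept rules sit AFTER fasttrack, the ordering mistake the Wiki warns
# about, and only one direction has a raw notrack rule.
SAMPLE_EXPORT = """\
/ip firewall raw
add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept src-address=10.1.101.0/24 dst-address=10.1.202.0/24 connection-state=established,related
add chain=forward action=accept src-address=10.1.202.0/24 dst-address=10.1.101.0/24 connection-state=established,related
"""

def parse_export(text):
    """Return {table: [rule dict, ...]}, preserving rule order within each table."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/ip firewall "):
            table = line.split()[-1]
            tables.setdefault(table, [])
        elif line.startswith("add ") and table is not None:
            tables[table].append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return tables

def check_ipsec_bypass(text, net_a, net_b):
    """Lint the filter-accept and raw-notrack patterns for the tunnel net_a <-> net_b."""
    tables, pairs, findings = parse_export(text), {(net_a, net_b), (net_b, net_a)}, []
    fwd = [r for r in tables.get("filter", []) if r.get("chain") == "forward"]
    fasttrack_at = next((i for i, r in enumerate(fwd) if r.get("action") == "fasttrack-connection"), None)
    accepts = set()
    for i, r in enumerate(fwd):
        pair = (r.get("src-address"), r.get("dst-address"))
        if r.get("action") == "accept" and pair in pairs:
            accepts.add(pair)
            if fasttrack_at is not None and i > fasttrack_at:  # fasttrack wins, IPsec policy is skipped
                findings.append(f"filter: accept {pair[0]}->{pair[1]} is placed after fasttrack-connection")
    untracked = {(r.get("src-address"), r.get("dst-address")) for r in tables.get("raw", [])
                 if r.get("chain") == "prerouting" and r.get("action") == "notrack"} & pairs
    if untracked:
        for pair in sorted(pairs - untracked):
            findings.append(f"raw: notrack missing for {pair[0]}->{pair[1]}, that direction is still tracked")
        if accepts & untracked:  # untracked packets have no conntrack state to match on
            findings.append("raw+filter: untracked packets never match connection-state=established,related, "
                            "so the filter accept rules for those subnets are dead rules")
    return findings

if __name__ == "__main__":
    for finding in check_ipsec_bypass(SAMPLE_EXPORT, "10.1.101.0/24", "10.1.202.0/24"):
        print(finding)
```

Run it against your own `/ip firewall export` output to confirm the RAW rules cover both directions; once they do, the old accept rules no longer match anything and can be removed.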

CPU usage may be from the encryption process, unrelated to routing. My 400 MHz RB750 uses 60-80% for the encryption process when I max out my 10 Mbps IPSec.

Go to System > Profile to see what is using the CPU. If it says “unclassified” is using high CPU, upgrade RouterOS to 6.35.3. Mikrotik made improvements to the Profile tool to show less unclassified stuff.

Right now I’m using hash algorithm SHA1 and encryption algorithm AES-256. Today I’ll try MD5 and AES-128. I wonder if I’ll see any noticeable difference.

What algorithms do you use?

BTW, the Wiki talks about a better way of bypassing IPsec policies - RAW firewall tables instead of normal filter rules - not about the chosen algorithms and their impact on CPU load, which exists for sure.

RAW firewall will not increase encrypted traffic throughput or lower the CPU usage caused by the encryption process. It simply is an alternative way for IPSec encrypted traffic to bypass connection tracking - the load caused by the firewall.

RAW is very nice, however it won’t always give a big speed advantage; have a look at this thread.

http://forum.mikrotik.com/t/why-source-based-blackhole-instead-of-firewall-drop/103496/22

Changing algorithms - hash and encryption - to MD5 and AES-128 reduced CPU load by about 10-12%.

What algorithms do you use in your IPSec connection?

I use MD5 for hash and 3DES for encryption. That was the out-of-the-box config for my Mikrotiks.