Is firewall that hungry?

Hello,

Running an RB1100AHx2, when I make a transfer between two VLANs (reaching the CPU), the item that consumes the most CPU is “firewall” according to the profiler.

Is that expected for a rule set of about 100 rules?

I would have guessed that my setup (bonding, bridges and VLANs on top) would have consumed more CPU than the firewall…

Thank you

Depends on firewall organisation. You can offload it by fasttrack and/or make better rule structure using custom chains.

I just tried disabling most of the rules (as the default is to accept traffic) and I got an 11Mb/sec increase.

I’ll check the custom chains, any howto/manual you know that is worth reading?

Load depends on:

  1. what the average number of firewall rules is that packets need to pass through to get processed.
    Moving the most popular rules to the front will get things done faster. Also, dividing packets into separate chains might help reduce the number of rules a packet needs to pass.

    Depending on what features you are using, you can accept connection-state=established,related at the beginning of the firewall and improve performance dramatically.

  2. what options are used - if you use the most expensive layer-7 option, make sure that packets reach that rule only when it is necessary; checking the whole stream against layer-7 filters is a very stupid way to build a firewall.

I tried fasttrack and that really kicks ass! Good point, thanks guys.

Now, it created a dummy rule “to show fasttrack counters” but it doesn’t seem to match fasttracked connections as I targeted a single host (using dst address). After a few minutes I had a few kb on that rule but +1000Mb on the fasttrack dummy rule.

That’s because the fasttrack rule only matches the first packet that causes the connection to be fasttracked. After that, fasttrack “warps” the remaining packets through the router without looking at the firewall anymore. The dummy rule counts these packets.

So packet 1 is accepted by whatever rule accepts new connections.
Packet 2 is accepted by the fast track rule and the connection now skips firewall
Packets 3 and beyond are fasttracked, and counted by the dummy rule.

Hope this helps.

Packet 1 goes through your full firewall and if it gets through →
Packet 2 is used to add the fasttrack flag to the corresponding connection tracking entry with fasttrack-connection
Packet 2 is accepted by a separate rule just after the fasttrack-connection rule
Packet 3 and beyond see the fasttrack flag in the connection tracking entry, go through the fastpath and are counted by the dummy rule.
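The rule layout the two explanations above describe (fasttrack-connection followed by its own accept rule, established/related handled before anything else, direction-specific custom chains, and layer-7 confined to the few packets that need it), written out as a RouterOS forward chain. This is an added example, not a configuration posted in this thread; the interface names, the "l7-inspect" address list, the 10.10.0.0/24 guest subnet, the 192.0.2.10 server and the simplified layer-7 pattern are assumptions chosen for illustration.

```routeros
# Added example (not from the thread): a forward chain that follows the advice in the
# posts above. Interface names, the "l7-inspect" address list, the 10.10.0.0/24
# guest subnet, the 192.0.2.10 server and the simplified layer-7 pattern are
# assumptions for illustration.

/interface list
add name=LAN
add name=WAN
/interface list member
add list=LAN interface=bridge-lan
add list=WAN interface=ether1-wan

# Hosts whose traffic must keep walking the firewall on every packet. Fasttracked
# packets skip filter, mangle and queues entirely, so anything that needs layer-7,
# packet marks or shaping has to be kept out of fasttrack.
/ip firewall address-list
add list=l7-inspect address=10.10.0.0/24

# Simplified form of the BitTorrent handshake; a real pattern would be longer.
/ip firewall layer7-protocol
add name=bt-handshake regexp="^.bittorrent protocol"

/ip firewall filter
# 1. Layer-7 is the most expensive matcher, so it runs only for the one subnet and
#    only before fasttrack; packets from anywhere else never reach it.
add chain=forward action=jump jump-target=l7-check src-address-list=l7-inspect
add chain=l7-check action=drop layer7-protocol=bt-handshake comment="drop bt from guest"
add chain=l7-check action=return

# 2. Established/related first: fasttrack-connection flags the conntrack entry,
#    the accept rule right after it lets that same packet through, and later
#    packets of the flow bypass the chain. Flows of the inspected subnet are
#    excluded so the layer-7 rule keeps seeing them.
add chain=forward action=fasttrack-connection connection-state=established,related \
    src-address-list=!l7-inspect dst-address-list=!l7-inspect
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid

# 3. Only new connections reach this point. Split them by direction so each packet
#    sees the handful of rules that apply to it, then drop the remainder.
add chain=forward action=jump jump-target=new-lan-to-wan in-interface-list=LAN \
    out-interface-list=WAN
add chain=forward action=jump jump-target=new-wan-to-lan in-interface-list=WAN \
    out-interface-list=LAN
add chain=forward action=drop comment="default drop"

add chain=new-lan-to-wan action=accept protocol=udp dst-port=53
add chain=new-lan-to-wan action=accept protocol=tcp dst-port=80,443
add chain=new-lan-to-wan action=accept

add chain=new-wan-to-lan action=accept protocol=tcp dst-port=443 dst-address=192.0.2.10 \
    comment="published web server (assumed)"
add chain=new-wan-to-lan action=drop

# Checks: which connections actually carry the fasttrack flag, and the counters of
# the dynamic rule RouterOS adds to display fasttracked packets.
/ip firewall connection print where fasttrack=yes
/ip firewall filter print stats where dynamic=yes
```

The fasttrack-connection rule matches established,related rather than new so that conntrack has already seen both directions before the flow is flagged; the separate accept rule directly after it is what lets the flagging packet through, since fasttrack-connection does not accept by itself. Restricting fasttrack with address lists, as done here for the inspected subnet, is also how you scope it to specific sources or destinations instead of all forwarded traffic.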

Thing is I applied fasttrack on a rule specifically targeting dst-address w.x.y.z and there wasn’t much traffic going towards this IP at the time I tried it, only a few Kb. However the fasttrack one quickly showed Gb of data.

So this is still faster than having a rule at the very top of the firewall ruleset allowing established and related traffic I guess. Really significant?

Yes - because it skips all of the features that burn cpu cycles to execute, such as queues and mangle rules and firewall rules. Think of it like a reflex action - sometimes you jump or jerk an arm or make some movement without even thinking - it’s because the signal to do this skips going to your brain - it just triggers an automatic response. Fast track is like this - it skips the brain and goes right to the correct interface like a reflex. The connection tracking table contains enough information to include the NAT translation information, so each packet is simply written to the outgoing interface with whatever IP/TCP/UDP headers the table prescribes.

Subtle but important difference from what I said - thanks for pointing it out for me.

Excellent! Thank you for the information and your time.

Should I be able to enable fasttrack for a specific source / destination address ?
Or will it be enabled for all the traffic that is forwarded through the router?
I’m asking cause I still don’t get why I had so many Gb accounted on the dummy rule.

Honestly, I ignore the dummy rule - the counters on it never really made sense to me, and there are several members of this community who vehemently hate the dummy rule (jarda comes to mind). I just use the graphing tool to monitor how much data goes through my router - it’s low-resolution and doesn’t account for specific sources, etc. - but it suits my own needs as a residential user.

Thanks for mentioning my effort. Unfortunately it is still without any positive effect. And doesn’t seem to be better in the future.

But I have to say that fasttrack is much better than the hw-assisted NAT that was requested by many people here in the past.