Hi,
It may sound like an odd question, but do you know how the “25” filter rules are counted on Mikrotik’s products’ test results pages?
Is it:
a “total of 25 rules” (including all chains, i.e. all rules count towards increasing the counter)
a “25 rules for a single chain” (for instance forward, i.e. the rules in the other chains do not count towards increasing the counter, but all rules of the chain do count regardless of having them checked or not)
“25 rules” from the start of a chain (for instance forward) until the first “match” which is not a passthrough (i.e. only the rules in the chain that did not match the packet until the first matching non passthrough rule count)
something else
I was always thinking that it is the third case, however I have a doubt. Maybe someone has the “right answer”.
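As an added illustration (not part of this thread, and not Mikrotik's own code), a small Python model of a filter chain shows how the three counting interpretations in the question give different numbers for the same ruleset; the rules, matchers and packets are constructed for the example.

```python
# Toy model of chain traversal: rules are walked top to bottom, a matching
# "passthrough" rule does not terminate the walk, any other matching action does.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    chain: str
    match: Callable[[dict], bool]  # matcher: does this packet hit the rule?
    action: str                    # "accept", "drop", "passthrough", ...


def rules_total(rules: List[Rule]) -> int:
    """Interpretation 1: every rule in every chain counts."""
    return len(rules)


def rules_in_chain(rules: List[Rule], chain: str) -> int:
    """Interpretation 2: every rule of the chosen chain counts, matched or not."""
    return sum(1 for r in rules if r.chain == chain)


def rules_evaluated(rules: List[Rule], chain: str, packet: dict) -> int:
    """Interpretation 3: rules walked in `chain` until the first matching rule
    whose action is not passthrough (that terminating rule is counted too)."""
    n = 0
    for r in rules:
        if r.chain != chain:
            continue
        n += 1
        if r.match(packet) and r.action != "passthrough":
            break
    return n


def counts(rules: List[Rule], chain: str, packet: dict) -> Dict[str, int]:
    """All three numbers side by side for one packet."""
    return {"total": rules_total(rules),
            "chain": rules_in_chain(rules, chain),
            "evaluated": rules_evaluated(rules, chain, packet)}


# Constructed sample ruleset: 2 input rules, 4 forward rules.
RULES = [
    Rule("input", lambda p: p["proto"] == "icmp", "accept"),
    Rule("input", lambda p: True, "drop"),
    Rule("forward", lambda p: p["src"].startswith("10.0.0."), "passthrough"),
    Rule("forward", lambda p: p["dst_port"] == 22, "drop"),
    Rule("forward", lambda p: p["dst_port"] == 443, "accept"),
    Rule("forward", lambda p: True, "drop"),
]
```

Under interpretation 3 the count depends on the packet, so ordering frequently matched rules early in the chain reduces the work per packet.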
Good question. It was mentioned in the past that each rule affects the performance differently, depending on the matcher (selected conditions) of that rule. The most extreme example would be the L7 matcher. Obviously 25 rules with an L7 matcher will be much slower than 25 rules of src-address matching.
… hence I wouldn’t hang on to exact numbers (neither number of rules nor performance). I would guess that the rules configured in tests are from the easy end of the spectrum. If one looks at different numbers, one can get an idea about the rate of performance drop with an increased number of rules (and increased complexity; bridging is easier on a device than routing, and both are easier than firewalling). And when looking at numbers with the aim to choose a device which will deliver the performance required, add some margin or be prepared to get performance somewhat lower than expected. If performance with the actual configuration exceeds requirements, consider yourself lucky and avoid gambling sessions for some time (because you already won your share of luck).