Hello,
I have a MikroTik CCR 1036 and I have about 10 IP filter rules on it. In some cases (like high pps) my CPU usage is around 70%, so my question is: if I disable all of my IP filter firewall rules and migrate them to RAW, will it give better performance and reduce CPU usage?
Thanks,
No, that will actually increase CPU usage, assuming you are running with connection tracking and have an “accept established/related” rule in your filter list.
My connection tracking is disabled on my routers, so there is no connection tracking, and my rules are only permit or deny, so there are no complicated rules.
In that case there will be no difference I think.
The point is that with connection tracking active (and already having taken the performance that costs) it is unwise to filter in the raw table, because in the raw table the router always has to evaluate all the deny rules, while in the filter table it usually hits the “accept established/related” rule at the top and never has to evaluate all those specific rules below it which match specific cases.
Without connection tracking it has to do that anyway and it will matter very little where you do it, unless you have a lot of denied traffic.
(e.g. when you are trying to fend off some attack)
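The rule ordering this reply describes, written out as an added RouterOS configuration example (it is not from the thread or from MikroTik); the address 192.0.2.0/24 and the interface name ether1 are placeholders:

```routeros
# Added example: filter-table layout the reply describes. With connection
# tracking enabled, the first rule matches almost every packet of an existing
# flow, so the specific drop rules below it are rarely evaluated.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="fast path: packets of existing flows skip the rules below"
add chain=input connection-state=invalid action=drop
add chain=input src-address=192.0.2.0/24 action=drop \
    comment="placeholder block-list entry"
add chain=input protocol=tcp dst-port=8291 in-interface=ether1 action=drop \
    comment="placeholder: no Winbox from the WAN interface"

# With connection tracking disabled (the original poster's setup) the
# connection-state shortcut does not work, so every packet walks every rule
# and the same drops cost about the same in raw as in filter. Raw rules run
# in prerouting, before connection tracking and before queues:
/ip firewall raw
add chain=prerouting src-address=192.0.2.0/24 action=drop \
    comment="placeholder block-list entry (raw)"

# Check where packets actually match: a high counter on the top
# established/related rule confirms the fast path is doing its job.
/ip firewall filter print stats
/ip firewall raw print stats
/ip firewall connection tracking print
```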
Thank you for your comment,
Still waiting for other guys' comments to choose the best decision.
Have a look here: http://forum.mikrotik.com/t/single-ip-constantly-trying-to-log-to-my-mikrotik/130857/1
Thanks buddy for guiding me! But I read that thread and it was like an argument between two people, one of whom agreed with the filter chain and the other with the RAW chain, but personally I agree with the raw chain because it will drop before it can be checked by any other section like queue, etc.
So what's your idea finally?
As stated there (“conntrack by default is most expensive RouterOS facility”), the high cost of/before the “filter” table is the connection tracking logic. If it's disabled, it won't matter whether it's in raw or filter.