Performance with Bridge use-ip-firewall=yes

Hello,

I am wondering what the performance difference would be between two setups using different rules. Does anybody have an insight?

Setup A:

With Bridge use-ip-firewall=no
6 bridge filter rules, repeated 10 times for different IP subnets

Setup B:

With Bridge use-ip-firewall=yes
6 firewall rules, using the same address list for the 10 different IP subnets

If no one knows the answer right away, how would you suggest this be tested for a performance comparison?

Most kindly,

It’s impossible to say, as the bridge firewall is not a single standalone task on an imaginary device; your question gives no context or environment from which it could be predicted. Also, the rules could be different. Just run the test in your own case and you will see. For testing, use iperf on two sufficiently capable computers and put the device under test in between them.

If he smartly uses an “established/related” rule, IMHO “use-ip-firewall=yes” mode will win.

Thanks for this insight, it’s much appreciated.

I think this is very important to consider while doing tests to compare both.

It brings up the following question, though:

I assume those established/related rules would need to be at the top, am I correct?

Absolutely.
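To make the two setups from the question concrete, here is an added configuration sketch (not posted by anyone in this thread, and not MikroTik’s own documentation). It assumes a bridge named bridge1 and three constructed placeholder subnets standing in for the ten real ones; the list name lan-allowed and the comments are assumptions. It shows Setup B with the established/related accept placed first in the forward chain, followed by the Setup A equivalent written as bridge filter rules for comparison.

```routeros
# Added example, not from the original thread. Assumes a bridge named
# "bridge1"; the subnets below are constructed placeholders.

# ---- Setup B: hand bridged traffic to the IP firewall -------------------
/interface bridge settings
set use-ip-firewall=yes

# One address list holding every subnet (only 3 of the 10 shown here)
/ip firewall address-list
add list=lan-allowed address=10.1.0.0/24 comment="subnet 1 (placeholder)"
add list=lan-allowed address=10.2.0.0/24 comment="subnet 2 (placeholder)"
add list=lan-allowed address=10.3.0.0/24 comment="subnet 3 (placeholder)"

# Forward chain: established/related is evaluated first, so only the first
# packet of each connection has to walk the address-list rules below it.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="accept known flows before anything else"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge1 src-address-list=lan-allowed \
    action=accept comment="new flows from listed subnets"
add chain=forward in-interface=bridge1 action=drop \
    comment="new flows from anything not in the list"

# ---- Setup A equivalent: bridge filter, one rule per subnet -------------
# (use-ip-firewall=no; no connection tracking, so every packet is matched)
/interface bridge settings
set use-ip-firewall=no
/interface bridge filter
add chain=forward mac-protocol=ip src-address=10.1.0.0/24 action=accept
add chain=forward mac-protocol=ip src-address=10.2.0.0/24 action=accept
add chain=forward mac-protocol=ip src-address=10.3.0.0/24 action=accept
add chain=forward mac-protocol=ip action=drop
```

The point of the ordering in Setup B is the one made in the replies above: with connection tracking, the address-list lookup is paid once per connection rather than once per packet, whereas the bridge filter in Setup A has no connection state and evaluates its rule list for every frame. When benchmarking with iperf as suggested, compare a single long-lived flow (where established/related dominates) against many short connections (where the per-connection rule walk dominates), since the two setups will differ most in the second case.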

After further configuration and tests, it appears that the lists I would like to use are part of the ARP protocol, which cannot be filtered with firewall rules.

I am wondering if it would be possible for RouterOS to implement the lists at that location:
Perhaps Bridge could have its own Address List tab.

Any thoughts ?