performance

lgkahn · December 2, 2015, 10:37pm

I am going to be setting up a transparent bridging firewall configuration with static ips.
The reason I need to bridge is that Comcast gives out an ip block with the default gateway on the same subnet
as your ip block. I do not want to do NAT and want to actually use the public ips.
I assume the standard bridge setup with the ip on the bridge and the correct default g/w to the single gateway ip will work.

Anyway,

Previously I used dd-wrt and iptables, but the latest builds do not have the kernel mods to pass the packets from the bridge to the firewall. With the older generation of hardware and the versions of software that do support this the most
bandwidth I can get with about a 175 rule firewall is 105 megabit/sec

I now need 150 meg and more in the future so am switch over to routeros .. Has anyone setup hardware with a similar setup and firewall size.. What hardware would you recommend in order to be able to inspect all packets and keep up with the traffic. All the benchmarks show 40 rules. Mine is significantly larger and I cannot find anything that shows how performance scales depending on the size of your firewall..

Thanks…

Also a related topic , one piece of the older iptables firewall I have been unable to figure out how to convert to router os
is the following:

any suggestions:

echo “disallowing packet fragments”
$IPTABLES -A FORWARD -f -j LOG --log-prefix "Battempt IP Fragment: "
$IPTABLES -A FORWARD -f -j DROP

Also,

the statement
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \

to help block syn floods talks about this limit.. but what is the limit. specificially what does 400,5 mean

in my older iptables firewall
I blocked syn floods if they exceeded the rate of
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN

1 per second with a burst of 4

pukkita · December 3, 2015, 9:28am

lgkahn:

I am going to be setting up a transparent bridging firewall configuration with static ips.
The reason I need to bridge is that Comcast gives out an ip block with the default gateway on the same subnet
as your ip block. I do not want to do NAT and want to actually use the public ips.
I assume the standard bridge setup with the ip on the bridge and the correct default g/w to the single gateway ip will work.

Anyway,

Previously I used dd-wrt and iptables, but the latest builds do not have the kernel mods to pass the packets from the bridge to the firewall. With the older generation of hardware and the versions of software that do support this the most
bandwidth I can get with about a 175 rule firewall is 105 megabit/sec

I now need 150 meg and more in the future so am switch over to routeros .. Has anyone setup hardware with a similar setup and firewall size.. What hardware would you recommend in order to be able to inspect all packets and keep up with the traffic. All the benchmarks show 40 rules. Mine is significantly larger and I cannot find anything that shows how performance scales depending on the size of your firewall..

You can compare more powerful routers performance by the datasheets at routerboard.com and extrapolate… it will depend on the CPU used.

RB2011UiAS would be the minimum I’d try, even better a RB3011.

Also a related topic , one piece of the older iptables firewall I have been unable to figure out how to convert to router os
is the following:

any suggestions:

echo “disallowing packet fragments”
$IPTABLES -A FORWARD -f -j LOG --log-prefix "Battempt IP Fragment: "
$IPTABLES -A FORWARD -f -j DROP

Also,

the statement
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \

to help block syn floods talks about this limit.. but what is the limit. specificially what does 400,5 mean

in my older iptables firewall
I blocked syn floods if they exceeded the rate of
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN

1 per second with a burst of 4

RouterOS uses iptables internally, have a look at http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

As per that wiki regarding “limit” parameter:

Matches packets at a limited rate. Rule using this matcher will match until this limit is reached. Parameters are written in following format: count[/time],burst.

count - packet count per time interval to match
time - specifies the time interval in which the packet count cannot be exceeded (optional, 1s will be used if not specified)
burst - initial number of packets to match: this number gets recharged by one every time/count, up to this number

So 400,5 mean 400 syn packets per second with a burst of 5. So to replicate your setting it would be 1,4

BTW, that won’t help you too much with a syn flood DDOS, use IP > Settings sync cookies (http://wiki.mikrotik.com/wiki/Manual:IP/Settings)

lgkahn · December 4, 2015, 8:53pm

thanks i have some more statistics

I have reduced my firewall rules to 129 by using address lists which the older h/w did not support.

anyway for 129 rules using rb2011 with speedtest maxing out at 170 megabit/sec
cpu utilization is about 65-70%

I also picked up a cr1016 older model
cpu utilization for same firewall and test is 1-2%

however, it is kinda noisy with the fans.. anyone have quiter replacement fans they can rercommend

thanks for all your help and input.

Strangely stetting up the rb2011 when i put it in bridge mode it automically added all the ports.
The 1016 did not and it took me a while to figure out to add the other ports to get the bridging working.

read about the syn cookies and it says this
syncookies seriously violate TCP protocol, do not allow o use TCP extensions, can result in serious degradation of some services (f.e. SMTP relaying), visible not by you, but your clients and relays, contacting you.

do you normally only turn it on when a ddos attach occurs or is it ok to ignore this and use it all the time. i do have a dns and mail server on my network

thanks again