I added more than 200 rules in the RAW table; all of those rules filter DNS packets. When using L2TP/IPsec, the throughput drops by half, but if I add the VPN server address at the top, it only drops by 1/4.
Disable all rules in RAW, and the throughput is restored.
Maybe it is time to split up the two tasks: one box for L2TP/IPsec and one for the filtering.
But PPTP has full throughput with the 200 RAW rules, very strange, don't know why.
Perhaps you’re filtering on content and/or L7 without an appropriate UDP port filter. Could you post an example of the RAW rules?
288 rules. No L7, just content. All block DNS.
24 ;;; Block GFW's pushed faked DNS record 5.9.90.55
chain=prerouting action=drop in-interface=Telecom src-port=53
content=\00\04\05\tZ7 packet-size=60-180 log=no log-prefix=""
protocol=udp src-address-list=My DNS
25 ;;; Block GFW's pushed faked DNS record 5.10.71.189
chain=prerouting action=drop in-interface=Telecom src-port=53
content=\00\04\05\nG\BD packet-size=60-180 log=no log-prefix=""
protocol=udp src-address-list=My DNS
26 ;;; Block GFW's pushed faked DNS record 5.199.170.160
chain=prerouting action=drop in-interface=Telecom src-port=53
content=\00\04\05\C7\AA\A0 packet-size=60-180 log=no log-prefix=""
protocol=udp src-address-list=My DNS
27 ;;; Block GFW's pushed faked DNS record 8.7.198.45
chain=prerouting action=drop in-interface=Telecom src-port=53
content=\00\04\08\07\C6- packet-size=60-180 log=no log-prefix=""
protocol=udp src-address-list=My DNS
Well, you do filter by content…
Instead of doing everything in one chain, do the basic matching only once and then jump to a dedicated chain:
add action=jump chain=prerouting in-interface=Telecom jump-target=dns-filter packet-size=60-180 \
protocol=udp src-address-list="My DNS" src-port=53
add action=drop chain=dns-filter content="\00\04\05\tZ7"
add action=drop chain=dns-filter content="\00\04\05\
...
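As an added example (not Sob's or the original poster's code), here is a small Python generator that produces the layout above: one jump rule that does the cheap matches once, then a dns-filter chain with one content-only drop per forged A record. The content pattern is RDLENGTH 0x0004 followed by the four address octets, which is how the thread's own rules are built; it assumes RouterOS accepts \XX hex escapes in content= on input (the export shows \t and \n for 0x09/0x0A, which are equivalent).

```python
"""Generate MikroTik RouterOS /ip firewall raw rules that drop forged DNS
A-record answers, using one cheap jump rule plus a dedicated content chain.
Added example, not code from the thread."""
import ipaddress

# Constructed sample: the four forged-record IPs quoted in the thread.
FORGED_A_RECORDS = ["5.9.90.55", "5.10.71.189", "5.199.170.160", "8.7.198.45"]


def ros_escape(data: bytes) -> str:
    """Render bytes the way RouterOS content= strings expect: printable
    ASCII stays literal, everything else becomes a \\XX hex escape.
    (Assumption: hex escapes are accepted on input.)"""
    out = []
    for b in data:
        if 0x21 <= b <= 0x7E and b not in (0x5C, 0x22):  # not '\\' or '"'
            out.append(chr(b))
        else:
            out.append(f"\\{b:02X}")
    return "".join(out)


def a_record_pattern(ip: str) -> str:
    """Content pattern for a DNS A answer carrying `ip`: RDLENGTH=4
    (bytes 00 04) followed by the address octets, exactly as in the
    thread's rules (e.g. 8.7.198.45 -> \\00\\04\\08\\07\\C6-)."""
    rdata = ipaddress.IPv4Address(ip).packed
    return ros_escape(b"\x00\x04" + rdata)


def build_rules(ips, in_iface="Telecom", addr_list="My DNS") -> list[str]:
    """Emit the jump rule once, then one content-only drop per forged IP.
    Non-DNS traffic fails the cheap matchers in the single jump rule and
    never touches the content chain."""
    rules = [
        "/ip firewall raw",
        f"add action=jump chain=prerouting in-interface={in_iface} "
        f"jump-target=dns-filter packet-size=60-180 protocol=udp "
        f'src-address-list="{addr_list}" src-port=53',
    ]
    for ip in ips:
        rules.append(
            f'add action=drop chain=dns-filter content="{a_record_pattern(ip)}" '
            f"comment=\"Block GFW's pushed faked DNS record {ip}\""
        )
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules(FORGED_A_RECORDS)))
```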
OK, with all rules jumping to one chain, the throughput is restored to maximum. You are so professional. My problem is solved.
Thank you Sob.