Slow internet with firewall.

smhula · July 6, 2015, 9:20am

Hi every one,

i’m facing an issue with my firewall setup,
when i activate the FW rules the internet connection gets very slow that people can’t work.
here’s the setup i have:

/ip firewall address-list
add address=192.168.0.0/24 list=kcwlan
/ip firewall filter
add action=drop chain=input connection-state=invalid disabled=no
add chain=input comment=“Allow Access From LAN” disabled=no src-address-list=kcwlan
add chain=input comment=“Accept establishes connection on input chain” connection-state=established disabled=no
add chain=input comment=“Allow related traffic on the router itself” connection-state=related disabled=no
add action=drop chain=input comment=“Drop All other traffic” disabled=no
add action=drop chain=forward comment=“Block Forwarding of invalid packages” connection-state=invalid disabled=no
add chain=forward comment=“Accept new connections from our bridge-lan” connection-state=new disabled=no src-address-list=kcwlan
add chain=forward comment=“Accept established connections” connection-state=established disabled=no
add chain=forward comment=“Accept related connections like: ftp, etc” connection-state=related disabled=no
add action=drop chain=forward comment=“drop all other traffic” disabled=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Any issue with this basic setup?

thank you in advance for your attention.

jarda · July 7, 2015, 4:38am

Put established, related into one rule and put this rule as first of each chain. Also create the same fasttrack rule and put it in front of forward chain. You need to have at least 6.29 and it will bypass the queues, if used.

macgaiver · July 7, 2015, 5:17am

What type of connection do you have? What speed did you get?
How did you tested your speed?
Firewall rules are standard , they should work fine.

TomosRider · July 8, 2015, 6:44am

There is nothing wrong with your firewall setup, its pretty straightforward. Go to tools\profile and from there you can check what is going on with firewall CPU usage.

smhula · July 24, 2015, 5:47pm

Hi All, i have been busy and crazy for will all this problems to solve.
I really want to thank you guys/girls for your time, that’s what makes the forums valuable.
One thing i like about difficulties or problems is that they often bring to us new ways of looking to the things, and that’s what happened to me.

i kept digging and found some interesting discussions:

http://forum.mikrotik.com/t/firewall-slow-down-forwarding-packets/37328/1
and
http://lists.clug.org.za/pipermail/clug-chat/2014-February/028095.html

And the following words made so much sense to me:

A firewall connection-state has only 1 status:
it is either new,established,related, OR invalid.
A single packet can not be more than one of these states.

that is like summarize the discussion on the second link:

/ip firewall filter

add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface= action=accept
add chain=input action=drop

add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface= action=accept
add chain=forward action=drop

I have applied this setup and the Internet looks like has a Ferrari engine now.

Any other view/opinion on this config?

Once Again: BIG THANK YOU TO ALL

jarda · July 24, 2015, 10:06pm

Spare one rule with giving established, related in one rule. Boost the performance by using fasttrack.

smhula · July 25, 2015, 10:59am

Hi Jarda, thank you for this input,
i have tried to do this but it seems that router OS doesn’t allow me to do that (Winbox or command line),
can you explain me how to make it possible.

I can imagine how fast it will be.

Regards

Pea · July 26, 2015, 6:17pm

Just click both established and related in WinBox…

smhula · July 27, 2015, 10:49am

Hi Pea thank you for your attention,
What version of IOS are you using?
Because most of my routers are running on v6.15.
and don’t allow.

Regards

TomosRider · July 27, 2015, 12:22pm

If your licence allows, upgrade your ROS to latest version.

smhula · July 27, 2015, 5:02pm

Now i’m super fast.
Thank for being there.

Loving Mikrotik everyday more.

Pea · July 27, 2015, 6:46pm

If you do not use simple queues etc. you can enable Fasttrack to increase your speed (ROS 6.29 and newer).
Just put this rule above other firewall rules:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related

That Fasttrack is enabled you can check under IP->Settings and you should see packets counting in new dynamic dummy firewall rule.

smhula · July 27, 2015, 7:14pm

Now i’m fast and Furious
Big Thanks.

smhula · July 27, 2015, 7:19pm

Hi, Any tips on Qos or preventing users on consuming all the bandwith alone?
if you could advise on a book/manual/tutorial or even posts, that explain what’s happening (on QoS) i glad already.

jarda · August 1, 2015, 4:12pm

Read manual about queues. You cannot use fasttrack together with queues as the fasttrack bypasses also the queues…

smhula · August 2, 2015, 4:33pm

Thank you, i will look for them on the web.
Any book title you recommended?

Many thanks for your attention and support.