Why is bridging slower then routing?

miro10hr · October 3, 2012, 9:14pm

I am looking at test results in every Mikrotik product and I notice that bridging when IP firewall or Conn tracking is turned on is slower then routing. For example

RB4xxG Series @680Mhz 64 byte frames
IP Firewall Conntrack Mode Mbps
off off Bridging 76.9
on off Routing 52.38
on off Bridging 44.95
on on Routing 39.68
on on Bridging 29.9

Why is that so? Usually routing takes more time, but I suppose that when firewall is on the bridged packet has to go through more processes then the routed packet. Is it like so?

normis · October 4, 2012, 8:57am

If you use “bridge firewall” the packet flow path is longer than with routing, check yourself: http://wiki.mikrotik.com/wiki/Packet_Flow

sup5 · October 4, 2012, 9:19am

how does MPLS fit in here?

miro10hr · October 5, 2012, 6:55am

While we’re at this subject, how is firewall turned on or off? There is no special enable firewall option, so I suppose when the first rule is added then the firewall is enabled. If there is no rules then it is off. Is that right?
I am asking this, because there is a enable connection tracking option, so I am interested, if connection tracking is enabled, but without any firewall rules, does this mean that firewall is on also?

normis · October 5, 2012, 7:02am

Yes there is a option like that.

firewall ON - /interface bridge settings set use-ip-firewall=yes
Conntrack ON - /ip firewall connection tracking set enable=yes