DrJoe
just joined
Topic Author
Posts: 7
Joined: Thu Sep 05, 2019 10:40 pm

Moving or "Inserting" a Filter Rule?

Wed Jan 08, 2020 6:26 am

In my filter rules, 0 is commented as "special dummy rule to show fasttrack counters", with chain being "forward". Rule 1 is "defconf: accept established, related, untracked", with chain being "input".
At rule 9 is "defconf: accept established, related, untracked", with chain being "forward". Would it give better speed for large amounts of related data if Rule 9 was moved to become Rule 1? It seems that established related packets would not need to go past rule 1 to be forwarded, and thus established, related packets would not be "tested" against the subsequent rules. If this would give more throughput, how can I move a Rule in WinBox? Or, alternatively, how can I "insert" a Rule between Rule 0 and Rule 1? Thanks for your input!
 
Guntis
MikroTik Support
Posts: 56
Joined: Fri Jul 20, 2018 1:40 pm

Re: Moving or "Inserting" a Filter Rule?  [SOLVED]

Wed Jan 08, 2020 7:18 am

It's a good idea to have rules that are frequently being hit at the top, like established,related for example. Moving rules themselves is easy; in WinBox you can just drag and drop them to change their place.
You can also achieve the same result in Terminal, by using "move". For example, you could do "/ip firewall filter print", see the numbers that interest you, and then do, for example, "/ip firewall filter move 8 destination=1". While adding your new rules you can also use the "place-before" parameter to add the new rule before an existing one.
 
mkx
Forum Guru
Posts: 5043
Joined: Thu Mar 03, 2016 10:23 pm

Re: Moving or "Inserting" a Filter Rule?

Wed Jan 08, 2020 8:25 am

Would it give better speed for large amounts of related data if Rule 9 was moved to become Rule 1?

Adding to what @Guntis already wrote: firewall filter rules get executed sequentially from top to bottom ... for the chain appropriate for the particular packet. And the chain gets determined before the firewall filter rules start to be executed.

So a packet will either get treated by rules #0, #9, ... (if the packet is about to be forwarded elsewhere) or the packet will get treated by rules #1, #2, ... (if the packet's final destination is the router itself).
BR,
Metod
 
pe1chl
Forum Guru
Posts: 7056
Joined: Mon Jun 08, 2015 12:09 pm

Re: Moving or "Inserting" a Filter Rule?

Wed Jan 08, 2020 1:34 pm

Remember that the whole rule evaluation (which operates top-to-bottom until a match is found) is executed only for rules in a specific chain, where the selected chain depends on the situation.
(The input chain is evaluated for packets sent to the router itself, the forward chain is evaluated for packets forwarded by the router.)

Therefore, for clarity, it is best to group the rules in the UI e.g. first all rules in the forward chain, then all rules in the input chain. Of course keeping the relative order within those chains the same.
This has no effect at all on the performance but it is much clearer when studying the firewall rules.

So normally when I encounter such a config I drag all input chain rules to the bottom, starting with the lowest one and moving the next one just above it, etc, until only a list of forward rules and a list of input rules remain.
And, I often insert a rule like this:
/ip firewall filter
add action=log chain=------------ comment=------------------
between the rules that are in the forward chain and the input chain, for clarity.
(and also when I use the output chain and when I have created my own custom chains)
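The point made by mkx and pe1chl (the chain is chosen first, then only that chain's rules are walked top to bottom until a terminating match) is easy to check with a small model. The following Python is an added example, not code from this thread or from MikroTik: it models a 12-rule filter list shaped like the one described (rule 0 the forward-chain fasttrack-counter dummy, rules 1-8 input, rules 9-11 forward), plus the "move N destination=M" and "add ... place-before=M" operations Guntis mentioned. The rule list, packets, matchers, and the assumed console semantics (the moved rule lands directly before the destination rule; no match at all means accept) are all constructed for the illustration. It shows that moving rule 9 to position 1 does not change how many rules a forwarded established packet touches, whereas moving it below the other forward rules does.

```python
# Added example, not code from the forum thread or from MikroTik: a small
# Python model of how RouterOS walks /ip firewall filter rules, to show why
# moving a forward-chain rule above the input-chain rules does not shorten a
# forwarded packet's path, while the order *within* a chain does.
# Rules, packets and matchers below are constructed for this illustration.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Actions after which evaluation stops for the packet. "passthrough" (used by
# the defconf fasttrack-counter dummy rule) and "log" only count the packet.
TERMINATING = {"accept", "drop", "reject"}


@dataclass
class Packet:
    chain: str            # "input" = to the router, "forward" = through it
    state: str            # connection-state: new/established/related/...
    proto: str = "tcp"
    dport: int = 0
    from_lan: bool = False
    dstnat: bool = False


@dataclass
class Rule:
    chain: str
    action: str
    comment: str
    match: Callable[[Packet], bool] = lambda p: True  # default: match any


def state_in(*states: str) -> Callable[[Packet], bool]:
    return lambda p: p.state in states


def build_rules() -> List[Rule]:
    """Constructed 12-rule list shaped like the thread's description:
    rule 0 is the forward-chain dummy, rules 1-8 are input, 9-11 forward."""
    return [
        Rule("forward", "passthrough", "special dummy rule to show fasttrack counters"),
        Rule("input", "accept", "defconf: accept established, related, untracked",
             state_in("established", "related", "untracked")),
        Rule("input", "drop", "defconf: drop invalid", state_in("invalid")),
        Rule("input", "accept", "defconf: accept ICMP", lambda p: p.proto == "icmp"),
        Rule("input", "accept", "accept WinBox from LAN",
             lambda p: p.from_lan and p.proto == "tcp" and p.dport == 8291),
        Rule("input", "accept", "accept SSH from LAN",
             lambda p: p.from_lan and p.proto == "tcp" and p.dport == 22),
        Rule("input", "accept", "accept DNS from LAN",
             lambda p: p.from_lan and p.dport == 53),
        Rule("input", "accept", "accept DHCP from LAN",
             lambda p: p.from_lan and p.proto == "udp" and p.dport == 67),
        Rule("input", "drop", "drop all other input"),
        Rule("forward", "accept", "defconf: accept established, related, untracked",
             state_in("established", "related", "untracked")),
        Rule("forward", "drop", "defconf: drop invalid", state_in("invalid")),
        Rule("forward", "drop", "defconf: drop new not dstnat from WAN",
             lambda p: p.state == "new" and not p.from_lan and not p.dstnat),
    ]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (final action, number of rules tested).  Only rules in the
    packet's chain are consulted, in list order, until a matching rule with a
    terminating action ends evaluation.  No match at all means accept (the
    RouterOS default policy)."""
    tested = 0
    for rule in rules:
        if rule.chain != pkt.chain:
            continue          # rules of other chains are never looked at
        tested += 1
        if rule.match(pkt) and rule.action in TERMINATING:
            return rule.action, tested
    return "accept", tested


def move(rules: List[Rule], number: int, destination: int) -> List[Rule]:
    """Model of '/ip firewall filter move <number> destination=<n>': the moved
    rule is placed directly before the rule currently numbered n (assumed
    semantics; the numbers are the print order)."""
    out = list(rules)
    target = out[destination]
    moved = out.pop(number)
    out.insert(next(i for i, r in enumerate(out) if r is target), moved)
    return out


def add_rule(rules: List[Rule], new: Rule, place_before: Optional[int] = None) -> List[Rule]:
    """Model of 'add ... place-before=<n>': insert before rule n, else append."""
    out = list(rules)
    out.insert(len(out) if place_before is None else place_before, new)
    return out


def demo() -> dict:
    rules = build_rules()
    fwd_est = Packet("forward", "established")
    in_est = Packet("input", "established")
    moved_up = move(rules, 9, destination=1)      # what the thread asks about
    moved_down = move(rules, 9, destination=11)   # below the other forward rules
    inserted = add_rule(rules, Rule("forward", "log", "log forwarded traffic"), place_before=1)
    return {
        "original": evaluate(rules, fwd_est),         # rule 0, then rule 9
        "moved_up": evaluate(moved_up, fwd_est),      # same path, same count
        "moved_down": evaluate(moved_down, fwd_est),  # now behind drop-invalid
        "input_orig": evaluate(rules, in_est),
        "input_moved": evaluate(moved_up, in_est),
        "inserted_rule_1": inserted[1].comment,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>16}: {result}")
```

Running it shows the forwarded established packet touching two forward rules both before and after the move to position 1, and three once the accept rule sits below "drop invalid"; the input-chain packet is unaffected either way, which is exactly why grouping by chain (pe1chl's suggestion) is a readability change and not a performance one.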
 
DrJoe
just joined
Topic Author
Posts: 7
Joined: Thu Sep 05, 2019 10:40 pm

Re: Moving or "Inserting" a Filter Rule?

Wed Jan 08, 2020 6:17 pm

Thanks to all who answered. Was able to move the line where I wanted. Had to attach the mouse, since touchpad on this laptop doesn't do well with dragging things. I didn't do the "grouping" suggested, but I only have 12 filter rules, and all are commented and easy to understand. If there were more rules, I think the organization of them that was suggested would really help. Thanks again to all of you.
