Hi every one,

i'm facing an issue with my firewall setup,
when i activate the FW rules the internet connection gets very slow that people can't work.
here's the setup i have:

/ip firewall address-list
add address=192.168.0.0/24 list=kcwlan
/ip firewall filter
add action=drop chain=input connection-state=invalid disabled=no
add chain=input comment="Allow Access From LAN" disabled=no src-address-list=kcwlan
add chain=input comment="Accept establishes connection on input chain" connection-state=established disabled=no
add chain=input comment="Allow related traffic on the router itself" connection-state=related disabled=no
add action=drop chain=input comment="Drop All other traffic" disabled=no
add action=drop chain=forward comment="Block Forwarding of invalid packages" connection-state=invalid disabled=no
add chain=forward comment="Accept new connections from our bridge-lan" connection-state=new disabled=no src-address-list=kcwlan
add chain=forward comment="Accept established connections" connection-state=established disabled=no
add chain=forward comment="Accept related connections like: ftp, etc" connection-state=related disabled=no
add action=drop chain=forward comment="drop all other traffic" disabled=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Any issue with this basic setup?

thank you in advance for your attention.

Put established, related into one rule and put this rule as first of each chain. Also create the same fasttrack rule and put it in front of forward chain. You need to have at least 6.29 and it will bypass the queues, if used.

What type of connection do you have? What speed did you get?
How did you tested your speed?
Firewall rules are standard , they should work fine.

There is nothing wrong with your firewall setup, its pretty straightforward. Go to tools\profile and from there you can check what is going on with firewall CPU usage.

Hi All, i have been busy and crazy for will all this problems to solve.
I really want to thank you guys/girls for your time, that's what makes the forums valuable.
One thing i like about difficulties or problems is that they often bring to us new ways of looking to the things, and that's what happened to me.

i kept digging and found some interesting discussions:

http://forum.mikrotik.com/viewtopic.php?t=41307
and
http://lists.clug.org.za/pipermail/clug ... 28095.html

And the following words made so much sense to me:

A firewall connection-state has only 1 status:
it is either new,established,related, OR invalid.
A single packet can not be more than one of these states.


that is like summarize the discussion on the second link:

/ip firewall filter

add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=<LAN> action=accept
add chain=input action=drop

add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=<LAN> action=accept
add chain=forward action=drop

I have applied this setup and the Internet looks like has a Ferrari engine now.

Any other view/opinion on this config?

Once Again: BIG THANK YOU TO ALL

Spare one rule with giving established, related in one rule. Boost the performance by using fasttrack.

Spare one rule with giving established, related in one rule. Boost the performance by using fasttrack.

Hi Jarda, thank you for this input,
i have tried to do this but it seems that router OS doesn't allow me to do that (Winbox or command line),
can you explain me how to make it possible.

I can imagine how fast it will be.

Regards

Just click both established and related in WinBox...

Hi Pea thank you for your attention,
What version of IOS are you using?
Because most of my routers are running on v6.15.
and don't allow.

Regards

If your licence allows, upgrade your ROS to latest version.

Now i'm super fast.
Thank for being there.

Loving Mikrotik everyday more.

If you do not use simple queues etc. you can enable Fasttrack to increase your speed (ROS 6.29 and newer).
Just put this rule above other firewall rules:
That Fasttrack is enabled you can check under IP->Settings and you should see packets counting in new dynamic dummy firewall rule.

Now i'm fast and Furious
Big Thanks.

Hi, Any tips on Qos or preventing users on consuming all the bandwith alone?
if you could advise on a book/manual/tutorial or even posts, that explain what's happening (on QoS) i glad already.

Read manual about queues. You cannot use fasttrack together with queues as the fasttrack bypasses also the queues...

Read manual about queues. You cannot use fasttrack together with queues as the fasttrack bypasses also the queues...

Thank you, i will look for them on the web.
Any book title you recommended?

Many thanks for your attention and support.