
Slow internet with firewall.

Posted: Mon Jul 06, 2015 12:20 pm
by smhula
Hi everyone,

I'm facing an issue with my firewall setup:
when I activate the FW rules, the internet connection gets so slow that people can't work.
Here's the setup I have:

/ip firewall address-list
add address=192.168.0.0/24 list=kcwlan
/ip firewall filter
add action=drop chain=input connection-state=invalid disabled=no
add chain=input comment="Allow Access From LAN" disabled=no src-address-list=kcwlan
add chain=input comment="Accept establishes connection on input chain" connection-state=established disabled=no
add chain=input comment="Allow related traffic on the router itself" connection-state=related disabled=no
add action=drop chain=input comment="Drop All other traffic" disabled=no
add action=drop chain=forward comment="Block Forwarding of invalid packages" connection-state=invalid disabled=no
add chain=forward comment="Accept new connections from our bridge-lan" connection-state=new disabled=no src-address-list=kcwlan
add chain=forward comment="Accept established connections" connection-state=established disabled=no
add chain=forward comment="Accept related connections like: ftp, etc" connection-state=related disabled=no
add action=drop chain=forward comment="drop all other traffic" disabled=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Any issue with this basic setup?

thank you in advance for your attention.

Posted: Tue Jul 07, 2015 7:38 am
by jarda
Put established,related into one rule and put this rule first in each chain. Also create the same fasttrack rule and put it in front of the forward chain. You need to have at least 6.29, and it will bypass the queues, if used.

Re: Slow internet with firewall.

Posted: Tue Jul 07, 2015 8:17 am
by macgaiver
What type of connection do you have? What speed did you get?
How did you test your speed?
Firewall rules are standard; they should work fine.

Re: Slow internet with firewall.

Posted: Wed Jul 08, 2015 9:44 am
by TomosRider
There is nothing wrong with your firewall setup; it's pretty straightforward. Go to Tools\Profile, and from there you can check what is going on with firewall CPU usage.

Re: Slow internet with firewall.

Posted: Fri Jul 24, 2015 8:47 pm
by smhula
Hi all, I have been busy and crazy with all these problems to solve.
I really want to thank you guys/girls for your time; that's what makes the forums valuable.
One thing I like about difficulties or problems is that they often bring us new ways of looking at things, and that's what happened to me.

I kept digging and found some interesting discussions:

http://forum.mikrotik.com/viewtopic.php?t=41307
and
http://lists.clug.org.za/pipermail/clug ... 28095.html

And the following words made so much sense to me:

A firewall connection-state has only 1 status:
it is either new,established,related, OR invalid.
A single packet can not be more than one of these states.


That pretty much summarizes the discussion on the second link:

/ip firewall filter

add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=<LAN> action=accept
add chain=input action=drop

add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=<LAN> action=accept
add chain=forward action=drop


I have applied this setup and the Internet looks like it has a Ferrari engine now.

Any other view/opinion on this config?

Once Again: BIG THANK YOU TO ALL

Posted: Sat Jul 25, 2015 1:06 am
by jarda
Spare one rule by giving established,related in one rule. Boost the performance by using fasttrack.

Re:

Posted: Sat Jul 25, 2015 1:59 pm
by smhula
> Spare one rule by giving established,related in one rule. Boost the performance by using fasttrack.

Hi Jarda, thank you for this input.
I have tried to do this, but it seems that RouterOS doesn't allow me to do that (Winbox or command line);
can you explain to me how to make it possible?

I can imagine how fast it will be.

Regards

Re: Slow internet with firewall.

Posted: Sun Jul 26, 2015 9:17 pm
by Pea
Just click both established and related in WinBox...

Re: Slow internet with firewall.

Posted: Mon Jul 27, 2015 1:49 pm
by smhula
Hi Pea, thank you for your attention.
What version of IOS are you using?
Because most of my routers are running v6.15,
and it doesn't allow it.

Regards

Re: Slow internet with firewall.

Posted: Mon Jul 27, 2015 3:22 pm
by TomosRider
If your licence allows, upgrade your ROS to the latest version.

Re: Slow internet with firewall.

Posted: Mon Jul 27, 2015 8:02 pm
by smhula
:D
Now I'm super fast.
Thanks for being there.

Loving Mikrotik everyday more.

Re: Slow internet with firewall.

Posted: Mon Jul 27, 2015 9:46 pm
by Pea
If you do not use simple queues etc., you can enable Fasttrack to increase your speed (ROS 6.29 and newer).
Just put this rule above the other firewall rules:
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
You can check that Fasttrack is enabled under IP->Settings, and you should see packets being counted in the new dynamic dummy firewall rule.
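Pulling jarda's advice (one established,related rule first in each chain, fasttrack in front of the forward chain) and Pea's fasttrack rule together into one rule set, as an added example that is not part of any post in this thread. It keeps the original poster's kcwlan address list and ether1 as the WAN interface; ether2 as the LAN interface is an assumption. The LAN rules match on in-interface as well as on the address list, so a packet arriving on ether1 with a forged 192.168.0.0/24 source is not accepted as "LAN" traffic, which the original input chain (src-address-list only) would do. The accept rule right after the fasttrack rule is needed because not every packet of a fasttracked connection takes the fast path; the ones that do not still have to be accepted by the normal filter. The commands at the end are the checks Pea and TomosRider point to.

```routeros
/ip firewall address-list
add address=192.168.0.0/24 list=kcwlan

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="accept established,related in one rule, first in the chain"
add chain=input action=drop connection-state=invalid \
    comment="drop invalid"
add chain=input action=accept in-interface=ether2 src-address-list=kcwlan \
    comment="management access only from the LAN side (ether2 is an assumption)"
add chain=input action=drop \
    comment="drop everything else to the router"

# --- forward chain: traffic passing through the router ---
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack (RouterOS 6.29+); skips the rest of filter, mangle and queues"
add chain=forward action=accept connection-state=established,related \
    comment="accept the packets of those connections that still reach the filter"
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid"
add chain=forward action=accept connection-state=new in-interface=ether2 src-address-list=kcwlan \
    comment="new connections may only start from the LAN side"
add chain=forward action=drop \
    comment="drop everything else"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

# --- checks ---
# allow-fast-path must be yes for fasttrack to do anything
/ip settings print
# the dynamic fasttrack dummy rule should show a rising packet counter
/ip firewall filter print stats
# per-process CPU view: "firewall" should no longer dominate
/tool profile
```

Because fasttracked packets bypass the remaining filter rules, mangle and the queues, nothing placed after the fasttrack rule (a later drop, a per-user simple queue, a mangle mark) applies to that traffic. If per-user bandwidth limits are wanted, as asked later in this thread, either disable the fasttrack rule or exclude the traffic that must be queued from it, for example by adding a src-address or dst-address match to the fasttrack rule so that only the traffic you do not need to shape takes the fast path.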

Re: Slow internet with firewall.

Posted: Mon Jul 27, 2015 10:14 pm
by smhula
Now I'm fast and furious :D
Big Thanks.

Re: Slow internet with firewall.

Posted: Mon Jul 27, 2015 10:19 pm
by smhula
Hi, any tips on QoS or on preventing users from consuming all the bandwidth alone?
If you could advise on a book/manual/tutorial or even posts that explain what's happening (on QoS), I'd be glad.
:D

Posted: Sat Aug 01, 2015 7:12 pm
by jarda
Read the manual about queues. You cannot use fasttrack together with queues, as fasttrack bypasses the queues too...

Re:

Posted: Sun Aug 02, 2015 7:33 pm
by smhula
> Read the manual about queues. You cannot use fasttrack together with queues, as fasttrack bypasses the queues too...

Thank you, I will look for them on the web.
Any book title you recommend?

Many thanks for your attention and support.