boon_ee
just joined
Topic Author
Posts: 14
Joined: Fri Sep 22, 2006 4:31 pm

too many firewall rules

Fri Sep 29, 2006 7:56 pm

Hi,

If I create too many firewall rules, would it slow down the MikroTik performance? Is there any limit on how many rules we can apply on MikroTik?

Boon
 
sten
Forum Veteran
Posts: 920
Joined: Tue Jun 01, 2004 12:10 pm

Fri Sep 29, 2006 9:56 pm

What hardware are you contemplating?
And yes, every rule can slow it down, so like with every other fw package you have to write efficient rulesets. You can group rules in chains so your rules can get pretty efficient.
Move along. Nothing to see here.
 
wispnewbie
just joined
Posts: 14
Joined: Fri Aug 11, 2006 5:31 pm

Sat Sep 30, 2006 12:44 am

How hard is it to bog down a RB532? I've got some rulesets based on the examples listed at http://wiki.mikrotik.com/wiki/Protecting_your_customers but I'm curious as to how much it is slowing me down.

So how much is too much? And what do you mean by grouping rules in chains? Something similar to the "virus" chain at the url above? Can you give me an example of an efficient ruleset?

Sorry for all the questions, I've been wondering about this for a while :-)
 
boon_ee
just joined
Topic Author
Posts: 14
Joined: Fri Sep 22, 2006 4:31 pm

Sat Sep 30, 2006 6:39 am

Hi sten,

I'm using a P4 2.8GHz and 512 RAM to work as a router.
At the moment, I only create certain rules to block (drop packets) on certain ports such as p2p, ports 135-139, netbus and so on.
I was wondering, if I keep adding firewall rules, or when it reaches the limit, what would happen to the router?
What is your recommendation? Do you have an example for that?
Like wispnewbie said, I also want to know how much is the how much?
 
Stryker777
Frequent Visitor
Posts: 71
Joined: Fri Jul 07, 2006 11:40 pm

Sat Sep 30, 2006 9:00 am

I tested a large number of rules to find out what it could handle. Added 256 rules to the firewall filter, 120 to the mangle, and 80 queue rules. Did not hiccup at all. I stopped there. That is not a lot of rules by themselves, but that was added to what I already had in my completed system. The point was to have dynamic queues/firewalls for pppoe users via 1 radius-supplied firewall attribute. I had 4 to the 4th possibilities. It works perfectly.
 
sten
Forum Veteran
Posts: 920
Joined: Tue Jun 01, 2004 12:10 pm

Sun Oct 01, 2006 7:49 am

wispnewbie wrote:
> How hard is it to bog down a RB532? I've got some rulesets based on the examples listed at http://wiki.mikrotik.com/wiki/Protecting_your_customers but I'm curious as to how much it is slowing me down.
>
> So how much is too much? And what do you mean by grouping rules in chains? Something similar to the "virus" chain at the url above? Can you give me an example of an efficient ruleset?
>
> Sorry for all the questions, I've been wondering about this for a while :-)

heh, it's slowing you down about this |<--->| much.
Every comparison counts.
An efficient ruleset is one that doesn't compare for the same value in the same match field more than once, in as few total rules as possible. So comparing whether, say, src-address equals a given value once is twice as efficient as comparing src-address for that value twice.

I don't believe much in virus chains, but you gotta do what you think is right.
Move along. Nothing to see here.
 
sten
Forum Veteran
Posts: 920
Joined: Tue Jun 01, 2004 12:10 pm

Sun Oct 01, 2006 7:55 am

boon_ee wrote:
> Hi sten,
>
> I'm using a P4 2.8GHz and 512 RAM to work as a router.
> At the moment, I only create certain rules to block (drop packets) on certain ports such as p2p, ports 135-139, netbus and so on.
> I was wondering, if I keep adding firewall rules, or when it reaches the limit, what would happen to the router?
> What is your recommendation? Do you have an example for that?
> Like wispnewbie said, I also want to know how much is the how much?

Depends a lot on what kind of service you want to give.
Each match field in every rule requires processing.
A P4 can do a lot of rules in each X microsecond slot time. The P4's weakness is context switching (it's not good at multitasking).
But nonetheless it can process quite a few more rules than, say, a P2 in X microseconds.

No optimization can be performed unless you can measure the effects your changes have.
Move along. Nothing to see here.
 
sten
Forum Veteran
Posts: 920
Joined: Tue Jun 01, 2004 12:10 pm

Sun Oct 01, 2006 7:58 am

Stryker777 wrote:
> I tested a large number of rules to find out what it could handle. Added 256 rules to the firewall filter, 120 to the mangle, and 80 queue rules. Did not hiccup at all. I stopped there. That is not a lot of rules by themselves, but that was added to what I already had in my completed system. The point was to have dynamic queues/firewalls for pppoe users via 1 radius-supplied firewall attribute. I had 4 to the 4th possibilities. It works perfectly.

I think I read somewhere that the upper limit is 65535 or somewhere close to it. The only one I've got that has more than 1500 rules (most are inactive) flakes out around that amount, but that's probably because it's a really old version (v2.9.18).
Move along. Nothing to see here.
 
BrianHiggins
Long time Member
Posts: 600
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT

Sun Oct 01, 2006 8:04 pm

The number of rules isn't as important as what the rule does and how much traffic you push through it...

src or dst nat is more CPU intensive than a mangle rule, which is more intensive than a drop rule.

There is no specific upper limit (other than maybe the 65535); it depends 100% on how you build the rules.

Example: if you have 4000 rules, but rule #1 is to accept established connections, then each established connection only gets run through that one rule, leaving the remaining 3999 rules unprocessed. This makes the system much more efficient. If you take out that first rule, you could easily bog down a PII or faster system, depending on traffic.
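As an added example (not from any post in this thread, and not MikroTik's own documentation), here is the shape of ruleset Brian and sten describe, written in RouterOS CLI syntax: a flat list in which every packet is compared against every rule, beside a version that accepts established traffic on the first rule and jumps only new TCP or UDP connections into their own chains. The chain names tcp-new and udp-new and the NetBus port 12345 are my assumptions; ports 135-139 come from boon_ee's post. The last two commands show how to read the per-rule packet counters to confirm a rule is actually matching.

```routeros
# Added example, not from the thread. Two orderings of the same drop rules
# in the forward chain. Chain names tcp-new/udp-new are assumed.

# --- Inefficient: every packet of every flow walks the whole list, and
#     no rule accepts anything early, so nothing short-circuits.
/ip firewall filter
add chain=forward protocol=tcp dst-port=135-139 action=drop comment="netbios"
add chain=forward protocol=tcp dst-port=445 action=drop comment="smb"
add chain=forward protocol=tcp dst-port=12345 action=drop comment="netbus (assumed port)"
add chain=forward protocol=udp dst-port=135-139 action=drop comment="netbios"
# ... hundreds more, each evaluated for every packet of every connection ...

# --- Efficient: accept the bulk of traffic on rule #1, drop invalid state,
#     then send only NEW connections of each protocol into a small chain.
/ip firewall filter
add chain=forward connection-state=established action=accept comment="most packets stop here"
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward protocol=tcp connection-state=new action=jump jump-target=tcp-new
add chain=forward protocol=udp connection-state=new action=jump jump-target=udp-new
# RouterOS requires protocol= whenever dst-port= is used, so the protocol
# match is repeated here; the saving is that established and non-TCP
# traffic never reaches these rules at all.
add chain=tcp-new protocol=tcp dst-port=135-139 action=drop comment="netbios"
add chain=tcp-new protocol=tcp dst-port=445 action=drop comment="smb"
add chain=tcp-new protocol=tcp dst-port=12345 action=drop comment="netbus (assumed port)"
add chain=udp-new protocol=udp dst-port=135-139 action=drop comment="netbios"
# If no rule in tcp-new/udp-new matches, evaluation returns to the forward
# chain after the jump rule, so anything not listed is still allowed.

# --- Verify: counters count packets that MATCHED the rule, so on a drop
#     rule the packets column is the number of packets dropped.
/ip firewall filter reset-counters-all
/ip firewall filter print stats
```

Watch the counters on the accept-established rule versus the drop rules over a few minutes: if nearly all packets land on rule #1, the long port list is only being consulted for the first packet of each connection, which is the effect Brian describes.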
 
boon_ee
just joined
Topic Author
Posts: 14
Joined: Fri Sep 22, 2006 4:31 pm

Mon Oct 02, 2006 4:14 am

Thanks for all the info guys.....
By the way, I can see the packet value (x number) keep going up on one of my firewall rules (fyi, I try to drop p2p packets). Does it mean x amount of packets have been dropped silently, or is it actually showing x amount of packets passing thru?
Or maybe I should ask how to know that my firewall rules are working?
Thanks
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Mon Oct 02, 2006 9:25 am

1000 rules processed for _each_ packet make p4 2.8 pass through 76Mbps fdx. 50000 rules processed for _each_ packet reduce the throughput to 1.5 Mbps fdx.

Like mentioned before, in real life most of the traffic is processed with first 1 to 50 rules.

Eugene
Everyone has the right to life, liberty and security of person.
 
changeip
Forum Guru
Posts: 3806
Joined: Fri May 28, 2004 5:22 pm

Mon Oct 02, 2006 9:30 am

Eugene wrote:
> 1000 rules processed for _each_ packet make p4 2.8 pass through 76Mbps fdx. 50000 rules processed for _each_ packet reduce the throughput to 1.5 Mbps fdx.
>
> Like mentioned before, in real life most of the traffic is processed with first 1 to 50 rules.
>
> Eugene

Eugene,

Good numbers. Can you run that same test on 3.0 and see if there is much of a difference?
