Hello,
i have 2 rule and they are :
6 chain=forward action=accept src-address=x.x.x.x
dst-limit=4000,20,src-address/1m log=no log-prefix=""
7 chain=forward action=drop src-address=x.x.x.x log=no log-prefix="
so when i start send flooding with hping from x.x.x.x to the internet i see 60k PPS on that VLAN and only 4k pps proccess on my uplink now the issue is how can i set that vlan that only pass 4k pps ?
i do not want use queue because i want use this rules for all of my clients and i do not want limit them in bps.
i really thank you if you can help me,
thanks
Re: firewall rules not work for some specific reason
In queue you can set source IP address. Why you don't want to use it? If you want limit all your clients you can set source IP 0.0.0.0/0 I believe.
-
-
blackmetal
Member Candidate
- Posts: 227
- Joined:
Re: firewall rules not work for some specific reason
i have tried that now! and set source ip but still i have same amount of pps on my vlan
Re: firewall rules not work for some specific reason
Might be related to fasttrack or established/related rules. Have you tried putting these above any other forward rules and/or disabling fasttrack?Hello,
i have 2 rule and they are :
6 chain=forward action=accept src-address=x.x.x.x
dst-limit=4000,20,src-address/1m log=no log-prefix=""
7 chain=forward action=drop src-address=x.x.x.x log=no log-prefix="
so when i start send flooding with hping from x.x.x.x to the internet i see 60k PPS on that VLAN and only 4k pps proccess on my uplink now the issue is how can i set that vlan that only pass 4k pps ?
i do not want use queue because i want use this rules for all of my clients and i do not want limit them in bps.
i really thank you if you can help me,
thanks
-
-
blackmetal
Member Candidate
- Posts: 227
- Joined:
Re: firewall rules not work for some specific reason
i have no fasttrack rule all of them are for mikrotik built in fast track and yes i move my rules at first lines above all other rules and issue exist yet,
Re: firewall rules not work for some specific reason
I'm not sure I understand your requirement.
The firewall acts on L3. The hperf is sending the data to the router's L3 interface in the VLAN, and the firewall properly throttles the pps as the packets are routed from the subnet which lives in the VLAN to the uplink. Do you want to throttle the pps between two member ports of the same vlan?
The firewall acts on L3. The hperf is sending the data to the router's L3 interface in the VLAN, and the firewall properly throttles the pps as the packets are routed from the subnet which lives in the VLAN to the uplink. Do you want to throttle the pps between two member ports of the same vlan?
-
-
samsung172
Forum Guru
- Posts: 1191
- Joined:
- Location: Østfold - Norway
- Contact:
Re: firewall rules not work for some specific reason
it seems like you try to do a l3 firewall rule on a l2 interface? does your router route in and out of the vlan? if not - you must use bridge firewall and/or queues
-
-
blackmetal
Member Candidate
- Posts: 227
- Joined:
Re: firewall rules not work for some specific reason
hi,
yes my router route in and out ... this is my topology
My Upstream -> ETH1-Uplink <-> My CCR 1036(it has bgp too) <-> VLAN10(for dedicated server) <-> ETH2-SwitchUPLINK<-> CRS326/Brocade <-> ETH10/User-Dedicated-Server
so when i used that firewall rules i have same amount of pss on VLAN10 on my router but i do not have that amount on ETH1-Uplink and it cause high cpu load for me,
do you understand me?
yes my router route in and out ... this is my topology
My Upstream -> ETH1-Uplink <-> My CCR 1036(it has bgp too) <-> VLAN10(for dedicated server) <-> ETH2-SwitchUPLINK<-> CRS326/Brocade <-> ETH10/User-Dedicated-Server
so when i used that firewall rules i have same amount of pss on VLAN10 on my router but i do not have that amount on ETH1-Uplink and it cause high cpu load for me,
do you understand me?
Re: firewall rules not work for some specific reason
So
The CPU shows a high load as the firewall processing is also done by the CPU, so no matter whether the packet is finally forwarded or dropped, the CPU had to inspect it and decide what to do with it. There is no way to lower the CPU load if you let the traffic volume reach the Mikrotik from outside.
- without those firewall rules in question, the full volume of the traffic from a source in vlan10 towards the internet is passed to the uplink,
- with the rules in place, the traffic is throttled so it does not get to the uplink in full volume
The CPU shows a high load as the firewall processing is also done by the CPU, so no matter whether the packet is finally forwarded or dropped, the CPU had to inspect it and decide what to do with it. There is no way to lower the CPU load if you let the traffic volume reach the Mikrotik from outside.
-
-
blackmetal
Member Candidate
- Posts: 227
- Joined:
Re: firewall rules not work for some specific reason
understood,
if i want have limited traffic on vlan10 i should limit traffic on the switch right? so the traffic does not reach VLAN10 and CCR does not process it ? in any other way traffic should reach vlan10 right?(when traffic reach vlan10 i can decide drop or forward it right?)
if i want have limited traffic on vlan10 i should limit traffic on the switch right? so the traffic does not reach VLAN10 and CCR does not process it ? in any other way traffic should reach vlan10 right?(when traffic reach vlan10 i can decide drop or forward it right?)
Re: firewall rules not work for some specific reason
Correct in all points. Just instead of throttling the traffic on the switch between the source device and the Mikrotik, it might be possible to set a bandwidth limit directly on that device, depending on what it actually is (you normally can on linux server, you normally cannot on a smartphone).