cyberdocwi
just joined
Topic Author
Posts: 4
Joined: Fri Jan 23, 2015 8:56 am

Firewall Filtering Performance

Wed Sep 15, 2021 6:34 pm

Hello,

I am using a CRS109 that faces the internet as a switch, running RouterOS. It took me a little bit to figure out that I needed to remove the hardware offloading to force packets through the CPU to firewall properly... as the switch chip bypasses any firewalling opportunities. Yes, the input chain will firewall, as the packet has to travel to the CPU, but I would like to also protect machines behind this switch using the forward chain.

To whomever drew the packet flow maps, thank you for pointing that out!

I can firewall using IP -> Firewall -> Filter Rules, but can also firewall using Bridge -> Filters.

Has anyone run CPU performance checks on which method is more efficient? The CRS109 is able to keep up with the CPU at 40-60% when maximum packets are flowing from the internet (100 Mbps service).

Thank you for any feedback.

Christian
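As an added configuration example (not the poster's own config), this is what the two steps described above look like in RouterOS CLI terms: taking the bridge ports off the switch chip so frames reach the CPU, and then filtering bridged traffic in the IP firewall's forward chain. The bridge name bridge1, ether1 as the internet-facing port and 203.0.113.10 as a protected host are assumptions.

```routeros
# Step 1: disable hardware offloading on every port of the bridge so frames are
# processed by the CPU instead of being switched in the chip (assumed bridge name).
/interface bridge port
set [find bridge=bridge1] hw=no

# Step 2: make bridged (layer-2 forwarded) traffic traverse the IP firewall's
# prerouting/forward/postrouting chains; without this only the input chain
# ever sees packets that are merely switched between ports.
/interface bridge settings
set use-ip-firewall=yes

# Step 3: forward-chain policy for hosts behind the switch. in-bridge-port
# matches the physical port a frame entered on once use-ip-firewall is enabled.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="fast path for existing sessions; keep first to save CPU"
add chain=forward connection-state=invalid action=drop \
    comment="drop malformed or out-of-state packets"
add chain=forward in-bridge-port=ether1 protocol=tcp dst-address=203.0.113.10 \
    dst-port=443 connection-state=new action=accept \
    comment="allow HTTPS to protected host (assumed address)"
add chain=forward in-bridge-port=ether1 connection-state=new action=drop \
    comment="default deny for new connections arriving on the internet port"

# Check the CPU cost of the rule set while traffic is flowing (cpu-load field).
/system resource print
```

Rule order matters for the CPU figures discussed in the thread: with the established/related accept first, only the first packet of each connection walks the remaining rules.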
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Firewall Filtering Performance

Wed Sep 15, 2021 8:51 pm


I can firewall using IP -> Firewall -> Filter Rules, but can also firewall using Bridge -> Filters.
If I understand the MikroTik Wiki correctly, there shouldn't be any difference.
Nevertheless, I tried it a couple of weeks ago with a CRS112-8P-4S-IN
with about 20 filter rules; there wasn't any difference in performance.


We ended up using IP -> Firewall -> Filter Rules,
the only reason being that every filter rule is in a central location.
Last edited by ConnyMercier on Thu Sep 16, 2021 9:30 am, edited 1 time in total.
 
cyberdocwi
just joined
Topic Author
Posts: 4
Joined: Fri Jan 23, 2015 8:56 am

Re: Firewall Filtering Performance

Thu Sep 16, 2021 12:16 am

Hello,

Thank you for the response. I am also leaning toward IP -> Firewall -> Filter because that is where I have put the rules in the last 15 years of using MikroTik as a router... and it is intuitive, as opposed to going into the Bridge and locating the filtering there.

I did find in my testing that Gigabit saturation will floor the CPU at 100% and the circuit will slow down significantly. But for the 100 Mbps service we have, the CPU is in the 50's and the network line is saturated with expected performance.

Thank you for the comment.
