Hi folks,

I'm looking for a generic "explanation" on what to take into account to have a configuration that even though is complex, will not slow down the router too much.
I looked here and there, and google was not really specific on the found answers.

At the moment, when I max out my ADSL link ( 12Mbps/1Mbps private setup), my router has a cpu load going from 35% to 60%.
The implications of that is that I have my girls "screamin" "I can't watch Youtube anymore" as the WiFi links become slow.

Now - having checked my configuration - I know it is complex, but I have also lots in my lan.
A short setup explanation.
Router RB493G with 2 mini PCI cards providing 2 Wireless LAN's. 1 in 2.4Ghz (protected/limited for children and Multimedia LAN), 1 in 5Ghz MiMo - point to point to one other router for our Gaming LAN (2 computer connected to that Router).

All ports of the Router (9 ethernet + 2 WiFi) are used for 4 Subnet/Lan's;
1. World -> Internet.
2. Internal Lan bridges the 2 WiFi networks and some 4 Ethernet ports.
3. Office Lan using 2 Ports (also VOIP).
4. Service network (My internet server is on that one).

On top of that - all networks are separated from each other with specific rules.
Now - I have added some more gimmicks into its configuration:
- Lots of filtering
- Mangling is set
- Packet and connection marking - traffic priority and network lockdown for the kids between certain times
- Tarpit setup for the gaming systems
- dynamic and static blacklists. Dynamic are updated through different sources (Web, Mail, System attacks, as direct router attacks), static IP's by importing various blacklists from some known sites.

The thing is. I know that what I did, the way I programmed it - has grown over time. However, I have 180 Filter rules, 24 Nat rules, 23 Mangle rules, and usually around 800 Blacklisted IP & Subnets in the respective address lists.

What can I do to lower the load of my router ?

Is there an alternative router that would be more powerful I could use ? knowing that I need 2 Wireless LAN's and at least 9 Ethernet ports ?

Are you using custom chains in firewall? It may speed up the processing as not all rules need to be passed when firewall rules are conditionally split into special chains.

Yes. I have specific chains that are activated on specific occurrences.
5 non regular chains (pub2dmz, virus, port_scan,SYNC_Protect and Times).
The blacklist is applied to the input chain (to block out any access requests to the router itself), and to the forward chain to limit access to these IP's/Subnets.

If you don't need queues or mangle reclassification of already running connections you can pass allowed connections around the firewall by fasttrack. Or at least part of them.

You can rethink and rebuild your firewall structure, that could help a bit. And after all you can buy more powerful router, of course...

Shouldn't queues be the answer? Because described behaviour is very familiar. One PC saturates the line by something and others have hard time squeezing their stuff through. Router's CPU might be almost idle and it still happens. Queues can make sure that all clients get their fair share of bandwidth. But I admit that my experience with this is limited to only lines with predictable speed, while ADSL does not sound like one (but it may be just bad experience with what we have here).

Shouldn't queues be the answer? Because described behaviour is very familiar. One PC saturates the line by something and others have hard time squeezing their stuff through. Router's CPU might be almost idle and it still happens. Queues can make sure that all clients get their fair share of bandwidth. But I admit that my experience with this is limited to only lines with predictable speed, while ADSL does not sound like one (but it may be just bad experience with what we have here).

You are right. I have set the queues already - optimized for gaming and interactive accesses (ssh and so).
But these are not the limiting factor.

Regarding the router - it has 680Mhz tact - which should be enough.
I however suspect the bridge between eth and 2 WiFi networks to be the real culprit... Will have to test some more.

If you don't need queues or mangle reclassification of already running connections you can pass allowed connections around the firewall by fasttrack. Or at least part of them.

That may be an idea. Will have to check that out. Do we have some example on configuration that use fasttrack in combination with queues ? queues ?
Thx.

You have to select if the connection will be queued or fasttracked. You cannot have both at once for the same connection.