kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Filter rules performance and ordering strategy ?

Tue May 10, 2022 4:35 pm

This thread is a "spin-off" of my thread about "how are counted filter rules on Mikrotik's products' test result pages".
It will focus more on filter rules definition and ordering performance.

It was mentioned in the past that each rule affects the performance differently, depending on the matcher (selected conditions) of that rule. The most extreme example would be the L7 matcher. Obviously 25 rules with an L7 matcher will be much slower than 25 rules of src-address matching.

I could not find any information about how to "rank" rules by performance (besides the obvious L7 matcher). Question 1: Does anyone have a link to such a ranking ?

For instance, I'm wondering the following from a performance point of view, maybe you could share your experience:
  • globally I have in my rules set 1) input chain rules 2) output chain rules, and finally 3) forward chain rules -> Question 2: Is this order important (i.e. would it change anything if I put input and output rules after forward ones) ?
  • for readability reasons, I usually (except for some cases where grouping ports makes sense) have 1 port per rule for a target device/interface. I.e. for N ports I have N rules. Question 3: Does it have a real impact on performance versus having a single rule with "port1, port2, port3, ... portN" (if not rechecking the src or destination each time) ?
  • I use "jump" rules based on "in interfaces" (i.e. if in. interface = "interface name" then jump to chain), Question 4: is there a performance difference doing it this way versus using src IP addresses with mask ?

Further here is my global "rules ordering strategy" (for the forward chain):
  • fasttrack connection
  • allow established, related, untracked
  • drop invalid
  • if protocol = icmp then jump to ICMP chain (then I do not check again for the protocol in the following rules and last rule of the chain is a drop)
  • if protocol = udp and port 123 allow traffic (ntp)
  • for each in. interface <vlan_interface> jump to specific "vlan_name" chain (Then in each chain I do not check the input interface anymore, and only have rules checking the protocol/dst port/out interface, and finish the chain with a drop)
  • drop all the rest

Logs are only done at "drop" time (I have very few "filter related" logs per day). The maximum number of filter rules (including the rules before the jump and the rules for the specific input VLAN) is 19. Around ninety percent of the traffic is handled by the first 2-3 rules in each specific VLAN chain (i.e. for legit traffic, rule number 7 up to 9 accepts the traffic, except for some specific chains which may need some more checks) and the VLAN chains are ordered so that the ones with the most traffic are at the top of the list. I also have "sub chains" for specific rules shared by multiple VLANs (for instance for printers, or to access some shared services).

Question 5: Does this strategy sound "ok" to you ?

I know that one improvement I could do is to replace each "drop" at the end of each specific VLAN chain by a "return" and move the jump to the ICMP chain and the NTP rules just before the "drop all the rest" rule. This would "save" two matches for most of the non-fast-tracked as well as non-ICMP traffic, but I would lose from a readability perspective. This is why I'm not doing it.

Question 6: Would it be worth it to move these rules to the end in your experience/opinion ?

Thank you in advance !
Last edited by kraal on Tue May 10, 2022 5:07 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Filter rules performance and ordering strategy ?

Tue May 10, 2022 5:03 pm

Yes, it is always advisable to use separate chains for seldom-evaluated rules and branch to them with a jump rule.
Also, when you need content matching (usually you do not need it and if you think you need it, you probably need to think again) it is not advisable to use it in filter rules, but rather you should use it in mangle rules where you filter on L7 only for traffic without connection mark, then apply a connection mark in your rule filtering on L7 content.
Then you can use the connection mark to handle these connections (block them, assign a priority, assign a packet mark to use in a queue, whatever).
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Filter rules performance and ordering strategy ?

Tue May 10, 2022 5:11 pm

It does not matter in which order the chains show up on the list. What matters, or is best practice, is that a chain is ordered within itself.
Thus one should never see a forward chain rule mixed in with input chain rules etc.................

This is problematic. One does not deal with ICMP and udp 123 (NTP) rules in the forward chain, perhaps you meant INPUT CHAIN??
> Further here is my global "rules ordering strategy" (for the forward chain):
> fasttrack connection
> allow established, related, untracked
> drop invalid
> if protocol = icmp then jump to ICMP chain (then I do not check again for the protocol in the following rules and last rule of the chain is a drop)
> if protocol = udp and port 123 allow traffic (ntp)
> for each in. interface <vlan_interface> jump to specific "vlan_name" chain (Then in each chain I do not check the input interface anymore, and only have rules checking the protocol/dst port/out interface, and finish the chain with a drop)
> drop all the rest


Furthermore, do not waste your time with a gazillion ICMP rules, and jump, tis overly complex with no gain. Simply accept ICMP in the input chain and move on to more important things.

KISS --> Defaults + What you need to allow + drop all.
viewtopic.php?t=180838
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Filter rules performance and ordering strategy ?

Tue May 10, 2022 5:58 pm

> It does not matter in which order the chain shows up on the list. What matters or is best practice is a chain is ordered within itself.
@Anav, this is an excellent opportunity for you to write another new "best practice" with explanations. : -)

> Thus one should never see a forward chain rule mixed in with input chain rules etc.................
I may have misunderstood your point but when it comes to for example inp/fwd it's rather a WinBox GUI problem (viewtopic.php?t=171917#p840505). This typically confuses new users when performing their first config.

> KISS
Agreed, XOXOXO ;-)
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Filter rules performance and ordering strategy ?

Tue May 10, 2022 6:24 pm

My 2 cents: most rules (apart from L7 rules) probably take a more or less similar amount of resources to process. So the ordering of rules (within a chain) should consider these rules:
  • rules affecting more packets should be higher in the chain
  • more specific rules should be higher than more general rules with opposite action.
    Example would be: "accept UDP packets with dst-port=123" higher than "drop UDP packets"

The exact priority of rules above is not cast in concrete, the resulting rule order needs to deliver correct behaviour first and good performance comes second.
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Tue May 10, 2022 7:44 pm

@anav thank you for your answer and time. But...

> This is problematic. One does not deal with ICMP and udp 123 (NTP) rules in the forward chain, perhaps you meant INPUT CHAIN??

Problematic to have ICMP and NTP rules in the forward chain ? Uh... why ?
I have intervlan traffic, and need some ICMP traffic to be allowed between some VLANs which are part of an interface list.
The NTP server is not on the router, and devices in VLANs need to contact it (and the router as well, that's why there is an output rule as well).
Can you please tell me how to achieve this "with input rules only" to make it less "problematic" ?

> Furthermore, do not waste your time with a gazillion ICMP rules, and jump, tis overly complex with no gain. Simply accept ICMP in the input chain and move on to more important things.

Gazillion ? Waste your time ? Overly complex ? No gain ? Simply ? Move on ? More important things ?
Nice combo sentence... I'm happy to read that you know better than I do what should be "more important" to me :-D

That being said, I definitely won't keep a flat 100-rules-long forward chain. I prefer to have 12 jumps and chains composed of 3 to 13 rules each.
Now you can prefer coarse-grained filter rules, I prefer fine-grained ones. But that's a choice.
If you want some "gains" of this choice: accept fast, fast chain evaluation ending, increased readability, increased understandability of what is allowed and happening on the network, increased maintainability, easier detection of suspicious events to name a few.
Last edited by kraal on Tue May 10, 2022 7:50 pm, edited 1 time in total.
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Tue May 10, 2022 7:50 pm

> • rules affecting more packets should be higher in the chain
> • more specific rules should be higher than more general rules with opposite action.
>   Example would be: "accept UDP packets with dst-port=123" higher than "drop UDP packets"
Completely agree on this. This is what I'm doing, and I would add that jumps to the sub-chains used most should be as high as possible in the chain, and that what is checked in the "jump" rule should not be re-checked in the sub-chain.

The question was more about the computing complexity of each rule.
For instance : which one is faster to match: address or interface ? address list or interface list ?
Or as I wrote above: 4 rules that accept traffic to 4 different tcp ports or a single rule which accepts tcp traffic to all 4 ports (separated by a ",")

Does anyone have figures showing "when it stops being negligible" ?
 
jbl42
Member Candidate
Posts: 214
Joined: Sun Jun 21, 2020 12:58 pm

Re: Filter rules performance and ordering strategy ?

Tue May 10, 2022 8:17 pm

> Does anyone have figures showing "when it stops being negligible" ?
The impact and scalability of FW rules depends on device capabilities like number and speed of CPU cores, RAM size and l3hw offload in the switch chip.
So it is hard to come up with numbers among different MT devices.

For RB4011/5009 in my experience routing performance is not impacted in a relevant way up to ca. 100 "normal" FW rules. I never used L7 rules so far.
But your mileage may vary.

And yes, it would be nice if Mikrotik would specify those "25 rules" used for the "official" measurements.
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Tue May 10, 2022 9:06 pm

> The impact and scalability of FW rules is depending on device capabilities like number and speed of CPU cores, RAM size and l3hw offload in the switch chip.
> So it is hard to come up with numbers among different MT devices.

I agree that overall raw performance will depend on the device, its resources and how they are used.

I was wondering if anyone had access to "official" statements such as (I'm completely inventing the case) "address matching is faster than interface name matching and consumes less memory" or "if it makes sense, regroup ports to be checked in a single rule as port field is checked using regexp matching which is less CPU intensive and memory consuming than having separate rules."

This kind of statement could help better write rules.

> For RB4011/5009 in my experience routing performance is not impacted in a relevant way up to ca. 100 "normal" FW rules.

100 total for input + output + forward chain ?
What happens above those 100 rules ? Is the performance drop linear or exponential ? (I'm asking because I'm interested in the 5009 once PIM-SM is supported)
 
jbl42
Member Candidate
Posts: 214
Joined: Sun Jun 21, 2020 12:58 pm

Re: Filter rules performance and ordering strategy ?

Tue May 10, 2022 9:47 pm

> 100 total for input + output + forward chain ?
Yes, 100 "non raw" rules in total.
> What happens above those 100 rules ? Is the performance drop linear or exponential ? (I'm asking because I'm interested in the 5009 once PIM-SM is supported)
For our use cases, it is good enough if RB5009 forwarding can max out the 1GB uplinks. This works with 100 rules.
Some not so scientific lab experiments showed 1.5 - 2 GB/s for RB5009 with NAT and 100 rules and 3-4 GB/s with NAT and 25 rules.
L2 Bridging with VLAN filtering has full HW support on RB5009 and works with wirespeed and no CPU impact.

Regarding rule order:
As rule processing is stopped on the first matching rule, it is advised to put the rules matched with higher probability first. Ideally, the rule packet counters descend with higher rule number as far as possible while still achieving the desired logic.
On routers, I usually place the accept/forward rules for "established, related" on top of the input/forward rules. They match by far the biggest amount of packets.
Everything possible with RAW rules (like dropping IP spoofs on input) should be done with RAW rules so packets are dropped early before connection tracking starts.

Mixing order of input/forward/output rules does not impact performance, as input packets are only matched against input rules, forward packets only against forward rules etc.
But keeping the order of input/forward/output rules obviously increases maintainability of the rule set.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Filter rules performance and ordering strategy ?

Tue May 10, 2022 10:41 pm

No worries, Kraal, now that I know you have a LAN based NTP server on the input chain. That makes more sense for other LAN users to be able to access or not the NTP server.

Also I have never encountered a config where someone felt it necessary to overcontrol ICMP on the forward chain. I think it's bogus on your part but as you can tell I am a sceptical sort LOL. Most of the time people don't understand that even though VLANs are blocked from each other, one can still ping the IP address of any subnet within the router as normal function. If you want to block the ability to do that there was a way but I don't remember, as it seemed pointless to me.

I would be curious to see how you have structured your VLAN rules as I typically don't have that many or as complex a setup and simply grouping VLANs in smart interface lists allows me to minimize the number of rules for the functionality desired.

I am aware of using jump for close to what you stated, in this case DST nat rules where one has a fixed WANIP and many associated rules. In this case it makes sense where if the fixed IP changes one only changes one line of the config!!
Code:
/ip firewall nat
add chain=dstnat dst-address=1.2.3.4 action=jump jump-target=port-forward
add chain=port-forward protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.1.10
add chain=port-forward protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.10.33
...
add chain=port-forward protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.20.13
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Filter rules performance and ordering strategy ?

Tue May 10, 2022 11:00 pm

> @Anav, this is an excellent opportunity for you to write a another new "best practice" with explanations. : -)
viewtopic.php?t=180838
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Filter rules performance and ordering strategy ?

Tue May 10, 2022 11:25 pm

No, no - I mean a new one that's more detailed! ; -) "KISS"
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Filter rules performance and ordering strategy ?

Tue May 10, 2022 11:48 pm

> No, no - I mean a new one that's more detailed! ; -) "KISS"
What's missing LOL.............. It's all there...................
Oh I forgot, do not smash the MT device with a bat when frustrated?
Last edited by anav on Wed May 11, 2022 2:46 pm, edited 1 time in total.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 10:23 am

So you have no evidence that using some weird matching scheme from which you build a number of chains is better than using a single flat rule list?
Or that processing speed is even affected by the number of chains?
And you did all that just to watch packets flow through your nicely built chains?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 10:48 am

The processing of chains is sequential until a rule accepts or rejects the traffic. So when you have 100 rules that each check for a combination of match criteria (input interface, protocol, port number) it is more efficient to group them into separate chains for partly the same criteria but not matching most of the traffic.
E.g. when you really want to split hairs on ICMP traffic (what types/codes you want to allow or not) it is better to first match all ICMP with a rule that jumps to a separate chain for ICMP handling and in that chain do all that checking. Most traffic will not be ICMP and it will not take that branch, and will not have to process all those rules.

Similarly it is often good to separate chains for clarity, e.g. I often match on an interface(list) matching traffic coming from internet and send it off to a separate chain like input-inet. This can also improve performance when there is a lot of traffic from several other interfaces.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 10:52 am

> [...]
> Similarly it is often good to separate chains for clarity[...]
But, besides clarity, is there any proven performance improvement?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 11:51 am

I explained above how it works. When you have 20 rules that each check a different variant of ICMP and you replace that with a jump to a separate chain it will perform a factor of ~20 better.
Of course that will not make your router 20 times faster. It is only about the firewall part.
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 12:02 pm

> Also I have never encountered a config where someone felt it necessary to overcontrol ICMP on the forward chain. I think its bogus on your part but as you can tell I am sceptical sort LOL. Most of the time people dont understand that even though vlans are blocked from each other, one can still ping the IP address of any subnet within the router as normal function. If you want to block the ability to do that there was a way but dont remember, as it seemed pointless to me.

Yes but 1) I don't want to give anybody access to infrastructure devices, 2) I want to be able to use ping between some VLANs without having to access infrastructure devices 3) I don't want to go to the server rack to plug a laptop into the management VLAN access port each time I need to do a ping 4) I haven't had the time yet to implement dashboards which will give all users an insight into devices / services which may be down or the ping time to a machine. 5) users are able and willing to use ping to check when needed

As a result I had to add forward rules to allow some ICMP.
Again if there is any other way I'll implement it willingly.
But if you want to call it bogus (as inter-VLAN ping shouldn't be allowed from a security perspective) or laziness, feel free, I won't be angry at you :-)

> I would be curious to see how you have structured your vlan rules as I typically dont have that many or as complex a setup and simply grouping vlans in smart interface lists allows me to minimize the number of rules for the functionality desired.

In fact, nothing fancy. As stated in the first post, there are some common rules, then jumps to vlan-specific rulesets triggered by a match on the in_interface. The jumps are ordered by priority/occurrence and so are rules within each ruleset.

For instance for the operating VLAN (one with the most specific rules): allow traffic to WAN, allow https traffic to the reverse proxy server hosted on the shared services VLAN, allow tcp/udp for AFP/ NFS to NAS, allow git over ssh, all three deployed on the storage VLAN, jump to the dns chain to allow DNS traffic to the piHole server (tcp/udp + to tcp blocked pages) which is hosted on the shared services VLAN, jump to the printing chain to access to network printers and scanners. 1 rule to drop silently unwanted broadcast traffic, and the catch all final rule to drop anything else and log it... a total of 12 "specific" rules.

Another example: The management VLAN has 16 specific rules as there are specific needs (such as ability to ssh to firewalls and DMZ, access proxy for update, specific protocol/ports for devices remote management, specific logging in order to easily identify issues without having them buried with other logs)

Some do only have 2-3 rules, for instance the printing VLAN which is only allowed to access the local proxy for updates and to access selected ports of devices on the network. Each ruleset has at least 1 rule for dropping silently some traffic (in order to avoid flooding the logs as these packets are understood but considered to be ignored)

Is it difficult to manage ? Definitely not. Was it difficult to set up ? Not in my opinion. It took some time for each VLAN to document requirements, but this was an iterative process over a few days (not full time of course): allow all and log everything, then analyse each log and decide to allow or drop silently and document it. Now, if there is a change, a new service, new device or if anything else new / unexpected happens it gets logged and easily detected. As it is documented it could be reused easily.

> I am aware of using jump for close to what you stated, in this case DST nat rules where one has a fixed WANIP and many associated rules. In this case it makes sense where if the fixed IP changes one only changes one line of the config!!

Exactly
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 12:07 pm

> [...]
> When you have 20 rules that each check different variant of ICMP and you replace that with a jump to a separate chain it will perform a factor of ~20 better.
> [...]
Yes... the concept is simple, and can be applied to all type of traffic.

Ignoring established, related, untracked and invalid, which obviously must be processed first of everything, without any need to split them,
first splitting traffic by type (ICMP/UDP/IPSEC-ESP/TCP/GRE/IPv6-encap/not redirected) avoids the packet being processed more times to check each firewall rule;
instead it is processed "at least" once for each "redirect" (and "return", if needed) but not for all subsequent checks on the firewall.
The same applies to the RAW and NAT sections.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 12:13 pm

Theory looks nice!
How about some real world numbers?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 12:19 pm

Home users on SMIPS surely notice the difference,
other home hardware for sure does not notice the difference...

But about big networks, like some of my firewalls that each serve nearly 500 users with Giga of traffic, the latency and CPU usage change drastically.
Obviously hardware counts!!!
One RB1100AHx2 compared with a CCR1036-12G-4S....

About real world, sorry but I can't "play" with hardware in production, and can't post configuration or screenshots of firewalls ;)
But when I change devices for upgrade, some tests reveal the difference...

I do not understand why you don't agree logically with the concept "less processed, less latency. Less used CPU, more fluency" ...
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 12:28 pm

> So you have no evidence that using some weird matching scheme from which you build a number of chains is better than using a single flat rule list?
> Or that processing speed is even affected by the number of chains?
> And you did all that just to watch packets flow through your nicely built chains?

I don't understand your aggressiveness... Anyway...

pe1chl gave you an answer. If you want mine, here it is: do you think that if you have 99 rules before the rule which should match, the CPU will "randomly and with a 100% success rate guess" that these 99 rules are not matching and thus avoid them or do you think that it will have to "compute" them all to have an answer ?

If you selected "guess" I don't know what else I should write to convince you, I'm stuck. However if you selected "compute" you may then start understanding that the less operations you ask the CPU to compute, the faster overall computing will be. So what other evidence do you need to understand that, if each rule has the same intrinsic complexity, "6 unmatched rules,jump,10 unmatched rules,drop" is 6 times more performant than "99 unmatched rules, drop" ?

That's why there is a difference on the test results pages between the line "none" and "25 rules"...

It is not "theory", it's logical thinking. If somebody tells me that a normal human being jumped naked into a pool full of liquid nitrogen, I don't have to see it for myself to know that this person is now dead... Logical thinking is enough.
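The "99 unmatched rules, drop" versus "6 unmatched rules, jump, 10 unmatched rules, drop" argument above (and pe1chl's ICMP-chain factor earlier in the thread, plus mkx's ordering rule) put into a small simulator that counts how many rules' matchers run before a verdict. This is an added example, not RouterOS code or anything posted in the thread: the Packet/Rule model, the three constructed VLAN port lists and the two rule layouts are assumptions made here; only the first-match, jump/return and fasttrack semantics follow the RouterOS filter behaviour the thread describes.

```python
# Toy model of sequential filter evaluation, constructed for this thread (not RouterOS code).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst_port: Optional[int] = None
    state: str = "new"         # connection-tracking state: new/established/invalid
    fasttracked: bool = False  # connection already fasttracked by an earlier packet

@dataclass(frozen=True)
class Rule:
    chain: str
    action: str                # accept | drop | jump | return | fasttrack
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    dst_ports: frozenset = frozenset()   # empty means "any port"
    state: Optional[str] = None
    jump_target: Optional[str] = None
    def matches(self, p: Packet) -> bool:
        return ((self.in_iface is None or self.in_iface == p.in_iface)
                and (self.proto is None or self.proto == p.proto)
                and (not self.dst_ports or p.dst_port in self.dst_ports)
                and (self.state is None or self.state == p.state))

def evaluate(rules, chain, p):
    """Walk `chain` top to bottom: stop at the first terminating match (accept or
    drop), follow jumps, and on return or end of a sub-chain resume after the jump.
    fasttrack-connection is non-terminating (the packet still needs the accept rule
    below it, as in the default config). Returns (verdict or None, rules evaluated)."""
    evaluated = 0
    for r in rules:
        if r.chain != chain:
            continue
        evaluated += 1
        if not r.matches(p):
            continue
        if r.action == "jump":
            verdict, sub = evaluate(rules, r.jump_target, p)
            evaluated += sub
            if verdict is not None:
                return verdict, evaluated
        elif r.action == "return":
            return None, evaluated
        elif r.action != "fasttrack":
            return r.action, evaluated
    return None, evaluated

def forward_verdict(rules, p):
    """Fasttracked connections bypass the filter; an unmatched built-in chain accepts."""
    if p.fasttracked:
        return "accept", 0
    verdict, n = evaluate(rules, "forward", p)
    return (verdict or "accept"), n

def common_rules():
    return [Rule("forward", "fasttrack", state="established"),
            Rule("forward", "accept", state="established"),
            Rule("forward", "drop", state="invalid"),
            Rule("forward", "accept", proto="udp", dst_ports=frozenset({123}))]

def tcp_accept(chain, port, in_iface=None):
    return Rule(chain, "accept", in_iface=in_iface, proto="tcp",
                dst_ports=frozenset({port}))

def flat_ruleset(vlan_ports):
    """One forward rule per (VLAN, port), then drop-all: the '99 rules, drop' layout."""
    rules = common_rules()
    for vlan, ports in vlan_ports.items():
        rules += [tcp_accept("forward", port, in_iface=vlan) for port in ports]
    return rules + [Rule("forward", "drop")]

def chained_ruleset(vlan_ports):
    """kraal's layout: jump per in-interface into a per-VLAN chain ending in a drop."""
    rules = common_rules()
    rules += [Rule("forward", "jump", in_iface=v, jump_target=v) for v in vlan_ports]
    rules.append(Rule("forward", "drop"))
    for vlan, ports in vlan_ports.items():
        rules += [tcp_accept(vlan, port) for port in ports] + [Rule(vlan, "drop")]
    return rules

# Constructed sample: three VLANs, one accepted TCP port per rule.
VLAN_PORTS = {"vlan10": (443, 22, 2049, 548), "vlan20": (443, 53, 631),
              "vlan30": (3128, 9100)}
def compare(vlan_ports, p):
    """(flat verdict, flat rules evaluated, chained verdict, chained rules evaluated)."""
    fv, fn = forward_verdict(flat_ruleset(vlan_ports), p)
    cv, cn = forward_verdict(chained_ruleset(vlan_ports), p)
    return fv, fn, cv, cn

def ordering_matters():
    """mkx's point: a specific accept below a general drop is shadowed by it."""
    ntp = Packet("vlan10", "udp", 123)
    specific = Rule("forward", "accept", proto="udp", dst_ports=frozenset({123}))
    general = Rule("forward", "drop", proto="udp")
    return (forward_verdict([specific, general], ntp)[0],   # correct order
            forward_verdict([general, specific], ntp)[0])   # shadowed
```

With ten VLANs of ten ports each, a new packet for the last VLAN's last port costs 104 matcher evaluations in the flat layout and 24 in the chained one, while an already fasttracked connection costs 0 in both; both layouts always reach the same verdict.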
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 12:33 pm

Oh, and if you still need more evidence, turn off connection fasttrack...
 
jbl42
Member Candidate
Posts: 214
Joined: Sun Jun 21, 2020 12:58 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 12:39 pm

> When you have 20 rules that each check different variant of ICMP and you replace that with a jump to a separate chain it will perform a factor of ~20 better.
I know ICMP is just an example for the principle here. But if we are at it anyway:
I never got why so many people try to tamper with ICMP in FW rules. Except in very special cases, the only ICMP rule required is "accept all ICMP on all interfaces".
ICMP is an important underlying part of IP and blocking it causes troubles like path MTU discovery failure, lost "host not reachable" messages and many more.
Despite popular and wrong belief there is nothing added to security by blocking incoming ICMP on WAN. In the best case, it does not cause problems.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 12:43 pm

So you open a topic about the uncertain performance benefit of your said rules, and now you're calling me aggressive when I'm asking for numbers?
Sheesh.
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 1:05 pm

> So you open a topic about the uncertain performance benefit of your said rules, and now you're calling me aggresive when I'm asking for numbers?
> Sheesh.

Did you even read the first post ? And the 6 questions that were asked ?
Did you read the post where I listed a few of the advantages, including maintainability, understandability and so on, of using jumps?
Yes you are aggressive and dishonest, not because you ask for numbers, but because of this type of comment coming out of nowhere:

> And you did all that just to watch packets flow through your nicely built chains.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 1:07 pm

Topic title is "Filter rules performance and ordering strategy ?"
I see nothing about performance, yet.
Please, continue.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 1:16 pm

> Topic title is "Filter rules performance and ordering strategy ?"
> I see nothing about performance, yet.
> Please, continue.
Please SHUT UP. The topic is not about you.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 1:19 pm

Of course it's not about me.
It's about firewall performance and I want to read more about it, can we stay on topic?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 1:27 pm

You have gained a place in my foe list. It is very short, but you deserve it.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 1:29 pm

@Znevna
If you can't trust a little, what someone is writing, this forum is not for you.
At this point, why should others consider whatever you write?

@pe1chl
I hope I'm not there too... ;)
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 1:33 pm

> I never got why so many people try to tamper with ICMP in FW rules. Except in very special cases, the only ICMP rule required is "accept all ICMP on all interfaces".

I don't fully agree with you.

From my understanding, using VLANs is (among other things) meant to provide isolation.
This results in the fact that when using VLANs, inter-VLAN ICMP traffic is blocked (yes it depends on manufacturers).
In order not to get into trouble where ICMP is required, one needs to allow this traffic with rules (at least it does not work if I don't add a rule on my router).
As such, I agree that ICMP should be allowed, at least between infrastructure equipment / management VLAN.

However if you know that there should be no traffic between some VLANs, why accept all ICMP then versus accepting it only where/when it is wanted/considered legit ?
For instance, why should untrusted devices be able to ping trusted ones ?
To me the "accept all ICMP on all interfaces" increases the attack surface and as such only allowing inter-VLAN ICMP traffic based on requirements makes sense (but maybe I'm wrong)
This does not seem to me to be a "very special case" so I'm interested in your / others' opinion.
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 1:39 pm

Topic title is "Filter rules performance and ordering strategy ?"
I see nothing about performance, yet.

Did you read the question mark at the end of the topic title?
As I assume that you understand the meaning of this character, and that you are able to read, the core problem must be that you're not willing to read. You guess, then bark...
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 1:46 pm

Please, let's stop this mess and get back to the OP.
I am getting several complaints about this topic from some users (from those who are just reading and are annoyed by the direction the topic is going)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 3:00 pm

Very nice points Kraal, I have a better understanding of the complexity of your setup and what you are trying to accomplish (I'm just a layperson learning).
I was not contemplating so many single rules for ONE VLAN, and what you say makes perfect sense, is backed up by others here and is similar to the example I provided about dst-nat.
My thinking was that you had multiple VLANs in various rules and thus INTERFACE LISTS seemed to be a more logical approach, which does not apply in your case.

However I do agree with the PINK BLOB, there is no need to overcontrol ICMP. Why? Because it
a. provides needed functionality testing etc...........
b. does NOT MEAN access to data, it's simply a utility and that means VLANs have full data integrity and separation with ICMP fully enabled and thus no need for any other rules.

Finally, I agree with Znevna in that I too would also like to know the performance gain by using the JUMP rules.
Intuitively, with my Llama senses, it seems that there will be some!
Obvious even to the most sleepy cat, such a design is easier to troubleshoot/review (being thusly organized) and as stated if one parameter on the initial jump rule needs changing well...........it affects only one rule and not XX rules!!

Conclusion: Even if performance gains are marginal, the clarity of the config, and efficiency for changes makes it palatable and well FUN, who doesn't like to jump, besides the lazy cat!
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 4:35 pm

However I do agree with the PINK BLOB, there is no need to overcontrol ICMP. Why. because it
a. provides needed functionality testing etc...........
b. It does NOT MEAN access to data, its simply a utility and that means VLANS have full data integrity and separation with ICMP fully enabled and thus no need for any other rules.

Point b) is not fully true. Data can be sent/retrieved using ICMP tunneling due to some ICMP design choices in the protocol. One could consider at first sight protocol tunneling as a low-probability risk, as it requires "infected" devices (and the ability to forge frames to achieve data exfiltration), but it does exist and it works. Not convinced? Check https://github.com/jamesbarlow/icmptunnel (just found it, I may try it this weekend if I can).

As such I still don't see why VLANs which do not need to know about other VLANs should be able to use ICMP to communicate with those other VLANs. Generalizing to "accept all ICMP from all interfaces" is not the right approach IMHO. It's blocked and you don't need it to be open? Leave it as is.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 6:40 pm

Well we can agree to disagree.
However if you need to be so anal........... then the following is a KISS solution.
Untrusted vlans are blocked from requesting a reply and the other vlans retain that capability.
........................
/interface list
add name=No-Request
/interface list member
add interface=VLANUntrusted-1 list=No-Request
add interface=VLANuntrusted-2 list=No-Request
......
add interface=VLANuntrusted-X list=No-Request
/ip firewall filter
add action=accept chain=input in-interface-list=No-Request protocol=icmp icmp-options=!8:0 comment="untrusted: any ICMP except echo-request"
add action=accept chain=input in-interface-list=!No-Request protocol=icmp comment="accept ICMP"
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 10:36 pm

As such I still don't see why vlans which do not need to know about other vlans should be able to use ICMP to communicate with those other VLANS. Generalizing to "accept all ICMP from all interfaces" is not the right approach IMHO.

Input chain is about connecting to the router itself. E.g. ping default gateway from a VLAN device. Or running traceroute from router, packets with low TTL triggering ICMP Time Exceeded from remote hosts targeting router (and its input chain).
But that doesn't affect traffic between routed networks, that's chain forward. And if firewall rules block all traffic between two VLANs, that includes also ICMP. So hosts from one VLAN cannot probe hosts in another VLAN, ICMP probes included.
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Filter rules performance and ordering strategy ?

Wed May 11, 2022 10:52 pm

The internet is full of firewall optimization guidelines which can be applied to MikroTik too

https://www.google.com/search?q=firewal ... tion+guide
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Filter rules performance and ordering strategy ?

Thu May 12, 2022 2:11 am

But that doesn't affect traffic between routed networks, that's chain forward. And if firewall rules block all traffic between two VLANs, that includes also ICMP. So hosts from one VLAN csn not probe hosts in another VLAN, ICMP probes included.
I beg to differ!! I was confused because I was thinking we had a drop rule in the input chain that should have blocked ICMP and yet a user on VLANX could ping the gateway of VLANY, but this occurs because the input chain had an allow (default) rule for ICMP that was non-discriminatory (from all to router). Therefore, to meet the OP's requirement, the rules above were provided.

The KEY TAKEAWAY is that ICMP to a gateway IS TO THE ROUTER and thus input chain, NOT forward chain!!

a. Routing on the MT device sends all traffic heading for any address on the "Router" via the input chain! This holds true for any internal interface on the router.
b. The exception is DST-NAT traffic which takes precedence (occurs prior to) and traffic in this case follows the Forward chain.

Therefore I am not sure what you mean by firewall rules and the FORWARD CHAIN blocking ICMP. I think you are mistaken!!
What the forward chain rules do is BLOCK actual DATA traffic between vlans/users.

For KRAAL, the conclusion is any icmp rules on the forward chain are a WASTE OF TIME (bogus)!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Filter rules performance and ordering strategy ?

Thu May 12, 2022 3:05 am

Devices behind the router can use ICMP too, so if you're worried about someone misusing it for unwanted tunnelling, you'd have to deal with it in the forward chain.
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Thu May 12, 2022 10:23 am

We diverged from the initial topic, but anyway, maybe I'll learn something new.

The KEY TAKEAWAY is that ICMP to a gateway IS TOO THE ROUTER and thus input chain, NOT forward chain!!

Why are you writing about ICMP to a gateway? You can ping devices as well, and while pinging the gateway relates to the input chain, pinging a device on another VLAN relates to the forward chain.

For KRAAL, the conclusion is any icmp rules on the forward chain are a WASTE OF TIME (bogus)!

OK, it's bogus, it's a waste of time... As I wrote, I won't be angry at you because of your opinions.
Now consider the following:

  • You have two VLANs: vlanA and vlanB
  • You have no ICMP-related rule in your forward chain
  • You have a rule at the end of your forward chain which drops everything
  • You need to allow pings from a deviceA on vlanA to deviceB on vlanB for whatever reason (let's say it's not your choice, a service uses ping for whatever reason, you have no control over it and if you block it it stops working)
  • You have no "accept all from vlanA to vlanB" rule in the forward chain

How do you allow deviceA to ping deviceB, without adding a "bogus, waste of time ICMP rule" to the forward chain?
My understanding is that the forward chain is the right place.
I want to learn, and I accept the fact that I may be missing something important.
Maybe the right way to do it is different. But as you wrote: KISS please.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Filter rules performance and ordering strategy ?

Thu May 12, 2022 11:00 am

When you have two VLANs, and you do not want to have routing between them, then it is unreasonable to have a request like "but hosts should be able to ping each other".
As you already wrote before, being able to ping is being able to exchange information. Which you don't want.
OTOH, there is no reason why hosts should not be able to ping the gateway, as it cannot be used to exchange information.

The whole reason why this thread gets out of hand is that unreasonable requirements are formulated and implemented.
Some people recognize that the suggested way is an efficient way to implement the requirements, others focus on the "why would you want to do that???" only.
There is no way you can get these two groups to agree.

Please close the topic.
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Thu May 12, 2022 12:26 pm

The whole reason why this thread gets out of hand is that unreasonable requirements are formulated and implemented.
Please close the topic.

I don't think that, for instance, allowing ping monitoring from a device on a specific VLAN to devices in other VLANs for synthetic monitoring is an unreasonable requirement. Limited monitoring (host alive): yes, but is it "unreasonable"?

And what about when you have a hardware device on a VLAN which is not supposed to reach the WAN but continuously tries to ping a remote unknown host, and you need to fake a pong in order to avoid alerts (red LED on the device's front panel)? Stupid implementation: yes (out of my control, and in the current case even the device producer was not aware of the problem, as they are only using an IC which embeds this behavior), but is it an "unreasonable" requirement to try to get rid of such alerts?

But you're right, let's close the topic.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Filter rules performance and ordering strategy ?

Thu May 12, 2022 5:08 pm

Hi Kraal,
No need, all is good. I was fixated on being able to contact the interfaces (gateway IP/address) etc. and not on device to device. My apologies and I do appreciate your patience with me!
Simply done, let's say you have an IT tech that does this work for you - checking if devices are live.
.............
/ip firewall filter
add action=accept chain=forward in-interface=vlanX src-address=IT-TECH-IP out-interface=vlanY protocol=icmp icmp-options=8:0

If the tech needs to do the same for VLANs A, B, C as well, then create an interface list including A, B, C, Y and call it untrusted.
/ip firewall filter
add action=accept chain=forward in-interface=vlanX src-address=IT-TECH-IP out-interface-list=untrusted protocol=icmp icmp-options=8:0
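
Putting kraal's two-VLAN scenario and the ICMP-tunnelling concern raised earlier in the thread together, here is an added example configuration. It was not posted by anyone in the thread and is not MikroTik's own; the interface names vlanA/vlanB, the LAN interface list, the 192.0.2.x addresses (documentation range) and the 128-byte size cap are all assumptions to adjust before pasting. It shows the whole forward chain, because the place of the ICMP exception relative to fasttrack, established/related and the final drop is what decides whether it is evaluated at all:

```routeros
# Added example (not from the thread). Assumed names:
#   vlanA / vlanB   - the two routed VLAN interfaces
#   192.0.2.10      - "deviceA", the host on vlanA that must be able to ping
#   192.0.2.130     - "deviceB", the host on vlanB being pinged
# Both VLANs go into one list so the log rule can name "inter-VLAN" once.
/interface list
add name=LAN
/interface list member
add interface=vlanA list=LAN
add interface=vlanB list=LAN

/ip firewall filter
# 1. Fast path first: packets of tracked connections never reach the rules below,
#    so the ICMP exception costs nothing once the first packet has been accepted.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# 2. The one ICMP exception, as narrow as the requirement: echo-request only
#    (type 8, code 0), one source, one destination, one direction.
#    packet-size caps the whole IP packet: a stock 84-byte Linux ping or 60-byte
#    Windows ping passes, an echo stuffed with a tunnel payload does not.
#    limit keeps the rate at what a monitor needs (10 per 5 s, burst 2);
#    packets over the limit fall through to the log + drop rules below.
#    Echo replies come back through the established/related rule in step 1,
#    so no separate echo-reply rule is needed.
add chain=forward action=accept in-interface=vlanA out-interface=vlanB \
    src-address=192.0.2.10 dst-address=192.0.2.130 \
    protocol=icmp icmp-options=8:0 packet-size=0-128 limit=10/5s,2:packet \
    comment="deviceA -> deviceB echo-request only"

# 3. Make every other inter-VLAN ICMP packet visible before it dies, so a
#    tunnelling attempt leaves a trace instead of silently hitting the final drop.
add chain=forward action=log log-prefix="icmp-denied" protocol=icmp \
    in-interface-list=LAN out-interface-list=LAN comment="log stray inter-VLAN ICMP"

# 4. Nothing else crosses VLANs.
add chain=forward action=drop comment="default drop"
```

Verify with `/ip firewall filter print stats where chain=forward` while deviceA pings deviceB (only the exception rule's counters should move) and `/log print where message~"icmp-denied"` while any other host tries. The size and rate caps raise the cost of an ICMP tunnel rather than ruling one out: a patient tunnel can still trickle data in tiny echoes, so where the requirement does not actually need ICMP between two VLANs, the right number of ICMP rules in forward is zero, which is the point several posters above were making.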
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Thu May 12, 2022 5:29 pm

My apologies and I do appreciate your patience with me!
No worries, and I indeed prefer the word "patience" to the "anal..." one you used before ;-) (maybe they are somewhat related but that's another topic. lol)
BTW, the examples you gave are more or less what I have in my chain.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Filter rules performance and ordering strategy ?

Thu May 12, 2022 6:48 pm

@kraal,
you want really close your topic "Filter rules performance and ordering strategy ?" ?
Thanks.
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Filter rules performance and ordering strategy ?

Thu May 12, 2022 7:45 pm

@rextended wrote: @kraal, you want really close your topic "Filter rules performance and ordering strategy ?" ? Thanks.

@rextended: Why? When did you become the new /morals/ethics/design/thread/post/structure/content/police?? Pick anyone you like!

As long as someone finds it interesting to discuss a topic, there is no reasonable reason for you to start some kind of censorship just because it doesn't appeal to you personally.
 
kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Filter rules performance and ordering strategy ?

Thu May 12, 2022 8:03 pm

@kraal,
you want really close your topic "Filter rules performance and ordering strategy ?" ?
Thanks.
I was talking about the icmp rules topic (which is by the way "off topic"). So the answer is "no".
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Filter rules performance and ordering strategy ?

Thu May 12, 2022 8:55 pm

@Larsa, I do not want to close any topic; it appeared to be a request coming from @kraal (the OP) and other users.
That is also why I asked first, to avoid a misunderstanding.
It is evident that before writing, you do not read the previous posts.
And please don't write that way again.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Filter rules performance and ordering strategy ?

Thu May 12, 2022 8:58 pm

I was talking about the icmp rules topic (which is by the way "off topic"). So the answer is "no".
Ok, thanks for the clarification :)
I had a hunch about it :roll:
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Filter rules performance and ordering strategy ?

Fri May 13, 2022 12:56 am

Larsa misunderstood your English is all. She hasn't latched onto your particular dialect like the rest of us............ :-)
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Filter rules performance and ordering strategy ?

Fri May 13, 2022 1:03 am

Dialect? It is clear... It is a question, it is not "now I want to close this topic".

@pe1chl
[...] Please close the topic.
@kraal
[...] But you're right (@pe1chl), let's close the topic.
@rextended
@kraal,
you want really close your topic "Filter rules performance and ordering strategy ?" ?
Thanks.

Where is the dialect on "you want really close your topic"?
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Filter rules performance and ordering strategy ?

Fri May 13, 2022 7:27 am

@Rextended, it was I who read carelessly and missed the others.

I humbly apologize for this, it was entirely my fault!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Filter rules performance and ordering strategy ?

Fri May 13, 2022 10:46 am

@Larsa
This is one of the very few times that someone has answered me with kindness.
I thank you.
Sincerely.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Filter rules performance and ordering strategy ?

Fri May 13, 2022 2:16 pm

Are we finished holding hands yet! ;-)
Getting back to reality, the problem with your statement is simple: you are missing the main part of the question, "DO"!
From
"you want really close your topic"?

To
DO "you want really close your topic"?
++++++++++++++++++++++++++++++++++++++++

The latter is a clear question without tone, less ambiguous, and shows the writer is not certain whether you really want to close the topic or not.
The former is more of a sarcastic approach and is posed in a more confrontational tone and infers that there is a problem with the recipient of the question.

Hence, Larsa glommed onto the tone, whereas those of us who know you simply read it as a simple question because we have learned that improper tone and syntax are byproducts of your dialect.
Dialect being a kind word for: you communicate in English in a stilted manner - basically cut your words/sentences too short most of the time, and this is not the first time where it can and has created a bit of confusion. I find it charming and amusing, otherwise I would cry too much! :-)

+++++++++++++++++++++++++++++++++++++++++++
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Filter rules performance and ordering strategy ?

Fri May 13, 2022 2:57 pm

¯\_(ツ)_/¯