 
gmsmstr
Trainer
Topic Author
Posts: 982
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Pros/Cons using RAW vs Filter

Fri Jan 20, 2023 7:06 pm

Question for the hive:

What are the pros and cons of using RAW instead of filters, assuming you do not have connection tracking turned on (or even if you do)?
You can match the input chain by adding a jump on dst-address-type=local to a raw-input chain.

Any other pros/cons to this?
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Pros/Cons using RAW vs Filter

Fri Jan 20, 2023 7:17 pm

In most cases most of the extra bloatware is not required. Use drop all at end of input chain and forward chain and get a life, go see a movie.
 
holvoetn
Forum Guru
Posts: 5412
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Pros/Cons using RAW vs Filter

Fri Jan 20, 2023 8:01 pm

Raw is less processor load. A lot less.
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Pros/Cons using RAW vs Filter

Fri Jan 20, 2023 8:19 pm

Raw should only be considered by advanced users. The wrong use or unexpected consequences of raw are not trivial, and in 99% of cases it is not needed, especially by homeowners.
It would be a rare case, IMHO, that use of raw over standard filters would make a significant difference in the user experience.

Being trainer certified, probably fine to use if you have a heavy load and a client needs as efficient a setup as possible. On the other hand, any setup should be designed at 50% capacity max from the get-go. So I still have my doubts.

What peeves me is the MT recommended bloatware firewall page where all these newbies are getting the idea to stuff their config with sheite they don't really understand, never mind don't need.
So holvoetn, don't promote or support this BS or I will have to visit, and drink your booze, eat your food and convince your spouse I am a far better option (assuming you're a he/hij lol)
Last edited by anav on Fri Jan 20, 2023 8:27 pm, edited 1 time in total.
 
gmsmstr
Trainer
Topic Author
Posts: 982
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Re: Pros/Cons using RAW vs Filter

Fri Jan 20, 2023 8:19 pm

Raw is less processor load. A lot less.
Assuming that the router has connection tracking turned on. What if it is off? I would assume RAW would be the FIRST place to drop or accept data, but I'm just trying to understand if there are any cons to it or not.
 
gmsmstr
Trainer
Topic Author
Posts: 982
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Re: Pros/Cons using RAW vs Filter

Fri Jan 20, 2023 8:20 pm

Raw should only be considered by advanced users. The wrong use or unexpected consequences of raw are not trivial, and in 99% of cases it is not needed, especially by homeowners.
It would be a rare case, IMHO, that use of raw over standard filters would make a significant difference in the user experience.
So we have an advanced user using it. We also have a router without connection tracking. Why is filter better than RAW on input and forward, or why is RAW better in those cases?
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Pros/Cons using RAW vs Filter

Fri Jan 20, 2023 8:28 pm

IMHO there is no reason to use raw unless performance is being affected, either at the router level or user level.
 
gmsmstr
Trainer
Topic Author
Posts: 982
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Re: Pros/Cons using RAW vs Filter

Fri Jan 20, 2023 8:40 pm

Why do you quote the whole preceding post? Does it help answering? Do you repeat what your interlocutor says when you discuss? Just use the "Post Reply" button.
Why? Does it cost more to use or cost less, or the same?
Last edited by BartoszP on Sat Jan 21, 2023 2:03 am, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart, save network traffic
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Pros/Cons using RAW vs Filter

Fri Jan 20, 2023 9:23 pm

Cost is not important to me. A clear, concise, simple config is what matters to me.
Is the user traffic flowing? Does it meet the requirements? Anything extra is time I can spend elsewhere...

If user traffic is not flowing or some requirements are not met, then we adjust the config.
 
gmsmstr
Trainer
Topic Author
Posts: 982
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Re: Pros/Cons using RAW vs Filter

Fri Jan 20, 2023 10:27 pm

Why do you quote the whole preceding post? Does it help answering? Do you repeat what your interlocutor says when you discuss?
Well that's not what I am asking. I am asking, is there any Pros/Cons to using RAW only in this specific instance.
Last edited by BartoszP on Sat Jan 21, 2023 2:00 am, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart, save network traffic
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: Pros/Cons using RAW vs Filter

Fri Jan 20, 2023 11:41 pm

As far as I understand packet flow, if connection tracking is disabled the only pro of using filters (vs. raw) is that it offers a distinction between input/forward/output chains ... if that matters, then it's much harder to recreate the same firewall functionality in raw.
I don't see any other (important) difference.
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Pros/Cons using RAW vs Filter

Sat Jan 21, 2023 1:21 am

Why do you quote the whole preceding post? Does it help answering? Do you repeat what your interlocutor says when you discuss?
Well that's not what I am asking. I am asking, is there any Pros/Cons to using RAW only in this specific instance.
Isolating a single idea within a config without context is simply not relevant. Whether you are asking if I pick my nose with a wooden spoon or a spatula, I'm saying don't pick your nose.
What you're asking has no relevancy to anything tangible, other than wasting your own time. L8r

If I was you I would have read my first response, and said got it, and left my computer and headed to either 1860's Saloon and Hard Shell Café or BB's Jazz, Blues and Soups!!
Get your priorities straight man! :-)
Last edited by BartoszP on Sat Jan 21, 2023 2:01 am, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart, save network traffic
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Pros/Cons using RAW vs Filter

Sat Jan 21, 2023 1:33 am

If you do not drop, for example, a DDoS attack on the RAW side, it also consumes:
connection-tracking resources (when it is enabled)
mangle prerouting resources (when rules are present)
dst-nat resources (when rules are present)
bridge resources (if involved)
CPU resources to subtract 1 from the TTL (or drop the packet)
again mangle on forward (when rules are present)
and finally the packets are dropped by the drop-all-at-the-end rule in filter.

Using RAW, you do not deplete all the involved resources to drop in filter; you drop the packet instantly.

RAW is faster than filters, but the reason to use RAW is not the speed; it is the resources used between the ingress and the drop of the packet.
But obviously it is not black or white; each need must be pondered.
For example, drop all packets from spam sources directly in RAW if you host, by NAT, a webserver inside your network that is reachable from outside,
instead of depleting router resources to drop the packets from spam or malicious sources later in filter.
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Pros/Cons using RAW vs Filter

Sat Jan 21, 2023 2:37 am

Egads rextended, I hope you don't spend your whole life pondering such vacuous concerns... Okay, as long as it's done as an excuse to enjoy a bottle of Italian Red...
 
gmsmstr
Trainer
Topic Author
Posts: 982
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Re: Pros/Cons using RAW vs Filter

Sat Jan 21, 2023 7:37 am

rextended wrote: (see post above)
And I do agree with this. Let's use a specific example: all I wish to allow to the router is ICMP and a list of admin_IPs addresses; everything else should be stopped.

This can be accomplished in the input chain of the firewall by:
/ip firewall filter
add chain=input src-address-list=admin_IPs action=accept comment="admin access"
add chain=input protocol=icmp action=accept comment="ping"
add chain=input action=drop comment="drop everything else"

Three rules, but it has to go through all of what you mentioned before, CPU resources etc. Even if you don't have connection tracking on, it still goes through those services in RouterOS.

So the next question is: SHOULD I do it in RAW only? How:

/ip firewall raw
add chain=prerouting dst-address-type=local action=jump jump-target=in-raw comment="packets addressed to the router"
add chain=in-raw src-address-list=admin_IPs action=accept comment="admin access"
add chain=in-raw protocol=icmp action=accept comment="ping"
add chain=in-raw action=drop comment="drop everything else addressed to the router"

So 4 rules vs 3, but you also don't waste any CPU before that; it just drops anything that does not match.

So the question is, in this specific example, why not use RAW if you are trying to make the router perform at its best? Is there a con or something with this specific example that would make this not more efficient than using filter rules? Note there may not be, I can't think of it, but hence why I am asking here.
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: Pros/Cons using RAW vs Filter

Sat Jan 21, 2023 1:54 pm

There should be a fifth rule, second in chain=in-raw ... dropping all. If you introduce a custom chain and a packet passes through all rules without matching, then processing returns to the previous chain right after the action=jump rule.

For this particular case, with a single rule in the custom chain, I'd add the additional selection criteria (src-address) to the first rule. But I agree that if there were some more rules in the custom chain, it would be quite effective.
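To make the two rule sets from gmsmstr's post and mkx's fall-through caveat concrete, here is an added Python model (constructed for this thread, not RouterOS code and not from any poster) of a simplified packet flow: first-match chains with jump/return semantics, RAW prerouting before connection tracking and filter input at the end. It counts the stages a stray packet passes before its verdict under the filter-only and RAW-only variants, and shows what happens when the custom chain has no final drop. The stage list, address list and packets are assumed values for the example.

```python
# Toy model of the RouterOS packet flow for packets addressed to the router.
# Constructed illustration, not RouterOS code: first-match chains with
# jump/return semantics, RAW prerouting first and filter input last.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Simplified stage order for a locally destined packet (constructed; the real
# flow has more steps). RAW sits before conntrack, filter input at the end.
STAGES = ["raw-prerouting", "conntrack", "mangle-prerouting", "dst-nat",
          "routing-decision", "filter-input"]

@dataclass
class Packet:
    src: str
    proto: str
    dst_local: bool = True               # dst-address-type=local

@dataclass
class Rule:
    action: str                          # "accept", "drop" or "jump"
    src_list: Optional[str] = None       # src-address-list=
    proto: Optional[str] = None          # protocol=
    dst_local: Optional[bool] = None     # dst-address-type=local
    jump_target: Optional[str] = None    # jump-target=

    def matches(self, pkt: Packet, lists: Dict[str, Set[str]]) -> bool:
        if self.src_list is not None and pkt.src not in lists.get(self.src_list, set()):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return self.dst_local is None or pkt.dst_local == self.dst_local

Chains = Dict[str, List[Rule]]

def run_chain(name: str, chains: Chains, pkt: Packet, lists) -> Optional[str]:
    """First matching rule decides. None means the chain was exhausted: for a
    custom chain, control returns to the caller right after its jump rule."""
    for rule in chains[name]:
        if not rule.matches(pkt, lists):
            continue
        if rule.action == "jump":
            verdict = run_chain(rule.jump_target, chains, pkt, lists)
            if verdict is not None:
                return verdict
            continue                     # sub-chain fell through: keep going here
        return rule.action
    return None

def trace(pkt: Packet, raw: Chains, flt: Chains, lists) -> Tuple[str, List[str]]:
    """Return (verdict, stages the packet passed before that verdict)."""
    seen: List[str] = []
    for stage in STAGES:
        seen.append(stage)
        if stage == "raw-prerouting" and raw:
            # accept in RAW is not final: the packet carries on down the flow
            if run_chain("prerouting", raw, pkt, lists) == "drop":
                return "drop", seen
        elif stage == "filter-input" and flt:
            verdict = run_chain("input", flt, pkt, lists)
            if verdict is not None:
                return verdict, seen
    return "accept", seen                # nothing matched: default is accept

LISTS = {"admin_IPs": {"198.51.100.10"}}   # constructed admin address list

# The three input-chain filter rules from the post above.
FILTER_ONLY: Chains = {"input": [Rule("accept", src_list="admin_IPs"),
                                 Rule("accept", proto="icmp"),
                                 Rule("drop")]}

# The four RAW rules: jump to in-raw for packets addressed to the router.
RAW_ONLY: Chains = {"prerouting": [Rule("jump", dst_local=True, jump_target="in-raw")],
                    "in-raw": [Rule("accept", src_list="admin_IPs"),
                               Rule("accept", proto="icmp"),
                               Rule("drop")]}

# Same jump, but with the final drop left out of the custom chain.
RAW_NO_DROP: Chains = {"prerouting": RAW_ONLY["prerouting"],
                       "in-raw": RAW_ONLY["in-raw"][:2]}

def compare(pkt: Packet) -> Dict[str, Tuple[str, int]]:
    """Verdict and number of stages consumed under each rule set."""
    variants = {"filter only": ({}, FILTER_ONLY), "raw only": (RAW_ONLY, {}),
                "raw without drop": (RAW_NO_DROP, {})}
    out = {}
    for label, (raw, flt) in variants.items():
        verdict, seen = trace(pkt, raw, flt, LISTS)
        out[label] = (verdict, len(seen))
    return out
```

A packet from an unknown source is dropped after one stage in RAW but only after all six with filter alone, and with no drop at the end of in-raw it falls back to prerouting and is accepted by default, which is why a drop belongs in the custom chain (or a drop-all-at-the-end in prerouting itself).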
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Pros/Cons using RAW vs Filter

Sat Jan 21, 2023 1:54 pm

Why so many rules?

1) /ip firewall raw add chain=prerouting src-address-list=secure_IPs dst-address-list=secure_IPs action=accept
[...]
n) drop-all-at-the-end
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Pros/Cons using RAW vs Filter

Sat Jan 21, 2023 4:06 pm

rextended wrote: (see post above)

Beautiful explanation of the topic, thank you.
 
gmsmstr
Trainer
Topic Author
Posts: 982
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Re: Pros/Cons using RAW vs Filter

Sat Jan 21, 2023 5:46 pm

So in this instance, any reason NOT to use RAW instead of input filters?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Pros/Cons using RAW vs Filter

Sat Jan 21, 2023 7:21 pm

It seems clear to me that, for me, there is nothing against it, but just one rule is enough to deal with it, in addition to the others for the rest.
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 2:58 am

The RAW table supports the ability to filter only for the input chain if you want. Use dst-address-type=local. That's what the input chain does, except RAW is before conn_track, and input is after.

If you completely use only RAW table and therefore your router is stateless, even a 20G multi-gigabit DDoS will not cause the router to crash or reboot. But start using conn_track and good luck on a DDoS attack.

But as others have stated, the RAW table is meant for advanced users with an in-depth understanding of iptables + various RFCs for best practices. Randomly using some "Drop the rest" rule will also break all traffic initiated to/by the router, such as BGP peers etc. You need to truly understand the Netfilter packet flow and logic.

You could follow the firewall rules here for raw filtering on the edge while not breaking any RFCs:
viewtopic.php?t=176358
Last edited by DarkNate on Sun Jan 22, 2023 3:03 am, edited 1 time in total.
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 3:02 am

But I am curious, OP is a certified MikroTik trainer. Do MikroTik certifications not teach this basic Linux networking 101 stuff to their trainers?

This makes me doubt the expertise and in-depth knowledge of MikroTik certified trainers.
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 3:37 am

Hi DarkNate,
Do you recommend then simply getting another MT router to act as a stateless edge router that gets the public IP, and if so, how do you then feed the next router (my current router) with that connection so that internet still flows in both directions? Do you create a LAN on the stateless router?
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 3:53 am

Hi DarkNate,
Do you recommend then simply getting another MT router to act as a stateless edge router that gets the public IP, and if so, how do you then feed the next router (my current router) with that connection so that internet still flows in both directions? Do you create a LAN on the stateless router?
For home users? Stateful + stateless rules are fine on a single router. That's what I do on my personal home router. It will die on a 20G DDoS, but I don't have 20G internet bandwidth, so it doesn't matter much for home.

For production, edge routers should be separated from distribution/core/access layer routers. Edge should always be stateless even if it's a million dollar Juniper router, unless your plan is for it to die during a multi-gigabit DDoS, which seems to be the preferred method of dying by these consultants/trainers etc. Not really about the OP personally, but I've seen tens of certified consultants from different countries all saying crazy shit about stateless vs stateful firewall on the network devices (routers, L3 switches etc).
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 5:18 am

About this matter

I have a doubt:

Can doing traffic filtering on a switch by using hardware ACLs, before traffic reaches the router, be a feasible way to firewall a router without losing the high-performance fast-path mode?
 
Maggiore81
Trainer
Posts: 562
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 12:16 pm

@chechito: it is an excellent way to filter the router, but you need an extra device to do that, and you should have a switch that supports a high number of rules. They are stateless rules and work at wire speed.
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 2:43 pm

For home users? Stateful + stateless rules are fine on a single router.
Now you are contradicting yourself ////

Remember ---> If you completely use only RAW table and therefore your router is stateless, even a 20G multi-gigabit DDoS will not cause the router to crash or reboot. But start using conn_track and good luck on a DDoS attack.

So I will ask once again: how to set up a router in front of my current router that is stateless??
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 3:46 pm

When it comes to DDoS attacks: it is quite "cheap" (with regard to the router's resources) to mitigate those in raw. So that's the way to go.

Things become interesting when a DDoS first starts and appropriate raw rules are not yet in place. If the device only does raw filtering, without connection tracking and whatnot, then the device will live but will pass the DDoS further down the line (possibly hitting a stateful firewall, causing that box to struggle) if the traffic is not blocked by pre-existing rules. If the same border router runs a stateful firewall (as all SOHO routers do), then the box will die due to the DDoS attack, but the devastating effect will likely be contained. When the administrator recovers such a device, he can add raw rules to mitigate the attack (and everything should be pretty dandy, including the device running raw rules and connection tracking).

As some argued in this thread, it is possible to go with a stateless firewall. I agree, but it's much harder. For example, a raw rule will treat every packet as an independent piece, which makes accepting return traffic quite a bit harder (because the destination port will be just anything). So using an ultimate "drop all" rule will need many preceding accept rules, where a single "accept related" rule in a stateful firewall will take care of many raw rules.
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 5:04 pm

About this matter

I have a doubt:

Can doing traffic filtering on a switch by using hardware ACLs, before traffic reaches the router, be a feasible way to firewall a router without losing the high-performance fast-path mode?
Read the official explanation:
https://help.mikrotik.com/docs/display/ ... geFirewall

You will quickly understand it is designed only for LAN/L2 filtering. It cannot be fully realised for internet origin or internet bound traffic.
forward - filters packets, which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 5:05 pm

For home users? Stateful + stateless rules are fine on a single router.
Now you are contradicting yourself ////

Remember ---> If you completely use only RAW table and therefore your router is stateless, even a 20G multi-gigabit DDoS will not cause the router to crash or reboot. But start using conn_track and good luck on a DDoS attack.

So I will ask once again: how to set up a router in front of my current router that is stateless??
Which part of home user vs production network do you not understand?

Edit:
And anav, you should stop pretending to be a network engineer or anybody who actually works in networks at a corporate or SP level. Stick to your home labbing threads at best.
Last edited by DarkNate on Sun Jan 22, 2023 5:12 pm, edited 1 time in total.
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 5:09 pm

I will break it down in plain English:
1. Using only statelessness on edge routers ensures your router will never die during a massive DDoS or even just massive traffic spikes. It also ensures you are dropping traffic before it ever enters conn_track, avoiding waste of resources.
2. DDoS protection should be done using FastNetMon + a DDoS scrubbing provider + BGP blackholing community with your IP transit provider

But the RAW table is the only option in MikroTik because they refused to support the nftables ingress hook (before packet assembly) and they refused to support XDP/DPDK (before sk_buff).

If you need a truly advanced end-to-end stateless firewall, you need a NOS and hardware that supports XDP/DPDK natively and hardware offloaded.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 5:19 pm

@chechito: it is an excellent way to filter the router, but you need an extra device to do that, and you should have a switch that supports a high number of rules. They are stateless rules and work at wire speed.

Thinking about that, another approach can be using the newer 2116/2216, which have an integrated switching ASIC supporting 512 / 1024 ACL rules respectively; in these cases we don't need additional hardware, having a respectable amount of ACL rules available.

And in the case of, for example, a CCR1072, adding a CRS317, which is not too expensive and supports 1024 ACL rules, to give the 1072 an extra breath running at fast-path.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 5:26 pm

DarkNate wrote: (see post above)

I refer more to these:
Switch Chip Features -> Rule Table (not Bridge -> Packet Filter)
The Switch Chip Rule Table runs at wire speed, hardware accelerated
https://help.mikrotik.com/docs/display/ ... -RuleTable

These are able to include useful parameters like:

dst-address (IP address/Mask)
dst-address6 (IPv6 address/Mask)
src-address (IP address/Mask)
src-address6 (IPv6 address/Mask)
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 5:27 pm

Thanks for the additional clarity DarkNate, it helped a lot.
Sadly or gladly, there will continue to be a plethora of non-IT engineers reading your posts and asking questions; get used to it! :-)
My intent is to add to my current setup a little something something, but not go overboard, will mull it over.
Last edited by anav on Mon Jan 23, 2023 3:20 am, edited 1 time in total.
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: Pros/Cons using RAW vs Filter

Sun Jan 22, 2023 5:44 pm

chechito wrote: (see post above)
Ah, that, yes. You can use it for strong, plain, basic stateless filtering; it is faster than the RAW table (CPU). But you should be careful to keep in mind it doesn't have all the parameters and knobs available in iptables. As long as you know what you're doing, it is a perfectly valid alternative to raw.

Personally, I've never seen RAW table causing CPU issues, so I never tried using the switch filters. For me, RAW works fine, even in 100G+ production networks, no one complained to me that RAW tables broke their network or affected line-rate routing.
 
gmsmstr
Trainer
Topic Author
Posts: 982
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Re: Pros/Cons using RAW vs Filter  [SOLVED]

Sun Jan 22, 2023 10:33 pm

Well thanks for all that read and replied.

Summary:
Question: Is running RAW-only rules preferable to running filter input rules to protect said router that is NOT doing connection tracking?

Answer: Based on what I know and what others have confirmed, if you are not running connection tracking, then yes, it would be preferred to run a RAW firewall to protect the router. There was no negative feedback other than that it is an advanced function and should be used with care.
 
mozerd
Forum Veteran
Posts: 873
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Pros/Cons using RAW vs Filter

Mon Jan 23, 2023 12:44 am

I disagree with your summary: this is not rocket science and the answer is very straightforward…

Stateful firewalls are capable of monitoring and detecting states of all traffic on a network to track and defend based on traffic patterns and flows. Stateless firewalls, however, only focus on individual packets, using preset rules to filter traffic.

As in all things, the type of firewall implemented varies with each vendor .. in the case of MikroTik, the stateful firewall is the best option for router protection, and “RAW” does have a role to play, especially when whitelisting IPs that may otherwise be blocked by the stateful filter.

3rd generation FW is where all the current science takes everyone except MikroTik ….

A good read on Firewalls
https://www.baeldung.com/cs/firewalls-s ... s-stateful
