blackmetal
Member Candidate
Topic Author
Posts: 188
Joined: Mon Aug 16, 2010 9:01 am

Moving rules from Filter to RAW cause better performance?

Tue Aug 20, 2019 8:18 pm

Hello,
I have a MikroTik CCR 1036 and I have about 10 IP filter rules on it. In some cases (like high pps) my CPU usage is around 70%, so my question is: if I disable all of my IP filter firewall rules and migrate them to RAW, will it give better performance and reduce CPU usage?
Thanks,
 
pe1chl
Forum Guru
Posts: 5977
Joined: Mon Jun 08, 2015 12:09 pm

Re: Moving rules from Filter to RAW cause better performance?

Tue Aug 20, 2019 8:21 pm

No, that will actually increase CPU usage, assuming you are running with connection tracking and have an "accept established/related" rule in your filter list.
 
blackmetal
Member Candidate
Topic Author
Posts: 188
Joined: Mon Aug 16, 2010 9:01 am

Re: Moving rules from Filter to RAW cause better performance?

Tue Aug 20, 2019 8:32 pm

My connection tracking is disabled on my routers, so there is no connection tracking, and my rules are only permit or deny, so there are no complicated rules.
 
pe1chl
Forum Guru
Posts: 5977
Joined: Mon Jun 08, 2015 12:09 pm

Re: Moving rules from Filter to RAW cause better performance?

Tue Aug 20, 2019 8:42 pm

In that case there will be no difference I think.
The point is that with connection tracking active (and already having taken the performance that costs) it is unwise to filter in the raw table because in the raw table the router always has to evaluate all the deny rules, while in the filter table it usually hits on the "accept established/related" rule at the top and never has to evaluate all those specific rules below that which match specific cases.
Without connection tracking it has to do that anyway and it will matter very little where you do it, unless you have a lot of denied traffic (e.g. when you are trying to fend off some attack).
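
Added example (not part of the thread, and not any poster's or MikroTik's code): a toy Python cost model of the reasoning in the post above. It counts only rule evaluations and conntrack lookups per packet; the rule set, addresses and traffic mix are constructed, and it assumes a packet dropped in raw never reaches connection tracking.

```python
# Toy cost model (added illustration, not RouterOS code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    established: bool  # state conntrack would report for this packet

# Constructed sample data: 10 drop rules, one blocked source each.
BLOCKED = [f"198.51.100.{i}" for i in range(1, 11)]
DENY = [(lambda p, s=s: p.src == s, "drop") for s in BLOCKED]
ACCEPT_EST = (lambda p: p.established, "accept")

def walk(rules, pkt):
    """First-match walk; returns (verdict, rules evaluated)."""
    for n, (match, verdict) in enumerate(rules, start=1):
        if match(pkt):
            return verdict, n
    return "accept", len(rules)

def cost(packets, placement, conntrack):
    """Return (rule evaluations, conntrack lookups) for the traffic."""
    raw = DENY if placement == "raw" else []
    filt = [] if placement == "raw" else list(DENY)
    if conntrack:
        filt = [ACCEPT_EST] + filt  # "accept established/related" on top
    evals = lookups = 0
    for pkt in packets:
        verdict, n = walk(raw, pkt)
        evals += n
        if verdict == "drop":
            continue  # assumption: raw drop happens before conntrack
        lookups += conntrack
        evals += walk(filt, pkt)[1]
    return evals, lookups

def legit(flows=100, per_flow=50):
    """Allowed flows: first packet is new, the rest are established."""
    return [Packet(f"192.0.2.{f % 250 + 1}", i > 0)
            for f in range(flows) for i in range(per_flow)]

def flood(count=5000):
    """Denied traffic that matches only the last drop rule."""
    return [Packet(BLOCKED[-1], False)] * count

if __name__ == "__main__":
    for ct in (True, False):
        for place in ("filter", "raw"):
            print(f"conntrack={ct} rules in {place}:",
                  "legit", cost(legit(), place, ct),
                  "flood", cost(flood(), place, ct))
```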
 
blackmetal
Member Candidate
Topic Author
Posts: 188
Joined: Mon Aug 16, 2010 9:01 am

Re: Moving rules from Filter to RAW cause better performance?

Tue Aug 20, 2019 8:48 pm

Thank you for your comment.
Still waiting for other guys' comments to choose the best decision.
 
sebastia
Forum Guru
Posts: 1796
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Moving rules from Filter to RAW cause better performance?

Tue Aug 20, 2019 10:01 pm

 
blackmetal
Member Candidate
Topic Author
Posts: 188
Joined: Mon Aug 16, 2010 9:01 am

Re: Moving rules from Filter to RAW cause better performance?

Wed Aug 21, 2019 7:26 am

Thanks, buddy, for guiding me! But I read that thread and it was like an argument between two people, one of whom agreed with the filter chain and the other with the RAW chain. Personally I agree with the raw chain because it will drop before it can be checked by any other section like queue etc.
So what's your idea finally?
 
sebastia
Forum Guru
Posts: 1796
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Moving rules from Filter to RAW cause better performance?

Wed Aug 21, 2019 10:56 am

As stated there ("conntrack by default is most expensive RouterOS facility"), the high cost of/before the "filter" table is the connection tracking logic. If it's disabled, it won't matter whether it's in raw or filter.
