kraal
Member Candidate
Topic Author
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Mikrotik test results: How to count filter rules?

Mon May 09, 2022 7:58 pm

Hi,
It may sound like an odd question, but do you know how the "25" filter rules are counted on Mikrotik's products' test results pages?
Is it:
  • a "total of 25 rules" (including all chains, i.e. all rules count towards increasing the counter)
  • a "25 rules for a single chain" (for instance forward, i.e. the rules in the other chains do not count towards increasing the counter, but all rules of the chain do count regardless of having them checked or not)
  • "25 rules" from the start of a chain (for instance forward) until the first "match" which is not a passthrough (i.e. only the rules in the chain that did not match the packet until the first matching non passthrough rule count)
  • something else
I was always thinking that it is the third case, however I have a doubt. Maybe someone has the "right answer".

Thank you in advance
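
Added example (not part of the original posts, and not MikroTik's test methodology): a small model that computes the rule count under each of the three readings listed above, for a constructed 25-rule ruleset. It assumes rules in a chain are evaluated top to bottom and that traversal stops at the first matching rule whose action is not `passthrough` or `log`; the `Rule` class, `count_rules` and `build_ruleset` are hypothetical names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: these actions do not end chain traversal; all others do.
NON_TERMINATING = {"passthrough", "log"}

@dataclass
class Rule:
    chain: str
    action: str
    src: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # An unset matcher (None) matches any packet.
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))

def count_rules(rules, pkt, chain="forward"):
    """Return (all rules, rules in chain, rules evaluated for pkt)."""
    in_chain = [r for r in rules if r.chain == chain]
    evaluated = 0
    for rule in in_chain:
        evaluated += 1
        if rule.matches(pkt) and rule.action not in NON_TERMINATING:
            break  # first terminating match ends traversal
    return len(rules), len(in_chain), evaluated

def build_ruleset():
    """Constructed sample: 4 input rules + 21 forward rules = 25."""
    rules = [Rule("input", "drop", src="203.0.113.0/24") for _ in range(4)]
    rules += [Rule("forward", "drop", src=f"198.51.100.{i}/32") for i in range(10)]
    rules.append(Rule("forward", "passthrough", proto="tcp"))
    rules.append(Rule("forward", "accept", proto="tcp", dport=443))
    rules += [Rule("forward", "drop", src=f"192.0.2.{i}/32") for i in range(8)]
    rules.append(Rule("forward", "drop"))  # catch-all at the end of the chain
    return rules

if __name__ == "__main__":
    for pkt in ({"src": "10.0.0.5", "proto": "tcp", "dport": 443},
                {"src": "10.0.0.5", "proto": "udp", "dport": 53}):
        print(pkt, count_rules(build_ruleset(), pkt))
```

The same ruleset gives three different counts depending on the reading, and under the third reading the count also changes per packet, which is why the per-packet work depends on rule order as much as on the number of rules.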
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Mikrotik test results: How to count filter rules?

Mon May 09, 2022 9:10 pm

There is some info in this link, but I don't see the 25 rules explicitly and completely defined.


https://wiki.mikrotik.com/wiki/Manual:P ... ning_Tests
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Mikrotik test results: How to count filter rules?

Tue May 10, 2022 1:46 am

Good question. It was mentioned in the past that each rule affects the performance differently, depending on a matcher (selected conditions) of that rule. Most extreme example would be L7 matcher. Obviously 25 rules with L7 matcher will be much slower than 25 rules of src-address matching.
 
mkx
Forum Guru
Posts: 11442
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mikrotik test results: How to count filter rules?

Tue May 10, 2022 6:08 pm

Good question. It was mentioned in the past that each rule affects the performance differently, depending on a matcher (selected conditions) of that rule. Most extreme example would be L7 matcher. Obviously 25 rules with L7 matcher will be much slower than 25 rules of src-address matching.
... hence I wouldn't hang on to exact numbers (neither number of rules nor performance). I would guess that the rules configured in tests are from the easy end of the spectrum. If one looks at different numbers, one can get an idea about the rate of performance drop with increased number of rules (and increased complexity; bridging is easier on the device than routing and both are easier than firewalling). And when looking at numbers with the aim to choose a device which will deliver the performance required, add some margin or be prepared to get performance somehow lower than expected. If performance with actual configuration will exceed requirements, consider yourself lucky and avoid gambling sessions for some time (because you already won your share of luck).
