 
wtechlink
just joined
Topic Author
Posts: 11
Joined: Tue Mar 03, 2020 3:09 am

Better firewalling performance than 2216?

Tue May 23, 2023 11:32 pm

I run an internet provider that pushes ~20Gb at peak usage. I upgraded our 1072s to 2216s and everything has been working really well, except the extremely disappointing CPU usage when doing firewalling. Mikrotik's webpage states that with 25 bridge filters at 512 byte size the 1072 will do 37,270Mbps and the 2216 will do 13,992Mbps.

I've got a dedicated 2216 bridging only to function as a firewall, but it will hit 90%+ CPU usage when running packets through the 8 firewall filter rules I have set up for blocking spoofing, winbox ports, ntp, etc. I have multiple providers coming into my firewall with 100Gb and 25Gb ports, so using the 1072 isn't really an option since it only has 10Gb ports. It kind of stinks that the 1072 is 6+ years old now and still offers the best Mikrotik performance in some respects but only has 10Gb ports.

Is there any new hardware coming with a processor better at firewalling or a version of the 1072 with 25Gb/100Gb ports?

I was thinking about moving the filter rules to raw, but with connection tracking off I don't think that will really help. Is there anything else I can do to help lower CPU usage and make this work?

Thanks!
 
mada3k
Long time Member
Posts: 687
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Better firewalling performance than 2216?

Wed May 24, 2023 4:26 pm

Running with connection tracking off cuts down CPU usage quite a lot, since connections don't need to be kept or matched. You really should consider creating raw rules.

If you are using L3HW support, then you could create rules under /interface ethernet switch rule maybe instead.
 
wtechlink
just joined
Topic Author
Posts: 11
Joined: Tue Mar 03, 2020 3:09 am

Re: Better firewalling performance than 2216?

Wed May 24, 2023 9:02 pm

mada3k wrote:
Running with connection tracking off cuts down CPU usage quite a lot, since connections don't need to be kept or matched. You really should consider creating raw rules.

If you are using L3HW support, then you could create rules under /interface ethernet switch rule maybe instead.

I've already got the connection tracking turned off, and the switch rules won't let me do things like block outgoing in address lists, sadly.

But with connection tracking already being off will raw perform the same or better than filters?
 
ivicask
Member
Posts: 422
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Better firewalling performance than 2216?

Wed May 24, 2023 9:40 pm

Just try; if it's only 8 rules you can copy them to raw in less than 5 minutes.
Also, what you can do to gain a bit of performance, depending on your rules, is to move the ones that get more hits first in the order, if possible.
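As an added illustration of what mada3k and ivicask are suggesting (this is example configuration written for this page, not something posted in the thread and not MikroTik's own documentation), the snippet below shows the raw-table form of the kind of rules the original poster describes, with connection tracking left disabled and the rules ordered so the most frequently hit one is evaluated first. The interface list names (WAN, CUSTOMERS), the address lists (bogons, own-prefixes, customer-cpe) and the sample prefixes are assumptions; substitute the real topology. The bridge setting at the top is the one that matters on a bridge-only box: without use-ip-firewall=yes, bridged traffic never reaches /ip firewall at all.

```routeros
# Added example (not from the thread). Names, lists and prefixes are assumed.

# On a bridge-only firewall, /ip firewall (filter and raw) only sees bridged
# frames when the bridge is told to pass them through the IP firewall.
/interface bridge settings
set use-ip-firewall=yes

# Connection tracking stays off: every packet is matched on its own headers,
# so no state table is consulted or updated for any of the rules below.
/ip firewall connection tracking
set enabled=no

# Address lists referenced by the rules. Entries are a constructed sample
# (RFC 1918 and 0.0.0.0/8 as bogons, a documentation prefix as "ours").
/ip firewall address-list
add list=bogons address=10.0.0.0/8
add list=bogons address=172.16.0.0/12
add list=bogons address=192.168.0.0/16
add list=bogons address=0.0.0.0/8
add list=own-prefixes address=203.0.113.0/24 comment="assumed own prefix"
add list=customer-cpe address=203.0.113.0/25 comment="assumed CPE range"

# Raw table, prerouting chain: packets are dropped before the filter table.
# Raw only has prerouting and output chains, so direction is expressed with
# in-interface-list rather than out-interface. Rule order follows ivicask's
# advice: the rule expected to match most often is first, so most dropped
# packets leave the chain after a single comparison.
/ip firewall raw
add chain=prerouting action=drop in-interface-list=WAN \
    src-address-list=bogons \
    comment="1 inbound bogon sources (assumed highest hit count)"
add chain=prerouting action=drop in-interface-list=WAN \
    src-address-list=own-prefixes \
    comment="2 inbound packets claiming our own prefixes are spoofed"
add chain=prerouting action=drop in-interface-list=CUSTOMERS \
    src-address-list=!own-prefixes \
    comment="3 outbound anti-spoof: customers may only source our prefixes"
add chain=prerouting action=drop in-interface-list=WAN \
    protocol=udp dst-port=123 dst-address-list=customer-cpe \
    comment="4 NTP toward CPE from outside (amplification abuse)"
add chain=prerouting action=drop in-interface-list=WAN \
    protocol=tcp dst-port=8291 dst-address-type=local \
    comment="5 winbox to the firewall itself from outside"

# Verify ordering against real traffic: the packets/bytes counters show
# which rule is doing the work. If rule 3 turns out to be hit more than
# rule 1, move it to the top (destination=0) so it is evaluated first.
/ip firewall raw print stats
/ip firewall raw move [find comment~"^3 "] destination=0
```

Two points worth checking after the move: the counters from `print stats` are per rule and cumulative, so reset them once and compare again after a representative peak, and keep in mind that raw rules are still evaluated by the CPU; they save the conntrack lookup and the filter-table walk, not the per-packet matching itself, which is why the original poster's L3HW question still stands for anything the switch rules cannot express, such as address-list matches.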
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: Better firewalling performance than 2216?

Fri May 26, 2023 9:03 am

Follow the guide here for firewalling/hardware offloading:
viewtopic.php?t=176358
