abcwarbot
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Apr 25, 2010 9:23 pm

firewall slow down forwarding packets

Wed Apr 28, 2010 8:11 pm

Hi ppl.

I have an RB450G using the ether1 port for WAN and ether5 as multiple VLAN interfaces with different IP segments and src-nat. I set up a firewall filter to protect my box from the internet and from internal spammers. For that matter I kind of combined many rules found in the MikroTik wiki. After the firewall setup I noticed an increase in ping response time, and an increase in internal-network SSH login time and HTTP browsing response time to networks that the RB450G routes on the LAN interface. I need to test whether my firewall rules are raising the response time for the applications named before.
My RB450G is at around 2-6% utilization.

How can I check which firewall policy is increasing packet processing time?
What are the essential rules that need to be added into the filter?

Has anyone experienced this type of issue, and how did you solve it?


Best regards
 
mrz
MikroTik Support
Posts: 5970
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: firewall slow down forwarding packets

Thu Apr 29, 2010 10:12 am

Every packet is processed by every firewall filter until matched. So if you have many rules it will slow down packet forwarding.

To increase forwarding speed you should add three rules at the top of the firewall rule list:
*) accept established connections
*) accept related connections
*) drop invalid connections
 
omidkosari
Trainer
Posts: 629
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran, Karaj

Re: firewall slow down forwarding packets

Thu Apr 29, 2010 11:24 am

Every packet is processed by every firewall filter until matched. So if you have many rules it will slow down packet forwarding.

To increase forwarding speed you should add three rules at the top of firewall rule list
*) accept established connections
*) accept related connections
*) drop invalid connections
If those rules are at the top of the other rules then they will bypass a lot of the rules below. Maybe you want to drop some conditions of established or related connections, but if
*) accept established connections
*) accept related connections
are at the top then the others will be ignored. Am I correct?
 
mrz
MikroTik Support
Posts: 5970
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: firewall slow down forwarding packets

Thu Apr 29, 2010 11:34 am

maybe you want drop some conditions of established or related connections
Then move those special condition rules before accepting established and related.
 
omidkosari
Trainer
Posts: 629
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran, Karaj

Re: firewall slow down forwarding packets

Thu Apr 29, 2010 11:38 am

And why should
*) drop invalid connections
be the last of those three rules? Isn't it faster to drop invalid connections first?
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: firewall slow down forwarding packets

Thu Apr 29, 2010 11:56 am

A firewall connection-state has only one status:
it is either new, established, related, OR invalid.

A single packet can not be more than one of these states.
Doug
 
Chupaka
Forum Guru
Posts: 8345
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: firewall slow down forwarding packets

Thu Apr 29, 2010 12:04 pm

yep, there are much more valid connections than invalid ones =)

if it's not your case - then you should fix your network, not move the rule at the top =)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
omidkosari
Trainer
Posts: 629
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran, Karaj

Re: firewall slow down forwarding packets

Thu Apr 29, 2010 3:15 pm

I say that if invalid connections are not usually useful then it is better to drop them in the first rule.
 
mrz
MikroTik Support
Posts: 5970
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: firewall slow down forwarding packets

Thu Apr 29, 2010 3:20 pm

I say if invalid connections are not usually useful then it is better to drop them at first rule .
I just listed rules that should be at the top... It is not an ordered list, so it doesn't say that the invalid rule should be third.
 
omidkosari
Trainer
Posts: 629
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran, Karaj

Re: firewall slow down forwarding packets

Thu Apr 29, 2010 3:23 pm

I have seen such an order in other places, like the user-contributed wiki and mature users' forum posts, and it was always a question for me.
Do you suggest putting that rule first or not? Why?
Thanks.
 
Chupaka
Forum Guru
Posts: 8345
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: firewall slow down forwarding packets

Thu Apr 29, 2010 3:32 pm

omg... an example. Two rules: accept established, drop invalid. Let's suppose we have 1000 packets of established and 10 packets of invalid connections per second.

case A:
1) accept established
2) drop invalid
There are 1020 rules processed (1000 packets of established connections are accepted by the 1st rule, 10 invalid packets are passed by the 1st rule, and those 10 are dropped by the 2nd rule).

case B:
1) drop invalid
2) accept established
Now 2010 rules processed (1000 of the 1st rule + 1000 of the 2nd rule + 10 of the 1st rule).

Almost two times more =) So the main statement is to accept all connections we have already checked by the first rule, i.e. accept established.

p.s. again: an established connection cannot be invalid; an invalid connection cannot be established.
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: firewall slow down forwarding packets

Thu Apr 29, 2010 8:24 pm

Reset all your firewall rule counters. Let your router run for a few days.

If your 'invalid' connection-state rule has the higher counter, move it higher in the rule-set.

If your 'established' connection-state rule has the higher counter, move it higher in the rule-set.

If your 'related' connection-state rule has the higher counter, move it higher in the rule-set.

...

You get the idea. Basically, your network is individual to you only. What works for you may or may not work for everyone else.

Testing is the key here.
Doug
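The evaluation-count arithmetic of Chupaka's case A and case B, and dssmiktik's "reset counters, run, move the busiest rule up" procedure, as an added worked example (not code from the thread). It assumes what the thread states: each packet has exactly one connection-state, and rules are tried top to bottom until the first match; the traffic counts are constructed, and the rule/traffic names are this example's own.

```python
"""First-match firewall chain simulator (added example, not from the thread).

Models a RouterOS-style filter chain: each packet carries exactly one
connection-state (new / established / related / invalid), rules are tried
top to bottom, and evaluation stops at the first matching rule.  It counts
how many rule evaluations a traffic mix costs under a given ordering and
reorders rules by their hit counters, the way 'print stats' counters would
guide a manual reorder.
"""
from collections import Counter

# A rule is (connection_state_to_match, action).  Names are this example's own.
CASE_A = [("established", "accept"), ("invalid", "drop")]
CASE_B = [("invalid", "drop"), ("established", "accept")]
TOP_THREE = [("established", "accept"), ("related", "accept"), ("invalid", "drop")]

# Constructed traffic mixes: packets per second by connection-state.
TRAFFIC = {"established": 1000, "invalid": 10}
TRAFFIC_MIX = {"established": 1000, "related": 20, "invalid": 10, "new": 50}


def evaluate(rules, packet_state):
    """Walk the chain for one packet.

    Returns (action, matched_rule_index, rules_checked).  A packet that
    matches nothing falls through to the chain default (None index).
    """
    for index, (state, action) in enumerate(rules):
        if state == packet_state:          # one state per packet, first hit wins
            return action, index, index + 1
    return "chain-default", None, len(rules)


def simulate(rules, traffic):
    """Cost of a traffic mix under one ordering.

    Returns {"evaluations": total rule checks, "hits": {rule_index: packets},
             "verdicts": {action: packets}}.
    """
    hits, verdicts, evaluations = Counter(), Counter(), 0
    for state, packets in traffic.items():
        action, index, checked = evaluate(rules, state)
        evaluations += checked * packets   # every packet of this state pays 'checked'
        verdicts[action] += packets
        if index is not None:
            hits[index] += packets         # what a per-rule packet counter would show
    return {"evaluations": evaluations, "hits": dict(hits), "verdicts": dict(verdicts)}


def reorder_by_counters(rules, traffic):
    """Move the rules with the highest counters to the top (stable for ties).

    Safe only when matchers are disjoint, as single-valued connection-state
    matchers are; overlapping matchers could change which rule fires.
    """
    hits = simulate(rules, traffic)["hits"]
    ranked = sorted(range(len(rules)), key=lambda i: -hits.get(i, 0))
    return [rules[i] for i in ranked]


def verdicts_unchanged(before, after, traffic):
    """Confirm a reorder changed only the cost, not what is accepted or dropped."""
    return simulate(before, traffic)["verdicts"] == simulate(after, traffic)["verdicts"]


if __name__ == "__main__":
    for name, rules in (("case A", CASE_A), ("case B", CASE_B), ("top three", TOP_THREE)):
        traffic = TRAFFIC_MIX if rules is TOP_THREE else TRAFFIC
        print(name, simulate(rules, traffic)["evaluations"], "rule evaluations")
    print("case B reordered by counters:", reorder_by_counters(CASE_B, TRAFFIC))
```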
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Re: firewall slow down forwarding packets

Fri Apr 30, 2010 12:05 am

I can't find the post, but MikroTik suggested putting the invalid rule BEFORE the established rule, because certain packets are considered established when they shouldn't be. I will see if I can dig up their explanation. Invalid should be before established to weed out hackers that modify packets.
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com
 
Chupaka
Forum Guru
Posts: 8345
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: firewall slow down forwarding packets

Fri Apr 30, 2010 12:37 am

so, connection-state is not single-valued?..
 
abcwarbot
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Apr 25, 2010 9:23 pm

Re: firewall slow down forwarding packets

Fri Apr 30, 2010 1:17 am

Hi ppl.

From what I read, I understood it is necessary to place these 3 rules first:

1 - allow established
2 - allow related
3 - drop invalid

But I have other rules I need to apply to any packet in the input and forward chains. So where do I place these rules, above or below?

My RB450G is not at a high CPU %, so is it really my network being slowed down because of the firewall rules?

I use the RB450G as the default gateway for my whole network; it routes traffic to remote IPsec networks through other gateways within the LAN. Before I installed the RB450G my connectivity to these remote networks was "fast", but after installing the RB450G, ssh, telnet and httpd take about 15-20 seconds to respond. Ping, instead, has a normal response delay.

Any suggestions?


Best regards
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: firewall slow down forwarding packets

Fri Apr 30, 2010 1:38 am

I am fairly certain a single packet can have only one state at a time, meaning a packet could not be 'invalid' and 'established' at the same time. This means that whether you drop invalid connections before established, or vice versa, would not matter.

It may be wise to put the invalid rule before the established rule if more invalid connections came in (they wouldn't hit the established rule every time, taking more processing power).

If it is true you can have multiple states per packet, Mikrotik should allow this to be entered on a filter rule.
Doug
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Re: firewall slow down forwarding packets

Fri Apr 30, 2010 5:23 am

Then how come when you put invalid first you drop more packets than when it's afterwards? Try it yourself and you will see the difference.

I searched for about 30 mins to find that answer I got back originally; I know I wasn't dreaming. There was a specific reason to drop invalid first, for hacker reasons... I wish the original MT guru would post what he told me : ) he explained it much better. Something to do with established accepting packets as part of a connection that might be closed. You'll notice that they stay in the connection tracking table even after they aren't valid anymore.
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: firewall slow down forwarding packets

Fri Apr 30, 2010 9:11 am

I've created a test.

Add these two rules at positions 0 and 1 in the mangle table.
/ip firewall mangle
add action=jump chain=prerouting comment="Prerouting State Check" disabled=no \
    jump-target=State-Check
add action=jump chain=postrouting comment="Postrouting State Check" disabled=\
    no jump-target=State-Check
Then create these rules:
/ip firewall mangle
add action=jump chain=State-Check comment=Invalid connection-state=invalid disabled=no jump-target=State-Invalid
add action=jump chain=State-Check comment=Established connection-state=established disabled=no jump-target=State-Established
add action=jump chain=State-Check comment=Related connection-state=related disabled=no jump-target=State-Related
add action=jump chain=State-Check comment=New connection-state=new disabled=no jump-target=State-New
add action=return chain=State-Established comment=Invalid connection-state=invalid disabled=no
add action=return chain=State-Established comment=New connection-state=new disabled=no
add action=return chain=State-Established comment=Related connection-state=related disabled=no
add action=return chain=State-Invalid comment=Established connection-state=established disabled=no
add action=return chain=State-Invalid comment=New connection-state=new disabled=no
add action=return chain=State-Invalid comment=Related connection-state=related disabled=no
add action=return chain=State-New comment=Established connection-state=established disabled=no
add action=return chain=State-New comment=Invalid connection-state=invalid disabled=no
add action=return chain=State-New comment=Related connection-state=related disabled=no
add action=return chain=State-Related comment=Established connection-state=established disabled=no
add action=return chain=State-Related comment=Invalid connection-state=invalid disabled=no
add action=return chain=State-Related comment=New connection-state=new disabled=no
To check the stats, run this command:
/ip firewall mangle print stats where chain~"State-[^Check]"
If you get any bytes/packets showing up, then a rule can have multiple states. So far, I haven't seen any though.

If you drop invalid connections after established connections, it's still a drop. The packet still gets dropped, thus no chance to become an established connection.

Maybe I'm misunderstanding though.

Anyway, I'm very curious, that's why I created this test. changeip, thank you for posting this information.
Doug
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Re: firewall slow down forwarding packets

Fri Apr 30, 2010 7:26 pm

I know that a packet won't have multiple states, but the established rule doesn't always match only established packets. It can also match invalid packets. Let me see if I can get a plain and clear example pic of it...
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Re: firewall slow down forwarding packets

Fri Apr 30, 2010 7:32 pm

Right now these match; I will let it run for a day and see if they get out of balance.

[image attachment]

I could swear that in the past there were situations where they acted differently. If I run it for a day and they still match I will have to eat my words : )
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: firewall slow down forwarding packets

Fri Apr 30, 2010 11:55 pm

I'm also still running my test. I'll keep you updated with findings.

It may be possible that established-state packets could include invalid-state packets, but not vice versa; however I don't think this is the case.

Anyway, I'll keep you updated on the status.
Doug
 
Chupaka
Forum Guru
Posts: 8345
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: firewall slow down forwarding packets

Sun May 02, 2010 5:03 pm

something to do with established accepting packets as part of a connection that might be closed. you'll notice that they stay in the connection tracking table even after they aren't valid anymore.
Actually, AFAIR, just presence in the conntrack table doesn't mean 'established'. If, according to the conntrack table, the connection is already closed, then data frames should be considered invalid, for example.
 
abcwarbot
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Apr 25, 2010 9:23 pm

Re: firewall slow down forwarding packets

Mon May 03, 2010 7:40 pm

Hi ppl.

Here is my network design. I still have HTTP sessions expiring and slow SSH logins.
I placed the rules mentioned before:

allow established
allow related
drop invalid

My CPU is at 2%. My connections to the remote VPNs have good ping responses but expired HTTP sessions.

Please, some advice.


Best regards
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Re: firewall slow down forwarding packets

Mon May 03, 2010 9:04 pm

So there are 3 VPN servers? How are you handling packets going back through the original route? Are you using a routing protocol? Connection tracking needs to handle two-way traffic so it can see the complete TCP/IP exchange. Maybe your issue is async routing. ICMP redirects might cause packets to go a different way than initially set up.
 
abcwarbot
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Apr 25, 2010 9:23 pm

Re: firewall slow down forwarding packets

Mon May 03, 2010 11:14 pm

Hi ppl.

@changeip

I have 2 VPN servers alongside the RB450G main router. The main router serves as the default GW for every PC on the LAN. All PCs need to reach the remote VPN LANs. The main router routes all packets to the remote LANs via the local address of each of the VPN servers.

I don't use any special features, just static routes. I used to have a Linksys RV082 doing the job, with no problems so far.

172.17.1.0/24 gw 172.16.1.3
172.18.1.0/24 gw 172.16.1.3
172.19.1.0/24 gw 172.16.1.2

This is how my static routes should look.
Any suggestions?


Best regards
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Re: firewall slow down forwarding packets

Tue May 04, 2010 1:52 am

So pc1, pc2 and pc3, when replying to requests, always send their replies to 172.16.1.1 because that is their default gateway. That router then forwards the traffic (in and out the same interface) to the VPN routers, and ALSO sends ICMP redirects to the pc1-3 machines to tell them there is a better gateway. Now traffic starts flowing through the 2 VPN gateways, but it's possible some packets are either duplicated or lost because of the ICMP redirect functions. I wonder if you can set up the VPN servers one hop downstream from the main gateway instead of side by side.

Think about connection tracking... all 3 routers won't share the same connection tracking table. So if you are doing any firewalling on established connections, now you might have only some packets hitting that router and the connection handshake isn't proper / complete. Make sense? You could test this theory by setting up static routes on pc1-3 for those 3 subnets to go directly to their VPN gateway instead of through the main router.
 
abcwarbot
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Apr 25, 2010 9:23 pm

Re: firewall slow down forwarding packets

Tue May 04, 2010 2:44 am

Hi ppl.

@changeip

Thanks for your answer. If I place static routes on the PCs, the services work without issue. How can I fix this matter?
Placing the VPN servers inside the LAN is not an option; is there any other way?
What do you suggest?


Best regards
 
WirelessRudy
Forum Guru
Posts: 3089
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: firewall slow down forwarding packets

Tue May 04, 2010 4:28 am

something to do with established accepting packets as part of a connection that might be closed. you'll notice that they stay in the connection tracking table even after they aren't valid anymore.
actually, AFAIR, just presence in ConnTrack table doesn't mean 'established'. if, according to conntrack table, connection is already closed, then data frames should be considered invalid, for example
To me it seems that after this post the discussion started drifting a bit off topic.
First of all, abcwarbot set up a firewall to protect his router. Meaning the rules discussed later in this topic are to be on the input chain. Since this normally has not a lot of traffic, and certainly not traffic from client to internet and vice versa, I don't see it slowing down traffic flow 'through' the router.
I have the invalid/established etc. rules only on the input chain and they get so little traffic it's hardly worth looking at..

When we are talking about rules on the forward chain, for traffic passing through the router, things are different. How is the story now with "invalid"? If the router is not processing (QoS, shaping, virus filter) the traffic flow then all traffic can just be passed through. I have several routers doing so and they have no filter or mangle rules whatsoever on the forward chain. All the router does is routing. Some traffic that could be "invalid" might as well be passed through too. Probably faster than filtering all traffic just to catch some invalid packets....

So why filter invalid, established etc. in forward? It slows down the traffic flow but doesn't protect the router. Protection is done in input. At best these forward rules protect the next router or device. But let that router or device handle its own protection! This way CPU power is balanced over the network?

Apart from that, indeed the filter rules, or mangle rules, are best located such that the rules getting the bulk of the traffic are placed first. BUT, there is always a "but".
I use L7 filters for Skype and some P2P. Since these filters have long signature keys, especially Skype, I basically want as little traffic as possible to run through these filters. So I try to filter as much other traffic as possible out of the process before the packet stream hits the L7 filters.

Also, packets that I want to pass the router as fast as possible, like ping, DNS, etc., I put high in the filters. The earlier they leave the process, the earlier they are forwarded by the router to the interface.
And the good reader now understands that although the Skype L7 filter (we are talking mangle here) is placed low because I want other traffic filtered away first, the fact that it is 'real live' traffic means it should also be as fast as possible and thus leave the filter process as fast as possible. So this would mean placing it high in the sequence. That is then in contrast to my first conclusion.

In other words, it very much depends on what you want and what traffic is passing and processed by the router.

When it comes to speed of traffic, several other factors come into play too. Maybe off topic here, but don't forget about these! Some examples:
How does routing, or bridging, take place in the network? A low-utilised network is fast in bridge mode, while a highly utilised one benefits more from routing.
How much traffic is carried by the network while it will be dropped somewhere anyway? Better drop it at the source than 4 nodes away. Especially important on wireless links!
QoS. On congested links and routers, if all traffic passes unordered, latency for speed-demanding packets goes up only because low-speed-demand packets have the same order in passing. Put a Ferrari in a traffic jam and he is nothing faster than the horse and wagon beside him!
And last, but not least: fast routers handle traffic faster than low-rated ones. A Ferrari only has a benefit on the highway. Put him on a sand track and again he is nothing faster than the horse and wagon....

Still a very interesting discussion though; I just wanted to add some other input as well.
