martini
Member Candidate
Topic Author
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

degradation of throughput with firewall...

Fri Jan 14, 2011 12:52 pm

Make some tests with ROS -
Hardware - core-i7 (2.8 ghz 4 core), ethernet - 4 port intel 82576
Traffic on ethernet ~ 200 megabits.
CPU load 10-15%

Than i make 500 firewall rule in forward chain for random IP and see degradation of throughput about 2 time !! ) after apply firewall rule traffic on ethernet down from 200 megabits to 40-60 megabits... CPU load was 30-35%
The same things with mangle rule (prerouting or forward)
I try to use address list, but this also has no effect.
This test was repeated on 4 routers with different hardware and all have the same result.
After some test i can say that after 250-300 rules in firewall traffic throughtput slow down.

Maybe firewall still use one core ??? And if its true - when firewall will use multicore ??
Last edited by martini on Sun Feb 27, 2011 2:04 pm, edited 1 time in total.
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: degradation of throughput with firewall...

Fri Jan 14, 2011 1:05 pm

Could you give some example of the firewall you had for the test?

Maybe a "good practice" firewall will have more decent results, where you filter new packets and the rest goes to related/established.

Anyway, it would be interesting to see what exactly you had there, as I have tested something similar and the slowdown was there, but not that big, and it was not a "good practice" config.
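The "good practice" layout janisk refers to, written out as an added example; it is not taken from any post in this thread. RouterOS 5-era CLI syntax is assumed, and the list name `allowed-dst` and the addresses in it are invented. The point is that filter rules are evaluated top to bottom, so with connection tracking enabled the accept rules for established/related traffic let almost every packet leave the chain after one or two matches; only the first packet of each new connection walks the destination policy, and that policy is a single address-list rule instead of hundreds of separate dst-address rules. Whether this layout would have changed martini's measurements is not reported in the thread.

```routeros
# Added example, not from any post in the thread. RouterOS 5-era syntax is
# assumed; the list name and addresses below are made up for illustration.

/ip firewall filter
# 1. Let packets of already-tracked connections through first. With
#    connection tracking on, nearly every packet matches one of these two
#    rules and never reaches the destination policy further down.
add chain=forward connection-state=established action=accept \
    comment="fast path: packets of tracked connections"
add chain=forward connection-state=related action=accept \
    comment="fast path: related connections (e.g. ICMP errors, FTP data)"
add chain=forward connection-state=invalid action=drop \
    comment="packets conntrack cannot place in any connection"

# 2. Only the first packet of each new connection is checked against the
#    destination policy. One dst-address-list rule stands in for N rules of
#    the form dst-address=x.x.x.x; keep the default deny directly below it.
add chain=forward connection-state=new dst-address-list=allowed-dst \
    action=accept comment="policy: new connections to permitted destinations"
add chain=forward connection-state=new action=drop \
    comment="default deny for new connections"

# Destinations that were previously one filter rule each go into the list.
/ip firewall address-list
add list=allowed-dst address=192.0.2.10
add list=allowed-dst address=192.0.2.0/24
add list=allowed-dst address=198.51.100.0/25

# 3. While test traffic is flowing, see which process and which core the
#    time goes to (the cpu=all parameter is from the current RouterOS
#    documentation; on an older build run /tool profile without it).
/tool profile cpu=all
```

To confirm the ordering is doing its job, watch the per-rule counters with `/ip firewall filter print stats`: the established rule should collect almost all of the hits, and the address-list rule should only count one packet per new connection. If a rule with a large hit count sits below many rarely matched rules, move it up; every packet that falls through pays for each rule above it.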
 
martini
Member Candidate
Topic Author
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Re: degradation of throughput with firewall...

Fri Jan 14, 2011 1:14 pm

It's a simple rule:
/ip firewall filter add dst-address=x.x.x.x action=accept chain=forward
This rule is repeated 300 times with different IPs or address lists.
I tried using in and out interfaces, and dst-address-list, and didn't see any changes.
ROS version 5.0rc5
 
zlyZwierz
newbie
Posts: 33
Joined: Tue Jun 19, 2007 2:37 pm
Location: Poland

Re: degradation of throughput with firewall...

Fri Jan 14, 2011 2:30 pm

Maybe try to use address-list :)
 
martini
Member Candidate
Topic Author
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Re: degradation of throughput with firewall...

Fri Jan 14, 2011 2:33 pm

@zlyZwierz: if you read my posts again, you will see that I used firewall rules both with and without address-lists.
 
zlyZwierz
newbie
Posts: 33
Joined: Tue Jun 19, 2007 2:37 pm
Location: Poland

Re: degradation of throughput with firewall...

Fri Jan 14, 2011 2:48 pm

Yes, but how many entries in the forward chain did you have after switching to address-list?
 
martini
Member Candidate
Topic Author
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Re: degradation of throughput with firewall...

Fri Jan 14, 2011 5:59 pm

300 or 500 or 1000 rules; I tested how many firewall rules I can use on RouterOS without degradation of traffic. Maximum 250-300 rules.
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Re: degradation of throughput with firewall...

Fri Jan 14, 2011 7:51 pm

There are no stateful firewalls out there that handle 200+ rules without degradation. You need more powerful hardware if you truly want that much throughput and that many rules. If you are not using stateful packet inspection, just turn off conn-track and you will gain performance.
 
martini
Member Candidate
Topic Author
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Re: degradation of throughput with firewall...

Fri Jan 14, 2011 8:44 pm

)) I ran this experiment in many situations. With conn-track disabled the CPU load did not drop (30-35%, like with conn-track enabled). So I think that the firewall uses only one core. Remember, ROS version 4.xx on two-core processors had a max CPU load of 40-50% (half of two cores) and on 4 processors 25-30%, because all ROS functions used only one core.
 
FIPTech
Member
Posts: 469
Joined: Tue Dec 22, 2009 1:53 am

Re: degradation of throughput with firewall...

Fri Jan 14, 2011 10:51 pm

I don't think that the X86 and X64 architectures are well designed for routing. Multicore does work quite well with big amounts of data in memory, because each core has a quite big quantity of cache memory today (level 2).
But for routing, most of the time is spent transferring small amounts of data from the device bus to the cores. The PC architecture is not designed to do this efficiently because the device bus is shared between cores.
The X86 / X64 bottleneck for routing is the PCI-e bus; even if you choose a dual IOH bus machine and add some GPU boards to speed up routing, you will not be able to go beyond 40 Gbps total throughput on the X86 / X64 platform. This is very slow compared to dedicated hardware routers able to push more than 1 Terabit/s through 10, 40 or 100 Gbps ports.

If you want to get this speed with X86 hardware, you'll eat 10 times more power than a dedicated hardware router. Where is the benefit?

Each core works at about 3 GHz, but the fastest bus (memory) runs at about 1.3 GHz and must be shared between 2 or 4 cores...
This explains why the low cost Broadcom chips used inside Routerboards can switch packets faster than some fast X86 machines. Unfortunately they can only do switching tasks and level 2 filtering. According to some tests I did, the RB450G switch chip is able to transfer 4 Gbps between 2 Gigabit ports without packet drop. With routing, packet drop bursts can appear beginning at 100 Mbps, as soon as the processor unit needs to multitask non-routing threads.

Multicore has never been a very attractive technology for low cost software and drivers. It needs serious low level optimisation to work efficiently. This is only doable by Intel staff and a couple of other teams with deep knowledge of the core and X86 hardware structure design. This optimization task is a costly process, and is hardware dependent.

Multicore is the answer from X86 chip manufacturers to the impossibility of going higher than 3.2 GHz.

But raising the frequency is really more efficient and simpler than adding cores.

Routing at high speed (between 1 and 10 Gbps) without packet drop needs faster processing, or dedicated hardware (FPGAs, ASICs, DSPs).

FPGA and ASIC designs can be fully optimized from the ground up to do the routing task. In the end you get simpler, more efficient, more reliable and really faster designs. This is not the case for the multicore X86 / X64 architecture.

This explains why you can see hardware routers able to push and route 100 Gbps per port without packet drop, where X86 machines can have problems pushing 1 Gbps per port without packet loss.

So if you need speed, buy the hardware designed for it. If you need low cost and medium speed, buy Routerboards and RouterOS :=)
Last edited by FIPTech on Sat Jan 15, 2011 9:48 am, edited 1 time in total.
 
Chupaka
Forum Guru
Posts: 8320
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: degradation of throughput with firewall...

Sat Jan 15, 2011 3:29 am

> i think that firewall use only one core

Tools -> Profiler :)
 
martini
Member Candidate
Topic Author
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Re: degradation of throughput with firewall...

Sat Jan 15, 2011 7:00 pm

@Chupaka: yes, I ran the profiler when testing the firewall; the tasks with the most CPU load were ethernet and firewall.
 
martini
Member Candidate
Topic Author
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Re: degradation of throughput with firewall...

Sun Feb 27, 2011 12:02 am

It's me again ))
Another test of mine shows interesting results:

Core i7 (4 cores, 2.8 GHz), 1200-1400 Mb total throughput through the router interfaces (4 eth on i82576, 1 eth per core), CPU load 25-35%. Then I created 600 filter rules... and traffic decreased to 50-150 Mb while CPU load stayed at 30-45% (per core CPU load 30-50% IRQ).
Then I disabled rules one by one to see what number of rules doesn't decrease the traffic; on this router it's 100-150 rules (more than 150 rules cause degradation of throughput).
Interesting thing..

Then I ran the same test on an AMD Phenom 1090T (6 cores, 3.2 GHz), 600-900 Mb total throughput through the router interfaces (4 eth on i82576, 1 eth per core), CPU load 4-9%. Then I created 600 filter rules... and traffic decreased to 50-150 Mb, but CPU load showed 95-100% (per core CPU load 95-100% IRQ).
Then I disabled rules one by one to see what number of rules doesn't decrease the traffic; on this router it's 300-350 rules (more than 350 rules cause degradation of throughput).

Question to MikroTik: why does this happen?? Why does AMD show normal CPU load and Intel abnormal? Why does the firewall take up so many resources?
 
jober
Long time Member
Posts: 692
Joined: Fri May 28, 2004 12:16 pm
Location: Louisiana,USA

Re: degradation of throughput with firewall...

Mon Apr 04, 2011 9:55 pm

What model ethernet cards and motherboards are you guys using?
