ToMikaa87
newbie
Topic Author
Posts: 40
Joined: Mon Apr 25, 2011 8:36 pm

Firewall and queue optimization

Mon Jan 14, 2013 9:56 pm

Dear Community,

I have an RB2011UAS-2HnD router used as my home router. Its setup contains many firewall filter and mangle rules, and a queue tree setup. The router is connected to the Internet via PPPoE on e10-wan (ether10). The WAN connection speed is 44Mbit download and 22Mbit upload. There is a NAS connected to one of the Gbit switch ports; its address is 192.168.1.50.
My problem is that if the NAS is downloading at full speed (44M) via P2P, the firewall and the queue eat up all CPU resources. This prevents the queue from prioritizing non-P2P traffic and slows down the router significantly.

Can you please suggest some optimizations of the firewall rules and queue settings?

These are the corresponding configurations:

ros code

/ip firewall filter
add action=drop chain=input in-interface=e10-wan
add action=drop chain=forward comment="drop unknown connections from guest lan" connection-state=new dst-port=\
    !80,443,110,25,143,465,585,993,995 protocol=tcp src-address=192.168.2.0/24
add action=drop chain=input comment="Block blacklisted addresses" in-interface=diginet src-address-list=blacklist
add action=tarpit chain=input comment="DoS Protection #1 - Tarpit conn-limit-blacklist" in-interface=diginet \
    protocol=tcp src-address-list=conn-limit-blacklist
add action=add-src-to-address-list address-list=conn-limit-blacklist address-list-timeout=10h chain=input comment=\
    "DoS Protection #1 - Connection limit" connection-limit=10,32 in-interface=diginet protocol=tcp
add action=jump chain=forward comment="DoS Protection #2 - SYN" connection-state=new in-interface=diginet \
    jump-target=SYN_Protect protocol=tcp tcp-flags=syn
add chain=SYN_Protect connection-state=new in-interface=diginet limit=10,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN_Protect in-interface=diginet protocol=tcp tcp-flags=syn
add action=log chain=input comment="Log port scanning" dst-limit=5/1m,2,dst-address in-interface=diginet \
    log-prefix="PORT SCANNING" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=blacklist chain=input comment="Port scanning protection" \
    in-interface=diginet protocol=tcp psd=21,3s,3,1
add action=jump chain=input comment="ICMP Chain - !blacklist" in-interface=diginet jump-target=ICMP protocol=icmp \
    src-address-list=!blacklist
add chain=ICMP comment="ICMP 0:0" icmp-options=0:0 in-interface=diginet limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP 8:0" icmp-options=8:0 in-interface=diginet limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP 11:0" icmp-options=11:0 in-interface=diginet limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP 3:3" icmp-options=3:3 in-interface=diginet limit=5,5 protocol=icmp
add chain=ICMP comment="ICMP 3:4" icmp-options=3:4 in-interface=diginet limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="ICMP drop" icmp-options=0 in-interface=diginet protocol=icmp
add action=log chain=input comment="Log PortAccept" connection-state=new dst-port=\
    1723,44080,44081,45021,45022,46021,46022,46080,46291 in-interface=diginet log-prefix=PA protocol=tcp
add action=jump chain=input comment="Jump to PortAccept" connection-state=new dst-port=\
    1723,44080,44081,45021,45022,46021,46022,46080,46291 in-interface=diginet jump-target=PortAccept protocol=tcp
add action=log chain=PortAccept comment="Log FTP access from WAN" connection-state=new dst-limit=\
    5/1m,2,dst-address dst-port=45021 in-interface=diginet log-prefix=FTP protocol=tcp
add action=log chain=PortAccept comment="Log SSH access from WAN" connection-state=new dst-limit=\
    5/1m,2,dst-address dst-port=45022 in-interface=diginet log-prefix=SSH protocol=tcp
add action=log chain=PortAccept comment="Log HTTP access from WAN" connection-state=new dst-limit=\
    5/1m,2,dst-address dst-port=44080 in-interface=diginet log-prefix=HTTP protocol=tcp
add action=log chain=PortAccept comment="Log HTTPS access from WAN" connection-state=new dst-limit=\
    5/1m,2,dst-address dst-port=44081 in-interface=diginet log-prefix=HTTPS protocol=tcp
add action=log chain=PortAccept comment="Log MikroTik PPTP access from WAN" connection-state=new dst-limit=\
    5/1m,2,dst-address/30s dst-port=1723 in-interface=diginet log-prefix="MikroTik PPTP" protocol=tcp
add action=log chain=PortAccept comment="Log MikroTik FTP access from WAN" connection-state=new dst-limit=\
    5/1m,0,dst-address/30s dst-port=46021 in-interface=diginet log-prefix="MikroTik FTP" protocol=tcp
add action=log chain=PortAccept comment="Log MikroTik SSH access from WAN" connection-state=new dst-limit=\
    5/1m,2,dst-address dst-port=46022 in-interface=diginet log-prefix="MikroTik SSH" protocol=tcp
add action=log chain=PortAccept comment="Log HTTP admin access from WAN" connection-state=new dst-limit=\
    5/1m,2,dst-address dst-port=46080 in-interface=diginet log-prefix="HTTP Admin" protocol=tcp
add action=log chain=PortAccept comment="Log WinBox access from WAN" connection-state=new dst-limit=\
    5/1m,2,dst-address dst-port=46291 in-interface=diginet log-prefix=WinBox protocol=tcp
add chain=PortAccept comment="Allow PPTP from WAN" connection-state=new dst-port=1723 in-interface=diginet \
    protocol=tcp
add chain=PortAccept comment="Allow MikroTik FTP from WAN" connection-state=new dst-port=46021 in-interface=\
    diginet limit=5,5 protocol=tcp
add chain=PortAccept comment="Allow MikroTik SSH from WAN" connection-state=new dst-port=46022 in-interface=\
    diginet limit=5,5 protocol=tcp
add chain=PortAccept comment="Allow HTTP admin from WAN" connection-state=new dst-port=46080 in-interface=diginet \
    limit=5,5 protocol=tcp
add chain=PortAccept comment="Allow WinBox from WAN" dst-port=46291 in-interface=diginet protocol=tcp
add chain=input comment="torrent dht" dst-port=6881 in-interface=diginet protocol=udp
add action=log chain=PortAccept comment="Blacklist bruteforcers" connection-state=new in-interface=diginet \
    log-prefix="PORT BRUTEFORCE:" protocol=tcp
add action=add-src-to-address-list address-list=blacklist chain=PortAccept comment="Blacklist bruteforcers" \
    connection-state=new in-interface=diginet protocol=tcp
add action=drop chain=input comment="Block unnecessary closed ports" dst-port=0,1 in-interface=diginet protocol=\
    tcp
add action=drop chain=input comment="drop unknown new connections" connection-state=new in-interface=diginet
add action=drop chain=input comment="drop invalid connections" connection-state=invalid in-interface=diginet

ros code

/ip firewall mangle
add action=mark-connection chain=prerouting comment="dns requests" new-connection-mark=dns port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=dns new-packet-mark=qos-prio-1 passthrough=no
add action=mark-connection chain=prerouting comment="ftp out" dst-port=21,45021 new-connection-mark=ftp-conn \
    protocol=tcp
add action=mark-packet chain=prerouting connection-mark=ftp-conn new-packet-mark=qos-prio-2 passthrough=no
add action=mark-connection chain=prerouting comment="nas ftp data" dst-port=45899-45999 in-interface=diginet \
    new-connection-mark=ftp-data-conn protocol=tcp
add action=mark-packet chain=prerouting connection-mark=ftp-data-conn new-packet-mark=qos-prio-6 passthrough=no
add action=mark-packet chain=prerouting comment="winbox in" dst-port=46291 in-interface=diginet new-packet-mark=\
    qos-prio-2 passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="winbox out" new-packet-mark=qos-prio-2 passthrough=no protocol=\
    tcp src-port=46291
add action=mark-packet chain=prerouting comment=icmp new-packet-mark=qos-prio-1 passthrough=no protocol=icmp
add action=mark-connection chain=prerouting comment="ssh in" dst-port=22,45022,46022 in-interface=diginet \
    new-connection-mark=ssh-in protocol=tcp
add action=mark-packet chain=prerouting connection-mark=ssh-in new-packet-mark=qos-prio-2 passthrough=no
add action=mark-connection chain=prerouting comment="ssh out" dst-port=22 new-connection-mark=ssh-out protocol=tcp
add action=mark-packet chain=prerouting connection-mark=ssh-out new-packet-mark=qos-prio-2 passthrough=no
add action=mark-connection chain=prerouting comment="http(s) request" connection-bytes=0-500000 dst-port=80,443 \
    new-connection-mark=http-req-out protocol=tcp
add action=mark-connection chain=prerouting comment="http(s) download" connection-bytes=500000-0 dst-port=80,443 \
    new-connection-mark=http-data-out protocol=tcp
add action=mark-packet chain=prerouting connection-mark=http-req-out new-packet-mark=qos-prio-2 passthrough=no
add action=mark-packet chain=prerouting connection-mark=http-data-out new-packet-mark=qos-prio-6 passthrough=no
add action=mark-connection chain=prerouting comment="input http(s) request" connection-bytes=0-500000 dst-port=\
    44080,44081 in-interface=diginet new-connection-mark=http-req-in protocol=tcp
add action=mark-connection chain=prerouting comment="input http(s) data" connection-bytes=500000-0 dst-port=\
    44080,44081 in-interface=diginet new-connection-mark=http-data-in protocol=tcp
add action=mark-packet chain=prerouting connection-mark=http-req-in new-packet-mark=qos-prio-2 passthrough=no
add action=mark-packet chain=prerouting connection-mark=http-data-in new-packet-mark=qos-prio-6 passthrough=no
add action=mark-connection chain=prerouting comment=openvpn dst-port=1194 new-connection-mark=openvpn-out \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=openvpn-out new-packet-mark=qos-prio-2 passthrough=no
add action=mark-connection chain=prerouting comment="kryng.me rtp" dst-address-list=kryngme-rtp \
    new-connection-mark=kryngme-rtp
add action=mark-packet chain=prerouting connection-mark=kryngme-rtp new-packet-mark=qos-prio-1 passthrough=no
add action=mark-connection chain=prerouting comment=sips dst-port=5061 new-connection-mark=sips-out protocol=tcp
add action=mark-packet chain=prerouting connection-mark=sips-out new-packet-mark=qos-prio-2 passthrough=no
add action=mark-packet chain=prerouting comment="pure acks" new-packet-mark=qos-prio-1 packet-size=0-80 \
    passthrough=no protocol=tcp tcp-flags=ack

ros code

/queue tree
add limit-at=22M max-limit=22M name=out parent=diginet queue=default
add limit-at=22M max-limit=22M name=qos-out-prio-1 packet-mark=qos-prio-1 parent=out priority=1 queue=output
add limit-at=44M max-limit=44M name=in parent=lan-bridge queue=default
add limit-at=44M max-limit=44M name=qos-in-prio-1 packet-mark=qos-prio-1 parent=in priority=1 queue=input
add limit-at=44M max-limit=44M name=qos-in-prio-2 packet-mark=qos-prio-2 parent=in priority=2 queue=input
add limit-at=5M max-limit=44M name=qos-in-prio-7 packet-mark=qos-prio-7 parent=in priority=7 queue=input
add limit-at=22M max-limit=22M name=qos-out-prio-2 packet-mark=qos-prio-2 parent=out priority=2 queue=output
add limit-at=5M max-limit=22M name=qos-out-prio-7 packet-mark=qos-prio-7 parent=out priority=7 queue=output
add limit-at=1M max-limit=43M name=qos-in-prio-8 packet-mark=no-mark parent=in queue=input
add limit-at=1M max-limit=20M name=qos-out-prio-8 packet-mark=no-mark parent=out queue=output
add limit-at=30M max-limit=44M name=qos-in-prio-6 packet-mark=qos-prio-6 parent=in priority=6 queue=input
add limit-at=15M max-limit=22M name=qos-out-prio-6 packet-mark=qos-prio-6 parent=out priority=6 queue=output
add limit-at=44M max-limit=44M name=qos-in-prio-3 packet-mark=qos-prio-3 parent=in priority=3 queue=input
add limit-at=22M max-limit=22M name=qos-out-prio-3 packet-mark=qos-prio-3 parent=out priority=3 queue=output

ros code

/queue type
add kind=pcq name=input pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-limit=300 pcq-rate=44M \
    pcq-src-address6-mask=64 pcq-total-limit=5000
add kind=pcq name=output pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=200 pcq-rate=22M \
    pcq-src-address6-mask=64

PS: sorry for the long post.
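One way to restructure the ruleset so that the common case costs a single rule lookup, shown as an added illustration that is not part of the original post or any reply in this thread. The interface name diginet, the guest LAN, the ports, the mark names and the queue names are taken from the post above; the rule ordering and the connection-mark=no-mark matchers are the optimization being demonstrated, and only a representative subset of the poster's rules is carried over.

```routeros
/ip firewall filter
# Cheap decisions first: nearly every P2P packet belongs to an already
# tracked connection, so these four rules absorb most of the load and
# the rest of the chain only ever sees connection-state=new packets.
add chain=input action=drop connection-state=invalid \
    comment="drop invalid before anything else"
add chain=input action=accept connection-state=established,related \
    comment="fast path for tracked connections"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=established,related
# The expensive matchers from the post (connection-limit, psd, dst-limit,
# the PortAccept jump) follow here unchanged; with connection-state=new on
# each of them they now run once per connection, not once per packet.
add chain=forward action=drop connection-state=new src-address=192.168.2.0/24 \
    protocol=tcp dst-port=!80,443,110,25,143,465,585,993,995 \
    comment="drop unknown connections from guest lan"
add chain=input action=jump jump-target=PortAccept connection-state=new \
    in-interface=diginet protocol=tcp \
    dst-port=1723,44080,44081,45021,45022,46021,46022,46080,46291
add chain=input action=drop connection-state=new in-interface=diginet \
    comment="drop unknown new connections"

/ip firewall mangle
# Classify a connection once: connection-mark=no-mark keeps a
# mark-connection rule from being re-evaluated on every packet of a
# connection that already carries a mark. Per-packet rules then match on
# the connection mark only, which is one conntrack lookup.
add chain=prerouting action=mark-connection connection-mark=no-mark \
    protocol=udp port=53 new-connection-mark=dns passthrough=yes comment=dns
# http(s): a new connection starts as a request and is promoted to bulk
# data once it passes the byte threshold. Matching on the previous mark
# (rather than no-mark) is what allows the promotion to still happen.
add chain=prerouting action=mark-connection connection-mark=no-mark \
    protocol=tcp dst-port=80,443 new-connection-mark=http-req-out \
    passthrough=yes comment="http(s) request"
add chain=prerouting action=mark-connection connection-mark=http-req-out \
    connection-bytes=500000-0 new-connection-mark=http-data-out \
    passthrough=yes comment="http(s) download"
# Packet marks are derived from the connection mark; passthrough=no
# stops processing at the first match. Unmarked traffic falls through to
# the no-mark queues (qos-in-prio-8 / qos-out-prio-8) from the post.
add chain=prerouting action=mark-packet connection-mark=dns \
    new-packet-mark=qos-prio-1 passthrough=no
add chain=prerouting action=mark-packet connection-mark=http-req-out \
    new-packet-mark=qos-prio-2 passthrough=no
add chain=prerouting action=mark-packet connection-mark=http-data-out \
    new-packet-mark=qos-prio-6 passthrough=no
```

The same pattern (mark-connection guarded by connection-mark=no-mark, then mark-packet on the connection mark) applies to the remaining ftp, ssh, openvpn, sips and rtp rules from the post.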
 
cp8
newbie
Posts: 26
Joined: Sat Dec 08, 2007 6:46 am

Re: Firewall and queue optimization

Thu Jan 24, 2013 6:22 am

I'm in the same boat. I had a great multihomed home router, two internet connections, queue tree, QoS, the works. It ran great up until the day my ISP gave me more bandwidth than the router's CPU could handle. Averages around 80% CPU load, and will occasionally hit 100% and lock up for a few minutes or until traffic subsides.

I think the Mikrotik routerboards just aren't fast enough to handle more than 30Mbps of torrent traffic. Even if you disable all queues and firewall rules, my stock RB750G with 680MHz CPU can't handle it. It seems the only way to break through the 30Mbit barrier is to turn off connection tracking... but that means you can't use NAT. :(

So after using Mikrotik for 10 years on various devices... I'm thinking of switching to something faster. Something 1GHz? Dual core? Back to an x86 router? Any recommendations?
