Device limitations when using ipset

I have a small server (SMTP, POP3, web, DNS, etc.) behind a Netgear R6220 with OpenWRT.

I'd like to do centralized firewalling on it, blocking hostile and botnet-infected IPs globally, because setting it up on every VM is not optimal.

I've configured fail2ban on that box and on the VMs for particular services, using blocklist.de and other services like that to identify malicious IPs that tried to connect to my systems. I've created long-term (8 hrs) SSHD jails in the fail2ban instances. I have almost 5,000 IP addresses in some of them, obviously in an ipset-based jail, because using plain iptables for that would jam the host.

Given the limited resources of a router such as https://openwrt.org/toh/netgear/netgear_r6220, is it feasible to use such an ipset jail (that I'd manually create on my manual iptables firewall; I'm not using the built-in firewall) to block that many addresses, like 5-6K?

Thank you!

I don't know how powerful the Mediatek chip is, but its 800 MHz looks to me like it can handle this easily. A list with 6000 entries is IMO nothing. I would expect it to achieve over 100k easily, like some aggregated adblock lists.
There is a package called BanIP available (based on ipset) and there is a support thread for it: banIP support thread

Ask the people there or read it. I think that the limiting factor here is the RAM and not the CPU. But that is just a guess.

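As an added example that is not part of this thread (the set name `hostile4`, the file paths and the size parameters are assumptions): a POSIX sh helper that turns a plain IP list into an `ipset restore` file, so a 5-6K entry set is loaded in one call and matched by a single iptables rule, and the `ipset list -t` header then reports the set's actual memory footprint on the router.

```shell
#!/bin/sh
# Build an ipset "restore" file from a plain list of hostile IPs (one per line)
# so the whole set loads with one `ipset restore` instead of thousands of
# `ipset add` calls, then hook the set into iptables with a single rule.
# Assumed names/sizes (not from the thread): set "hostile4", maxelem 65536.

SET_NAME="hostile4"
MAXELEM=65536   # headroom above the 5-6K entries in the question; raise for 100k lists

# Emit a restore file on stdout: one create line, then one add line per
# syntactically valid, de-duplicated IPv4 address. Comments and blank lines are skipped.
build_restore() {
    printf 'create %s hash:ip family inet hashsize 8192 maxelem %s\n' "$SET_NAME" "$MAXELEM"
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
      | sort -u \
      | while read -r ip; do
            printf 'add %s %s\n' "$SET_NAME" "$ip"
        done
}

# Number of entries a restore file would load (its "add" lines).
count_entries() {
    grep -c '^add ' "$1"
}

# Constructed sample input (documentation ranges, not real indicators);
# duplicates and a junk line are included on purpose.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# constructed blocklist sample
192.0.2.10
198.51.100.7
192.0.2.10
not-an-ip
203.0.113.99
EOF

OUT="$(mktemp)"
build_restore "$SAMPLE" > "$OUT"
echo "entries to load: $(count_entries "$OUT")"   # → 3

# On the router, as root:
#   ipset -exist restore < "$OUT"
#   iptables -I INPUT -m set --match-set hostile4 src -j DROP   # one rule, not thousands
#   ipset list -t hostile4        # header includes "Size in memory" for the RAM question
```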