Iptables speedup possible?

Was wondering (have not tested in the real world yet)

what impact the size of the fw3-generated iptables ruleset has on performance,
especially on slower devices (600 MHz MIPS, etc.)
used to firewall/route at gigabit speeds between VLANs and out to the WAN.

The fw3-generated ruleset from, say, a router with 5 VLANs/zones and some
extra port forwards and traffic rules is huge compared to the same functionality
replicated on standard Linux with manual iptables rules.

(Yes, I understand that most are empty/useless and do not get walked during decision time.)
But still some do, and for posterity's sake it is worth investigating/tweaking to get the most out of devices.

Would it in such a situation make more sense to not use the Zones firewall section in LuCI,
and just move everything to Traffic Rules so as not to generate such a huge iptables ruleset?

(And yes, fully manually written iptables can work, but would skip updates from network
interface name changes, a subnet move, etc.)

Anyone have any thoughts on what kind of speedup might be expected from shrinking the
generated iptables ruleset 5-10 fold for routers with more than just LAN and WAN
(but 3-4-5 or more VLANs/zones)?

Or any other ideas or tweaks to squeeze the most out of devices...
(like disabling accounting on nf_conntrack when not used for nlbwmon or something)
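
As an added example (not from the original post, and not OpenWrt/fw3 code), here is a POSIX shell script that answers the "which rules actually get walked" question from live counters instead of guesswork: it parses the output of `iptables-save -c`, which prefixes every rule with a `[packets:bytes]` counter, and reports the total rule count, the rules that have never matched, and the summed rule hits per chain. It also reads the `nf_conntrack_acct` sysctl the post mentions. The embedded ruleset is a constructed excerpt in fw3's chain-naming style; its chain names, interface names and counter values are assumptions, not data from any real device.

```shell
#!/bin/sh
# Added example: find which iptables rules/chains are actually hit, using the
# packet counters that `iptables-save -c` prints in front of every rule.
# SAMPLE is a constructed excerpt in fw3's naming style (assumed names and
# counters); on a real router replace it with "$(iptables-save -c)".

SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_guest_rule - [0:0]
:zone_lan_forward - [0:0]
:zone_guest_forward - [0:0]
:zone_wan_forward - [0:0]
[8000:6400000] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[1200:96000] -A FORWARD -j forwarding_rule
[1200:96000] -A FORWARD -i eth0.1 -j zone_lan_forward
[0:0] -A FORWARD -i eth0.3 -j zone_guest_forward
[0:0] -A FORWARD -i eth0.2 -j zone_wan_forward
[1200:96000] -A zone_lan_forward -j forwarding_lan_rule
[1200:96000] -A zone_lan_forward -o eth0.2 -j ACCEPT
[0:0] -A zone_guest_forward -j forwarding_guest_rule
[0:0] -A zone_guest_forward -o eth0.2 -j ACCEPT
[0:0] -A zone_wan_forward -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Number of rule lines (those beginning with a "[pkts:bytes]" counter).
count_rules() {
    printf '%s\n' "$1" | awk '/^\[/ { n++ } END { print n + 0 }'
}

# Rules that have never matched a packet since the counters were last reset.
zero_hit_rules() {
    printf '%s\n' "$1" | awk '/^\[0:0\] -A / { n++ } END { print n + 0 }'
}

# Sum of the packet counters of all rules in each chain (rule hits per chain),
# highest first; ties are broken by chain name. A chain with 0 hits has never
# matched anything, so its rules are the "walked but useless" candidates.
chain_packets() {
    printf '%s\n' "$1" | awk '
        /^\[/ {
            split(substr($1, 2, length($1) - 2), c, ":")   # c[1] = packets
            for (i = 2; i < NF; i++)
                if ($i == "-A") { sum[$(i + 1)] += c[1]; break }
        }
        END { for (ch in sum) printf "%s %d\n", ch, sum[ch] }' |
    sort -k2,2nr -k1,1
}

# Current conntrack per-flow accounting state (1 = on, needed by nlbwmon;
# 0 = off). Reads the sysctl file directly so this works without sysctl(8).
conntrack_acct_state() {
    f=/proc/sys/net/netfilter/nf_conntrack_acct
    [ -r "$f" ] && cat "$f" || echo unavailable
}

echo "rules total:       $(count_rules "$SAMPLE")"
echo "rules never hit:   $(zero_hit_rules "$SAMPLE")"
echo "rule hits per chain:"
chain_packets "$SAMPLE"
echo "nf_conntrack_acct: $(conntrack_acct_state)"
```

Run it on a router after some representative traffic (the counters accumulate since boot or since `iptables -Z`); the zero-hit rules and zero-hit chains are the ones that cost lookups without ever matching, which is the measurement the post is asking about. Per-flow accounting can be turned off with `net.netfilter.nf_conntrack_acct=0` when nothing such as nlbwmon needs the per-connection byte counts.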


You realize that there's only one way to find out?

A few things to consider though:

  • there are no 'useless' rules enabled by default, while there might be circumstances where not all might be needed - determining that isn't exactly easy
  • consistency between different devices is more important than to tweak the last iota of performance out of ancient devices, the user really wants to be able to rely on the rule set without having to audit it once over for a new device
  • a device that struggles with the default rule set won't become a runner just because you drop a few rules, none of the default rules would be that heavy on its own, nor are they that many to begin with
  • modern (fast) internet connections need correspondingly fast router hardware, your decade-old router designed when 35-50 MBit/s was king won't do >>300 MBit/s in either way, even if you'd drop all firewalling
  • the modern web is complex, while some things might have gotten easier over the last decade (active FTP no longer being that important), others got more complex (VoIP/SIP, video conferencing, online gaming, etc.), and even with cloud based services being popular, quite a lot of these services need some handholding from the firewall.
  • iptables (and fw3) is on the way out, 22.03.x comes with nftables (fw4) by default

Yes, you can get a basic masquerading setup with a handful of handcrafted rules, but those will cause problems for anything but the most basic usage - read the fw3/fw4 configuration files, they're annotated (at least by default; rewriting them after changes can drop the comments, as they're 'useless' whitespace to the parser), none of the rules exists without reason. Defining zones by itself doesn't really add that much overhead; the rules applied on those zones make a difference - and those are there for a reason.


Yes, I think this is pretty much a self healing question…
Or at least a very different question very soon?

I was not nagging about fw3 nor complaining about anything
(sorry if it came across that way),
nor was I asking for changes to OpenWrt.

I was asking about a use case where a more complicated setup, with
more than the basic lan/wan zones, and inter-VLAN routing and firewall functionality,
was desired.

Would it make more sense to move everything out of the zones section into the
traffic section to keep the fw3-generated ruleset to a manageable size,
so that someone can still use old devices (that have no other uses)?

And PS: the outdated device can do full gigabit or very close to it without firewalling,
with just routing between VLANs... and it almost halves when firewalling through the zones section
is enabled between VLANs, which says there can be room for improvement
(for those of us with something more than the basic setup, which is what this question was about).

How can 600 MHz (single core?) work with 1 Gbit of data and have the system workload on top of that? Even if the CPU uses both flanks of the clock cycle, it still theoretically processes a max of 1.2 Gbit/s of data.
Compared to Gbit routers that pretty much have something like a 1.4 GHz multi-core CPU. But even a single core can then theoretically process 2.8 Gbit/s, multiplied by the number of CPU cores.

Just loading LuCI on this device must be very slow if you use the internet at the same time?

If it drops that much with zones or fw3 enabled, how much of this is routing processing, and how much is switching in the switch, when you don't use the firewall and move between half and full speed?

If you desperately try to cut off functions that you need from OpenWrt (which is a slim fit to begin with) to get a usable speed, that pretty much says you need a bigger engine.

My mistake, the EA4500 and E4200 are 1200 MHz (I was mistaken here).

But damn, if LuCI is slow for you on 600 MHz, I have a WRT54GS (8/32) that runs
OpenWrt 19 custom compiled with LuCI and is usable, for very special setups
like an AP for old devices that will not connect to newer APs (minimal or no firewall).

Even a WRT54G (4/16) with OpenWrt 19, no LuCI on that one, but it works :slight_smile:

Do you really run Gbit data on a WRT54GS or is it only a service router?

This would be much simpler if you told us what you want help with.
It was you that specifically talked about 600MHz devices from the beginning.

I haven't had devices that slow for 15-20 years.

Sorry i even asked.

PS: hope nobody in the third world asks for help here :slight_smile:
You guys might tell him to burn the village down, sell the young ones,
so that they can buy a new router :slight_smile:

Always the poor third world argument…

The third world has a lot of Gbit equipment already, for free and often EU- and US-financed. Where does all the western world's old infrastructure network stuff end up?
But they get a lot of new stuff also.

So I am not really concerned about them; the upgrade problem always seems to be with the western world population that can't afford Gbit equipment.


Your opinion of "usable" must be different than mine. I also own a WRT54GS...but I wouldn't describe it as "usable" with LuCI. In fact, I have to run OpenWrt without LuCI to even make it slightly usable.

No, not possible (I've tried; correction, it's a 100 Mbps router, I've tried that; 100 Mbps on the switch maybe, not WAN-to-LAN).

I have a setup with 7+ zones...it behaves the same as with 2.