Netgate Discussion Forum

    Which is faster?

    • JKnott

      With firewall rules, it is possible to have individual IPv4 & IPv6 rules or a combined rule that does the same thing. Does the single rule provide better performance or separate rules? Is there any difference?

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • awebster

        TLDR: Single rule.

        pfSense uses pfctl as the actual firewall on the FreeBSD operating system; pfSense's main function is to provide a convenient, user-friendly interface to pfctl.
        I had a quick look through the resulting pfctl config generated by the pfSense web GUI.
        When using Aliases as groups of addresses (not ports) you are effectively creating tables in pfctl; consequently one rule that uses aliases is viewed as one rule by pfctl, whereas creating individual rules creates individual rules in pfctl.
        Logically, more CPU cycles will be used to process multiple rules than to process a single rule containing multiple addresses, as it can use an address lookup table to speed things up significantly.
        This depends on the commonality of the elements; for instance, setting the protocol as tcp/udp generates 2 pfctl rules, one for tcp and one for udp.
        Using source networks, i.e. LAN net, with both IPv4 and IPv6 addresses with an alias generates 2 pfctl rules, one for the IPv4 source and one for the IPv6 source, but each using the single alias for the destination. Some minuscule performance improvement might be gleaned by creating internal tables for dual-stack configured interfaces.
        One item of note, though, is that when you use port aliases, it actually bursts the alias out into multiple pfctl rules for all the constituent port alias members, so in this instance there would be no performance difference between multiple rules or one rule with a ports alias.

        You can check this out by dropping into a shell and having a look around. Be sure to have some identifiable descriptions in your rules in order to help locate them using the CLI tools and grepping for the descriptions.

        Be careful, you can bork the firewall pretty easily by entering the wrong commands with pfctl, proceed at your own risk...although nothing a reload or reboot wouldn't fix.
        The tables will show up in the rulebase as <table_name>.

        • Dump the rulebase: pfctl -sr
        • Dump the list of tables: pfctl -s Tables
        • Dump a specific table: pfctl -t table_name -T show

        –A.

        • JKnott @awebster
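The post above suggests dropping to a shell and grepping the `pfctl -sr` output by rule description to see how one GUI rule expands. The script below is an added example, not code from the post or from pfSense, that does that grouping. It embeds a constructed `pfctl -sr` style dump (interface `igb1`, the aliases `web_servers`, `dns_servers`, `blocklist` and the three descriptions are all made up) built to show the expansions the post describes: an address alias appears once as a `<table>`, a tcp/udp rule becomes two rules, and a dual-stack source with a two-port alias becomes four rules. It assumes the generator puts the GUI description in the rule label with a `USER_RULE:` prefix; check that prefix against your own dump before relying on it.

```shell
#!/bin/sh
# Added example (not from the forum post or pfSense): group a `pfctl -sr`
# dump by GUI description to count how many pf rules each GUI rule produced,
# and list the tables (<alias>) the rules reference.
#
# RULES is a constructed sample in pfctl -sr format, not a dump from a real
# box. The label prefix "USER_RULE:" is assumed to match pfSense's generator.
RULES='pass in quick on igb1 inet proto tcp from 192.0.2.0/24 to <web_servers> port = 80 flags S/SA keep state label "USER_RULE: allow web"
pass in quick on igb1 inet proto tcp from 192.0.2.0/24 to <web_servers> port = 443 flags S/SA keep state label "USER_RULE: allow web"
pass in quick on igb1 inet6 proto tcp from 2001:db8::/64 to <web_servers> port = 80 flags S/SA keep state label "USER_RULE: allow web"
pass in quick on igb1 inet6 proto tcp from 2001:db8::/64 to <web_servers> port = 443 flags S/SA keep state label "USER_RULE: allow web"
pass in quick on igb1 inet proto tcp from 192.0.2.0/24 to <dns_servers> port = 53 flags S/SA keep state label "USER_RULE: allow dns"
pass in quick on igb1 inet proto udp from 192.0.2.0/24 to <dns_servers> port = 53 keep state label "USER_RULE: allow dns"
block drop in log quick on igb1 inet from <blocklist> to any label "USER_RULE: drop bad"'

# rules_per_label: read a rules dump on stdin, print "<count> <description>"
# for every USER_RULE label. On a real box: pfctl -sr | rules_per_label
rules_per_label() {
    sed -n 's/.*label "USER_RULE: \([^"]*\)".*/\1/p' | sort | uniq -c | sed 's/^ *//'
}

# tables_referenced: read a rules dump on stdin, print the distinct table
# names that appear as <name> in the rules, one per line.
tables_referenced() {
    grep -o '<[^>]*>' | tr -d '<>' | sort -u
}

# count_for DESCRIPTION: number of pf rules in $RULES generated for one GUI
# rule description (what you would grep for after giving the rule a
# recognisable description in the GUI).
count_for() {
    printf '%s\n' "$RULES" | grep -c "label \"USER_RULE: $1\""
}

# Stand-alone run: show the expansion of each GUI rule and the tables used.
echo "pf rules per GUI rule:"
printf '%s\n' "$RULES" | rules_per_label
echo "tables referenced:"
printf '%s\n' "$RULES" | tables_referenced
```

In the sample, "allow web" expands to 4 pf rules (IPv4 and IPv6 source times a two-member port alias) while still referencing one `<web_servers>` table, "allow dns" expands to 2 (tcp and udp), and "drop bad" stays at 1 with the whole address alias behind `<blocklist>`. Replace the embedded sample with `pfctl -sr` on the firewall to get the real counts for your own rules.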

          @awebster said in Which is faster?:

          Logically more CPU cycles will be used to process multiple rules than to process a single rule containing multiple addresses, as it can use an address lookup table to speed things up significantly.

          That's what I suspected.

          tnx

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.