Custom Firewall Rule and Slowness Observed, Why??

    Firewalling
CallFromUSA:

Ping Test with selective Firewall Rules. See Attachment.

      -Latitude-3330 ~ $ ping 37.59.118.37
      PING 37.59.118.37 (37.59.118.37) 56(84) bytes of data.
      64 bytes from 37.59.118.37: icmp_seq=5 ttl=49 time=624 ms
      64 bytes from 37.59.118.37: icmp_seq=11 ttl=49 time=783 ms
      64 bytes from 37.59.118.37: icmp_seq=27 ttl=49 time=793 ms
      64 bytes from 37.59.118.37: icmp_seq=31 ttl=49 time=501 ms
      64 bytes from 37.59.118.37: icmp_seq=49 ttl=49 time=386 ms
      ^C
--- 37.59.118.37 ping statistics ---
      57 packets transmitted, 5 received, 91% packet loss, time 56406ms
      rtt min/avg/max/mdev = 286.942/437.864/793.624/191.248 ms

      Ping Test with Any to Any Rule on Firewall:

      -Latitude-3330 ~ $ ping 37.59.118.37
      PING 37.59.118.37 (37.59.118.37) 56(84) bytes of data.
      64 bytes from 37.59.118.37: icmp_seq=1 ttl=49 time=281 ms
      64 bytes from 37.59.118.37: icmp_seq=2 ttl=49 time=279 ms
      64 bytes from 37.59.118.37: icmp_seq=3 ttl=49 time=275 ms
      64 bytes from 37.59.118.37: icmp_seq=4 ttl=49 time=278 ms

Why is there slowness with my rule while the Any-to-any rule shows no slowness (web surfing is very good)? How can I go about optimizing this?


KOM:
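An added example (not from the thread) that parses the two ping captures quoted above and pulls out what the later replies point at: how much was lost, how long the gaps of missing sequence numbers are, and how much the RTT varies. Long runs of missing replies with a jittery RTT are the signature of a path problem, whereas a firewall rule either passes a packet or drops it and does not add hundreds of milliseconds. The input is the reply lines copied from the post, embedded here as constructed sample data.

```python
import re
from statistics import mean, pstdev

# Constructed input: the two ping captures quoted in the post above (reply
# lines only, so every number comes from what is visible in the thread).
SELECTIVE_RULES = """\
64 bytes from 37.59.118.37: icmp_seq=5 ttl=49 time=624 ms
64 bytes from 37.59.118.37: icmp_seq=11 ttl=49 time=783 ms
64 bytes from 37.59.118.37: icmp_seq=27 ttl=49 time=793 ms
64 bytes from 37.59.118.37: icmp_seq=31 ttl=49 time=501 ms
64 bytes from 37.59.118.37: icmp_seq=49 ttl=49 time=386 ms
--- 37.59.118.37 ping statistics ---
57 packets transmitted, 5 received, 91% packet loss, time 56406ms
"""
ANY_TO_ANY = """\
64 bytes from 37.59.118.37: icmp_seq=1 ttl=49 time=281 ms
64 bytes from 37.59.118.37: icmp_seq=2 ttl=49 time=279 ms
64 bytes from 37.59.118.37: icmp_seq=3 ttl=49 time=275 ms
64 bytes from 37.59.118.37: icmp_seq=4 ttl=49 time=278 ms
"""

REPLY_RE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")


def analyse_ping(output):
    seqs, rtts = [], []
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            seqs.append(int(m.group(1)))
            rtts.append(float(m.group(2)))
    m = SUMMARY_RE.search(output)
    if m:
        sent, received = int(m.group(1)), int(m.group(2))
    else:  # interrupted before the summary: infer from the highest sequence seen
        sent, received = max(seqs), len(seqs)
    # Longest run of consecutive sequence numbers that never got a reply.
    # Long gaps mean the path drops bursts of packets, not the odd packet.
    seen, gap, max_gap = set(seqs), 0, 0
    for seq in range(1, sent + 1):
        gap = 0 if seq in seen else gap + 1
        max_gap = max(max_gap, gap)
    return {
        "sent": sent, "received": received,
        "loss_pct": round(100.0 * (sent - received) / sent),
        "rtt_avg": round(mean(rtts), 1), "rtt_mdev": round(pstdev(rtts), 1),
        "max_gap": max_gap,
    }
```

For the first capture this reports 91% loss with a longest gap of 17 consecutive unanswered probes and an RTT spread of well over 150 ms around a 617 ms average; the second reports 0% loss and a flat 278 ms. That difference is what cmb's reply below calls "something introducing variability", and it is worth collecting a traceroute alongside the ping before touching rules again.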

        Your rules are borked.  You don't need ANY of them with the exception of the Anti-Lockout rule at the top, and the Default Allow LAN to Any rule at the bottom.  Everything else you have added is unnecessary and likely confusing you.  While it may have no impact on your actual problem, you should get your rules straight before you start troubleshooting.

Harvy66:

          91% loss and high enough pings to go around the Earth a few times? Are you sure you don't have some circular route or something? Try doing a trace route.

CallFromUSA:

Hi, I reverted back to my old rules and I observed that when I use the middle WAN rule (shown in the printscreen) I get no packet loss and also get good ms. However, when I deactivate it, although I am still getting connection, I observe those packet losses. Also, I didn't quite understand the "invert match" option beside the src and dst address. I did a trial and error where I deactivated it and had connectivity issues, while when it was activated it worked like a charm.

            Can you please give me some advice and more information on the inverse match? Thanks.


CallFromUSA:

              @KOM:

              Your rules are borked.  You don't need ANY of them with the exception of the Anti-Lockout rule at the top, and the Default Allow LAN to Any rule at the bottom.  Everything else you have added is unnecessary and likely confusing you.  While it may have no impact on your actual problem, you should get your rules straight before you start troubleshooting.

If I keep the default Allow LAN to Any rule, isn't that some sort of security hole? I thought that I would deactivate that rule and then have my own rules do what I want them to do.

KOM:

                If I keep the default rule of Allow LAN to Any Rule, isn't that some sort of security hole?

                Not so much.  If you lock down LAN to that degree, you will face an endless series of user issues trying to run software that uses the Internet.  You can certainly do that if you want to, but it's not recommended and that's why it's the default.  If you're running an Internet Cafe then it might be more important to lock down LAN, but if this is for home or your company network then it's not as important.  The real question is, do you trust your users or not?

cmb:

                  @CallFromUSA:

                  Hi I reverted back to my old rules and I observed that when I use the middle WAN Rule ( shown in the printscreen) I get no packet loss and also get good ms.

                  The WAN rules have absolutely no impact on traffic from your LAN. Your connection looks awful indeed, but there is something introducing variability that has nothing to do with what firewall rules you're messing with.

CallFromUSA:

                    @cmb:

                    @CallFromUSA:

                    Hi I reverted back to my old rules and I observed that when I use the middle WAN Rule ( shown in the printscreen) I get no packet loss and also get good ms.

                    The WAN rules have absolutely no impact on traffic from your LAN. Your connection looks awful indeed, but there is something introducing variability that has nothing to do with what firewall rules you're messing with.

Oh hey, thanks guys. I think I see the advantages of the any LAN rule. Do you have any advice on how to make better rules? I am still new to security.

                    Sorry for these newbie questions I am still new to security.
