Hi @Matva 

Thanks for posting in our business forum.

The more granular your rule is, the greater the burden on the CPU.

Would the x86 server or a firewall be suitable for such a job?

You know, each rule is a set of CIDRs, and your router gotta locate more resources for it.

Hi @Matva 

Thanks for posting in our business forum.

Matva wrote

  @Clive_A 

 

Hi. I understand. Right now I am using the maximum number of location groups, blocking pretty much the entire world except for a few regions, with the CPU idling around 3% and the memory around 16%. So it seems there's still plenty of room to spare.

 

 

 

But I understand this isn´t particularly high on the features list ;) Combining some geolocation groups works for me.

Yes, I know that you may see a low usage in that.

But when it is triggered, that may not be the case. And the system is reserved for some redundancy.

As we used to have the switch that experienced the ACL limit. It hits the limit and will not be able to break it. And the explanation from the team is the hardware limit.

I can submit this as an optimization. But no guarantee this is ever gonna be implemented. It depends on the dev evaluation.

 Wouldnt a better way of optimising this be to allow a !location_group, like we can on the 5.15 adapted firmwares with !network and !ip_group ?

Then you only have to have the regions you want to allow in the list, and its easier for the CPU to compare against that and drop everything else rather than parse a massive list of CIDRs ?

Currently i employ a location group WAN in block, with every single entry enabled apart form the UK, thats 249 individual rules it has to parse for every incoming connection attempt.  It works, but what i suggest seems like a decent way to optimise this.