A couple of years ago, I tried to create a zone-based firewall with over 10 zones for our home network. Needless to say, the trial-and-error approach was quite painful given: (a) there were a lot of "error" cases where I managed to lock myself out and needed to reboot to the last-known-good configuration; and (b) it took so long to commit and/or load the configuration at boot that I got tired of hearing the family's "Is the Internet down?" questions with every trial. Rather than continue the fight, I flattened my network a lot and settled on a three-zone configuration that has been working OK.
I am now re-designing our network to accommodate some recent hardware acquisitions and plan for some topology changes I am going to implement in our new house. The more I looked at what I needed/wanted to do with the network, the more I realized that the three-zone configuration was no longer going to cut it.
After re-reading a majority of the posts regarding zone-based firewalls, and not seeing any improvements in the performance, I decided to look into the issue to see what could be done. What I discovered was that the majority of the time taken to commit/load the zone-based firewall configuration was not spent in actual execution of commands, but instead was time spent by the Perl interpreter loading unnecessary dependencies.
After removing unnecessary "use" directives, and converting the necessary ones to load dynamically only when needed (via the "require" directive), I was able to shrink the commit time of my three-zone configuration down from 44 seconds to 21 seconds under firmware version 1.10.8. Things take a bit longer under firmware 2.0.0, but I was still able to shrink that time down from 58 seconds to 32 seconds.
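The following is an added illustration of the "use" versus "require" distinction behind the timing improvement above; it is not code from the attached archive or from the EdgeRouter firmware. It spawns a fresh interpreter to measure what compiling a handful of modules at startup costs (the way a top-level "use" does), then shows the lazy pattern of calling "require" inside the one subroutine that needs the module. The module names are stand-ins chosen because they ship with core Perl; the dump_config subroutine and its sample hash are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Time::HiRes qw(time);

# Stand-ins for dependencies a script might declare with "use" at the top.
# These are core modules, so the example runs on any Perl installation.
my @OPTIONAL = qw(Pod::Usage Encode Storable Data::Dumper);

# Start a fresh interpreter that compiles the given modules during startup
# (perl -MModule is equivalent to "use Module;") and then exits immediately.
# Returns the wall-clock seconds the whole process took.
sub startup_seconds {
    my @mods = @_;
    my $t0 = time;
    system($^X, (map { "-M$_" } @mods), '-e', '1') == 0
        or die "perl failed to start: $?";
    return time - $t0;
}

# Lazy style: the module is compiled only on the code path that needs it, and
# only once, because require consults %INC on later calls. Unlike "use",
# require does not call import(), so names must be fully qualified.
sub dump_config {
    my ($config) = @_;
    require Data::Dumper;
    local $Data::Dumper::Sortkeys = 1;   # stable output for diffing
    return Data::Dumper::Dumper($config);
}

my $bare  = startup_seconds();
my $eager = startup_seconds(@OPTIONAL);
printf "bare interpreter:            %.3f s\n", $bare;
printf "with %d modules loaded eagerly: %.3f s\n", scalar @OPTIONAL, $eager;
printf "startup cost of eager 'use':  %.3f s\n", $eager - $bare;

# The lazy path pays nothing until it is actually taken.
printf "Data::Dumper loaded before use? %s\n",
    exists $INC{'Data/Dumper.pm'} ? 'yes' : 'no';
print dump_config({ zone => 'LAN', action => 'accept' });   # constructed sample
printf "Data::Dumper loaded after use?  %s\n",
    exists $INC{'Data/Dumper.pm'} ? 'yes' : 'no';
```

Run it as "perl lazy_load_demo.pl". The measured difference is the per-invocation tax every "use" line imposes on a script whether or not that run exercises the module; the same pattern applied to the firewall scripts is what produces the commit-time reduction described above. When converting a "use" to a "require", also move any imported names to their fully qualified form (or call Module->import explicitly), since "require" alone does not export them.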
After copying the attached archive to your EdgeRouter, extract it as follows:
tar xzf zone_perf_enhancement_201902120014.tar.gz
Read the included README file for additional information. You can execute the supplied shell script to apply the modifications as follows:
All original files will be backed up with an "_YYYYMMDDhhmm" extension.
Please respond to this thread with any questions, comments, or issues you may have.
Hopefully others will find these modifications as useful as I have, and UBNT will be able to merge these changes into a future firmware release so everyone can reap the benefits.