mjuliov
just joined
Topic Author
Posts: 9
Joined: Wed Aug 09, 2023 7:25 pm

High CPU load (100%)

Fri Sep 01, 2023 10:32 pm

Hello
I have 100% CPU usage almost always
This is my router:
routerboard: yes
model: 751U-2HnD
serial-number: 46ED02E1EDC3
firmware-type: ar7240
factory-firmware: 3.02
current-firmware: 3.02
upgrade-firmware: 6.46.2

Router resources are:
uptime: 32m8s
version: 6.46.2 (stable)
build-time: Jan/14/2020 07:17:12
free-memory: 6.9MiB
total-memory: 32.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 400MHz
cpu-load: 100%
free-hdd-space: 108.8MiB
total-hdd-space: 128.0MiB
write-sect-since-reboot: 593
write-sect-total: 104568
bad-blocks: 0%
architecture-name: mipsbe
board-name: RB751U-2HnD
platform: MikroTik

Profiler attached
I expected the firewall to be the resource eater, but it isn't
DNS is quite high
Also the www interface, but when using Winbox it is even worse


Anything can be done to improve?
Thanks in advance

 
krafg
Forum Guru
Posts: 1042
Joined: Sun Jun 28, 2015 7:36 pm

Re: High CPU load (100%)

Fri Sep 01, 2023 11:05 pm

See the logs if you see something weird/suspect.

Regards.
 
jookraw
Member Candidate
Posts: 146
Joined: Mon Aug 19, 2019 3:06 pm

Re: High CPU load (100%)

Fri Sep 01, 2023 11:29 pm

Check if you have the dns port exposed to the internet or maybe you have something inside your network doing lots of dns requests.
If not, create a firewall rule on input chain, udp port 53, source interface (your wan) action deny

You are also running a 3y old rOS version, update to the latest v6 and don't forget to update the firmware, as you are still running the original from the factory.

There is also something suspect with your storage, something is doing a lot of read/write to your flash.
 
mjuliov
just joined
Topic Author
Posts: 9
Joined: Wed Aug 09, 2023 7:25 pm

Re: High CPU load (100%)

Mon Sep 04, 2023 3:54 pm

jookraw wrote:
> Check if you have the dns port exposed to the internet or maybe you have something inside your network doing lots of dns requests.
> If not, create a firewall rule on input chain, udp port 53, source interface (your wan) action deny
>
> You are also running a 3y old rOS version, update to the latest v6 and don't forget to update the firmware, as you are still running the original from the factory.
>
> There is also something suspect with your storage, something is doing a lot of read/write to your flash.

I am using the firewall rules from Reference Manual:

/ ip firewall filter
add chain=input connection-state=invalid action=drop \
comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
comment="Allow Established connections"
add chain=input protocol=udp action=accept \
comment="Allow UDP"
add chain=input protocol=icmp action=accept \
comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"

Following your suggestion to check for DNS, the rule that allows UDP from everywhere seems suspicious.
Should I allow only UDP from inside?
Also I don't like ICMP from outside. In my opinion that only makes it easier for an attacker to find my router

Thank you
 
erlinden
Forum Guru
Posts: 2980
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: High CPU load (100%)

Mon Sep 04, 2023 4:59 pm

Default rules (which is a bit better than your current rule set):
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
And for the forward chain:
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
Don't remove ICMP, it is used for more than ping.
Update your RouterOS, it is outdated (and upgrade firmware as well):
https://wiki.mikrotik.com/wiki/Manual:U ... g_RouterOS

Don't just replace your current config, it might not work out-of-the-box.
 
mjuliov
just joined
Topic Author
Posts: 9
Joined: Wed Aug 09, 2023 7:25 pm

Re: High CPU load (100%)

Thu Sep 07, 2023 3:44 pm

erlinden wrote:
> Default rules (which is a bit better than your current rule set):
> /ip firewall filter
> add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
> add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
> add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
> add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
> add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
> And for the forward chain:
> add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
> add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
> add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
> add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
> add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
> add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
> Don't remove ICMP, it is used for more than ping.
> Update your RouterOS, it is outdated (and upgrade firmware as well):
> https://wiki.mikrotik.com/wiki/Manual:U ... g_RouterOS
>
> Don't just replace your current config, it might not work out-of-the-box.

1) I have upgraded to the latest version
2) I have disabled DNS requests from WAN
Now it is working fantastic!
Thank you for your advice.
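
Added example, not part of any post in this thread: a small first-match evaluator that runs the two input-chain rule sets quoted above against a constructed WAN-side DNS query, to show which rule decides the packet in each. The matcher is a simplification that only understands the matchers these rules use; the packet addresses and the assumption that the packet's interface list is already known are made up for the illustration.

```python
import ipaddress, shlex

# Input-chain rules as posted in the thread (line continuations joined).
REFERENCE_MANUAL = '''
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input protocol=udp action=accept comment="Allow UDP"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"
'''
DEFCONF = '''
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
'''
# Constructed packet: unsolicited DNS query to the router arriving on the WAN side.
WAN_DNS = {"protocol": "udp", "connection-state": "new", "in-interface-list": "WAN",
           "src-address": "203.0.113.7", "dst-address": "198.51.100.2"}

def parse(text):
    """Turn 'add key=value ...' lines into a list of dicts."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.strip().splitlines()]

def matches(rule, pkt):
    # Every matcher in the rule must agree with the packet ('!' negates a matcher).
    for key, want in rule.items():
        if key in ("chain", "action", "comment"):
            continue
        negate, want = want.startswith("!"), want.lstrip("!")
        if key in ("src-address", "dst-address"):
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        else:
            hit = pkt[key] in want.split(",")
        if hit == negate:
            return False
    return True

def verdict(ruleset, pkt):
    """First matching rule wins; returns (action, comment)."""
    for rule in parse(ruleset):
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "no rule matched (chain default)"

if __name__ == "__main__":
    print(verdict(REFERENCE_MANUAL, WAN_DNS), verdict(DEFCONF, WAN_DNS))
```

With the first rule set the query is accepted by "Allow UDP" before the final drop is reached, so the router's resolver answers it; with the defconf set the same packet falls through to "drop all not coming from LAN".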