Wesley
newbie
Topic Author
Posts: 48
Joined: Mon Dec 08, 2008 5:00 pm

High CPU on RB1100AH

Thu Jul 07, 2011 12:22 pm

Hi,

We have recently installed an RB1100AH as a new core router. It is running the following:
ver 5.5
8 ethers are active
1 EOIP tunnel
OSPF on 3 other interfaces (routing table around 1800 routes)
BGP to our BGP router (only receiving 200 routes)
1 Metarouter that has 3 ethers assigned to it for our servers
43 filter rules
19 NATs
1 mangle
There is an average of 40-60 meg of traffic flowing through the router, and the CPU idles at 50-75% but jumps to 85-100% and then reboots; it has rebooted 6 times this week already since going live on Sunday.

Is it that the router is not strong enough to handle our requirements, or is there something we are missing?

Here is an extract from Tools -> Profile:
NAME USAGE
ethernet 7.5%
console 0%
eoip 3.5%
firewall 21%
metarouter-net 0%
gre 0%
winbox 0%
management 2%
telnet 0%
idle 53.5%
profiling 1%
queuing 9.5%
routing 0%
unclassified 2%
 
normis
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: High CPU on RB1100AH

Thu Jul 07, 2011 12:26 pm

Looks like you need to optimize your firewall and sort it into chains or something; post your rules also, please.
 
Wesley
newbie
Topic Author
Posts: 48
Joined: Mon Dec 08, 2008 5:00 pm

Re: High CPU on RB1100AH

Thu Jul 07, 2011 1:10 pm

I attached the export of our filters.
 
Wesley
newbie
Topic Author
Posts: 48
Joined: Mon Dec 08, 2008 5:00 pm

Re: High CPU on RB1100AH

Fri Jul 08, 2011 10:35 am

Any help please?
 
Wesley
newbie
Topic Author
Posts: 48
Joined: Mon Dec 08, 2008 5:00 pm

Re: High CPU on RB1100AH

Fri Jul 08, 2011 11:07 am

If you see the screenshot, between 15 and 20% is being used for queuing, but we don't have any queues on our RB.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: High CPU on RB1100AH

Fri Jul 08, 2011 5:18 pm

First, the input rules.
/ip firewall filter
add action=accept chain=input comment="Accept Established Connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept Related Connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid disabled=no src-address-list=!Trusted_Range
If packets are invalid they should be dropped. Even if they're from trusted IPs.
add action=accept chain=input comment="Allow Access from Trusted Range" disabled=no src-address-list=Trusted_Range
add action=drop chain=input comment="Drop all that is not to local" disabled=no dst-address-type=!local dst-limit=0,5,dst-address/1m40s
That makes no sense - only packets that are to local addresses are even going to make it into the input chain. This rule does nothing. Also, why call it drop if you are going to leave some of them through?
add action=add-src-to-address-list address-list="Blocked Port Scans" address-list-timeout=1d chain=input comment="Detect and Log Port Scans" disabled=no protocol=tcp psd=20,3s,3,1
add action=drop chain=input comment="Drop Port Scans" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop all that is not from unicast" disabled=no src-address-type=!unicast
add action=drop chain=input comment="Drop Everything Else" disabled=no
Why waste CPU resources detecting port scans if you're just going to drop everything anyway?
add action=jump chain=input comment="Jump to chain ICMP" disabled=no jump-target=ICMP protocol=icmp
Why jump somewhere BELOW the rule where you're dropping everything?
Your input rule set can be summarized as the functionally equivalent set below:
/ip firewall filter
add action=accept chain=input comment="Accept Established Connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept Related Connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add action=accept chain=input comment="Allow Access from Trusted Range" disabled=no src-address-list=Trusted_Range
add action=drop chain=input comment="Drop Everything Else" disabled=no
Now for the output rules.
/ip firewall filter
add action=accept chain=output comment="Accept Established Packets" connection-state=established disabled=no
add action=accept chain=output comment="Accept Related Packets" connection-state=related disabled=no
add action=drop chain=output comment="Drop Invalid Packets" connection-state=invalid disabled=no
add action=accept chain=output comment="Accept Established Packets" connection-state=established disabled=no
add action=accept chain=output comment="Accept Related Packets" connection-state=related disabled=no
add action=drop chain=output comment="Drop Invalid Packets" connection-state=invalid disabled=no
It makes no sense to police the output chain. Remove all those rules. They don't secure anything for you but have to be processed regardless.
Now let's deal with sub chains before going to forward.
/ip firewall filter
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" disabled=no dst-limit=0,5,dst-address/1m40s protocol=icmp
add action=return chain=ICMP disabled=no
Nothing uses this ICMP chain. Remove the rules, they're just clutter.
/ip firewall filter
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=log chain=SMTP comment="Detect SMTP Spammers and email" connection-limit=30,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=!allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect SMTP Spammers and add to list" connection-limit=30,32 disabled=no dst-port=25 limit=30,15 protocol=tcp src-address-list=!allowed_bulkmailers
So far so good.
add action=log chain=SMTP comment="Detect Excessive Allowed BulkMailers Connections and email" connection-limit=100,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect Excessive Allowed BulkMailers Connections and add to list" connection-limit=100,32 disabled=no dst-port=25 protocol=tcp src-address-list=allowed_bulkmailers
These don't do anything. If they're exceeding 100 connections they also by definition exceeded 30 connections, so they already got caught above - the rules above don't have passthrough on, after all.
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
This is a repeat of the first rule in the subchain, so that does nothing.
add action=return chain=SMTP disabled=no
Your SMTP rule set can be summarized as this:
/ip firewall filter
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=log chain=SMTP comment="Detect SMTP Spammers and email" connection-limit=30,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=!allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect SMTP Spammers and add to list" connection-limit=30,32 disabled=no dst-port=25 limit=30,15 protocol=tcp src-address-list=!allowed_bulkmailers
add action=return chain=SMTP disabled=no
And now the forward filters.
Mostly this can be made far more efficient by re-ordering the rules. Stateful permits for established and related traffic are going to catch 99% of the packets, so they should be the first in the set. Since you have a default-allow set, you also have absolutely no need for a whole bunch of accept rules. The forward set below is functionally equivalent to what you have right now:
add action=accept chain=forward comment="Established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="Related connections" connection-state=related disabled=no
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=drop chain=forward comment="Drop GHS support from accessing Internet VIA Comtel" disabled=no dst-address-list=!Uncapped_Excludes src-address=172.21.0.24
add action=drop chain=forward comment="Drop remote access to Webservers" disabled=no dst-address=x.x.x.x/26 dst-port=22,222,3306,5900,10000 protocol=tcp src-address-list="!allows_access to servers"
add action=jump chain=forward comment="Check SMTP" disabled=no dst-address-list=!dst_mailserver_exclude dst-port=25 jump-target=SMTP protocol=tcp src-address-list=!mailserver_exclude
add action=accept chain=forward comment="Accept Everything Else" disabled=yes
So, to sum it all up, here is your current rule set:
/ip firewall filter
add action=accept chain=input comment="Accept Established Connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept Related Connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid disabled=no src-address-list=!Trusted_Range
add action=accept chain=input comment="Allow Access from Trusted Range" disabled=no src-address-list=Trusted_Range
add action=drop chain=input comment="Drop all that is not to local" disabled=no dst-address-type=!local dst-limit=0,5,dst-address/1m40s
add action=add-src-to-address-list address-list="Blocked Port Scans" address-list-timeout=1d chain=input comment="Detect and Log Port Scans" disabled=no protocol=tcp psd=20,3s,3,1
add action=drop chain=input comment="Drop Port Scans" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop all that is not from unicast" disabled=no src-address-type=!unicast
add action=accept chain=output comment="Accept Established Packets" connection-state=established disabled=no
add action=accept chain=output comment="Accept Related Packets" connection-state=related disabled=no
add action=drop chain=output comment="Drop Invalid Packets" connection-state=invalid disabled=no
add action=drop chain=input comment="Drop Everything Else" disabled=no
add action=drop chain=forward comment="Drop GHS support from accessing Internet VIA Comtel" disabled=no dst-address-list=!Uncapped_Excludes src-address=172.21.0.24
add action=accept chain=forward comment="Accept Altrix traffic" disabled=no src-address=10.33.0.0/16
add action=accept chain=forward comment="Allow Access to client webserver" disabled=no dst-address=x.x.x.22
add action=accept chain=forward comment="Allow Access to client webserver" disabled=no dst-address=x.x.x.23
add action=accept chain=forward comment="Allow Access to Backup server" disabled=no dst-address=x.x.x.5 src-address-list=Allow_Access_to-Backupserver
add action=drop chain=forward comment="Drop remote access to Webservers" disabled=no dst-address=x.x.x.x/26 dst-port=22,222,3306,5900,10000 protocol=tcp src-address-list="!allows_access to servers"
add action=jump chain=forward comment="Check SMTP" disabled=no dst-address-list=!dst_mailserver_exclude dst-port=25 jump-target=SMTP protocol=tcp src-address-list=!mailserver_exclude
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=log chain=SMTP comment="Detect SMTP Spammers and email" connection-limit=30,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=!allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect SMTP Spammers and add to list" connection-limit=30,32 disabled=no dst-port=25 limit=30,15 protocol=tcp src-address-list=!allowed_bulkmailers
add action=log chain=SMTP comment="Detect Excessive Allowed BulkMailers Connections and email" connection-limit=100,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect Excessive Allowed BulkMailers Connections and add to list" connection-limit=100,32 disabled=no dst-port=25 protocol=tcp src-address-list=allowed_bulkmailers
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=return chain=SMTP disabled=no
add action=drop chain=forward comment="Drop SMTP SPAMMER's" disabled=no dst-port=25 protocol=tcp src-address-list=smtp_spammers
add action=jump chain=input comment="Jump to chain ICMP" disabled=no jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" disabled=no dst-limit=0,5,dst-address/1m40s protocol=icmp
add action=return chain=ICMP disabled=no
add action=accept chain=forward comment="Established Connections" connection-state=established disabled=yes
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid disabled=yes dst-limit=0,5,dst-address/1m40s src-address-list=!Trusted_Range
add action=accept chain=forward comment="Related connections" connection-state=related disabled=yes
add action=drop chain=forward comment="Drop all that is not from unicast" disabled=yes src-address-list=!Trusted_Range src-address-type=!unicast
add action=accept chain=forward comment="Accept Everything Else" disabled=yes
add action=accept chain=output comment="Accept Established Packets" connection-state=established disabled=no
add action=accept chain=output comment="Accept Related Packets" connection-state=related disabled=no
add action=drop chain=output comment="Drop Invalid Packets" connection-state=invalid disabled=no
And here is what it should be:
/ip firewall filter
add action=accept chain=input comment="Accept Established Connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept Related Connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add action=accept chain=input comment="Allow Access from Trusted Range" disabled=no src-address-list=Trusted_Range
add action=drop chain=input comment="Drop Everything Else" disabled=no

add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=log chain=SMTP comment="Detect SMTP Spammers and email" connection-limit=30,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=!allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect SMTP Spammers and add to list" connection-limit=30,32 disabled=no dst-port=25 limit=30,15 protocol=tcp src-address-list=!allowed_bulkmailers

add action=accept chain=forward comment="Established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="Related connections" connection-state=related disabled=no
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=drop chain=forward comment="Drop GHS support from accessing Internet VIA Comtel" disabled=no dst-address-list=!Uncapped_Excludes src-address=172.21.0.24
add action=drop chain=forward comment="Drop remote access to Webservers" disabled=no dst-address=x.x.x.x/26 dst-port=22,222,3306,5900,10000 protocol=tcp src-address-list="!allows_access to servers"
add action=jump chain=forward comment="Check SMTP" disabled=no dst-address-list=!dst_mailserver_exclude dst-port=25 jump-target=SMTP protocol=tcp src-address-list=!mailserver_exclude
add action=accept chain=forward comment="Accept Everything Else" disabled=yes
That should significantly improve packet processing in the firewall filters.

You probably also want to optimize your mangle rules.
If you see the screenshot, between 15 and 20% is being used for queuing, but we don't have any queues on our RB.
You are probably seeing queuing because of inherent interface queues.
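As an added illustration of the ordering points in the reply above (this is constructed example code, not fewi's rules and not a MikroTik tool), here is a small Python model of a first-match filter chain. It flags rules that sit below an unconditional accept/drop in their chain, such as the ICMP jump under "Drop Everything Else", and it counts how many rules a packet is compared against before the chain reaches a verdict, which is the work that shows up as firewall time in profile. Only the matchers needed for the point are modelled (connection-state, protocol, dst-port, src-address, address lists, jump/return); psd, limit, dst-limit and connection-limit are left out, and the address and list names used below are sample values, not the ones from the thread.

```python
"""Toy first-match evaluator for a RouterOS-style /ip firewall filter (constructed example).
Models connection-state, protocol, dst-port, src-address, address-list and jump/return,
and counts how many rules each packet touches before the chain reaches a verdict."""
import ipaddress
from dataclasses import dataclass
TERMINAL = {"accept", "drop"}
BUILTIN = {"input", "forward", "output"}   # built-in chains accept at end of chain

@dataclass(frozen=True)
class Packet:
    state: str                      # new / established / related / invalid
    proto: str = "tcp"
    dst_port: int = 80
    src: str = "198.51.100.10"      # constructed sample source (TEST-NET-2)
    lists: frozenset = frozenset()  # address lists the source is on

@dataclass(frozen=True)
class Rule:
    chain: str
    action: str                     # accept, drop, jump, return, log, ...
    comment: str = ""
    state: str = None
    proto: str = None
    dst_port: tuple = None          # e.g. (22, 222, 3306)
    src: str = None                 # CIDR prefix
    src_list: str = None            # "name" or "!name"
    jump_target: str = None

    def matches(self, p):
        if self.state and p.state != self.state:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dst_port and p.dst_port not in self.dst_port:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.src_list:   # "!name" matches sources that are NOT on the list
            if (self.src_list.lstrip("!") in p.lists) == self.src_list.startswith("!"):
                return False
        return True

def walk(rules, p, chain):
    """Evaluate one chain top to bottom. Returns (verdict or None, rules touched)."""
    touched = 0
    for r in rules:
        if r.chain != chain:
            continue                # rules in other chains are never consulted
        touched += 1
        if not r.matches(p):
            continue
        if r.action in TERMINAL:
            return r.action, touched
        if r.action == "return":
            return None, touched
        if r.action == "jump":
            sub, n = walk(rules, p, r.jump_target)
            touched += n
            if sub:                 # sub-chain reached a verdict
                return sub, touched
        # log / add-src-to-address-list are non-terminal: keep going
    return ("accept" if chain in BUILTIN else None), touched

def unreachable(rules):
    """Rules placed below an unconditional accept/drop in the same chain."""
    sealed, dead = set(), []
    for r in rules:
        if r.chain in sealed:
            dead.append(r)
        elif r.action in TERMINAL and not any((r.state, r.proto, r.dst_port, r.src, r.src_list)):
            sealed.add(r.chain)
    return dead

# Input chain as posted: the ICMP jump sits below "Drop Everything Else".
INPUT_AS_POSTED = [
    Rule("input", "accept", "Accept Established Connections", state="established"),
    Rule("input", "drop", "Drop Invalid Connections", state="invalid"),
    Rule("input", "accept", "Allow Access from Trusted Range", src_list="Trusted_Range"),
    Rule("input", "drop", "Drop Everything Else"),
    Rule("input", "jump", "Jump to chain ICMP", proto="icmp", jump_target="ICMP"),
    Rule("ICMP", "accept", "8:0 and limit for 5pac/s", proto="icmp"),
]

# Forward chain as posted, enabled rules only (the stateful accepts were disabled).
FORWARD_AS_POSTED = [
    Rule("forward", "drop", "Drop GHS support", src="172.21.0.24/32"),
    Rule("forward", "drop", "Drop remote access to Webservers", proto="tcp",
         dst_port=(22, 222, 3306, 5900, 10000), src_list="!allows_access"),
    Rule("forward", "jump", "Check SMTP", proto="tcp", dst_port=(25,), jump_target="SMTP"),
    Rule("SMTP", "drop", "Drop SMTP Spammers", src_list="smtp_spammers"),
    Rule("SMTP", "return"),
]

# Same rules with the stateful accepts enabled and moved to the top.
FORWARD_REORDERED = [
    Rule("forward", "accept", "Established Connections", state="established"),
    Rule("forward", "accept", "Related connections", state="related"),
    Rule("forward", "drop", "Drop Invalid connections", state="invalid"),
] + FORWARD_AS_POSTED
```

Calling walk() with a packet of an established connection shows the trade: the as-posted forward chain compares it against every rule before falling off the end to the default accept, while the reordered chain accepts it on the first rule. A brand-new SMTP connection costs a few comparisons more in the reordered set, because the three stateful rules now sit in front of it, which is the right way round when the established packets are the common case. unreachable() on the input chain returns only the ICMP jump, which is why the ICMP sub-chain can be removed without changing behaviour.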
 
Wesley
newbie
Topic Author
Posts: 48
Joined: Mon Dec 08, 2008 5:00 pm

Re: High CPU on RB1100AH

Sat Jul 09, 2011 11:03 am

Thanks for the assistance. I'll put those rules on this evening and give an update once tested.
We only have one mangle that redirects traffic from a small subnet to another RB.
 
Wesley
newbie
Topic Author
Posts: 48
Joined: Mon Dec 08, 2008 5:00 pm

Re: High CPU on RB1100AH

Mon Jul 11, 2011 12:16 pm

Hi,

We are still experiencing the high CPU load; see the screenshot.
 
Wesley
newbie
Topic Author
Posts: 48
Joined: Mon Dec 08, 2008 5:00 pm

Re: High CPU on RB1100AH

Thu Jul 14, 2011 10:40 am

Still not helping. Isn't the RB1100AH supposed to be a high-power router?
 
Wesley
newbie
Topic Author
Posts: 48
Joined: Mon Dec 08, 2008 5:00 pm

Re: High CPU on RB1100AH

Mon Jul 18, 2011 9:30 am

I disabled the Metarouter now; CPU load dropped from 30-40% down to 5-20%, so clearly the RB1100AH is not powerful enough to run a Metarouter to our requirements.
 
hedele
Member
Posts: 338
Joined: Tue Feb 24, 2009 11:23 pm

Re: High CPU on RB1100AH

Mon Jul 18, 2011 1:28 pm

Well, only creating a Metarouter (but not running it) already doubles CPU usage for any amount of traffic running through.
I suppose that is because there is an invisible bridge being created, where the physical and virtual ethernet ports are then attached, so there is an additional forwarding decision to be made for each packet running through the router.

It's pretty noticeable on RB1000/1100 routers. I have an RB1000 with about 350 Mbit/s of traffic flowing through. Without Metarouter: ~25-30% CPU. Metarouter created but not running: ~60-70% CPU. Metarouter running (and pushing like 2-3 Mbit/s of traffic): ~80-95% CPU.
