nuskope
Frequent Visitor
Topic Author
Posts: 73
Joined: Wed Oct 22, 2008 3:11 pm
Location: Adelaide, South Australia

CCR - QoS/mangle rules 100% CPU

Wed Dec 04, 2013 7:40 am

Hi all.

We have several CCRs in production now, and have been quite happy with their performance in handling large numbers of PPPoE connections and routed traffic.
In our early years we had some very detailed QoS rules that we ran to keep bandwidth usage under control; however, as time went on we ended up turning the rules off to save CPU power and just bought more bandwidth.

We are now passing at peak 600Mbps/200Mbps through our 'firewall' router and on to our border router (both CCRs).

We have an LNS at every main tower site now, with models varying depending on the number of connections at each site, but most have been upgraded to CCRs now.

Here is my problem: when I enable my 200 mangle rules on my firewall router (all it normally does is firewall our network and act as a router for a bunch of IP ranges; normal CPU load is 1-3%), the entire thing locks up and dies... 100% CPU load, and I am unable to Winbox into it even when locally plugged into a management interface. We need to physically isolate it from our network, disable the mangle rules and then reconnect it. This is BAD.
Note: this is with JUST the mangle rules enabled; the queue tree is still disabled at this time.

The very same rules are on an LNS (CCR) with 120 PPPoE tails, and there they work fine. There is a big difference in traffic, though.

Out of my 200 mangle rules, 130 are Layer 7 rules (could this be my issue?).
Some of the rules are for IP lists with maybe 20-30 IP ranges.
The remaining rules are ports.

The setup I use, we mark a connection and have each category in its own chain, we then mark the packets and jump to the next chain:

Example p2p marks:
add action=mark-connection chain=p2p comment="ALL p2p" disabled=yes new-connection-mark=p2pC p2p=all-p2p
add action=mark-connection chain=p2p comment="P2P - Layer7" disabled=yes layer7-protocol=P2P-bittorrent new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=torrent-wwws new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=torrent-dns new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-kugoo new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-jabber new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-ares new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol="P2P-bittorrent II" new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol="P2P-bittorrent III" new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-100bao new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-applejuice new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-audiogalaxy new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-directconnect new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-fasttrack new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-freenet new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-gnucleuslan new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-imesh new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-gnutella new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-goboogy new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-hotline new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-mute new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-napster new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-openft new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-poco new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-soribada new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-tesla new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-thecircle new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-xunlei new-connection-mark=p2pC
add action=mark-packet chain=p2p comment="p2p Download > Flow" connection-mark=p2pC disabled=yes in-interface="GbE6 - Internet comes from here" new-packet-mark=p2pFlow-download passthrough=no
add action=mark-packet chain=p2p comment="p2p Upload > Flow" connection-mark=p2pC disabled=yes new-packet-mark=p2pFlow-upload passthrough=no
add action=jump chain=prerouting comment=p2p disabled=yes jump-target=p2p

So while my CCR may be pushing around 250k pps across all interfaces with a total throughput of about 600/200 Mbit, should a CCR be able to handle and mark packets for QoS? What can I do to solve this issue? QoS would be nice to have again, as it would save me having to buy more transit.

Note:
I have also tried enabling the rules on a router with only 200Mbit of traffic, and the same crash occurs.


Thanks.
 
morf
Member Candidate
Posts: 183
Joined: Tue Jun 21, 2011 5:31 pm
Location: Saint-Petersburg

Re: CCR - QoS/mangle rules 100% CPU

Thu Dec 12, 2013 8:45 am

I have a similar problem.
[Ticket#2013121166000685]
 
derr12
Member
Posts: 411
Joined: Fri May 01, 2009 11:32 pm

Re: CCR - QoS/mangle rules 100% CPU

Thu Dec 12, 2013 9:10 pm

That is a TON of Layer 7 rules to process. You might want to avoid using Layer 7 at that massive scale on that hardware, as it is hugely CPU hungry. You might want to try creating a QoS tag for other traffic that is easy to identify (DNS, VoIP, HTTP, e-mail and such) and give them a higher priority in your queue tree. Tag everything else as "other". It's not as precise, but as long as the important stuff is given priority...


Here is what I do with a CCR as a transparent shaper, which seems to have a minimal effect on CPU load, though I'm not handling as much bandwidth as you are:

/ip firewall mangle
add action=mark-packet chain=forward comment="DNS Uploads" dst-port=53 new-packet-mark=p1_up passthrough=no protocol=tcp \
    src-address-list=public
add action=mark-packet chain=forward comment="DNS Downloads" dst-address-list=public new-packet-mark=p1_down passthrough=no \
    protocol=tcp src-port=53
add action=mark-packet chain=forward comment="DNS Uploads" dst-port=53 new-packet-mark=p1_up passthrough=no protocol=udp \
    src-address-list=public
add action=mark-packet chain=forward comment="DNS Downloads" dst-address-list=public new-packet-mark=p1_down passthrough=no \
    protocol=udp src-port=53
add action=mark-connection chain=forward comment="VOIP Connection mark SIP" dscp=26 layer7-protocol=sip new-connection-mark=VOIP26 \
    protocol=udp
add action=mark-connection chain=forward comment="VOIP Connection mark RTP" dscp=46 layer7-protocol=RTP-accurate \
    new-connection-mark=VOIP46
add action=mark-packet chain=forward comment="SIP Uploads" connection-mark=VOIP26 new-packet-mark=p2_up passthrough=no \
    src-address-list=public
add action=mark-packet chain=forward comment="SIP Downloads" connection-mark=VOIP26 dst-address-list=public new-packet-mark=p2_down \
    passthrough=no
add action=mark-packet chain=forward comment="RTP Uploads" connection-mark=VOIP46 new-packet-mark=p2_up passthrough=no \
    src-address-list=public
add action=mark-packet chain=forward comment="RTP Downloads" connection-mark=VOIP46 dst-address-list=public new-packet-mark=p2_down \
    passthrough=no
add action=mark-connection chain=forward comment="HTTP Download conn mark" dst-address-list=public new-connection-mark=http_down \
    protocol=tcp src-port=80,443,8080,81
add action=mark-connection chain=forward comment="HTTP upload conn mark" dst-port=80,443,8080,81 new-connection-mark=http_up \
    protocol=tcp src-address-list=public
add action=mark-packet chain=forward comment=HTTP-Download connection-mark=http_down new-packet-mark=p3_down passthrough=no
add action=mark-packet chain=forward comment=HTTP-Upload connection-mark=http_up new-packet-mark=p3_up passthrough=no
add action=mark-connection chain=forward comment="Mark p2p with connection-mark" new-connection-mark=p2p_con p2p=all-p2p
add action=mark-connection chain=forward comment="E-mail Connection" dst-port=25,110,143,465,585,587,993,995 new-connection-mark=\
    Email protocol=tcp
add action=mark-packet chain=forward comment="E-mail Upload" connection-mark=Email new-packet-mark=p3_up passthrough=no \
    src-address-list=public
add action=mark-packet chain=forward comment="E-mail Downloads" connection-mark=Email dst-address-list=public new-packet-mark=\
    p3_down passthrough=no
add action=mark-connection chain=forward comment="Xbox + PS3 Download tcp" new-connection-mark=xbox+ps3_down protocol=tcp src-port=\
    3074,5223,3074
add action=mark-connection chain=forward comment="Xbox + ps3 download UDP" dst-address-list=public new-connection-mark=\
    xbox+ps3_down protocol=udp src-port=88,3074,3478,3479,3658
add action=mark-connection chain=forward comment="Xbox+ps3 Up TCP" dst-port=3074,5223,3074 new-connection-mark=xbox+ps3_Up \
    protocol=tcp
add action=mark-connection chain=forward comment="Xbox + PS3 up UDP" dst-port=88,3074,3478,3479,3658 new-connection-mark=\
    xbox+ps3_Up protocol=udp
add action=mark-packet chain=forward comment="Xbox+ps3 Download" connection-mark=xbox+ps3_down dst-address-list=public \
    new-packet-mark=p3_down passthrough=no
add action=mark-packet chain=forward comment="Xbox&ps3 Upload" connection-mark=xbox+ps3_Up new-packet-mark=p3_up passthrough=no \
    src-address-list=public
add action=mark-packet chain=forward comment="P2P up" connection-mark=p2p_con new-packet-mark=p5_up passthrough=no \
    src-address-list=public
add action=mark-packet chain=forward comment="p2p Down" connection-mark=p2p_con dst-address-list=public new-packet-mark=p5_down \
    passthrough=no
add action=mark-packet chain=forward comment="Mark all remaining Upload." new-packet-mark=p4_up out-bridge-port=ether1 passthrough=\
    no src-address-list=public
add action=mark-packet chain=forward comment="Mark all remaining Download" dst-address-list=public in-bridge-port=ether1 \
    new-packet-mark=p4_down passthrough=no
/queue tree
add max-limit=11M name=Uploads_Full parent=ether1 priority=1 queue=default
add max-limit=38M name=Downloads_Full parent=ether2 priority=1 queue=default
add limit-at=256k max-limit=38M name=DN_priority1 packet-mark=p1_down parent=Downloads_Full priority=1 queue=downloads_pcq
add limit-at=768k max-limit=38M name=DN_priority2 packet-mark=p2_down parent=Downloads_Full priority=2 queue=downloads_pcq
add limit-at=23M max-limit=37M name=DN_priority3 packet-mark=p3_down parent=Downloads_Full priority=3 queue=downloads_pcq
add limit-at=9M max-limit=37M name=DN_priority4 packet-mark=p4_down parent=Downloads_Full priority=4 queue=downloads_pcq
add limit-at=3M max-limit=37M name=DN_priority5 packet-mark=p5_down parent=Downloads_Full priority=5 queue=downloads_pcq
add limit-at=256k max-limit=11M name=UP_priority1 packet-mark=p1_up parent=Uploads_Full priority=1 queue=uploads_pcq
add limit-at=768k max-limit=11M name=UP_priority2 packet-mark=p2_up parent=Uploads_Full priority=2 queue=uploads_pcq
add limit-at=6M max-limit=10M name=UP_priority3 packet-mark=p3_up parent=Uploads_Full priority=3 queue=uploads_pcq
add limit-at=3M max-limit=10M name=UP_priority4 packet-mark=p4_up parent=Uploads_Full priority=4 queue=uploads_pcq
add limit-at=1M max-limit=10M name=UP_priority5 packet-mark=p5_up parent=Uploads_Full priority=5 queue=uploads_pcq
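As an added example (not code from any poster in this thread), here is a small Python audit that parses a `/ip firewall mangle` export in the style of the rule sets quoted above and flags layer7 rules that have no cheap matcher (protocol, port, address list, connection mark, interface) in front of the regex, i.e. the kind of rule derr12's post advises against at scale. The sample export embedded below is constructed, not taken from either router.

```python
import shlex

# Constructed sample in the style of the exports quoted in this thread (not a real export).
SAMPLE_EXPORT = r"""
add action=mark-connection chain=p2p disabled=yes layer7-protocol=P2P-bittorrent new-connection-mark=p2pC
add action=mark-connection chain=p2p disabled=yes layer7-protocol="P2P-bittorrent II" new-connection-mark=p2pC
add action=mark-connection chain=forward comment="VOIP Connection mark SIP" dscp=26 layer7-protocol=sip \
    new-connection-mark=VOIP26 protocol=udp
add action=mark-packet chain=forward comment="DNS Uploads" dst-port=53 new-packet-mark=p1_up passthrough=no \
    protocol=tcp src-address-list=public
"""

# Header-level matchers that limit which connections ever reach the layer7 regex.
NARROWING = {"protocol", "src-port", "dst-port", "port", "src-address", "dst-address",
             "src-address-list", "dst-address-list", "connection-mark", "packet-mark",
             "in-interface", "out-interface", "dscp"}

def join_continuations(text):
    """Rejoin export lines that RouterOS wrapped with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.lstrip() if buf else raw
        if piece.rstrip().endswith("\\"):
            buf += piece.rstrip()[:-1]      # keep the text, drop the continuation mark
        else:
            lines.append(buf + piece)
            buf = ""
    if buf:
        lines.append(buf)
    return lines

def parse_rule(line):
    """Turn one 'add key=value ...' line into a dict; shlex handles quoted values."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        return None
    return {k: v for k, _, v in (tok.partition("=") for tok in tokens[1:])}

def audit(export_text):
    """Count rules and list the layer7 protocols whose rules no cheap matcher guards."""
    rules = [r for r in map(parse_rule, join_continuations(export_text)) if r]
    l7 = [r for r in rules if "layer7-protocol" in r]
    unguarded = [r["layer7-protocol"] for r in l7 if not (NARROWING & set(r))]
    return {"rules": len(rules), "layer7": len(l7), "unguarded_layer7": unguarded}

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

Feed it the output of `/ip firewall mangle export` to see how many of a large rule set are unguarded regex matches; each such rule is evaluated against every connection that reaches its chain.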
 
Asket
just joined
Posts: 24
Joined: Mon Jan 28, 2013 7:33 am
Location: Russia, Pyatigorsk

Re: CCR - QoS/mangle rules 100% CPU

Sat Dec 14, 2013 8:04 pm

Really, mangle + queue tree is unusable: the CCR dies in 3-5 seconds, and the only rescue is disabling the upstream interface. I've tried using a queue tree on a CCR-1036-8G-2S+; the test failed. Traffic does not exceed 200 Mbit/s (for a 10G device!), and users describe a storm, armageddon...
