Hi everyone,
yesterday I realized that the firewall that I used on all devices increase cpu usage which device on heavy traffic on it. I wanted to share the firewall that I put on all devices below may firewall rules wrong. When I disable all rulses in ip firewal filter ,cpu returns to normal.

Code: Select all

/ip firewall filter 
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=input comment="accept ospf" protocol=ospf
add action=drop chain=input comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=input comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp
/ip service set www port=9090
/snmp set enabled=no
/snmp community set read-access=no write-access=no [find]
/ip smb set allow-guests=no
/ip smb set enabled=no
/ip service disable www-ssl
/ip service disable ftp
/system package disable ipv6
/ip firewall service-port disable [/ip firewall service-port find]
/ip dns set servers=8.8.8.8,8.8.4.4
/ip service disable telnet,ftp,api-ssl
/ip service set ssh port=2223
/ip service set address=10.10.20.20 [/ip service find]
/user set address=10.10.20.20 [/user find]
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
/ip ssh set strong-crypto=yes
/ip ssh set host-key-size=4096 strong-crypto=yes
/ip settings set rp-filter=strict

thanks for all help

when you use firewall
the router have to check every packet,so when you have heavy traffic,the cpu will go up fast .
you can make mark(/ip firewall mangle) the connection then mark the packets,this will reduce you cpu cost .

Slightly wipe the firewall rolls sequence.
The input section always ends with 'drop all'
# drop all other input
add chain = input action = drop comment = "drop everything else"
And the 'forward' chain -
# drop all other forward
add chain = forward action = drop comment = "drop everything else"
You do not have these rules at all.

With firewalls my personal ethos is drop everything and allow only what you want. Your firewall was allowing what you want and dropping "some" stuff. Your rules can be much simpler if you set them up as per below and that may transpire into better CPU utilisation.
Nobody has asked what model router you have (maybe it has a low powered CPU) and you haven't posted any NAT rules (if you have them) so the below would stop anything NAT'd as well but can be ammended if needed.

Code: Select all

/ip firewall filter 
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=input comment="accept ospf" protocol=ospf
add action=drop chain=input comment="drop all"
add action=drop chain=forward comment="drop all"

Are you sure it is not just somebody trying to attack your router and it's doing it's job? Does/Has the CPU usage subside(d)?

/ip firewall filter 
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=input comment="accept ospf" protocol=ospf
add action=drop chain=input comment="drop all"
add action=drop chain=forward comment="drop all"

what is the purpose of this router: only natting? or natting + forwarding?

If also forwarding and it's sizeable amount, use no-track in raw to not do conntracking for it... That will save cpu together with FastPath.

* what is the typical connection count through that router?

* do you need/have to protect your inner / forwarded networks?

* the configuration given is complete?

From forwarding point of view, following rules are applicable:

Code: Select all

add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp

Further, in the configuration as provided, there is no "IP stack optimisation".

There are following options for optimisation:
* enable FastPath, BUT for that firewall rules needs to be empty, see https://wiki.mikrotik.com/wiki/Manual:F ... v4_handler
* disable conn track: lack of connection tracking reduces memory requirements (and sensitivity to DDOS), but it also renders the firewall stateless: no notion of connection and every packet is examined only based on it's ip's and ports/types. The above rules with "connection-state=..." will be unusable.
* enable conn track AND FastTrack (a combination of FastPath and connection tracking, https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack): all connections are tracked, but since "FastTracked packets bypass firewall, connection tracking, ...", connections can be handled in a much more efficient way. There is potential to DDOS the router, but this can be mitigated by "TCP SynCookies". Additional protection can be taken by for example "no-track"-ing UDP.

So from your point of view, 2 options are possible for you: no conn track or FastTrack. I would suggest to look first in the last one:
* fasttrack all of your traffic.
* enable tcp syncookies
* no-track of udp
* tune (=reduce) conn tracking timeouts
20k connections should be doable on 1100Ahx4.

With regards to your current rules, I would suggest to move the "drop Admin Ports" rules to RAW:prerouting chain -> drop at first chance.

/ip firewall raw
add action=accept chain=prerouting src-address-list=secureadmin
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp

"tune (=reduce) conn tracking timeouts" is only relevant if you want to do connection tracking. Do you?
If yes: you could reduce the timeout timing, so that connections are cleaned up sooner. Ex: "TCP established timeout" /ip firewall connection tracking settings
Further make sure FastTrack rule is present for all forward traffic.

/ip firewall raw
add action=accept chain=prerouting src-address-list=secureadmin
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp

"tune (=reduce) conn tracking timeouts" is only relevant if you want to do connection tracking. Do you?
If yes: you could reduce the timeout timing, so that connections are cleaned up sooner. Ex: "TCP established timeout" /ip firewall connection tracking settings
Further make sure FastTrack rule is present for all forward traffic.

thank you sebastia,
I disable conn tracking and put rules as below to raw table. it little better then firewall filter. thanks all help

Code: Select all

/ip firewall raw
add action=accept chain=prerouting src-address-list=secureadmin
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp

I turn this arround in RAW, only allow the ports I use and the have a block-all for TCP and UDP.

For specific filtering on allowed ports I group similar rules under a Jump. So when traffic is not for that ports it has to pass only one line.

It is always a good to look if block or accept is more efficient.

The option to favour input over forward sounds good in rules.