I have MikroTik RB-941. At random times, the processor is 100% loaded. Profile shows that it is mainly console, management and spi. It happens that only one of the services loads the processor up to 100%. There is another 941 and 951 with the same config (with the exception of subnets) they do not observe this. There is nothing in scripts and scheduler. RouterOS 6.42.3.
Config:
Code: Select all
# feb/10/2020 10:33:46 by RouterOS 6.46.3
#
# model = RB941-2nD
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
antenna-gain=0 band=2ghz-b/g/n country=russia default-authentication=no \
default-forwarding=no disabled=no distance=indoors frequency=2442 \
hw-protection-mode=rts-cts hw-retries=15 installation=indoor mode=\
ap-bridge multicast-helper=full ssid=Inet wireless-protocol=802.11 \
wps-mode=disabled
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
/interface wireless nstreme
set wlan1 enable-polling=no
/interface list
add name=Internet
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.23.15-192.168.23.200
add name=dhcp_pool1 ranges=192.168.15.15-192.168.15.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=wlan1 name=dhcp_wlan
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp_lan
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether4 list=Internet
/interface wireless access-list
add allow-signal-out-of-range=3s forwarding=no interface=wlan1 signal-range=\
-83..120 vlan-mode=no-tag
/ip address
add address=192.168.15.1/24 interface=bridge1 network=192.168.15.0
add address=192.168.23.1/24 interface=wlan1 network=192.168.23.0
/ip dhcp-client
add disabled=no interface=ether4
/ip dhcp-server network
add address=192.168.15.0/24 dns-server=193.58.251.251 gateway=192.168.15.1
add address=192.168.23.0/24 dns-server=193.58.251.251 gateway=192.168.23.1
/ip firewall filter
add action=accept chain=forward comment=\
"1.1. Forward and Input Established and Related connections" \
connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface-list=Internet
add action=add-src-to-address-list address-list=ddos-blacklist \
address-list-timeout=1d chain=input comment=\
"1.2. DDoS Protect - Connection Limit" connection-limit=100,32 \
in-interface-list=Internet protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp \
src-address-list=ddos-blacklist
add action=jump chain=forward comment="1.3. DDoS Protect - SYN Flood" \
connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state=new in-interface-list=Internet \
jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect connection-state=new limit=200,5:packet \
protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="1.4. Protected - Ports Scanners" \
src-address-list="Port Scanners"
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input in-interface-list=Internet \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="1.5. Protected - WinBox Access" \
src-address-list="Black List Winbox"
add action=add-src-to-address-list address-list="Black List Winbox" \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
in-interface-list=Internet log=yes log-prefix="BLACK WINBOX" protocol=tcp \
src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
in-interface-list=Internet protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
in-interface-list=Internet protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
in-interface-list=Internet protocol=tcp
add action=accept chain=input dst-port=8291 in-interface-list=Internet \
protocol=tcp
add action=accept chain=input comment="1.8. Access Normal Ping" \
in-interface-list=Internet limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="1.9. Drop All Other" in-interface-list=\
Internet
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.15.0/24
add action=masquerade chain=srcnat src-address=192.168.23.0/24
/ip firewall raw
add action=drop chain=prerouting dst-port=137,138,139 in-interface-list=\
Internet protocol=udp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=MikroTik_Right_2
/system ntp client
set server-dns-names=pool.ntp.org
/system watchdog
set ping-start-after-boot=30m watch-address=10.77.50.1
/tool graphing interface
add store-on-disk=no
/tool romon
set enabled=yes id=00:00:00:00:11:02
/tool romon port
set [ find default=yes ] forbid=yes
add disabled=no interface=ether4
/tool sniffer
set filter-interface=ether4
