Community discussions

MikroTik App
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

One simple queue consume all cpu

Sat Sep 09, 2017 11:32 am

# sep/09/2017 11:23:09 by RouterOS 6.40.3
# model = RouterBOARD 962UiGS-5HacT2HnT

/queue simple
add dst=10.10.0.2/32 name=box queue=ethernet-default/ethernet-default \
total-queue=ethernet-default
add max-limit=85M/85M name=out queue=ethernet-default/ethernet-default \
target=wan total-queue=ethernet-default

trying to upload file by scp

scp -v -P 707 testfile root@10.10.0.2:/mnt/

if first queue is disabled, speed is about 108Mb/s, but if I enable it, upload down to 30Mb/s
Image
I tried to reset configuration without any success... If I created one more IP-based queue, sometimes SCP died at stalled state.

Please, give me any advice :( I can't use queue feature at all...
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Sat Sep 09, 2017 7:46 pm

May be I select uncorrect way, but I need to limit all traffic at one interface, except one IP behind it.

It's no firewall rules...
 
User avatar
dgnevans
Member
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: One simple queue consume all cpu

Sun Sep 10, 2017 10:56 am

Can you advise what speed you would like to limit you lan ips to and what your total bandwidth available is. I presume the address in your first rule is th one you would like to be unlimited.
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Sun Sep 10, 2017 3:00 pm

Yes, first address must be unlimited. All devices connected with 1Gb link, but speed limited not by rules, but CPU of device. And very limited :( Suppose I can change some settings or rule, but nowadays , I don't know what can I do. I tried to replace first queue with fasttrack rule, but without any success, moreover, it's lower speed to 15Mb/s...
 
User avatar
dgnevans
Member
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: One simple queue consume all cpu

Sun Sep 10, 2017 10:45 pm

I believe if you apply simple queue or firewall rules fast track is disabled. Based on what you had in the begining you can try these rules. Depending on what you trying to do.
add dst=0.0.0.0/0 name=unlimited priority=1/1 queue=pcq-upload-default/pcq-download-default target=10.10.0.2/32
add dst=0.0.0.0/0 name=unlimited max-limit=85M/85 priority=1/1 queue=pcq-upload-default/pcq-download-default target=10.10.0.0/24
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Mon Sep 11, 2017 8:17 pm

As I said before, even one queue slow down SCP very much. So, when I disabled all my rules and add only your

add dst=0.0.0.0/0 name=unlimited priority=1/1 queue=pcq-upload-default/pcq-download-default target=10.10.0.2/32

speed decreased to 30Mb/s again. I compare your and my queue, when I change queue type to pfifo and increase queue size to 500000, speed increased to 70Mb/s, but CPU loaded at 100%... Only one SCP thread... If I decreased queue size to 20000 and below, speed decreased too... I confused very much...
 
User avatar
dgnevans
Member
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: One simple queue consume all cpu

Tue Sep 12, 2017 9:23 am

A single simple queue should not effect add that load to your device. there is something else in your configuration that is causing this. can you do a export /hide sensitive and block out any information you dont want seen then we can go through config.
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Tue Sep 12, 2017 9:04 pm

Tried to clean some schedules and insignificant part of config...
http://storage.olegon.ru/supermag/uploa ... ues.rsc.7z
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Thu Sep 14, 2017 10:51 pm

Excuse me, dgnevans...
Any ideas?
 
User avatar
dgnevans
Member
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: One simple queue consume all cpu

Mon Sep 18, 2017 5:26 pm

What is this for.
/queue interface
set oops queue=default-big
set wan queue=default-big

I do not see any default-big queues in your queue-types and I have not seen these as a default on any of my routers. suggest you restore these back only-hardware-queue and test.
second thing
/queue simple
add dst=10.10.0.2/32 name=box priority=1/1 queue=default/default total-queue=\
default
add max-limit=85M/85M name=out queue=default/default target=wan total-queue=\
default

What are you trying to accomplish with these. 10.10.0.2/32 is your gateway. and then you imposing 85M up / down on your wan. I suggest restoring the interface queues to default then removing simple queues. then detail what you would like the queues to do then we can design them to do that accordingly.
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Mon Sep 18, 2017 8:27 pm

Sorry, but in config this queue is exists

add kind=pfifo name=default-big pfifo-limit=1000000

I found, that this very big value of packets increasing speed of interface... Speed is about 10% increased, when I increase this value from 100 to 100000.

You confused me, 10.10.0.2 is gateway, but I would like to limit all transit traffic, but unlimit all traffic direct to 10.10.0.2
I suppose, I can do it, because no NAT is active...

Is any explanation of so high CPU load of this single thread traffic with one queue?
 
User avatar
dgnevans
Member
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: One simple queue consume all cpu

Mon Sep 18, 2017 11:07 pm

I have never had to change interface queues to get better performance on an interface.
There is also no need to unlimit all traffic to your first hop gateway. remove that queue.
then limit it to the one queue. make this queue more specific dont put in onto an interface rather limit it by target ip address and destination 0.0.0.0/0
see how that peforms then alter rules from there
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Tue Sep 19, 2017 9:29 am

Very strange, but if I set up only-hardware queue type on both interfaces (oops and wan), removed all queues at all, speed is not more than 60Mb/s. If I set up big pfifo queue on one of interfaces - speed increased to 113Mb/s (twice!). Test file copied from PC, attached to oops, to 10.10.0.2, gateway, attached to wan.
PC - oops-mikrotik-wan - gateway (10.10.0.2)
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Tue Sep 19, 2017 12:23 pm

Sorry, I don't understand how to limit all IPs, except 10.10.0.0/16 and 192.168.10.0/16 in one queue :( Queue wihout exeption list :(
 
User avatar
dgnevans
Member
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: One simple queue consume all cpu

Tue Sep 19, 2017 12:39 pm

Hi Olegon
So first thing we trying to do is locate which queue is causing the CPU to go high. Is it the Interface queues or is it the simple queues.
To do this I would:
- restore the Interface queues back to default.
- remove all simple queues.
- run tests monitoring cpu usage
Once you have done this and you have identified whether this resolves cpu usage then we start creating simple queues according to what you would like to do.
Are you wanting your devices on the 192.168.x.x network to be limited to anywhere.
Which traffic do you want to be unlimited. Is the unlimited traffic to an individual ip or a group of ip's or a whole subnet.
So as an example
/queue simple
add dst=192.168.10.0/24 name=LAN queue=ethernet-default/ethernet-default target=192.168.10.0/24
add max-limit=20M/20M name="LAN to WAN" queue=pcq-upload-default/pcq-download-default target=192.168.10.0/24
Rule 1 tells us any traffic that passes through the router from the 192.168.10.0/24 to a destination of 192.168.10.0/24 will not be restricted. (this is only really necessary when you using mutiple vlans or subnets on different ports or sub interfaces on the router.)
Rule 2 tells us any traffic that passes through the router from 192.168.10.0/24 to any destination that is not in the rules above will be limited to a total max of 20 mbps up /down.
Once you have listed how you would like your traffic to be controlled we can plan accordingly and guide you on your rules. .
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Tue Sep 19, 2017 1:04 pm

Mikrotik is between two segments of network (192.168 and 10.10), Internet gate is 10.10.0.2 and I need to limit all traffic from 192. to Internet, because provider drop all packets above limit and some overload from 192 can break Internet connections down. But 10.10.0.2 must be unlimited, it's also works as some app/file server.
192.168 - no limit - mikrotik - 10.10.0.2 - limit 85M - Internet

Can you comment issue, that only-hardware-queue slow down speed twice in comparison of pfifo 1000000 (all queues removed)?
 
User avatar
dgnevans
Member
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: One simple queue consume all cpu

Tue Sep 19, 2017 1:47 pm

On my network changing those settings offers no improvement in performance. however having flow control on and changing those settings slows my network down by +- 10%. I would remove flow control from the interfaces.
ok so simple queues are easy then.
/queue simple
add dst=10.10.0.0.0/16 name=LAN queue=ethernet-default/ethernet-default target=192.168.0.0/16
add max-limit=85M/85M name="LAN to WAN" queue=pcq-upload-default/pcq-download-default target=192.168.0.0/16
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Tue Sep 19, 2017 2:30 pm

Scientia potentia est.
I changed flow control from auto to off on both interfaces of mikrotik and than can change interface queue to only-hardware-queue without perfomance degradation.
Speed is about 113Mb/s
But when I add only
add dst=10.10.0.0.0/16 name=LAN queue=ethernet-default/ethernet-default target=192.168.0.0/16
Speed decreased to 80Mb/s :( CPU load is 100%
 
User avatar
dgnevans
Member
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: One simple queue consume all cpu

Tue Sep 19, 2017 3:22 pm

Have you inherited this config from someone or did you set it up? there are some questions I have.
By the looks of it you have 2 bridges. #1 called bridge #2 called bridge-nik these have multiple interfaces added to them.
#1 Bridge you have 2 ip addresses applied to this interface and 2 dhcp servers running on this bridge. this will cause all kinds of issues. if you need to run 2 ip addresses either statically operate the one subnet or apply different subnets for different interfaces. Can you give an idea of what you are trying to achieve. Part of the issue you have is this router is only capable of so once the CPU reaches 100% your performance will degrade. in order to resolve this you need to simply your config as much as possible. Currently you using 38% cpu just on Networking 10% on ethernet. I have a similar device nat, single bridge, 17 queues, 125 firewall rules and it runs at 9% cpu usage max. as you not doing nat we need to work out where this is going. Starting with the bridges may be the first point.
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Wed Sep 20, 2017 7:28 am

Thank you for patience.
It's some example config, modified by me. Two bridges is changed example of guest wifi.
Yesterday, I removed second bridge (bridge-nik), second DHCP-server and tried to removed interfaces from bridge, but when I set up master port, interface included in bridge dynamically.
Which load of CPU on your configuration, when you copy file at maximal speed (suppose 1Gbit?)? When typical load, my configuration loads CPU at 15%, but it's very low traffic. Problem appeared when backup or some big file copied.
Can you show me your configuration of interfaces and bridges? As I read, interfaces, included in bridges, it's traffic handling by CPU, not chip?
 
User avatar
dgnevans
Member
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: One simple queue consume all cpu

Wed Sep 20, 2017 11:27 am

/interface ethernet
set [ find default-name=ether1 ] comment=WAN mac-address=E4:8D:8C:50:80:BD
set [ find default-name=ether2 ] arp=proxy-arp mac-address=E4:8D:8C:50:80:BE
set [ find default-name=ether3 ] mac-address=E4:8D:8C:50:80:BF master-port=ether2
set [ find default-name=ether4 ] mac-address=E4:8D:8C:50:80:C0 master-port=ether2
set [ find default-name=ether5 ] mac-address=E4:8D:8C:50:80:C1 master-port=ether2
/interface vlan
add comment=Management interface=ether1 name=vlan2 vlan-id=2
add comment=WAN2 interface=ether1 name=vlan3232 vlan-id=3232
add comment=WAN1 interface=ether1 name=vlan4090 vlan-id=4090
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.1.51-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=DHCP-LAN
/ppp profile
add dns-server=192.168.1.1 local-address=dhcp name=PPTP-VPN remote-address=dhcp
/queue type
add kind=pcq name=pcq-down-512k pcq-classifier=dst-address pcq-rate=512k pcq-total-limit=4000KiB
add kind=pcq name=pcq-up-512k pcq-classifier=src-address pcq-rate=512k pcq-total-limit=4000KiB
add kind=pcq name=pcq-down-2M pcq-classifier=dst-address pcq-rate=2M pcq-total-limit=4000KiB
add kind=pcq name=pcq-up-2M pcq-classifier=src-address pcq-rate=2M pcq-total-limit=4000KiB
add kind=pcq name=pcq-down-64k pcq-classifier=dst-address pcq-rate=512k pcq-total-limit=4000KiB
add kind=pcq name=pcq-up-64k pcq-classifier=src-address pcq-rate=64k pcq-total-limit=4000KiB
add kind=pcq name=pcq-down-3M pcq-classifier=dst-address pcq-rate=3M pcq-total-limit=4000KiB
add kind=pcq name=pcq-up-3M pcq-classifier=src-address pcq-rate=3M pcq-total-limit=4000KiB
/queue simple
add name=South queue=pcq-up-2M/pcq-down-2M target=192.168.1.226/32
add max-limit=5M/5M name=WAN queue=ethernet-default/ethernet-default target=192.168.1.0/24
add name="internet abusers" parent=WAN queue=pcq-up-64k/pcq-down-64k target=192.168.1.69/32
add name="Manager1 " parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.78/32,192.168.1.51/32
add name="IT Admin" parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.53/32,192.168.1.54/32
add name=Manager2 parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.60/32,192.168.1.76/32
add name=Manager3 parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.243/32,192.168.1.58/32,192.168.1.239/32
add name=Manager4 parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.56/32
add name="IT Tech" parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.75/32
add name=Radios parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.65/32,192.168.1.50/32
add name="Manager6" parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.165/32
add name=Manager7 parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.81/32,192.168.1.82/32
add name=Manager8 parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.248/32
add name="South Reception" parent=WAN queue=pcq-up-2M/pcq-down-2M target=192.168.1.244/32
add name="Manager9" parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.71/32 total-queue=default
add name="Swipe Machine" parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.232/32
add name="Reception Bookings" parent=WAN queue=pcq-up-3M/pcq-down-3M target=192.168.1.86/32 total-queue=default
add name="LAN - internet" parent=WAN queue=pcq-up-512k/pcq-down-512k target=192.168.1.0/24
/ip settings
set allow-fast-path=no route-cache=no
/interface pptp-server server
set default-profile=PPTP-VPN enabled=yes
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=x.x.x.x/30 interface=vlan4090 network=x.x.x.x
add address=172.17.0.254/24 interface=vlan2 network=172.17.0.0
add address=y.y.y.y/30 interface=vlan3232 network=y.y.y.y
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.1.56 always-broadcast=yes client-id=1:30:10:b3:82:a7:fd mac-address=30:10:B3:82:A7:FD server=DHCP-LAN
add address=192.168.1.69 always-broadcast=yes client-id=1:bc:ae:c5:35:e:82 mac-address=BC:AE:C5:35:0E:82 server=DHCP-LAN
add address=192.168.1.64 always-broadcast=yes client-id=1:bc:ae:c5:35:e:7a mac-address=BC:AE:C5:35:0E:7A server=DHCP-LAN
add address=192.168.1.78 always-broadcast=yes client-id=1:48:45:20:6b:30:eb mac-address=48:45:20:6B:30:EB server=DHCP-LAN
add address=192.168.1.81 always-broadcast=yes client-id=1:a4:d1:8c:61:5:36 mac-address=A4:D1:8C:61:05:36 server=DHCP-LAN
add address=192.168.1.82 always-broadcast=yes client-id=1:40:33:1a:b4:8f:36 mac-address=40:33:1A:B4:8F:36 server=DHCP-LAN
add address=192.168.1.51 always-broadcast=yes client-id=1:ec:1f:72:3d:68:77 mac-address=EC:1F:72:3D:68:77 server=DHCP-LAN
add address=192.168.1.79 always-broadcast=yes client-id=1:60:6c:66:b5:ad:10 mac-address=60:6C:66:B5:AD:10 server=DHCP-LAN
add address=192.168.1.75 always-broadcast=yes client-id=1:8:ed:b9:6a:57:40 mac-address=08:ED:B9:6A:57:40 server=DHCP-LAN
add address=192.168.1.72 client-id=1:a0:2b:b8:26:61:a3 mac-address=A0:2B:B8:26:61:A3 server=DHCP-LAN
add address=192.168.1.70 client-id=1:a8:fa:d8:3d:dd:70 mac-address=A8:FA:D8:3D:DD:70 server=DHCP-LAN
add address=192.168.1.71 always-broadcast=yes client-id=1:28:e3:47:ed:b2:23 mac-address=28:E3:47:ED:B2:23 server=DHCP-LAN
add address=192.168.1.54 always-broadcast=yes client-id=1:f0:25:b7:f1:d7:fa mac-address=F0:25:B7:F1:D7:FA server=DHCP-LAN
add address=192.168.1.53 always-broadcast=yes client-id=1:5c:ac:4c:98:e5:38 mac-address=5C:AC:4C:98:E5:38 server=DHCP-LAN
add address=192.168.1.63 always-broadcast=yes client-id=1:68:a3:c4:93:b7:c mac-address=68:A3:C4:93:B7:0C server=DHCP-LAN
add address=192.168.1.165 always-broadcast=yes client-id=1:70:5a:f:48:4d:3b mac-address=70:5A:0F:48:4D:3B server=DHCP-LAN
add address=192.168.1.52 always-broadcast=yes client-id=1:70:70:d:5:d:cc mac-address=70:70:0D:05:0D:CC server=DHCP-LAN
add address=192.168.1.90 always-broadcast=yes client-id=1:6c:40:8:aa:13:5c mac-address=6C:40:08:AA:13:5C server=DHCP-LAN
add address=192.168.1.65 client-id=1:d0:27:88:df:57:4e mac-address=D0:27:88:DF:57:4E server=DHCP-LAN
add address=192.168.1.76 always-broadcast=yes client-id=1:80:7a:bf:3b:f2:fc mac-address=80:7A:BF:3B:F2:FC server=DHCP-LAN
add address=192.168.1.60 always-broadcast=yes client-id=1:ac:2b:6e:cf:47:61 mac-address=AC:2B:6E:CF:47:61 server=DHCP-LAN
add address=192.168.1.66 client-id=1:54:27:1e:52:5e:ae mac-address=54:27:1E:52:5E:AE server=DHCP-LAN
add address=192.168.1.58 always-broadcast=yes client-id=1:d0:c5:f3:d7:5:b5 mac-address=D0:C5:F3:D7:05:B5 server=DHCP-LAN
add address=192.168.1.243 client-id=1:a4:d1:8c:c2:7f:e8 mac-address=A4:D1:8C:C2:7F:E8 server=DHCP-LAN
add address=192.168.1.239 always-broadcast=yes client-id=1:34:a3:95:35:1a:7d mac-address=34:A3:95:35:1A:7D server=DHCP-LAN
add address=192.168.1.86 always-broadcast=yes client-id=1:98:54:1b:83:c7:d7 mac-address=98:54:1B:83:C7:D7 server=DHCP-LAN
add address=192.168.1.226 always-broadcast=yes client-id=1:c4:17:fe:c0:ec:2 mac-address=C4:17:FE:C0:EC:02 server=DHCP-LAN
add address=192.168.1.248 always-broadcast=yes client-id=1:0:12:17:49:d4:ed mac-address=00:12:17:49:D4:ED server=DHCP-LAN
add address=192.168.1.244 always-broadcast=yes client-id=1:98:54:1b:80:56:5b mac-address=98:54:1B:80:56:5B server=DHCP-LAN
add address=192.168.1.232 always-broadcast=yes client-id=1:f0:92:1c:4d:87:5c mac-address=F0:92:1C:4D:87:5C server=DHCP-LAN
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB max-udp-packet-size=512 servers=5.11.11.11,5.11.11.5
/ip firewall filter
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add action=tarpit chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow LAN access to router and Internet" connection-state=new in-interface=ether2
add action=accept chain=input comment="Allow Established Connections" connection-state=established
add action=accept chain=input comment="Allow connections that originated from LAN" connection-state=related
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment=SSH dst-port=22 protocol=tcp
add action=accept chain=input comment=ISAKMP dst-port=500 protocol=tcp
add action=accept chain=input comment=PPTP-VPN dst-port=1723 protocol=tcp
add action=accept chain=input comment="The Dude" dst-port=2210 protocol=tcp
add action=accept chain=input comment=WINBOX dst-port=8291 protocol=tcp
add action=accept chain=input comment=PPTP-VPN protocol=gre
add action=accept chain=input comment=PPTP-VPN protocol=ipsec-esp
add action=accept chain=input comment=OSPF dst-address=224.0.0.5
add action=accept chain=input dst-address=224.0.0.18 protocol=ipsec-ah
add action=accept chain=input comment=OSPF log=yes protocol=ospf
add action=accept chain=input comment="LAN Traffic" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=return chain=input comment="UDP Return Unreachable" connection-state="" protocol=udp
add action=drop chain=input comment="Drop Traffic from anywhere"
add action=accept chain=forward comment="LAN Traffic" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=accept chain=forward comment=ICMP protocol=icmp
add action=accept chain=forward comment="Allow all dstnat traffic" connection-nat-state=dstnat
add action=accept chain=forward comment=FTP-DATA dst-address=0.0.0.0/0 dst-port=20 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=FTP-DATA dst-address=192.168.1.0/24 protocol=udp src-port=20
add action=accept chain=forward comment=FTP-CONTROL dst-address=0.0.0.0/0 dst-port=21 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=SSH dst-address=0.0.0.0/0 dst-port=22 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Telnet dst-address=0.0.0.0/0 dst-port=23 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=SMTP dst-port=25 protocol=tcp src-address=172.17.2.126
add action=accept chain=forward comment=DNS dst-address=0.0.0.0/0 dst-port=53 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=DNS dst-address=0.0.0.0/0 dst-port=53 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=DNS dst-address=192.168.1.0/24 protocol=udp src-port=53
add action=accept chain=forward comment=HTTP dst-address=0.0.0.0/0 dst-port=80 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="RADIO EXPORT CODEPLUG DATABASE" dst-address=0.0.0.0/0 dst-port=81 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=POP3 dst-address=0.0.0.0/0 dst-port=110 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=NTP dst-address=0.0.0.0/0 dst-port=123 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=NTP dst-address=192.168.1.0/24 protocol=udp src-port=123
add action=accept chain=forward comment="Microsoft RPC Locator Service" dst-address=0.0.0.0/0 dst-port=135 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Microsoft RPC Locator Service" dst-address=0.0.0.0/0 dst-port=135 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="Microsoft RPC Locator Service" dst-address=192.168.1.0/24 protocol=udp src-port=135
add action=accept chain=forward comment=Netbios dst-address=0.0.0.0/0 dst-port=139 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Netbios dst-address=0.0.0.0/0 dst-port=139 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Netbios dst-address=192.168.1.0/24 protocol=udp src-port=139
add action=accept chain=forward comment=IMAP dst-address=0.0.0.0/0 dst-port=143 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=HTTPS dst-address=0.0.0.0/0 dst-port=443 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Incoming Outlook Anywhere" dst-address=192.168.1.0/24 dst-port=443 protocol=tcp
add action=accept chain=forward comment=HTTPS dst-address=0.0.0.0/0 dst-port=443 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=HTTPS dst-address=192.168.1.0/24 protocol=udp src-port=443
add action=accept chain=forward comment=SMTPS dst-address=0.0.0.0/0 dst-port=465 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=ISAKMP dst-address=0.0.0.0/0 dst-port=500 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=ISAKMP dst-address=0.0.0.0/0 dst-port=500 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=ISAKMP dst-address=192.168.1.0/24 protocol=udp src-port=500
add action=accept chain=forward comment=SMTP dst-address=0.0.0.0/0 dst-port=587 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="ZIMRA FTP" dst-address=0.0.0.0/0 dst-port=800 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=IMAPS dst-address=0.0.0.0/0 dst-port=993 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=POP3S dst-address=0.0.0.0/0 dst-port=995 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=PPTP-VPN dst-address=0.0.0.0/0 dst-port=1723 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="ExSolar Smart Energy Monitor Data" dst-address=0.0.0.0/0 dst-port=2010 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="ExSolar Smart Energy Monitor Data" dst-address=192.168.1.0/24 protocol=udp src-port=2010
add action=accept chain=forward comment="Quintum Remtoe Tenor Manager" dst-address=65.88.254.134 dst-port=2300 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="Quintum Remtoe Tenor Manager" dst-address=192.168.1.0/24 protocol=udp src-address=65.88.254.134 src-port=2300
add action=accept chain=forward comment=SMTP dst-address=0.0.0.0/0 dst-port=2525 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=UPNP dst-address=0.0.0.0/0 dst-port=2869 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=BlackBerry dst-address=0.0.0.0/0 dst-port=3101 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Active Directory" dst-address=0.0.0.0/0 dst-port=3268 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Incoming Active Directory" dst-address=192.168.1.0/24 dst-port=3268 protocol=tcp
add action=accept chain=forward comment="Allow Remote Desktop out" dst-address=0.0.0.0/0 dst-port=3389 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Viber,whatsapp dst-address=0.0.0.0/0 dst-port=3478 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Viber,whatsapp dst-address=192.168.1.0/24 protocol=udp src-port=3478
add action=accept chain=forward comment=Facetime dst-address=0.0.0.0/0 dst-port=3478-3497 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Facetime dst-address=192.168.1.0/24 protocol=udp src-port=3478-3497
add action=accept chain=forward comment=Viber,whatsapp dst-address=0.0.0.0/0 dst-port=4244 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="WAN1 Crashplan" dst-address=0.0.0.0/0 dst-port=4282 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=NON500-ISAKMP dst-address=0.0.0.0/0 dst-port=4500 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=NON500-ISAKMP dst-address=0.0.0.0/0 dst-port=4500 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=NON500-ISAKMP dst-address=192.168.1.0/24 protocol=udp src-port=4500
add action=accept chain=forward comment=SIP dst-address=0.0.0.0/0 dst-port=5060 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=SIP dst-address=0.0.0.0/0 dst-port=5060 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=SIP dst-address=192.168.1.0/24 dst-port=5060 protocol=udp
add action=accept chain=forward comment=SIP dst-address=0.0.0.0/0 dst-port=5061 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=SIP dst-address=0.0.0.0/0 dst-port=5070 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=SIP dst-address=0.0.0.0/0 dst-port=5070 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=SIP dst-address=192.168.1.0/24 dst-port=5070 protocol=udp
add action=accept chain=forward comment=Whatsapp dst-address=0.0.0.0/0 dst-port=5222 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Whatsapp dst-address=0.0.0.0/0 dst-port=5223 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Whatsapp dst-address=0.0.0.0/0 dst-port=5228 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Whatsapp dst-address=0.0.0.0/0 dst-port=5242 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Viber dst-address=0.0.0.0/0 dst-port=5243 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Viber dst-address=192.168.1.0/24 protocol=udp src-port=5243
add action=accept chain=forward comment="Web Portal" dst-address=0.0.0.0/0 dst-port=5742 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="solar webportal" dst-address=0.0.0.0/0 dst-port=7777 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Alternate SMTP" dst-address=0.0.0.0/0 dst-port=8025 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=HTTP dst-address=0.0.0.0/0 dst-port=8080 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="WAN1 Service Desk Portal" dst-address=0.0.0.0/0 dst-port=8086 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Winbox dst-address=0.0.0.0/0 dst-port=8291 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Winbox dst-address=192.168.1.0/24 protocol=tcp src-port=8291
add action=accept chain=forward comment=SSL dst-address=0.0.0.0/0 dst-port=8443 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Viber dst-address=0.0.0.0/0 dst-port=9785 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Viber dst-address=192.168.1.0/24 protocol=udp src-port=9785
add action=accept chain=forward comment="VPN " dst-address=0.0.0.0/0 dst-port=10000 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="VPN " dst-address=0.0.0.0/0 dst-port=10000 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="VPN " dst-address=192.168.1.0/24 protocol=udp src-port=10000
add action=accept chain=forward comment="Dandemutande SMTP" dst-address=0.0.0.0/0 dst-port=10025 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Facetime dst-address=0.0.0.0/0 dst-port=16384-16387 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Facetime dst-address=192.168.1.0/24 protocol=udp src-port=16384-16387
add action=accept chain=forward comment=Facetime dst-address=0.0.0.0/0 dst-port=16393-16402 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Facetime dst-address=192.168.1.0/24 protocol=udp src-port=16393-16402
add action=accept chain=forward comment="FNB Banking App" dst-address=0.0.0.0/0 dst-port=36400 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=Whatsapp dst-port=45395 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=Whatsapp dst-address=192.168.1.0/24 protocol=udp src-port=45395
add action=accept chain=forward comment=PPTP-VPN protocol=gre
add action=accept chain=forward comment="WAN1 VOIP" dst-address=77.246.50.80 src-address=192.168.1.0/24
add action=accept chain=forward comment="WAN1 VOIP" dst-address=192.168.1.0/24 src-address=77.246.50.80
add action=accept chain=forward comment="TCP Established" connection-state=established protocol=tcp
add action=accept chain=forward comment="Allow connections originating from Lan" connection-state=related protocol=tcp
add action=log chain=forward log=yes
add action=accept chain=forward comment="Drop everything not accepted"
add action=accept chain=output comment="Allow Established from router" connection-state=established
add action=accept chain=output comment="Allow related from router" connection-state=related
add action=accept chain=output comment="LAN Traffic" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=drop chain=output comment="Drop invalid from router" connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting comment=" pfw WAN1, out WAN1" connection-mark=WAN1_pfw in-interface=vlan4090 new-routing-mark=WAN1_traffic \
    passthrough=no
add action=mark-routing chain=prerouting comment=" pfw WAN2, out WAN2" connection-mark=WAN2_pfw in-interface=vlan3232 new-routing-mark=WAN2_traffic \
    passthrough=no
add action=mark-connection chain=input comment=" in WAN1,out WAN1" in-interface=vlan4090 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input comment=" in WAN2,out WAN2" in-interface=vlan3232 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=forward comment=" pfw WAN1, out WAN1" connection-state=new in-interface=vlan4090 new-connection-mark=WAN1_pfw \
    passthrough=yes
add action=mark-connection chain=forward comment=" pfw WAN2, out WAN2" connection-state=new in-interface=vlan3232 new-connection-mark=WAN2_pfw \
    passthrough=yes
add action=mark-routing chain=output comment=" in WAN1,out WAN1" connection-mark=WAN1_conn new-routing-mark=WAN1_traffic passthrough=no
add action=mark-routing chain=output comment=" in WAN2,out WAN2" connection-mark=WAN2_conn new-routing-mark=WAN2_traffic passthrough=no
/ip firewall nat
add action=src-nat chain=srcnat comment="WAN1 Src Nat" dst-address=0.0.0.0/0 out-interface=vlan4090 src-address=192.168.1.0/24 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment="WAN2 Src Nat" dst-address=0.0.0.0/0 out-interface=vlan3232 src-address=192.168.1.0/24 to-addresses=y.y.y.y
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=192.168.1.0/24
/ip route
add check-gateway=ping comment="in_WAN1;;out_WAN1" distance=1 gateway=x.x.x.225 routing-mark=WAN1_traffic
add check-gateway=ping comment="in_WAN2; out_WAN2" distance=1 gateway=y.y.y.69 routing-mark=WAN2_traffic
add check-gateway=ping comment="Primary out_WAN2" distance=1 gateway=y.y.y.69
add check-gateway=ping comment="Secondary out_WAN1" distance=2 gateway=x.x.x.225
/ip route rule
add dst-address=192.168.1.0/24 table=main
add dst-address=y.y.y.y/30 table=main
add dst-address=x.x.x.x/30 table=main
add src-address=y.y.y.y/30 table=WAN2_traffic
add src-address=x.x.x.x/30 table=WAN1_traffic
add routing-mark=WAN2_traffic table=WAN2_traffic
add routing-mark=WAN1_traffic table=WAN1_traffic
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=grant profile=PPTP-VPN service=pptp
/system clock
set time-zone-name=Indian/Mauritius
/system identity
set name=RB750G
/system logging
add topics=pptp
/system ntp client
set enabled=yes server-dns-names=0.africa.pool.ntp.org,1.africa.pool.ntp.org,2.africa.pool.ntp.org,3.africa.pool.ntp.org
/system package update
set channel=bugfix
/system routerboard settings
set init-delay=0s
/tool romon port
add
 
User avatar
dgnevans
Member
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: One simple queue consume all cpu

Wed Sep 20, 2017 11:42 am

So my understanding is this.
You want to have LAN and WIFI for your emplyees or colleagues and then a guest WiFi for just guests.

I would use Ether1 for the Wan port or the link to the 10.10 network. I would then configure 2 bridges.1 Bridge for LAN and 1 bridge for Guest_Wifi
I would then apply the the ip addresses to the various interfaces (ether1, LAN_BRIDGE, GUEST_WIFI_BRIDGE) You can experiment to see if performance is changed by applying the ip address to the ether 2 interface of LAN_BRIDGE.
I would add ether 2 and Wifi interfaces for your lan users to LAN_Bridge.
I would then set Ether 2 as master interface for ether3-5.
Configure your DHCP accoridingly. and default lan accordingly. YOu will also need to make sure that 10.10. main router has an ip route pointing back from your LAN traffic on this router.
This would be a very simple config. Not many lines.
example which is not exactly same but similar.
/interface bridge
add name="VLAN 10 LAN Bridge"
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on
set [ find default-name=ether2 ] loop-protect=on master-port=ether1
set [ find default-name=ether3 ] loop-protect=on master-port=ether1
set [ find default-name=ether4 ] loop-protect=on master-port=ether1
set [ find default-name=ether5 ] loop-protect=on master-port=ether1
set [ find default-name=sfp1 ] loop-protect=on
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=zimbabwe disabled=no frequency=2462 frequency-mode=superchannel mode=\
    ap-bridge name=HQ-RES-2.4 ssid=HQ-RES tx-power=29 tx-power-mode=all-rates-fixed wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-eCee country=zimbabwe disabled=no frequency=auto frequency-mode=regulatory-domain \
    mode=ap-bridge name=HQ-RES-5 ssid=HQ-RES wps-mode=disabled
/interface wireless nstreme
set HQ-RES-2.4 enable-polling=no
set HQ-RES-5 enable-polling=no
/interface vlan
add interface=sfp1 name=vlan10 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/routing ospf instance
set [ find default=yes ] router-id=172.17.10.8
/interface bridge port
add bridge="VLAN 10 LAN Bridge" interface=ether1
add bridge="VLAN 10 LAN Bridge" interface=HQ-RES-2.4
add bridge="VLAN 10 LAN Bridge" interface=HQ-RES-5
add bridge="VLAN 10 LAN Bridge" interface=vlan10
/ip settings
set route-cache=no
/ip address
add address=172.17.10.8/24 interface=vlan10 network=172.17.10.0
/ip dns
set cache-size=512KiB servers=172.17.2.123,172.17.2.125
/ip route
add distance=1 gateway=172.17.10.1
/ip smb shares
set [ find default=yes ] directory=/pub
/routing ospf network
add area=backbone network=172.16.0.0/16
/system clock
set time-zone-name=Indian/Mauritius
/system identity
set name=HQ-RES-SW1
/system leds
set 1 interface=HQ-RES-5
/system package update
set channel=bugfix
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Wed Sep 20, 2017 12:09 pm

Excuse me, I can globally change config only on weekend, but can you test maximum speed in your config? In my current configuration, speed decreased from 911Mbit to 620Mbit (tested by iperf3) after one simple queue. Moreover, in 911Mbit CPU load is about 75%, but 620Mbit burn CPU at 100%.
Thank you for your config, I'll mindfully review it later.
 
User avatar
dgnevans
Member
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: One simple queue consume all cpu

Wed Sep 20, 2017 5:46 pm

I tried running iperf between 2 computers on my network. getting maximum 500 mbits no matter what settings I changed. CPU usage would sit between 70 and 90% without simple queues. This is not an indication of bandwidth as I tried them on the same switch and behing the router. same results. This appears to be an issue with windows and IPERF. So difficult for me to give you an accurate result.
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Wed Sep 20, 2017 8:39 pm

Thank you a lot!
My mistake was to add all interfaces to bridge instead of using master port and bridge only it.
Now, speed up to 92Mb/sec with one simple queue, but CPU is about 70%-90% load, so it's problem of queue tuning, not CPU limit.
 
User avatar
dgnevans
Member
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: One simple queue consume all cpu

Fri Sep 22, 2017 10:39 am

these smaller routers use large amount of CPU for networking and ethernet especially when bridge involved. the rules only account for a few percent. you may need to look at a higher model to get greater throughput. I am using the 1100ah x2 for inter vlan router and works well.
 
olegon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 92
Joined: Sat Sep 09, 2017 11:15 am

Re: One simple queue consume all cpu

Fri Sep 22, 2017 10:49 am

I would like some complete solution with Wi-Fi, so selected "hAP ac" as a highest model :(
Can you recommend me any other?
 
User avatar
dgnevans
Member
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe
Contact:

Re: One simple queue consume all cpu

Mon Sep 25, 2017 11:49 am

As you have said if you looking for an integrated solution then the HAP AC is the highest model. You could use a seperate AP and router. Or the other options you could do the Speed control on your wan router. This is where I do the most then it will take 25% of load off your Hap ac for simple queues. I prefer to control on the WAN routert as this offers the best results.
 
telstra
newbie
Posts: 31
Joined: Sat Jan 29, 2011 3:20 am

Re: One simple queue consume all cpu

Wed Jul 13, 2022 2:05 am

I have ccr1036 2s+ em
..
My information and configuration details..
I am running a small isp in a town area..
My total customers are 2100 only.
And every user has different bandwidth limit from radius server configured as zal pro for assigning internet packages with expiry date..like 10mbps 15mbps 25mbps 35mbps 50mbps and 100mbps..most of them are 10mbps, 15mbps and 25mbps..
I configure firewall nat as cgnat for 2200 clients on /24 pool.
Nat rules will be 7 or 8000 rules for 2200 clients..
My total bandwidth is 2gb per second..
Wan is connected to sfp+ plus port with a fiber dac cable..
Lan also connected to fiber dac cable with vlans cisco nexus 10gbps switch for my distributers areas...
1Ge ethernet port also configured with vlan for another area..
I am getting two issues on mikrotik ccr1036 2s+ em
1- when i tried simple queus with limit of 400mbps on certain destination supposed local ip pool 172.16.0.0/16
Amd destination adress is youtube pool for limit the maximum bandwidth for local users... So when i applied this my ccr cpu goes to 100% and i was shocked but i did not disable that and let them running.. ccr restarted self so i did disable that queu from simple queues...
2- one month ago i request to the isp to upgrade my internet services from 2gbps to 10gbps because at that time i connected the new distributor for providing internet of about 1200 users only..
And i make 2 more ccr 1036 configured same but short cgnat ip pool of about /22 only. And that two ccr's connected after my configured cc1036 ip routing only and vlan through cisco nexus ports
So my main ccr was passing only 4 gbps maximum bandwidth...
And if i use a simple queue for two another ccr band limit only two ip adresses cpu goes to 100percent...
Why mikrotik queues are eating allot of cpus...
With queues its also not passing a bandwidth to 10gbps... Maximum throughput was only 4 or 4.2 gbps of bandwidth without any limit...


Kindly guide me to pass the maximum traffic to 10gbps
And to resolve the simple ques issue on low minimum proccesing..
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 3099
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: One simple queue consume all cpu

Wed Jul 13, 2022 2:42 am

i think you need to split that load on separate machines

that ccr1036 is maxed out
 
telstra
newbie
Posts: 31
Joined: Sat Jan 29, 2011 3:20 am

Re: One simple queue consume all cpu

Wed Jul 13, 2022 4:06 am

i think you need to split that load on separate machines

that ccr1036 is maxed out
I tried x86_64bit version on xeon server also... Mikrotik is not passing traffic as much in that also... Mikrotik needs allot of resources for passing the data... More speed need more processors...i heard about netelastic on centos is giving a 20gbps passthrough on same server... I dont know why the mikrotik test result was about ccr1036 2s+em that can pass 26gbps if using every port... So why 10g not passing from sfp+ port?
May be i need to configure cgnatting to core router
And pppoe clients on different ccr...
But when i active simple queues mikrotik goes to 100 percent... How other people are doing this and what is happening to my ccr? I baught 3 ccr in last three months... But failed to pass 10gb internet...
What i am i missing? I dont want to give the fast track enable to my customers because customers will not pay for the higher bandwidth payments... I am very disheartened and so much confused to what to do now..
Cisco nexus as bgp
Then server x86
Then 1 ccr1036 cgnatting
Then 3 ccr for customers..
Still customers are not satisfying from the services
And resources is not enough to run only 21 hundred users... Because of 100% cpu problem.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 3099
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: One simple queue consume all cpu

Wed Jul 13, 2022 5:09 am

i think you need to split that load on separate machines

that ccr1036 is maxed out
I dont know why the mikrotik test result was about ccr1036 2s+em that can pass 26gbps if using every port... So why 10g not passing from sfp+ port?
it depends of configuration with a ccr1036 i real world customer scenarios you can pass approximately:
20 gbps in fast-path mode no firewall,no mangle, no queues, no PPPoE
10 gbps in fast-track mode no mangle, no queues, no PPPoE

all depends of the complexity of your configuration, a heavy configuration can easily reduce ccr1036 capacity up to 1.5 gbps, a bad configuration can cripple it to lower than that

In a ISP network some Router Roles/Functions imply concentrate almost all the bandwidth, border-router and core-router easily fall in this category but this roles can be fulfilled in fast-path or even fast-track mode, CG-Nat Works well on fast-track mode

thats why running this Roles/Functions in separate machines is a good idea to achieve fast-path/fast-track mode and pass many gbps without problem and scale that Roles/Functions more easily

once you have this Roles/Functions running on fast-track/fast-path mode on your border, core and CG-Nat routers you have an advantage which is that this tasks these tasks are no longer performed by BRAS/BNG routers offloading some load and complexity from them

but intensive tasks like queues, QoS, PPPoE and more task still need to be realized by BRAS/BNG Role/Function routers

It is often in this role that you most need to design and implement your network to partition fractions of your end users across multiple BRAS/BNG routers, in a way that you can maintain te amount of end-users and traffic on each router within equipment capacity

also consider to offload traffic control onto access-network

For example, in GPON networks, many are no longer controlling bandwidth with the routers, instead they do it with the OLT, freeing up resources in the router BNG/BRAS

a good guide about this:

https://stubarea51.net/2021/11/14/isp-d ... -overview/
https://stubarea51.net/2022/05/02/webin ... functions/
 
telstra
newbie
Posts: 31
Joined: Sat Jan 29, 2011 3:20 am

Re: One simple queue consume all cpu

Wed Jul 13, 2022 3:59 pm

Thanks for the great reply... I hope in new upgrades mikrotik achieve this on single bng router...
Because in these days we like to put the smallest equipment into the rack because of lower consume voltage and ups backup will be good..
Nobody will like to install the big servers like dell and hp servers a rackmount servers...

Many of isp i heard that they are using junipers to achieve 100gbps on single router... But its very expensive i dont know the actual price but its also not available in my country...if its available somewhere in my country i must ask the price and interested to go to juniper..


Mikrotik is fastest in the making configuration
And also fastest to see and rectify the customer issue... But against juniper its failed..
And 7 version is not good as 6.x versions are fixed issues..

Well thanks anyways..
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 3099
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: One simple queue consume all cpu

Wed Jul 13, 2022 6:04 pm

don't forget about power consumption and heat, MikroTik is also very competitive in that matter, to power the smallest Juniper Box (which was discontinued recently) you will need the power and space of several Mikrotik's, and talking about money i hope your 2.000 customers generate profit to buy something 10x more expensive than MikroTik and the power and cooling you will require for that

even if you use Juniper the Network Role/Function separation is needed, forget about a single in one box solution to scale properly
 
telstra
newbie
Posts: 31
Joined: Sat Jan 29, 2011 3:20 am

Re: One simple queue consume all cpu

Thu Jul 14, 2022 12:13 am

[flash=][/flash]
No man... Netelastic and juniper is working on single box... And i allready mention about power consumption...

My only request is i need a one box in a mikrotik
..
Because of winbox funtion its very fast to configure any type of router...

And i need one box because i need to put that router on many places to achieve higher and higher bandwidth for the customers in very reliable rates..
And alhumdullillah means thanks of god that i have 2000 customers and i also can manage and can buy multiple ccr's but i need for multiples pop localtions and its very costly... Ups nexus and ccrs and then nexus again redundant fiber connectivity location rent electricity rent.. fiber expenses it will be cost around 10 thousand dollars minimum for one pop...
And if still data not pass so its hurt...
Well i am also like and fan of mikrotik.. just waiting for the bigger router..
Mikrotik has to produce a enterprise level like cisco and juniper or intel xeon server type routers... For huge packets...and for million of users...
Hope next year mikrotik will do..

Who is online

Users browsing this forum: Bing [Bot] and 26 guests