
firewall is pushing the cpu

Posted: Fri Dec 07, 2018 8:49 am
by amt
Hi everyone,
Yesterday I realized that the firewall that I use on all devices increases CPU usage on devices with heavy traffic. I wanted to share the firewall that I put on all devices below; maybe my firewall rules are wrong. When I disable all rules in /ip firewall filter, CPU returns to normal.
/ip firewall filter 
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=input comment="accept ospf" protocol=ospf
add action=drop chain=input comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=input comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp
/ip service set www port=9090
/snmp set enabled=no
/snmp community set read-access=no write-access=no [find]
/ip smb set allow-guests=no
/ip smb set enabled=no
/ip service disable www-ssl
/ip service disable ftp
/system package disable ipv6
/ip firewall service-port disable [/ip firewall service-port find]
/ip dns set servers=8.8.8.8,8.8.4.4
/ip service disable telnet,ftp,api-ssl
/ip service set ssh port=2223
/ip service set address=10.10.20.20 [/ip service find]
/user set address=10.10.20.20 [/user find]
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
/ip ssh set strong-crypto=yes
/ip ssh set host-key-size=4096 strong-crypto=yes
/ip settings set rp-filter=strict
Thanks for all help.

Re: firewall is pushing the cpu

Posted: Fri Dec 07, 2018 11:21 am
by shiyiqiang08
> (quoting amt's opening post above in full)
When you use a firewall, the router has to check every packet, so when you have heavy traffic the CPU will go up fast.
You can mark the connection (/ip firewall mangle) and then mark the packets; this will reduce your CPU cost.

Re: firewall is pushing the cpu

Posted: Fri Dec 07, 2018 11:48 am
by Steveocee
With firewalls my personal ethos is drop everything and allow only what you want. Your firewall was allowing what you want and dropping "some" stuff. Your rules can be much simpler if you set them up as per below, and that may transpire into better CPU utilisation.
Nobody has asked what model router you have (maybe it has a low-powered CPU) and you haven't posted any NAT rules (if you have them), so the below would stop anything NAT'd as well, but it can be amended if needed.
/ip firewall filter 
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=input comment="accept ospf" protocol=ospf
add action=drop chain=input comment="drop all"
add action=drop chain=forward comment="drop all"

Re: firewall is pushing the cpu

Posted: Fri Dec 07, 2018 12:02 pm
by argusb
Also look into FastTrack (https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack); this can improve performance dramatically.

Re: firewall is pushing the cpu

Posted: Fri Dec 07, 2018 12:11 pm
by amt
> When you use a firewall, the router has to check every packet, so when you have heavy traffic the CPU will go up fast.
> You can mark the connection (/ip firewall mangle) and then mark the packets; this will reduce your CPU cost.
Thanks for your answer... You mean I should create a mangle rule that marks the ports for admin and then add a filter rule for this mark?
Am I right here?

Re: firewall is pushing the cpu

Posted: Fri Dec 07, 2018 12:13 pm
by amt
> Slightly wipe the firewall rules sequence.
> The input section always ends with 'drop all'
> # drop all other input
> add chain=input action=drop comment="drop everything else"
> And the 'forward' chain -
> # drop all other forward
> add chain=forward action=drop comment="drop everything else"
> You do not have these rules at all.
Thanks for your answer, but I did not clearly understand what you mean. Should I delete all rules and add these ones? How will I give access only to admin?

Re: firewall is pushing the cpu

Posted: Fri Dec 07, 2018 12:20 pm
by amt
> (quoting Steveocee's post above in full)
Thanks for your answer... I added these rules on all devices (PowerBox, SXT, OmniTik, CCR etc.), but last night I saw high CPU on an RB1100AHx4. When I checked Tools > Profile I saw that firewall used much CPU, and when I checked System > Resources I saw one CPU at 60%. When I disable the /ip firewall filter rules, that 60% usage decreases to 3-5%, and total usage also decreases from 35-40% to 10-15%. Traffic on the RB1100AHx4 is nearly 700MB.
sorry for my English :)

Re: firewall is pushing the cpu

Posted: Fri Dec 07, 2018 1:31 pm
by Steveocee
Are you sure it is not just somebody trying to attack your router and it's doing its job? Does/Has the CPU usage subside(d)?

Re: firewall is pushing the cpu

Posted: Fri Dec 07, 2018 1:38 pm
by amt
> Are you sure it is not just somebody trying to attack your router and it's doing its job? Does/Has the CPU usage subside(d)?
Yes, I'm sure; when I disable the firewall filter rules, CPU usage subsides...

Also, I tried to add the firewall rules you suggested to me, as below, but traffic went down from 300 to 200 :) This device sits in front of the pppoe_server.
/ip firewall filter 
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=input comment="accept ospf" protocol=ospf
add action=drop chain=input comment="drop all"
add action=drop chain=forward comment="drop all"

Re: firewall is pushing the cpu

Posted: Tue Dec 11, 2018 2:30 pm
by amt
Any other suggestion?

Re: firewall is pushing the cpu

Posted: Tue Dec 11, 2018 2:41 pm
by pe1chl
You cannot run an ISP using RB750Gr1 routers. Some people forget that. Only the higher-performance devices like CCR or newer RB models (1100, 3011, 4011) have enough CPU performance to do firewalling at high speed.

Re: firewall is pushing the cpu

Posted: Tue Dec 11, 2018 3:47 pm
by sebastia
What is the purpose of this router: only NATting, or NATting + forwarding?

If it is also forwarding, and a sizeable amount, use no-track in raw so that it is not conntracked... That will save CPU, together with FastPath.

Re: firewall is pushing the cpu

Posted: Tue Dec 11, 2018 4:19 pm
by amt
> What is the purpose of this router: only NATting, or NATting + forwarding?
>
> If it is also forwarding, and a sizeable amount, use no-track in raw so that it is not conntracked... That will save CPU, together with FastPath.
Hi sebastia, thanks for your answer.
Just forwarding traffic to other routers. I already disabled connection tracking and tested; it gives a little more performance, but not so much. What about the firewall rules that I used, do they seem OK in your opinion?

And isn't using no-track in raw the same as disabling connection tracking?

Thanks

Re: firewall is pushing the cpu

Posted: Tue Dec 11, 2018 9:19 pm
by sebastia
Some questions:
* what is the typical connection count through that router?
* do you need/have to protect your inner / forwarded networks?
* the configuration given is complete?

Re: firewall is pushing the cpu

Posted: Wed Dec 12, 2018 3:55 pm
by amt
> * what is the typical connection count through that router?
While connection tracking is disabled:
/ip firewall connection print count-only :: 2801

While connection tracking is enabled:
/ip firewall connection print count-only :: 20458

> * do you need/have to protect your inner / forwarded networks?
Yes, I need to protect all devices all the time :=)
> * the configuration given is complete?
For the firewall, yes.

Re: firewall is pushing the cpu

Posted: Wed Dec 12, 2018 9:08 pm
by sebastia
From forwarding point of view, following rules are applicable:
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp

Further, in the configuration as provided, there is no "IP stack optimisation".

There are the following options for optimisation:
* enable FastPath, BUT for that the firewall rules need to be empty, see https://wiki.mikrotik.com/wiki/Manual:F ... v4_handler
* disable conn track: lack of connection tracking reduces memory requirements (and sensitivity to DDoS), but it also renders the firewall stateless: no notion of connection, and every packet is examined only based on its IPs and ports/types. The above rules with "connection-state=..." will be unusable.
* enable conn track AND FastTrack (a combination of FastPath and connection tracking, https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack): all connections are tracked, but since "FastTracked packets bypass firewall, connection tracking, ...", connections can be handled in a much more efficient way. There is potential to DDoS the router, but this can be mitigated by "TCP SynCookies". Additional protection can be taken by, for example, "no-track"-ing UDP.

So from your point of view, 2 options are possible for you: no conn track or FastTrack. I would suggest looking first at the last one:
* fasttrack all of your traffic.
* enable tcp syncookies
* no-track UDP
* tune (=reduce) conn tracking timeouts
20k connections should be doable on 1100Ahx4.

With regards to your current rules, I would suggest moving the "drop Admin Ports" rules to the RAW:prerouting chain -> drop at first chance.
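Two points from this thread can be checked offline: a chain without a final drop silently accepts whatever the earlier rules did not catch (Steveocee's default-deny rewrite), and FastTracked packets skip the filter after the first packet of a connection (sebastia's post above). The Python script below is an added example by the editor, not code from the thread or from MikroTik. It parses the rule sets quoted above (comments dropped) and walks a packet through one chain first-match, modelling only the matchers those rules use and two RouterOS behaviours: a packet that reaches the end of a filter chain without a terminating match is accepted, and action=fasttrack-connection does not terminate rule processing (which is why the RouterOS default configuration follows it with an accept rule). FASTTRACK_FORWARD is a hypothetical forward chain built from sebastia's advice, not a rule set anyone posted; SERVICE_PORTS takes www=9090 and ssh=2223 from amt's hardening script and assumes winbox stays on its RouterOS default of 8291.

```python
"""Offline evaluator for the RouterOS /ip firewall filter rule sets in this
thread (added example, not RouterOS code). Only the matchers those rules use
are modelled; a real router evaluates far more."""
import shlex

# Constructed input: amt's original rules, comments dropped.
ORIGINAL = """
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address-list=secureadmin
add action=accept chain=forward src-address-list=secureadmin
add action=accept chain=input protocol=ospf
add action=drop chain=input dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=input dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp
add action=drop chain=forward dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=forward dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp
"""

# Constructed input: Steveocee's default-deny variant.
DEFAULT_DENY = """
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address-list=secureadmin
add action=accept chain=forward src-address-list=secureadmin
add action=accept chain=input protocol=ospf
add action=drop chain=input
add action=drop chain=forward
"""

# Hypothetical forward chain with a FastTrack rule, as sebastia suggests;
# nobody in the thread posted this rule set.
FASTTRACK_FORWARD = """
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward src-address-list=secureadmin
add action=drop chain=forward
"""

# www and ssh come from the posted /ip service lines; 8291 is the RouterOS
# winbox default, assumed unchanged because the hardening script never sets it.
SERVICE_PORTS = {"www": 9090, "ssh": 2223, "winbox": 8291}


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; list-valued matchers become sets."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rule = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            rule[key] = set(val.split(",")) if key in ("dst-port", "connection-state") else val
        rules.append(rule)
    return rules


def matches(rule, pkt):
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst-port" in rule and str(pkt.get("dst_port")) not in rule["dst-port"]:
        return False
    if "src-address-list" in rule and rule["src-address-list"] not in pkt.get("lists", ()):
        return False
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"]:
        return False
    return True


def evaluate(rules, chain, pkt):
    """Walk one chain first-match; return (verdict, number of rules examined)."""
    if pkt.get("fasttracked"):
        return "accept", 0  # FastTracked packets bypass the filter entirely
    examined = 0
    for rule in rules:
        if rule["chain"] != chain:
            continue
        examined += 1
        if not matches(rule, pkt):
            continue
        if rule["action"] == "fasttrack-connection":
            pkt["fasttracked"] = True  # later packets of this flow skip the filter
            continue  # non-terminating, like the mark actions
        return rule["action"], examined
    return "accept", examined  # end of chain without a terminating match: accept


def exposed_services(rules, service_ports=SERVICE_PORTS):
    """Services a new TCP connection from a non-admin source can reach."""
    new = lambda port: {"protocol": "tcp", "dst_port": port, "state": "new"}
    return {n: p for n, p in service_ports.items() if evaluate(rules, "input", new(p))[0] == "accept"}


def rules_examined_per_packet(rules, n_packets=3):
    """Rules examined by successive packets of one established forward flow."""
    flow = {"protocol": "tcp", "dst_port": 443, "state": "established"}  # one dict = one connection
    return [evaluate(rules, "forward", flow)[1] for _ in range(n_packets)]
```

exposed_services(parse_rules(ORIGINAL)) returns {'ssh': 2223}: the hardening script moved SSH to 2223, but the "drop Admin Ports" list still carries only 22 and 2200, and without a final drop the input chain falls through to accept, so SSH on its new port is reachable from any source. With DEFAULT_DENY the same call returns {} and only a packet from the secureadmin list gets through. rules_examined_per_packet gives [1, 1, 1] for the original forward chain and [2, 0, 0] once a FastTrack rule is in place: only the first packet of each established flow pays for the walk, which is the CPU saving sebastia describes.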

Re: firewall is pushing the cpu

Posted: Thu Dec 13, 2018 10:59 am
by amt
> (quoting sebastia's post above in full)
Hi sebastia,
thank you very much for your answer and help.
Can you explain a little more about "tune (=reduce) conn tracking timeouts"?
Now I am going to remove all rules in /ip firewall filter and set conn track to disabled. After this I will put the rules in the raw table as below:
/ip firewall raw
add action=accept chain=prerouting src-address-list=secureadmin
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp
When I put rules in the raw table, FastPath is disabled again, but I think the RB1100AHx4 can handle this traffic.

Re: firewall is pushing the cpu

Posted: Thu Dec 13, 2018 12:29 pm
by sebastia
"tune (=reduce) conn tracking timeouts" is only relevant if you want to do connection tracking. Do you?
If yes: you could reduce the timeouts so that connections are cleaned up sooner, e.g. "TCP established timeout" in /ip firewall connection tracking settings.
Further, make sure a FastTrack rule is present for all forward traffic.

Re: firewall is pushing the cpu

Posted: Sat Dec 15, 2018 8:11 am
by amt
> "tune (=reduce) conn tracking timeouts" is only relevant if you want to do connection tracking. Do you?
> If yes: you could reduce the timeouts so that connections are cleaned up sooner, e.g. "TCP established timeout" in /ip firewall connection tracking settings.
> Further, make sure a FastTrack rule is present for all forward traffic.
Thank you sebastia,
I disabled conn tracking and put the rules below in the raw table. It is a little better than firewall filter. Thanks for all the help.
/ip firewall raw
add action=accept chain=prerouting src-address-list=secureadmin
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp

Re: firewall is pushing the cpu

Posted: Sat Dec 15, 2018 6:00 pm
by pe1chl
There is little point in doing that firewalling "everywhere", especially when you also have high-bandwidth customer traffic. In that case it is better to keep the "forward" firewall empty and put those rules only in the "input" firewall, where you will have far less traffic and so there will be less CPU load.

Re: firewall is pushing the cpu

Posted: Sun Dec 16, 2018 1:51 pm
by msatter
> (quoting amt's post above in full)
I turn this around in RAW: only allow the ports I use, and then have a block-all for TCP and UDP.

For specific filtering on allowed ports I group similar rules under a jump, so when traffic is not for those ports it has to pass only one line.

It is always good to look at whether block or accept is more efficient.

The option to favour input over forward sounds good in rules.

Re: firewall is pushing the cpu

Posted: Sun Dec 16, 2018 7:03 pm
by amt

> (quoting msatter's post above in full)
Hi msatter,
can you share your rules so I can gain experience? I'm not good at firewalls, and I would like to get knowledge and experience from the experts on the forum.
If you share your rules or your suggestions I will be satisfied.
When I disable conn track, the raw table gets rules put in dynamically (/ip firewall connection tracking set enabled=no) and I put my rules above them; I thought the logic was like this: first check ports, then no-track the others.

Thanks for your suggestions.

Re: firewall is pushing the cpu

Posted: Mon Dec 17, 2018 2:04 pm
by msatter
My firewall is made more for domestic use, and the tips from the last posting members were more appropriate for you. I can't go without connection tracking, and I am going to do some tuning for myself.