MikroTik

Posted: **Sat Aug 29, 2020 4:52 pm**

Hi guys, I have a question. I have a 100 MBPS plan of my ISP. It is unlimited no data cap. The thing is i don't know if this is normal or maybe i am over expecting the processing power of the Hap Ac2 or the problem relies on my configuration. The thing is when performing speed test at ookla's website, the cpu is already at 10-18 percent already and i limited the speed at 80 MBPS at the queue tree.

My Firewall Rules
/ip firewall connection tracking
set tcp-close-timeout=5s tcp-established-timeout=10m
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=5m chain=forward comment="Anti NMAP SCAN" \
    dst-address-list="Mikrotik Gateway" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=5m chain=input dst-address-list=\
    "Mikrotik Gateway" protocol=tcp psd=21,3s,3,1
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=jump chain=input comment="DDOS PROTECTION INPUT" \
    connection-state=new in-interface-list=LAN jump-target=\
    syn-flood-input protocol=tcp tcp-flags=syn
add action=accept chain=syn-flood-input limit=100,50:packet
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1m chain=syn-flood-input
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1m chain=input comment="Add as Port SCAN" \
    dst-port=8291,8728 in-interface-list=LAN protocol=tcp \
    src-address-list=!Support/Admins
add action=accept chain=input comment="Accept Established, Related" \
    connection-state=established,related
add action=accept chain=input comment="Accept LAN to Router" \
    in-interface-list=LAN src-address-list="Masquerade Users"
add action=accept chain=input comment=ICMP protocol=icmp
add action=drop chain=input comment="Drop everything else"
add action=jump chain=forward comment="DDOS PROTECTION FORWARD" \
    connection-state=new in-interface-list=LAN jump-target=\
    syn-flood-forward protocol=tcp tcp-flags=syn
add action=accept chain=syn-flood-forward connection-state="" \
    limit=100,50:packet
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1m chain=syn-flood-forward
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1m chain=forward comment="Add Port SCAN" \
    dst-address-list="PLDT Gateway" dst-port=80,443,23,22 \
    in-interface-list=LAN protocol=tcp src-address-list=\
    !Support/Admins
add action=add-dst-to-address-list address-list="port scanners" \
    address-list-timeout=1m chain=forward dst-address-list=\
    "Access Points" dst-port=80,443,23,22 in-interface-list=LAN \
    protocol=tcp src-address-list=!Support/Admins
add action=reject chain=forward comment="Drop Torrent" \
    dst-address-list="Torrent IP " dst-port=80,443,23,22 \
    in-interface-list=LAN protocol=tcp reject-with=tcp-reset \
    src-address-list=!Support/Admins
add action=accept chain=forward comment=\
    "Accept Established,Related " connection-state=\
    established,related
add action=drop chain=forward comment="Drop Invalid Forward" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted\"\r" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    "PLDT BROWSING"
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public\r\
    \nIP\"" in-interface="PLDT BROWSING" src-address-list=\
    not_in_internet
add action=drop chain=forward comment=\
    "\"Drop packets from Inside that do not have Inside\r\
    \nIP" in-interface-list=LAN src-address-list=\
    "!Masquerade Users"
/ip firewall mangle
add action=change-ttl chain=postrouting comment=\
    "Change TTL Anti Hotspot" new-ttl=set:1 out-interface=Hotspot \
    passthrough=yes
add action=fasttrack-connection chain=forward comment=\
    "LOL IP UPLOAD" dst-address-list=LOLIP in-interface-list=LAN
add action=fasttrack-connection chain=forward comment=\
    "LOL IP DOWNLOAD" out-interface-list=LAN src-address-list=LOLIP
add action=fasttrack-connection chain=forward comment=\
    "ML IP UPLOAD" dst-address-list=MLIP in-interface-list=LAN
add action=fasttrack-connection chain=forward comment=\
    "ML IP DOWNLOAD" out-interface-list=LAN src-address-list=MLIP
add action=fasttrack-connection chain=forward comment="PUBG UPLOAD" \
    dst-address-list="PUBG IP" in-interface-list=LAN
add action=fasttrack-connection chain=forward comment=\
    "PUBG DOWNLOAD" out-interface-list=LAN src-address-list=\
    "PUBG IP"
add action=fasttrack-connection chain=forward comment=\
    "ROBLOX UPLOAD" dst-address-list=ROBLOX in-interface-list=LAN
add action=fasttrack-connection chain=forward comment=\
    "ROBLOX DOWNLOAD" out-interface-list=LAN src-address-list=\
    ROBLOX
add action=fasttrack-connection chain=forward comment=\
    "CROSSFIRE UPLOAD" dst-address-list=CROSSFIRE \
    in-interface-list=LAN
add action=fasttrack-connection chain=forward comment=\
    "CROSSFIRE DOWNLOAD" out-interface-list=LAN src-address-list=\
    CROSSFIRE
add action=fasttrack-connection chain=forward comment=\
    "STEAM UPLOAD" dst-address-list="STEAM IP" in-interface-list=\
    LAN
add action=fasttrack-connection chain=forward comment=\
    "STEAM DOWNLOAD" out-interface-list=LAN src-address-list=\
    "STEAM IP"
add action=fasttrack-connection chain=forward comment="ROS UPLOAD" \
    dst-address-list="RULES OF SURVIVAL" in-interface-list=LAN
add action=fasttrack-connection chain=forward comment=\
    "ROS DOWNLOAD" out-interface-list=LAN src-address-list=\
    "RULES OF SURVIVAL"
add action=fasttrack-connection chain=forward comment=\
    "VALORANT UPLOAD" dst-address-list=VALORANT in-interface-list=\
    LAN
add action=fasttrack-connection chain=forward comment=\
    "VALORANT DOWNLOAD" out-interface-list=LAN src-address-list=\
    VALORANT
add action=mark-connection chain=forward comment=Upload \
    in-interface-list=LAN new-connection-mark=Upload passthrough=\
    yes src-address-list="Masquerade Users"
add action=mark-connection chain=forward comment=Download \
    dst-address-list="Masquerade Users" new-connection-mark=\
    Download out-interface-list=LAN passthrough=yes
add action=add-src-to-address-list address-list="Torrenting " \
    address-list-timeout=30s chain=forward comment="Detect Torent" \
    in-interface-list=LAN layer7-protocol=layer7-bittorrent-exp
add action=mark-packet chain=forward comment=\
    "HTTPS HIGH TRAFFIC UP" connection-bytes=625001-0 \
    connection-mark=Upload dst-port=443 in-interface-list=LAN \
    new-packet-mark="HTTPS HIGH TRAFFIC UP" passthrough=no \
    protocol=tcp
add action=mark-packet chain=forward connection-bytes=625001-0 \
    connection-mark=Upload dst-port=443 in-interface-list=LAN \
    new-packet-mark="HTTPS HIGH TRAFFIC UP" passthrough=no \
    protocol=udp
add action=mark-packet chain=forward comment="HTTPS LOW TRAFFIC UP" \
    connection-mark=Upload dst-port=443 in-interface-list=LAN \
    new-packet-mark="HTTPS LOW TRAFFIC UP" passthrough=no protocol=\
    tcp
add action=mark-packet chain=forward connection-mark=Upload \
    dst-port=443 in-interface-list=LAN new-packet-mark=\
    "HTTPS LOW TRAFFIC UP" passthrough=no protocol=udp
add action=mark-packet chain=forward comment="HTTP HIGH TRAFFIC UP" \
    connection-bytes=625001-0 connection-mark=Upload dst-port=\
    80,8080,81,8081 in-interface-list=LAN new-packet-mark=\
    "HTTP HIGH TRAFFIC UP" passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="HTTP LOW TRAFFIC UP" \
    connection-mark=Upload dst-port=80,8080,81,8081 \
    in-interface-list=LAN new-packet-mark="HTTP LOWTRAFFIC UP" \
    passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=\
    "HTTPS HIGH TRAFFIC DL" connection-bytes=625001-0 \
    connection-mark=Download new-packet-mark=\
    "HTTPS HIGH TRAFFIC DL" out-interface-list=LAN passthrough=no \
    protocol=tcp src-port=443
add action=mark-packet chain=forward connection-bytes=625001-0 \
    connection-mark=Download new-packet-mark=\
    "HTTPS HIGH TRAFFIC DL" out-interface-list=LAN passthrough=no \
    protocol=udp src-port=443
add action=mark-packet chain=forward comment="HTTPS LOW TRAFFIC DL" \
    connection-mark=Download new-packet-mark="HTTPS LOW TRAFFIC DL" \
    out-interface-list=LAN passthrough=no protocol=tcp src-port=443
add action=mark-packet chain=forward connection-mark=Download \
    new-packet-mark="HTTPS LOW TRAFFIC DL" out-interface-list=LAN \
    passthrough=no protocol=udp src-port=443
add action=mark-packet chain=forward comment="HTTP HIGH TRAFFIC DL" \
    connection-bytes=625001-0 connection-mark=Download \
    new-packet-mark="HTTP HIGH TRAFFIC DL" out-interface-list=LAN \
    passthrough=no protocol=tcp src-port=80,8080,81,8081
add action=mark-packet chain=forward comment="HTTP LOW TRAFFIC DL" \
    connection-mark=Download new-packet-mark="HTTP LOW TRAFFIC DL" \
    out-interface-list=LAN passthrough=no protocol=tcp src-port=\
    80,8080,81,8081
add action=mark-packet chain=forward comment="Torrent UP" \
    connection-mark=Upload in-interface-list=LAN new-packet-mark=\
    "Torrent UP" passthrough=no src-address-list="Torrenting "
add action=mark-packet chain=forward comment="Other Traffic UP" \
    connection-mark=Upload in-interface-list=LAN new-packet-mark=\
    "Other Traffic UP" passthrough=no
add action=mark-packet chain=forward comment="Torrent DL" \
    connection-mark=Download dst-address-list="Torrenting " \
    new-packet-mark="Torrent DL" out-interface-list=LAN \
    passthrough=no
add action=mark-packet chain=forward comment="Other Traffic DL" \
    connection-mark=Download new-packet-mark="Other Traffic DL" \
    out-interface-list=LAN passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface="PLDT BROWSING" \
    src-address-list="Masquerade Users"
add action=masquerade chain=srcnat out-interface=Hotspot \
    src-address-list=Support/Admins
/ip firewall raw
add action=drop chain=prerouting comment="Port Scanners and DDOS" \
    src-address-list="port scanners"
add action=drop chain=prerouting comment="Drop Routing" \
    dst-address=192.168.0.0/24 src-address=10.0.0.0/24 \
    src-address-list=""
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
--------------------------------------------------------------------------------------
My queues
/queue tree
add name="Other Games Traffic DL" packet-mark="Other Traffic DL" \
    parent=global priority=1
add name="Other Games Traffic UP" packet-mark="Other Traffic UP" \
    parent=global priority=1
/queue type
set 0 pfifo-limit=20
set 4 kind=none
add kind=pcq name="PCQ-D " pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=25000KiB
add kind=pcq name=PCQ-U pcq-classifier=src-address \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=25000KiB
/queue tree
add max-limit=80M name="Total Download" parent=global queue=\
    "PCQ-D "
add max-limit=40M name="Total Upload" parent=global queue=PCQ-U
add name="HTTPS HEAVY DL" packet-mark="HTTPS HIGH TRAFFIC DL" \
    parent="Total Download" priority=3 queue="PCQ-D "
add name="HTTPS LITE DL" packet-mark="HTTPS LOW TRAFFIC DL" parent=\
    "Total Download" priority=1 queue="PCQ-D "
add name="HTTP HEAVY DL" packet-mark="HTTP HIGH TRAFFIC DL" parent=\
    "Total Download" priority=7 queue="PCQ-D "
add name="HTTP LITE DL" packet-mark="HTTP LOW TRAFFIC DL" parent=\
    "Total Download" priority=5 queue="PCQ-D "
add max-limit=5M name="TORRENT DL" packet-mark="Torrent DL" parent=\
    "Total Download" queue="PCQ-D "
add name="HTTPS LITE UP" packet-mark="HTTPS LOW TRAFFIC UP" parent=\
    "Total Upload" priority=1 queue=PCQ-U
add name="HTTPS HEAVY UP" packet-mark="HTTPS HIGH TRAFFIC UP" \
    parent="Total Upload" priority=3 queue=PCQ-U
add name="HTTP HEAVY UP" packet-mark="HTTP HIGH TRAFFIC UP" parent=\
    "Total Upload" priority=7 queue=PCQ-U
add name="HTTP LITE UP" packet-mark="HTTP LOWTRAFFIC UP" parent=\
    "Total Upload" priority=5 queue=PCQ-U
add max-limit=5M name="TORRENT UP" packet-mark="Torrent UP" parent=\
    "Total Upload" queue=PCQ-U

Just a basic traffic shaping and qos, marking the common browsing ports, letting other ports to be considered as gaming ports also fasttrack the ip block of game servers and a torrent detector using layer 7 to separate from the other ports and marking the upload and download direction of my own lan network

Edit: Version 6.47.2

Posted: **Sat Aug 29, 2020 7:04 pm**

It's kind of expected for non-fasttracked traffic with queues, and as much mangle rules.

Posted: **Sat Aug 29, 2020 8:01 pm**

It's kind of expected for non-fasttracked traffic with queues, and as much mangle rules.

Thanks for the response. I guess i will reduce my rules even more.

Posted: **Sat Aug 29, 2020 8:37 pm**

That still leaves you 82% of CPU totally unused.

Posted: **Sat Aug 29, 2020 9:17 pm**

That still leaves you 82% of CPU totally unused.

Yeah totally unused. I could feel my Hap Ac2 heating up like an steam water vapor and i am wondering if it has a connection to my cpu usage. Even though our house got aircon, i just placed a fan at the Mikrotik logo at the left side just in case and it cooled down.

Posted: **Sun Aug 30, 2020 6:42 pm**

They say it can get really hot and doesn't matter.

Posted: **Sun Aug 30, 2020 9:54 pm**

That still leaves you 82% of CPU totally unused.

Well, it's a 4-core CPU. A single-threaded load can cause 100% usage on one of these cores and you will only see 25% global CPU usage.

Posted: **Sun Aug 30, 2020 10:30 pm**

That still leaves you 82% of CPU totally unused.
Well, it's a 4-core CPU. A single-threaded load can cause 100% usage on one of these cores and you will only see 25% global CPU usage.

Ookla speedtest nowdays is multi-stream, hence it should scale well on multi-core routers.
I fully agree with @xvo that outcome is to be expected with OP's configuration. Realistic max routing throughput of hAP ac2 is near 1Gbps but that's with setup allowing to fasttrack most of traffic (which OP's setup doesn't). If CPU usage would scale linearly with throughput (I've no idea if it does), then 80Mbps would mean 8% CPU usage ... so load of 10-18% is not so bad after all.

Posted: **Mon Aug 31, 2020 3:49 pm**

Thanks for all the reply guys, really appreciate it. The reason i have so many mangles is that i want my queue tree i mean all of my user reach 80 mbps in 2 interfaces and the router will share them through pcq. The hotspot and the switch.I don't want to set per interface and do 40/40. There is actually 2 ways to do this. do global-global in queue tree based on packet marks interface list or setting wan as upload then global for download no interface list - this causes too much cpu in queues. Now i am trying to get cpu efficiency as much as possible and i just learned now that connection-mark is bidirectional but when i packet mark based on the connection mark even if it captures the upload it captures all traffic in global and what's the point of using connection-mark interface list when you are doing it again on the packet mark?

MikroTik

Hap Ac2 CPU usage during speedtest.

Hap Ac2 CPU usage during speedtest.

Re: Hap Ac2 CPU usage during speedtest.

Re: Hap Ac2 CPU usage during speedtest.

Re: Hap Ac2 CPU usage during speedtest.

Re: Hap Ac2 CPU usage during speedtest.

Re: Hap Ac2 CPU usage during speedtest.

Re: Hap Ac2 CPU usage during speedtest.

Re: Hap Ac2 CPU usage during speedtest.

Re: Hap Ac2 CPU usage during speedtest.