iowa
just joined
Topic Author
Posts: 7
Joined: Wed May 04, 2016 12:22 am

2011UiAS-2HnD strange high CPU usage

Wed May 04, 2016 1:04 am

I bought a 2011UiAS-2HnD and decided to run some tests before I set it up as the "main" router in my network.

internet -----> 2011UiAS-2HnD -----> Ubiquiti NanoStation -------> 3 AirGrid antennas (I have 300/50 Mbit/s and want to share it with my friends). I have a Cisco 3208 modem.

So I created very simple rules, e.g.:
[admin@MikroTik] > export
# may/03/2016 23:27:12 by RouterOS 6.35.1
# software id = 2NAW-V5ZU
#
/ip pool
add name=pool1 ranges=192.168.5.1-192.168.5.55
add name=pool2 ranges=192.168.6.1-192.168.6.55
add name=pool3 ranges=192.168.7.1-192.168.7.55
/ip dhcp-server
add address-pool=pool1 disabled=no interface=ether2 name=server1
add address-pool=pool2 disabled=no interface=ether3 name=server2
add address-pool=pool3 disabled=no interface=ether4 name=server3
/system logging action
set 0 memory-lines=100
/ip address
add address=192.168.5.1/24 interface=ether2 network=192.168.5.0
add address=192.168.6.1/24 interface=ether3 network=192.168.6.0
add address=192.168.7.1/24 interface=ether4 network=192.168.7.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
add address=192.168.6.0/24 dns-server=192.168.6.1 gateway=192.168.6.1
add address=192.168.7.0/24 dns-server=192.168.7.1 gateway=192.168.7.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.88.0/24 list=support
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.5.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.6.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.7.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Belgrade
/tool graphing interface
add
/tool graphing queue
add allow-address=192.168.88.0/24
/tool graphing resource
add
[admin@MikroTik] >

While I am doing tests, the net connection is used only by me. I connected an IPTV box, a TP-Link Archer C7 wifi router, a QNAP NAS with internet access, a laptop, a desktop machine, a phone and a tablet.

Today I noticed very high CPU usage between 16h and 18h:

[screenshot: CPU usage graph]

I didn't see anything special in the logs:

[screenshot: router log]

As you can all see, I disabled SSH, FTP, Telnet and www-ssl. From the beginning I disabled these packages, too:
1. Hotspot;
2. IPv6;
3. Wireless-cm2;
4. Wireless-fp.

I am aware that I didn't put in any firewall rules, but the RB uptime is almost 2 days, with www and WinBox enabled. I can't see anything in the logs during the high CPU usage.

Firmware and OS are the latest stable builds. Is this some bug, or...? Any help would be much appreciated.

Regards
 
iowa
just joined
Topic Author
Posts: 7
Joined: Wed May 04, 2016 12:22 am

Re: 2011UiAS-2HnD strange high CPU usage

Wed May 04, 2016 1:07 am

I am sorry for the double post but I can't edit the previous one:

Second image:

http://postimg.org/image/7pfqqt5gh/full/
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Wed May 04, 2016 9:12 am

On the actual picture you are showing zero load. Anyway, where are the firewall rules? You were probably part of a DNS attack in those high CPU utilisation moments. In addition, you can make only one masquerade rule, and you can utilise fasttrack to speed up packet processing if you will not be using queues.
 
quackyo
Member Candidate
Posts: 179
Joined: Mon Nov 16, 2015 10:14 am

Re: 2011UiAS-2HnD strange high CPU usage

Wed May 04, 2016 2:23 pm

100% (or almost) CPU is easy to reach with an RB2011 with just torrent traffic at 50-80 Mbit, for example... Or any other high-bandwidth service that uses a lot of connections.

If you add fasttrack firewall rules it should be a lot better.
 
iowa
just joined
Topic Author
Posts: 7
Joined: Wed May 04, 2016 12:22 am

Re:

Fri May 06, 2016 12:39 am

> 100% (or almost) CPU is easy to reach with an RB2011 with just torrent traffic at 50-80 Mbit, for example... Or any other high-bandwidth service that uses a lot of connections.
>
> If you add fasttrack firewall rules it should be a lot better.

I didn't use the internet at all at the time when the CPU was at 100%.

> On the actual picture you are showing zero load. Anyway, where are the firewall rules? You were probably part of a DNS attack in those high CPU utilisation moments. In addition, you can make only one masquerade rule, and you can utilise fasttrack to speed up packet processing if you will not be using queues.

The masquerade rules are just for testing purposes.

However, I added fasttrack rules and firewall rules from pcunite's post: http://forum.mikrotik.com/viewtopic.php?t=76314#p384530


Now it works like a charm. Thanks for your help.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Fri May 06, 2016 9:05 am

When there is no traffic the fasttrack doesn't make any effect.
 
iowa
just joined
Topic Author
Posts: 7
Joined: Wed May 04, 2016 12:22 am

Re: 2011UiAS-2HnD strange high CPU usage

Sat May 21, 2016 12:41 am

Again the same problem, but with (I think) a better configuration :(
[admin@MikroTik] > export
# may/20/2016 23:21:29 by RouterOS 6.35.2

/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface ethernet switch port
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 12 default-vlan-id=0
/ip pool
add name=pool1 ranges=192.168.5.1-192.168.5.250
/ip dhcp-server
add address-pool=pool1 disabled=no interface=ether2 name=server1
/system logging action
set 0 memory-lines=100
/ip address
add address=192.168.5.1/24 interface=ether2 network=192.168.5.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.5.0/24 list=Support
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="Disallow weird packets" connection-state=invalid
add chain=input comment="Allow LAN access to router and Internet" connection-state=new in-interface=all-ethernet
add chain=input comment="Allow connections that originated from LAN" connection-state=established
add chain=input comment="Allow connections that originated from LAN" connection-state=related
add chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=drop chain=input comment="Disallow anything from anywhere on any interface"
add action=drop chain=forward comment="Disallow weird packets" connection-state=invalid
add chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=all-ethernet
add chain=forward comment="Allow connections that originated from LAN" connection-state=established
add chain=forward comment="Allow connections that originated from LAN" connection-state=related
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.5.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.5.0/24
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Belgrade
/tool graphing interface
add allow-address=192.168.5.0/24
/tool graphing queue
add allow-address=192.168.5.0/24
/tool graphing resource
add allow-address=192.168.5.0/24
[admin@MikroTik] > 

[screenshot: CPU usage graph]

These CPU peaks are really very strange to me, because this test setup and the internet connection are used only by me. I have only the Cisco EPC3208 modem connected to ether1; on ether2 is my PC, on ether3 is my IPTV box. The PC is used for regular surfing or online gaming without any torrents or similar software.

At this moment, while I am typing this, CPU is at 28%, IPTV is off, and on the PC only Firefox is open with two tabs, this forum and the graphing page.


I am wondering what I am doing wrong. As I wrote in the first post in this topic, I want to share my internet with two friends for torrents, online gaming, file sharing, maybe a local game server, etc. If this RB acts like this while it is used only by me, then what can I expect with 2 more users?

Any ideas?
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Sat May 21, 2016 8:16 am

Common problem, like always. You are part of a DNS amplification attack. You really need to drop everything that is coming from the WAN interface unless you positively need it to pass. I can't read your firewall rules well on the Tapatalk client on mobile, but make sure you have an unconditional drop on the input chain with the exclusions before it.
 
jebz
Member
Posts: 367
Joined: Sun May 01, 2011 12:03 pm
Location: Australia

Re: 2011UiAS-2HnD strange high CPU usage

Sat May 21, 2016 2:10 pm

> Again the same problem, but with (I think) a better configuration :(
> [admin@MikroTik] > export
> # may/20/2016 23:21:29 by RouterOS 6.35.2
>
> add chain=input comment="Allow LAN access to router and Internet" connection-state=new in-interface=all-ethernet
>
> [admin@MikroTik] >
> I am wondering what I am doing wrong?
>
> Any ideas?

You allow everything in. As someone said, you also have the potential for your router to be used as a DNS attack source.
 
iowa
just joined
Topic Author
Posts: 7
Joined: Wed May 04, 2016 12:22 am

Re: 2011UiAS-2HnD strange high CPU usage

Sat May 21, 2016 11:07 pm

jarda, jebz,

Thanks for your answers. I was thinking that the simple rules from this post should be enough: http://forum.mikrotik.com/viewtopic.php?t=76314#p384530


Now I added two more input rules, so now it's:
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="Disallow weird packets" connection-state=invalid
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp

add chain=input comment="Allow LAN access to router and Internet" connection-state=new in-interface=all-ethernet
add chain=input comment="Allow connections that originated from LAN" connection-state=established
add chain=input comment="Allow connections that originated from LAN" connection-state=related
add chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=drop chain=input comment="Disallow anything from anywhere on any interface"
add action=drop chain=forward comment="Disallow weird packets" connection-state=invalid
add chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=all-ethernet
add chain=forward comment="Allow connections that originated from LAN" connection-state=established
add chain=forward comment="Allow connections that originated from LAN" connection-state=related
add action=drop chain=forward



Is this OK, or do I have to add more firewall rules?
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Sun May 22, 2016 1:01 pm

Is ether1 the only outer interface you have? See the profiler to know what is eating the CPU. If it is DNS, switch it off temporarily to see the effect. Are the rules counting? Do you have connection tracking on?

In the input chain:
1. accept established and related.
2. drop invalid.
3. accept ICMP.
4. accept from LAN.
5. drop all.

This should ensure you will be fine regardless of whatever WANs you have.
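The input chain in the order jarda lists above, together with the forward chain and the single masquerade rule he mentioned earlier in the thread, written out as an added example; it is not the thread author's export and not a MikroTik template. It assumes this thread's layout (ether1 is the only WAN, 192.168.5.0/24 is the LAN behind ether2) and RouterOS 6.x syntax; the `comment=` texts, the rule wording and the check commands at the end are my own. The point jebz made is visible in rule 4: the posted rule used `in-interface=all-ethernet`, and ether1 is an Ethernet port too, so that "Allow LAN access" rule accepted new DNS queries arriving from the internet, which the router then answered because `allow-remote-requests=yes` was set. `!ether1` does not have that problem.

```routeros
# Added example, not the thread author's export and not a MikroTik template.
# Assumes: ether1 = only WAN (DHCP client), 192.168.5.0/24 = LAN on ether2,
# RouterOS 6.x. Interface lists (6.41+) are deliberately not used.

# The resolver stays on for LAN clients; the input chain below is what stops
# it from answering the whole internet.
/ip dns set allow-remote-requests=yes

# One masquerade rule is enough: everything leaving via ether1 is NATed.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

/ip firewall filter
# ---- input chain: packets addressed to the router itself, in jarda's order ----
add chain=input action=accept connection-state=established,related \
    comment="1. replies to sessions the router or the LAN already opened"
add chain=input action=drop connection-state=invalid \
    comment="2. packets that belong to no known session"
add chain=input action=accept protocol=icmp \
    comment="3. ping from anywhere (rate-limit later with limit=... if wanted)"
add chain=input action=accept in-interface=!ether1 \
    comment="4. new sessions from LAN only; NOT all-ethernet, which also matches ether1"
add chain=input action=drop \
    comment="5. everything else from the WAN: DNS, WinBox, www, ..."

# ---- forward chain: traffic passing through the router ----
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack only speeds up real traffic; it does nothing against the DNS floods above"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new in-interface=ether1 \
    comment="no unsolicited sessions from the WAN into the LAN (put dst-nat exceptions above this)"
add chain=forward action=accept connection-state=new in-interface=!ether1
add chain=forward action=drop

# ---- checks ----
# Counters on rule 5 climbing while the LAN is idle are the WAN noise that used
# to reach the resolver.
/ip firewall filter print stats
# Tracking entries the flood created before the drop rule existed still match
# rule 1 as "established" until they time out; clear them now.
/ip firewall connection remove [find protocol=udp dst-address~":53"]
# Where the CPU goes (dns, firewall, networking, ...), sampled for 10 seconds.
/tool profile duration=10
```

Rule order does two jobs here: rule 1 handles the bulk of legitimate packets before any further matching, and rule 4 is phrased as "everything except the WAN" so that no later change to the LAN side can quietly widen it to ether1. The `connection remove` step matters right after the change: without it, queries that were already tracked keep being accepted as established until their UDP timeout expires, and the CPU graph looks unchanged for a while.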
 
iowa
just joined
Topic Author
Posts: 7
Joined: Wed May 04, 2016 12:22 am

Re: 2011UiAS-2HnD strange high CPU usage

Mon May 23, 2016 11:07 am

> Is ether1 the only outer interface you have? See the profiler to know what is eating the CPU. If it is DNS, switch it off temporarily to see the effect. Are the rules counting? Do you have connection tracking on?
>
> In the input chain:
> 1. accept established and related.
> 2. drop invalid.
> 3. accept ICMP.
> 4. accept from LAN.
> 5. drop all.
>
> This should ensure you will be fine regardless of whatever WANs you have.

Yes, ether1 is the only WAN interface. When I switched off DNS, everything was fine; my connection tracking is set to auto. I blocked 53 TCP/UDP on ether1 and changed the input chain as you wrote. For now it's working well. Thanks.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Mon May 23, 2016 5:30 pm

Congratulations. Always think about the firewall rule order and logic. It can either help you or make you mad if set improperly.
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: 2011UiAS-2HnD strange high CPU usage

Thu May 26, 2016 7:11 am

Side note: just don't forget to make a backup of your gear's config BEFORE you do important changes, and periodically (1/2 daily, or weekly at least), in both binary and text forms!!
If you are on a CCR/PPC then personally I would also suggest writing a script that does an auto-backup to external storage (USB stick or SD card) in the scheduler.
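The scheduled backup Zorro describes, written out as an added example; it is not his script and not anything posted in this thread. It assumes RouterOS 6.x, a USB stick already mounted as "disk1" (check the name with `/file print`), and that "change-me" is replaced by a real passphrase; the script name `auto-backup`, the scheduler name `daily-backup` and the file-name prefix are my choices.

```routeros
# Added example, not Zorro's or the thread author's script.
# Assumptions: RouterOS 6.x, USB stick mounted as "disk1" (see /file print),
# "change-me" replaced by a real passphrase. Script/scheduler names are mine.

# 1) Script body. Create it with
#    /system script add name=auto-backup policy=read,write,ftp,sensitive source="<this body>"
#    or paste the lines into the script editor in WinBox.
:local d [/system clock get date]
# RouterOS 6 dates look like "may/20/2016"; slashes are not allowed in file
# names, so rebuild the stamp as 2016may20.
:local stamp ([:pick $d 7 11] . [:pick $d 0 3] . [:pick $d 4 6])
:local name ("rb2011-" . $stamp)

# Binary backup: exact image including users and passwords, restorable on the
# same model (and preferably the same RouterOS version); encrypted with the password.
/system backup save name=("disk1/" . $name) password="change-me"

# Text export: human-readable, diff-able, portable between versions.
# Add hide-sensitive=yes if this file is ever copied off the router.
/export file=("disk1/" . $name)

:log info ("config backup written: " . $name)

# 2) Run it every night at 03:00 (the scheduler needs the same policy as the script).
/system scheduler add name=daily-backup start-time=03:00:00 interval=1d \
    on-event=auto-backup policy=read,write,ftp,sensitive
```

Run the script once by hand (`/system script run auto-backup`) and confirm with `/file print` that both the `.backup` and the `.rsc` landed on disk1 before trusting the schedule; if the stick is missing, the two save commands fail and only the log line tells you why.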
 
iowa
just joined
Topic Author
Posts: 7
Joined: Wed May 04, 2016 12:22 am

Re:

Fri Jun 03, 2016 5:43 pm

> Congratulations. Always think about the firewall rule order and logic. It can either help you or make you mad if set improperly.

I was wondering, is there any ebook/PDF/site that describes firewall basics regarding the firewall rule/chain logic?

Personally, I don't like the firewall templates shown on some sites about securing the RouterBOARD.

> Side note: just don't forget to make a backup of your gear's config BEFORE you do important changes, and periodically (1/2 daily, or weekly at least), in both binary and text forms!!
> If you are on a CCR/PPC then personally I would also suggest writing a script that does an auto-backup to external storage (USB stick or SD card) in the scheduler.

Sure Zorro, I set a backup every day. ;)
