Hi,
We have recently installed a RB1100AH as a new core router is is running the following:
ver 5.5
8 ethers are active
1 EOIP tunnel
OSPF on 3 other interfaces(roting table aroung 1800 routes0
BGP to our BGP router( only recieving 200 routes)
1 METArouter that has 3 ethers assigned to it for our servers
43 filter rules
19 nats
1 Mangle
there is a average of 40-60meg traffic flowing thru the router, and the CPU idles @ 50-75%, but jumps to 85-100%, and then reboots, it has reboot 6 times this week already since going live in Sunday.
Is is that the router is not strong enough to handle our requirements, or is there something we missing?
here is a extract on tool-> profile
NAME USAGE
ethernet 7.5%
console 0%
eoip 3.5%
firewall 21%
metarouter-net 0%
gre 0%
winbox 0%
management 2%
telnet 0%
idle 53.5%
profiling 1%
queuing 9.5%
routing 0%
unclassified 2%
Re: High CPU on RB1100AH
looks like you need to optimize your firewall and sort into chains or something, post your rules also please
Re: High CPU on RB1100AH
I attached tthe export of our filters.
You do not have the required permissions to view the files attached to this post.
Re: High CPU on RB1100AH
If you see the screen shot, between 15 & 20 % is being used for queuing, but we don't have any queue's on our RB.
You do not have the required permissions to view the files attached to this post.
Re: High CPU on RB1100AH
First, the input rules.
If packets are invalid they should be dropped. Even if they're from trusted IPs.
That makes no sense - only packets that are to local addresses are even going to make it into the input chain. This rule does nothing. Also, why call it drop if you are going to leave some of them through?
Why waste CPU resources detecting port scans if you're just going to drop everything anyway?
Why jump somewhere BELOW the rule where you're dropping everything?
Your input rule set can be summarized to be functionally equivalent as below:
Now for the output rules.
It makes no sense to police the output chain. Remove all those rules. They don't secure anything for you but have to be processed regardless.
Now let's deal with sub chains before going to forward.
Nothing uses this ICMP chain. Remove the rules, they're just clutter.
So far so good.
These don't do anything. If they're exceeding 100 connections they also by definition exceeded 30 connections, so they already got caught above - the rules above don't have passthrough on, after all.
This is a repeat of the first rule in the subchain, so that does nothing.
Your SMTP rule set can be summarized as this:
And now the forward filters.
Mostly this can be made far more efficient by re-ordering the rules. Stateful permits for established and related traffic is going to catch 99% of the packets, so they should be the first in the set. Since you have a default allow set you also have absolutely no need to have a whole bunch of accept rules. The forward set below is functionally equivalent to what you have right now:
So, to sum it all up, here your current rule set:
And here what it should be:
That should significantly improve packet processing in the firewall filters.
You probably also want to optimize your mangle rules.
Code: Select all
/ip firewall filter
add action=accept chain=input comment="Accept Established Connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept Related Connections" connection-state=related disabled=noCode: Select all
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid disabled=no src-address-list=!Trusted_RangeCode: Select all
add action=accept chain=input comment="Allow Access from Trusted Range" disabled=no src-address-list=Trusted_RangeCode: Select all
add action=drop chain=input comment="Drop all that is not to local" disabled=no dst-address-type=!local dst-limit=0,5,dst-address/1m40sCode: Select all
add action=add-src-to-address-list address-list="Blocked Port Scans" address-list-timeout=1d chain=input comment="Detect and Log Port Scans" disabled=no protocol=tcp psd=20,3s,3,1
add action=drop chain=input comment="Drop Port Scans" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop all that is not from unicast" disabled=no src-address-type=!unicast
add action=drop chain=input comment="Drop Everything Else" disabled=noCode: Select all
add action=jump chain=input comment="Jump to chain ICMP" disabled=no jump-target=ICMP protocol=icmpYour input rule set can be summarized to be functionally equivalent as below:
Code: Select all
/ip firewall filter
add action=accept chain=input comment="Accept Established Connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept Related Connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add action=accept chain=input comment="Allow Access from Trusted Range" disabled=no src-address-list=Trusted_Range
add action=drop chain=input comment="Drop Everything Else" disabled=noCode: Select all
/ip firewall filter
add action=accept chain=output comment="Accept Established Packets" connection-state=established disabled=no
add action=accept chain=output comment="Accept Related Packets" connection-state=related disabled=no
add action=drop chain=output comment="Drop Invalid Packets" connection-state=invalid disabled=no
add action=accept chain=output comment="Accept Established Packets" connection-state=established disabled=no
add action=accept chain=output comment="Accept Related Packets" connection-state=related disabled=no
add action=drop chain=output comment="Drop Invalid Packets" connection-state=invalid disabled=noNow let's deal with sub chains before going to forward.
Code: Select all
/ip firewall filter
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" disabled=no dst-limit=0,5,dst-address/1m40s protocol=icmp
add action=return chain=ICMP disabled=noCode: Select all
/ip firewall filter
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=log chain=SMTP comment="Detect SMTP Spammers and email" connection-limit=30,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=!allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect SMTP Spammers and add to list" connection-limit=30,32 disabled=no dst-port=25 limit=30,15 protocol=tcp src-address-list=!allowed_bulkmailersCode: Select all
add action=log chain=SMTP comment="Detect Excessive Allowed BulkMailers Connections and email" connection-limit=100,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect Excessive Allowed BulkMailers Connections and add to list" connection-limit=100,32 disabled=no dst-port=25 protocol=tcp src-address-list=allowed_bulkmailersCode: Select all
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammersCode: Select all
add action=return chain=SMTP disabled=noCode: Select all
/ip firewall filter
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=log chain=SMTP comment="Detect SMTP Spammers and email" connection-limit=30,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=!allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect SMTP Spammers and add to list" connection-limit=30,32 disabled=no dst-port=25 limit=30,15 protocol=tcp src-address-list=!allowed_bulkmailers
add action=return chain=SMTP disabled=noMostly this can be made far more efficient by re-ordering the rules. Stateful permits for established and related traffic is going to catch 99% of the packets, so they should be the first in the set. Since you have a default allow set you also have absolutely no need to have a whole bunch of accept rules. The forward set below is functionally equivalent to what you have right now:
Code: Select all
add action=accept chain=forward comment="Established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="Related connections" connection-state=related disabled=no
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=drop chain=forward comment="Drop GHS support from accessing Internet VIA Comtel" disabled=no dst-address-list=!Uncapped_Excludes src-address=172.21.0.24
add action=drop chain=forward comment="Drop remote access to Webservers" disabled=no dst-address=x.x.x.x/26 dst-port=22,222,3306,5900,10000 protocol=tcp src-address-list="!allows_access to servers"
add action=jump chain=forward comment="Check SMTP" disabled=no dst-address-list=!dst_mailserver_exclude dst-port=25 jump-target=SMTP protocol=tcp src-address-list=!mailserver_exclude
add action=accept chain=forward comment="Accept Everything Else" disabled=yesCode: Select all
/ip firewall filter
add action=accept chain=input comment="Accept Established Connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept Related Connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid disabled=no src-address-list=!Trusted_Range
add action=accept chain=input comment="Allow Access from Trusted Range" disabled=no src-address-list=Trusted_Range
add action=drop chain=input comment="Drop all that is not to local" disabled=no dst-address-type=!local dst-limit=0,5,dst-address/1m40s
add action=add-src-to-address-list address-list="Blocked Port Scans" address-list-timeout=1d chain=input comment="Detect and Log Port Scans" disabled=no protocol=tcp psd=20,3s,3,1
add action=drop chain=input comment="Drop Port Scans" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop all that is not from unicast" disabled=no src-address-type=!unicast
add action=accept chain=output comment="Accept Established Packets" connection-state=established disabled=no
add action=accept chain=output comment="Accept Related Packets" connection-state=related disabled=no
add action=drop chain=output comment="Drop Invalid Packets" connection-state=invalid disabled=no
add action=drop chain=input comment="Drop Everything Else" disabled=no
add action=drop chain=forward comment="Drop GHS support from accessing Internet VIA Comtel" disabled=no dst-address-list=!Uncapped_Excludes src-address=172.21.0.24
add action=accept chain=forward comment="Accept Altrix traffic" disabled=no src-address=10.33.0.0/16
add action=accept chain=forward comment="Allow Access to client webserver" disabled=no dst-address=x.x.x.22
add action=accept chain=forward comment="Allow Access to client webserver" disabled=no dst-address=x.x.x.23
add action=accept chain=forward comment="Allow Access to Backup server" disabled=no dst-address=x.x.x.5 src-address-list=Allow_Access_to-Backupserver
add action=drop chain=forward comment="Drop remote access to Webservers" disabled=no dst-address=x.x.x.x/26 dst-port=22,222,3306,5900,10000 protocol=tcp src-address-list="!allows_access to servers"add action=jump chain=forward comment="Check SMTP" disabled=no dst-address-list=!dst_mailserver_exclude dst-port=25 jump-target=SMTP protocol=tcp src-address-list=!mailserver_exclude
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=log chain=SMTP comment="Detect SMTP Spammers and email" connection-limit=30,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=!allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect SMTP Spammers and add to list" connection-limit=30,32 disabled=no dst-port=25 limit=30,15 protocol=tcp src-address-list=!allowed_bulkmailers
add action=log chain=SMTP comment="Detect Excessive Allowed BulkMailers Connections and email" connection-limit=100,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect Excessive Allowed BulkMailers Connections and add to list" connection-limit=100,32 disabled=no dst-port=25 protocol=tcp src-address-list=allowed_bulkmailers
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=return chain=SMTP disabled=no
add action=drop chain=forward comment="Drop SMTP SPAMMER's" disabled=no dst-port=25 protocol=tcp src-address-list=smtp_spammers
add action=jump chain=input comment="Jump to chain ICMP" disabled=no jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" disabled=no dst-limit=0,5,dst-address/1m40s protocol=icmp
add action=return chain=ICMP disabled=no
add action=accept chain=forward comment="Established Connections" connection-state=established disabled=yes
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid disabled=yes dst-limit=0,5,dst-address/1m40s src-address-list=!Trusted_Range
add action=accept chain=forward comment="Related connections" connection-state=related disabled=yes
add action=drop chain=forward comment="Drop all that is not from unicast" disabled=yes src-address-list=!Trusted_Range src-address-type=!unicast
add action=accept chain=forward comment="Accept Everything Else" disabled=yes
add action=accept chain=output comment="Accept Established Packets" connection-state=established disabled=no
add action=accept chain=output comment="Accept Related Packets" connection-state=related disabled=no
add action=drop chain=output comment="Drop Invalid Packets" connection-state=invalid disabled=no
Code: Select all
/ip firewall filter
add action=accept chain=input comment="Accept Established Connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept Related Connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add action=accept chain=input comment="Allow Access from Trusted Range" disabled=no src-address-list=Trusted_Range
add action=drop chain=input comment="Drop Everything Else" disabled=no
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=log chain=SMTP comment="Detect SMTP Spammers and email" connection-limit=30,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=!allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect SMTP Spammers and add to list" connection-limit=30,32 disabled=no dst-port=25 limit=30,15 protocol=tcp src-address-list=!allowed_bulkmailers
add action=accept chain=forward comment="Established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="Related connections" connection-state=related disabled=no
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=drop chain=forward comment="Drop GHS support from accessing Internet VIA Comtel" disabled=no dst-address-list=!Uncapped_Excludes src-address=172.21.0.24
add action=drop chain=forward comment="Drop remote access to Webservers" disabled=no dst-address=x.x.x.x/26 dst-port=22,222,3306,5900,10000 protocol=tcp src-address-list="!allows_access to servers"
add action=jump chain=forward comment="Check SMTP" disabled=no dst-address-list=!dst_mailserver_exclude dst-port=25 jump-target=SMTP protocol=tcp src-address-list=!mailserver_exclude
add action=accept chain=forward comment="Accept Everything Else" disabled=yes
You probably also want to optimize your mangle rules.
You are probably seeing queuing because of inherent interface queues.If you see the screen shot, between 15 & 20 % is being used for queuing, but we don't have any queue's on our RB.
Re: High CPU on RB1100AH
thanks for the assistance, I'll put those rules on this evening and give and update once tested.
We only have one mangle that redirects traffic from a small subnet to another RB.
We only have one mangle that redirects traffic from a small subnet to another RB.
Re: High CPU on RB1100AH
Hi,
We still experiencing the High CPU load, see the screenshot.
We still experiencing the High CPU load, see the screenshot.
You do not have the required permissions to view the files attached to this post.
Re: High CPU on RB1100AH
Still not helping, isn't the RB1100Ah supposed to a hi power router?
You do not have the required permissions to view the files attached to this post.
Re: High CPU on RB1100AH
I disabled the Meta router now, CPU load dropped from 30-40% down to 5-20%, so clearly RB1100AH is not powerful enough to run a Metarouter to our requirements.
Re: High CPU on RB1100AH
Well, only creating a Metarouter (but not running it) already doubles CPU usage for any amount of traffic running through.
I suppose, that is because there is an invisible bridge being created, where the physical and virtual ethernet ports are then attached, so there is an additional forwarding decision to be made for each packet running through the router.
It's pretty noticable on RB1000/1100 Routers. I have a RB1000 with about 350 Mbit/s of traffic flowing through. Without Metarouter: ~25-30% CPU. Metarouter created, but not running: ~60-70% CPU. Metarouter running (and pushing like 2-3 Mbit/s of traffic): ~80-95% CPU.
I suppose, that is because there is an invisible bridge being created, where the physical and virtual ethernet ports are then attached, so there is an additional forwarding decision to be made for each packet running through the router.
It's pretty noticable on RB1000/1100 Routers. I have a RB1000 with about 350 Mbit/s of traffic flowing through. Without Metarouter: ~25-30% CPU. Metarouter created, but not running: ~60-70% CPU. Metarouter running (and pushing like 2-3 Mbit/s of traffic): ~80-95% CPU.