Community discussions

MikroTik App
 
dconnrt
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Jul 28, 2008 10:53 pm

100% CPU usage used by 1) Firewall and 2) Queues - best fix?

Mon Mar 19, 2012 10:37 pm

Hi all,

We are regularly seeing our RB800 hitting 100% CPU load at peak times and I'd like to see what the best choice would be to fix this.

CPU is mainly being used by "firewall" and to a lesser extent "Queuing" (as shown by the Tools -> Profile tool).

We don't do any Queuing and we have no firewall rules but we do handle perhaps 100 PPPoE user sessions (remote radius server) on a handful of "ether" ports. I am guessing that the "firewall" usage must be the firewall packet mangle rules that PPPoE puts in and that Queuing must be sometime similar (interface queues for each PPPoE interface or something?) - although I don't see any queuing entries at all.

This router only does OSPF routing and PPPoE server.

So to find the best for for this problem: Is is possible/easy to offload the PPPoE into a separate router? Or is the best choice multiple routers for PPPoE on the different interfaces? Or is there any easy performance tweaks that can be done ?

thanks V much,

Derek
 
VARELA
newbie
Posts: 49
Joined: Mon Jan 14, 2008 12:39 pm

Re: 100% CPU usage used by 1) Firewall and 2) Queues - best

Tue Mar 20, 2012 11:57 am

Try to disable change-tcp-mss (encryption, compression) in ppp profile.
 
dconnrt
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 65
Joined: Mon Jul 28, 2008 10:53 pm

Re: 100% CPU usage used by 1) Firewall and 2) Queues - best

Tue Mar 20, 2012 1:11 pm

Try to disable change-tcp-mss (encryption, compression) in ppp profile.
That's an interesting one all right (change-tcp-mss). I have that enabled normally and I can see the rules having an effect in the IP -> Firewall -> Manage list.

When I disable it I do get lower CPU usage but also lower total throughput. What worries me here is that the customer routers (TP Link WiFi routers) might have their MTU to big and packets may be fragmenting unless I have change-tcp-mss switched on. I'd rather buy a more power router, or more routers, than have my overall network speed and efficiency go down.

So, to summarise, I'm afraid to leave "change-tcp-mss" switched off.

BTW I do have all the other encryption, compression options turned off because they should like they'd load the routerboard

Derek
 
oeyre
Member Candidate
Member Candidate
Posts: 137
Joined: Wed May 27, 2009 12:48 pm

Re: 100% CPU usage used by 1) Firewall and 2) Queues - best

Wed Mar 21, 2012 12:30 am

What worries me here is that the customer routers (TP Link WiFi routers) might have their MTU to big and packets may be fragmenting unless I have change-tcp-mss switched on.
That isnt your fault nor is it your problem unless there is something on your network that stops users from getting 1492 byte MTU.

Telling users the PPPoE MTU is just as essential as telling them their login credentials, if they can't figure it out then too bad ask the router vendor.

Who is online

Users browsing this forum: 4l4R1, bashay8, Bing [Bot], dervomsee, kub1x, tdw and 79 guests