ccr1009-8G-1S-1S+PC with CapsMan+VLAN = High CPU usage

RouterOS Wireless Networking
1

Hello,

I noticed a strange load.

@CCR] > tool profile cpu=all
NAME CPU USAGE
networking 0 0%
management 0 0%
unclassified 0 37.5%
cpu0 37.5%

Starting configuration make from wiki example : CAPsMAN_with_VLANs

The goal is make about 30 Virtual SSIDs with its own VLANs.
I noticed that the processor is constantly total loaded about 10%, in tool-profiles one CPU are loaded 100% with unclassified service…

What i found - issue is number of used VLANs, if i try to use 10 VLANs, i’v got 38% cpu usage.. when i added 30VLANs, i’v got 100%.
Is this okay ?



Secondly, what I did not like, the router is constantly sending packages in VLAN interfaces, Tx 1 p/s…
What is understood - in VLANs router sending DHCP pakects, but why ??
Attached screens shoots


main config :

/caps-man channel
add band=5ghz-n/ac name=5GHz skip-dfs-channels=no
add band=2ghz-g/n name=24GHz skip-dfs-channels=no
/caps-man datapath
add local-forwarding=yes name=datapath-guest601 vlan-id=601 vlan-mode=use-tag
add local-forwarding=yes name=datapath-guest602 vlan-id=602 vlan-mode=use-tag
add local-forwarding=yes name=datapath-guest600 vlan-id=600 vlan-mode=use-tag
add local-forwarding=yes name=datapath-guest603 vlan-id=603 vlan-mode=use-tag
add local-forwarding=yes name=datapath-guest604 vlan-id=604 vlan-mode=use-tag
add local-forwarding=yes name=datapath-guest605 vlan-id=605 vlan-mode=use-tag
add local-forwarding=yes name=datapath-guest606 vlan-id=606 vlan-mode=use-tag
add local-forwarding=yes name=datapath-guest607 vlan-id=607 vlan-mode=use-tag
add local-forwarding=yes name=datapath-guest608 vlan-id=608 vlan-mode=use-tag
add local-forwarding=yes name=datapath-guest609 vlan-id=609 vlan-mode=use-tag
add local-forwarding=yes name=datapath-guest610 vlan-id=610 vlan-mode=use-tag
/interface bridge
add name=bridge
/interface vlan
add interface=ether7 name=vlan600 vlan-id=600
add interface=ether7 name=vlan601 vlan-id=601
add interface=ether7 name=vlan602 vlan-id=602
add interface=ether7 name=vlan603 vlan-id=603
add interface=ether7 name=vlan604 vlan-id=604
add interface=ether7 name=vlan605 vlan-id=605
add interface=ether7 name=vlan606 vlan-id=606
add interface=ether7 name=vlan607 vlan-id=607
add interface=ether7 name=vlan608 vlan-id=608
add interface=ether7 name=vlan609 vlan-id=609
add interface=ether7 name=vlan610 vlan-id=610
/caps-man rates
add name=rate_guest600 
add name=rate_guest601  
add name=rate_guest602  
add name=rate_guest603  
add name=rate_guest604
add name=rate_guest605  
add name=rate_guest606  
add name=rate_guest607  
add name=rate_guest608  
add name=rate_guest609  
add name=rate_guest610  
/caps-man configuration
add  datapath=datapath-guest602 distance=indoors mode=ap \
    name=cfg_5ghz_Guest602 rates=rate_guest602 ssid=Guest602
add  datapath=datapath-guest603 distance=indoors mode=ap \
    name=cfg_5ghz_Guest603 rates=rate_guest603 ssid=Guest603
add  datapath=datapath-guest604 distance=indoors mode=ap \
    name=cfg_5ghz_Guest604 rates=rate_guest604 ssid=Guest604
add  datapath=datapath-guest605 distance=indoors mode=ap \
    name=cfg_5ghz_Guest605 rates=rate_guest605 ssid=Guest605
add  datapath=datapath-guest606 distance=indoors mode=ap \
    name=cfg_5ghz_Guest606 rates=rate_guest606 ssid=Guest606
add  datapath=datapath-guest607 distance=indoors mode=ap \
    name=cfg_5ghz_Guest607 rates=rate_guest607 ssid=Guest607
add  datapath=datapath-guest608 distance=indoors mode=ap \
    name=cfg_5ghz_Guest608 rates=rate_guest608 ssid=Guest608
add  datapath=datapath-guest609 distance=indoors mode=ap \
    name=cfg_5ghz_Guest609 rates=rate_guest609 ssid=Guest609
add  datapath=datapath-guest610 distance=indoors mode=ap \
    name=cfg_5ghz_Guest610 rates=rate_guest610 ssid=Guest610
add  datapath=datapath-guest602 distance=indoors mode=ap \
    name=cfg_24ghz_Guest602 rates=rate_guest602 ssid=Guest602
add  datapath=datapath-guest603 distance=indoors mode=ap \
    name=cfg_24ghz_Guest603 rates=rate_guest603 ssid=Guest603
add  datapath=datapath-guest604 distance=indoors mode=ap \
    name=cfg_24ghz_Guest604 rates=rate_guest604 ssid=Guest604
add  datapath=datapath-guest605 distance=indoors mode=ap \
    name=cfg_24ghz_Guest605 rates=rate_guest605 ssid=Guest605
add  datapath=datapath-guest606 distance=indoors mode=ap \
    name=cfg_24ghz_Guest606 rates=rate_guest606 ssid=Guest606
add  datapath=datapath-guest607 distance=indoors mode=ap \
    name=cfg_24ghz_Guest607 rates=rate_guest607 ssid=Guest607
add  datapath=datapath-guest608 distance=indoors mode=ap \
    name=cfg_24ghz_Guest608 rates=rate_guest608 ssid=Guest608
add  datapath=datapath-guest609 distance=indoors mode=ap \
    name=cfg_24ghz_Guest609 rates=rate_guest609 ssid=Guest609
add  datapath=datapath-guest610 distance=indoors mode=ap \
    name=cfg_24ghz_Guest610 rates=rate_guest610 ssid=Guest610

add channel=5GHz  datapath=datapath-guest600 distance=\
    indoors mode=ap name=cfg_5ghz_Guest600 rates=rate_guest600 security=\
    security_guest600 ssid="for Guests"
add channel=24GHz  datapath=datapath-guest600 distance=\
    indoors mode=ap name=cfg_24ghz_Guest600 rates=rate_guest600 security=\
    security_guest600 ssid="for Guests"
	
add  datapath=datapath-guest601 distance=indoors mode=ap \
    name=cfg_5ghz_Guest601 rates=rate_guest601 security=security_guest601 \
    ssid=Work
add  datapath=datapath-guest601 distance=indoors mode=ap \
    name=cfg_24ghz_Guest601 rates=rate_guest601 security=\
    security_guest601 ssid=Work
	
/caps-man security
add name=security_guest600
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security_guest601
add name=security_guest602
add name=security_guest603
add name=security_guest604
add name=security_guest605
add name=security_guest606
add name=security_guest607
add name=security_guest608
add name=security_guest609
add name=security_guest610

/interface ethernet switch
set 0 name=switch
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add hotspot-address=10.6.0.1 html-directory=simple http-cookie-lifetime=19h \
    login-by=cookie,http-chap,trial name=hsprof trial-uptime-reset=18h
/ip pool
add name=dhcp ranges=10.100.200.102-10.100.200.250
add name=dhcp_guest601 ranges=10.6.1.2-10.6.1.202
add name=dhcp_guest602 ranges=10.6.2.2-10.6.2.202
add name=dhcp_guest603 ranges=10.6.3.2-10.6.3.202
add name=dhcp_guest604 ranges=10.6.4.2-10.6.4.202
add name=dhcp_guest605 ranges=10.6.5.2-10.6.5.202
add name=dhcp_guest606 ranges=10.6.6.2-10.6.6.202
add name=dhcp_guest607 ranges=10.6.7.2-10.6.7.202
add name=dhcp_guest608 ranges=10.6.8.2-10.6.8.202
add name=dhcp_guest609 ranges=10.6.9.2-10.6.9.202
add name=dhcp_guest610 ranges=10.6.10.2-10.6.10.202
add name=dhcp_guest600 ranges=10.6.0.2-10.6.0.252
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=4d3h10m name=\
    dhcp
add address-pool=dhcp_guest601 disabled=no interface=vlan601 lease-time=\
    4d3h10m name=dhcp-guest601
add address-pool=dhcp_guest602 disabled=no interface=vlan602 lease-time=\
    4d3h10m name=dhcp-guest602
add address-pool=dhcp_guest603 disabled=no interface=vlan603 lease-time=\
    4d3h10m name=dhcp-guest603
add address-pool=dhcp_guest604 disabled=no interface=vlan604 lease-time=\
    4d3h10m name=dhcp-guest604
add address-pool=dhcp_guest605 disabled=no interface=vlan605 lease-time=\
    4d3h10m name=dhcp-guest605
add address-pool=dhcp_guest606 disabled=no interface=vlan606 lease-time=\
    4d3h10m name=dhcp-guest606
add address-pool=dhcp_guest607 disabled=no interface=vlan607 lease-time=\
    4d3h10m name=dhcp-guest607
add address-pool=dhcp_guest608 disabled=no interface=vlan608 lease-time=\
    4d3h10m name=dhcp-guest608
add address-pool=dhcp_guest609 disabled=no interface=vlan609 lease-time=\
    4d3h10m name=dhcp-guest609
add address-pool=dhcp_guest610 disabled=no interface=vlan610 lease-time=\
    4d3h10m name=dhcp-guest610
add address-pool=dhcp_guest600 disabled=no interface=vlan600 lease-time=\
    4d3h10m name=dhcp-guest600
/ip hotspot
add address-pool=dhcp_guest600 disabled=no interface=vlan600 name=hotspot1 \
    profile=hsprof
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    cfg_5ghz_Guest600 slave-configurations=cfg_5ghz_Guest601
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    cfg_24ghz_Guest600 slave-configurations=cfg_24ghz_Guest601
/interface bridge port
add bridge=bridge hw=yes interface=ether5
add bridge=bridge hw=yes interface=ether6
add bridge=bridge hw=yes interface=ether7
add bridge=bridge hw=yes interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=vlan600 list=LAN
add interface=vlan601 list=LAN
add interface=vlan602 list=LAN
add interface=vlan603 list=LAN
add interface=vlan604 list=LAN
add interface=vlan605 list=LAN
add interface=vlan606 list=LAN
add interface=vlan607 list=LAN
add interface=vlan609 list=LAN
add interface=vlan610 list=LAN
/ip address
add address=10.100.200.254/24 interface=bridge network=10.100.200.0
add address=10.6.1.1/24 interface=vlan601 network=10.6.1.0
add address=10.6.2.1/24 interface=vlan602 network=10.6.2.0
add address=10.6.3.1/24 interface=vlan603 network=10.6.3.0
add address=10.6.4.1/24 interface=vlan604 network=10.6.4.0
add address=10.6.5.1/24 interface=vlan605 network=10.6.5.0
add address=10.6.6.1/24 interface=vlan606 network=10.6.6.0
add address=10.6.7.1/24 interface=vlan607 network=10.6.7.0
add address=10.6.8.1/24 interface=vlan608 network=10.6.8.0
add address=10.6.9.1/24 interface=vlan609 network=10.6.9.0
add address=10.6.10.1/24 interface=vlan610 network=10.6.10.0
add address=10.6.0.1/24 comment="hotspot network" interface=vlan600 network=\
    10.6.0.0
add address=11.22.33.44/24 interface=ether1 network=11.22.33.0
/ip dhcp-server network
add address=10.6.0.0/24 dns-server=10.6.0.1 gateway=10.6.0.1 netmask=24
add address=10.6.1.0/24 dns-server=10.6.1.1 gateway=10.6.1.1 netmask=24
add address=10.6.2.0/24 dns-server=10.6.2.1 gateway=10.6.2.1 netmask=24
add address=10.6.3.0/24 dns-server=10.6.3.1 gateway=10.6.3.1 netmask=24
add address=10.6.4.0/24 dns-server=10.6.4.1 gateway=10.6.4.1 netmask=24
add address=10.6.5.0/24 dns-server=10.6.5.1 gateway=10.6.5.1 netmask=24
add address=10.6.6.0/24 dns-server=10.6.6.1 gateway=10.6.6.1 netmask=24
add address=10.6.7.0/24 dns-server=10.6.7.1 gateway=10.6.7.1 netmask=24
add address=10.6.8.0/24 dns-server=10.6.8.1 gateway=10.6.8.1 netmask=24
add address=10.6.9.0/24 dns-server=10.6.9.1 gateway=10.6.9.1 netmask=24
add address=10.6.10.0/24 dns-server=10.6.10.1 gateway=10.6.10.1 netmask=24
add address=10.100.200.0/24 dns-server=10.100.200.254 gateway=10.100.200.254 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept remote management" \
    dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="DROP defconf: all from WAN" \
    in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=passthrough chain=unused-hs-chain comment=\
    "hotspot rules here START" disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.6.0.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=8292 in-interface=\
    ether1 protocol=tcp to-addresses=10.100.200.1 to-ports=8291

sniff.png
tx.png
dhcp.png
cpu38.png

2

If you are using the latest RouterOS and firmware please contact the support@mikrotik.com attached the supout.rif file from the router generated during or after issue. Otherwise, upgrade RouterOS and firmware.

3

Allready contacted, ticket ID : 2018112922005721
s/f are latest.

I want to figure out that this is not a configuration issue


Or maybe some suggestion other users can give for try.




@CCR] /system routerboard> print
routerboard: yes
model: CCR1009-8G-1S-1S+
serial-number: xxxxxxxxxxx
firmware-type: tilegx
factory-firmware: 3.21
current-firmware: 6.43.4
upgrade-firmware: 6.43.4


4

Latest news :

Step by steb trying recreate VLANs, and it seems it is not VLAN issue,
Readded 20VLANs, and monitoring CPU usage, there is no changes.

So make second step :
Assigned IP addreses to VLAN’s - and vualia - CPU usage CPU load increased

p.s.: trying retest on HEX, same config without connected CAP (At this moment i dont have free CAP) - CPU does not have heavy load..

5

found answer - detect-internet making some flood, so when I disable detect internet - CPU load are dropped to normal state : 1%

/interface detect-internet> print
detect-interface-list: none
lan-interface-list: none
wan-interface-list: none
internet-interface-list: none
detect internet.png