CPU @ 100% once file transfers ensue (CRS109-8G-1S-2HnD)

Hey all,

I’m new here and have tried to troubleshoot this. I’ve narrowed it down to the CRS as the bottleneck and have concluded that either:

  1. I’m doing it wrong, or
  2. It is beyond the router to do it.

I’ve connected directly and via a switch to test direct and switched speeds, and both are at 1Gbps as expected; however, when I connect them back to the CRS, SFTP/FTP speeds are ~30MB/s and SMB speeds are ~20MB/s.
Here’s the output of my /export hide-sensitive:

# sep/28/2018 16:58:08 by RouterOS 6.43
# software id = 3PBB-AMM4
#
# model = CRS109-8G-1S-2HnD
# serial number = 500204CA0644
/interface bridge
# Single LAN bridge that all LAN ports and wlan1 are members of (see /interface bridge port).
# fast-forward=no turns off the bridge fast path, so frames between ports that are not
# hardware-offloaded are forwarded by the CPU.
add admin-mac=4C:5E:0C:9E:06:56 auto-mac=no fast-forward=no name=Router-ports
/interface wireless
# 2.4 GHz access point, bridged into Router-ports. default-authentication=no means clients
# are admitted only through /interface wireless access-list (see the note on that section).
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=australia default-authentication=no disabled=no \
    distance=indoors frequency=2462 mode=ap-bridge ssid="Jamey's Network 2.4GHz" wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
# Every copper port is set to speed=100Mbps. RouterOS only applies this value when
# auto-negotiation is turned off; auto-negotiation=no is not in this export, so the ports
# presumably still negotiate 1Gbps — TODO confirm, and reset speed to the default if the
# 100Mbps value was not intended (it would take effect the moment auto-negotiation is disabled).
set [ find default-name=ether1 ] name=eth1_Gateway speed=100Mbps
set [ find default-name=ether2 ] name=eth2 speed=100Mbps
set [ find default-name=ether3 ] name=eth3 speed=100Mbps
set [ find default-name=ether4 ] name=eth4 speed=100Mbps
set [ find default-name=ether5 ] name=eth5 speed=100Mbps
set [ find default-name=ether6 ] name=eth6 speed=100Mbps
set [ find default-name=ether7 ] name=eth7 speed=100Mbps
# eth8 is administratively down.
set [ find default-name=ether8 ] disabled=yes name=eth8 speed=100Mbps
# sfp1 is disabled but still a bridge member and list member below.
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface pppoe-client
# WAN uplink. The default route is installed through pppoe-out1 (add-default-route=yes) and
# the firewall below treats pppoe-out1 as the untrusted side. Credentials are redacted.
add add-default-route=yes dial-on-demand=yes disabled=no interface=eth1_Gateway keepalive-timeout=disabled max-mru=1492 max-mtu=1492 \
    name=pppoe-out1 use-peer-dns=yes user=username@isp.com
/interface list
# Interface lists used to scope neighbor discovery (discover) and the MAC-telnet /
# MAC-winbox servers (mactel, mac-winbox). Membership is defined under
# /interface list member below.
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
# Default profile used by wlan1: WPA2-PSK, but with TKIP for both the group and unicast
# ciphers. TKIP is deprecated and is not the cipher WPA2 is meant to run with;
# consider group-ciphers=aes-ccm unicast-ciphers=aes-ccm (clients that only do TKIP
# would then need to be replaced).
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip
/ip ipsec proposal
# No IPsec peers are defined in this export; the proposal is unused as shown.
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
# DHCP pool for the LAN bridge (192.168.2.0/24, gateway .254 is set under /ip dhcp-server network).
add name=LAN_POOL ranges=192.168.2.10-192.168.2.50
/ip dhcp-server
add address-pool=LAN_POOL authoritative=after-2sec-delay disabled=no interface=Router-ports lease-time=3d name=LAN_DHCP
/snmp community
# NOTE(review): the default SNMP community is allowed from any source (0.0.0.0/0). Whether
# the SNMP service itself is enabled is not visible in this export; if it is, restrict
# addresses= to the management network and replace the default community name, since the
# input chain below does not drop WAN traffic to the router.
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
# eth3, eth4, eth5 and eth7 are added with hw=no, which disables switch-chip offload for
# them, so frames on those ports are bridged by the CPU rather than the switch chip.
# eth2, wlan1 and sfp1 keep the default. Together with use-ip-firewall=yes below this is
# the most likely reason LAN file transfers drive the CPU to 100%; unless there is a
# reason for hw=no, remove it so all copper ports are switched in hardware.
add bridge=Router-ports interface=eth2
add bridge=Router-ports interface=wlan1
add bridge=Router-ports hw=no interface=eth3
add bridge=Router-ports hw=no interface=eth4
add bridge=Router-ports hw=no interface=eth5
add bridge=Router-ports hw=no interface=eth7
add bridge=Router-ports interface=sfp1
/interface bridge settings
# use-ip-firewall=yes sends bridged (LAN-to-LAN) frames through /ip firewall and connection
# tracking on the CPU. None of the filter rules below appear to restrict LAN-to-LAN traffic,
# so setting this to no would keep that traffic off the CPU path without changing policy.
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
# NOTE(review): all three lists include pppoe-out1 (the WAN). Neighbor discovery and the
# MAC-telnet / MAC-winbox servers should be limited to LAN-facing interfaces; remove the
# pppoe-out1 members from discover, mactel and mac-winbox (sfp1 and eth8 are disabled
# anyway, and Router-ports already covers the bridged ports).
add interface=eth2 list=discover
add interface=eth3 list=discover
add interface=eth4 list=discover
add interface=eth5 list=discover
add interface=eth6 list=discover
add interface=eth7 list=discover
add interface=eth8 list=discover
add interface=sfp1 list=discover
add interface=wlan1 list=discover
add interface=pppoe-out1 list=discover
add interface=Router-ports list=discover
add interface=eth2 list=mactel
add interface=eth3 list=mactel
add interface=eth2 list=mac-winbox
add interface=eth3 list=mac-winbox
add interface=eth4 list=mactel
add interface=eth4 list=mac-winbox
add interface=eth5 list=mactel
add interface=eth6 list=mactel
add interface=eth5 list=mac-winbox
add interface=eth7 list=mactel
add interface=eth6 list=mac-winbox
add interface=eth8 list=mactel
add interface=eth7 list=mac-winbox
add interface=sfp1 list=mactel
add interface=wlan1 list=mactel
add interface=eth8 list=mac-winbox
add interface=pppoe-out1 list=mactel
add interface=sfp1 list=mac-winbox
add interface=wlan1 list=mac-winbox
add interface=pppoe-out1 list=mac-winbox
/interface wireless access-list
# NOTE(review): the first entry has no mac-address, so it appears to match every client
# and admit it (authentication is on by default for an entry), which undoes
# default-authentication=no on wlan1 — TODO confirm whether a MAC allow-list was intended.
add vlan-mode=no-tag
# Disabled per-client entry.
add disabled=yes mac-address=24:00:BA:19:D1:59 vlan-mode=no-tag
/ip address
# eth6 is not a bridge member and carries its own /24.
add address=192.168.5.5/24 interface=eth6 network=192.168.5.0
# LAN gateway address on the bridge.
add address=192.168.2.254/24 interface=Router-ports network=192.168.2.0
# Address toward the modem on the WAN port; a host route to 192.168.1.1 is added under /ip route.
add address=192.168.1.254/24 interface=eth1_Gateway network=192.168.1.0
/ip dhcp-client
# Default-config DHCP client on the WAN port, kept alongside the PPPoE client.
add comment="default configuration" dhcp-options=hostname,clientid interface=eth1_Gateway
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.254
/ip dns
# Upstream resolvers. allow-remote-requests is not in this export, so presumably at its
# default (off) and the router is not serving DNS to clients.
set servers=208.67.222.222,208.67.222.220
/ip firewall filter
# Rules are evaluated in order within each chain; RouterOS applies an implicit accept at
# the end of every chain, so anything not dropped explicitly is allowed.
# fasttrack is disabled. Enabling it (together with hardware offload on the bridge ports
# and use-ip-firewall=no) is the usual way to take established flows off the CPU.
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="default configuration" in-interface=pppoe-out1 protocol=icmp
# Accepts established only; related packets from the WAN fall through to the rules below.
add action=accept chain=input comment="default configuration" connection-state=established in-interface=pppoe-out1
# Sources holding more than 100 TCP connections to the router are listed for ~24h and tarpitted.
add action=add-src-to-address-list address-list=blocked_addresses address-list-timeout=23h59m59s chain=input comment="SLOW DOWN DDOS" \
    connection-limit=100,32 in-interface=pppoe-out1 protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp src-address-list=blocked_addresses
# Port-scan detectors: each match lists the source in port_scanners for two weeks.
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input in-interface=pppoe-out1 protocol=tcp \
    psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP FIN STEALTH SCAN" \
    in-interface=pppoe-out1 protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/FIN SCAN" in-interface=\
    pppoe-out1 protocol=tcp tcp-flags=fin,syn
add action=drop chain=input comment="DROPPING PORT SCANNERS" src-address-list=port_scanners
# The four detectors below sit after the drop, so a source they list is only blocked from
# its next packet on; harmless, but grouping all detectors ahead of the drop is clearer.
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/RST SCAN" in-interface=\
    pppoe-out1 protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG SCAN" \
    in-interface=pppoe-out1 protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="ALL/ALL SCAN" in-interface=\
    pppoe-out1 protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP NULL SCAN" \
    in-interface=pppoe-out1 protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# NOTE(review): this rule has no matcher, so it logs every input packet that reaches it,
# including all LAN traffic to the router (DHCP, DNS, management). That is a CPU and
# log-flood cost on its own; scope it (e.g. in-interface=pppoe-out1 connection-state=new)
# or remove it.
add action=log chain=input
# SSH brute-force staging: a source that opens four new connections to port 22 within the
# one-minute stage windows is blacklisted for 1w3d; the drop is evaluated first.
add action=drop chain=input comment="DROP SSH BRUTE FORCE" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
# --- forward chain: traffic passing through the router ---
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=accept chain=forward comment="FORWARD SSH INTO SITE" disabled=yes dst-address=192.168.2.0/24 dst-port=22 in-interface=\
    pppoe-out1 protocol=tcp
add action=accept chain=input comment="ALLOW REMOTE WINBOX" disabled=yes dst-port=8291 protocol=tcp src-address=122.149.209.216
# Anything originating from the LAN subnet is accepted here, ahead of the per-port rules.
add action=accept chain=forward comment="ALLOW OUTBOUND LAN TRAFFIC" src-address=192.168.2.0/24
# NOTE(review): the src-port rules below (53, 80, 443, mail ports, FTP) accept traffic
# into the LAN based only on the *source* port, which the sender chooses. Replies to
# LAN-initiated connections are already covered by the established/related accepts
# further down, so these rules only ever admit new inbound connections from any host that
# can route to 192.168.2.0/24 (e.g. the eth6 subnet) and sets a matching source port.
# Consider removing them.
add action=accept chain=forward dst-address=192.168.2.0/24 protocol=udp src-port=53
add action=accept chain=forward comment="ALLOW PING" dst-address=192.168.2.0/24 protocol=icmp
add action=accept chain=forward comment="ALLOW WEB TO LAN" dst-address=192.168.2.0/24 protocol=tcp src-port=80
add action=accept chain=forward dst-address=192.168.2.0/24 protocol=tcp src-port=443
# Disabled game-server accepts. They are in the input chain with a LAN dst-address, so
# even when enabled they would not match forwarded traffic; the matching dst-nat targets
# are already exempted from the final forward drop by connection-nat-state=!dstnat.
add action=accept chain=input comment="Project Zomboid Server" disabled=yes dst-address=192.168.2.0/24 dst-port=16261 in-interface=\
    pppoe-out1 protocol=udp src-address=122.149.209.54 src-port=16261
add action=accept chain=input disabled=yes dst-address=192.168.2.0/24 dst-port=16262 in-interface=pppoe-out1 protocol=tcp src-address=\
    122.149.209.54 src-port=16262
add action=accept chain=input disabled=yes dst-address=192.168.2.0/24 dst-port=16263 in-interface=pppoe-out1 protocol=tcp src-address=\
    122.149.209.54 src-port=16263
add action=accept chain=input disabled=yes dst-address=192.168.2.0/24 dst-port=16264 in-interface=pppoe-out1 protocol=tcp src-address=\
    122.149.209.54 src-port=16264
add action=accept chain=input disabled=yes dst-address=192.168.2.0/24 dst-port=16265 in-interface=pppoe-out1 protocol=tcp src-address=\
    122.149.209.54 src-port=16265
add action=accept chain=input disabled=yes dst-address=192.168.2.0/24 dst-port=16266 in-interface=pppoe-out1 protocol=tcp src-address=\
    122.149.209.54 src-port=16266
add action=accept chain=forward comment="ALLOW MAIL" dst-address=192.168.2.0/24 protocol=tcp src-port=25
add action=accept chain=forward dst-address=192.168.2.0/24 protocol=tcp src-port=110
add action=accept chain=forward dst-address=192.168.2.0/24 protocol=tcp src-port=143
add action=accept chain=forward dst-address=192.168.2.0/24 protocol=tcp src-port=465
add action=accept chain=forward dst-address=192.168.2.0/24 protocol=tcp src-port=587
add action=accept chain=forward dst-address=192.168.2.0/24 protocol=tcp src-port=993
add action=accept chain=forward dst-address=192.168.2.0/24 protocol=tcp src-port=995
add action=accept chain=forward comment="ALLOW FTP" connection-state=new dst-address=192.168.2.0/24 protocol=tcp src-port=20,21
# Return traffic for tracked connections; this is where fasttrack would normally go.
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=accept chain=forward comment="ALLOW NTP (TIME SERVER)" disabled=yes dst-address=192.168.2.0/24 protocol=udp src-port=123
# Logs every forwarded packet not accepted above (new non-LAN-originated and invalid packets).
add action=log chain=forward comment="LOG WHAT WILL BE DROPPED"
# NOTE(review): only connection-state=new is dropped here. Packets in state invalid match
# neither this rule nor the established/related accepts and reach the implicit accept at
# the end of the chain; add `add action=drop chain=forward connection-state=invalid` above it.
# NOTE(review): the input chain has no terminal drop at all. Every router service not
# dropped explicitly above (ssh, telnet, ftp, api, winbox, snmp and the proxy if enabled)
# is reachable from pppoe-out1 through the implicit accept. After the intended input
# accepts, add as the last input rule: `add action=drop chain=input in-interface=pppoe-out1`
# (and/or restrict /ip service with address=192.168.2.0/24).
add action=drop chain=forward comment="In the end, DROP ALL PACKETS" connection-nat-state=!dstnat connection-state=new
# Disabled duplicate of the established/related accepts above; can be removed.
add action=accept chain=forward connection-state=established,related disabled=yes
/ip firewall mangle
# P2P connection/packet marking on port 58438. All four rules are disabled, so they have
# no effect on the current behaviour or CPU load; nothing below consumes P2P_markPacket.
add action=mark-connection chain=prerouting disabled=yes dst-port=58438 new-connection-mark=P2P_connMarkUDP p2p=all-p2p passthrough=yes \
    protocol=udp src-port=58438
add action=mark-connection chain=prerouting disabled=yes dst-port=58438 new-connection-mark=P2P_connMarkTCP p2p=all-p2p passthrough=yes \
    protocol=tcp src-port=58438
add action=mark-packet chain=prerouting connection-mark=P2P_connMarkTCP disabled=yes new-packet-mark=P2P_markPacket passthrough=no
add action=mark-packet chain=prerouting connection-mark=P2P_connMarkUDP disabled=yes new-packet-mark=P2P_markPacket passthrough=no
/ip firewall nat
# Source NAT for everything leaving via the PPPoE uplink.
add action=masquerade chain=srcnat comment="DEFAULT CONFIGURATION" out-interface=pppoe-out1
# All dst-nat rules below are disabled. When any is re-enabled, its target is admitted
# through the forward chain by the connection-nat-state=!dstnat exception on the final
# drop, so no separate forward accept is needed. Most rules match a literal public
# dst-address (122.149.209.54 / .216); those silently stop matching if the PPPoE address
# changes — matching in-interface=pppoe-out1, as the SSH rule does, is more robust.
add action=dst-nat chain=dstnat comment="NAT RULE FOR SSH IN" disabled=yes dst-port=22 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.2.10 to-ports=22
add action=dst-nat chain=dstnat comment="WEB SERVER (FMIS)" disabled=yes dst-address=122.149.209.54 dst-port=80 protocol=tcp \
    to-addresses=192.168.2.253
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=443 protocol=tcp to-addresses=192.168.2.253
add action=dst-nat chain=dstnat comment="MAIL SERVER (FMIS)" disabled=yes dst-address=122.149.209.54 dst-port=25 protocol=tcp \
    to-addresses=192.168.2.253
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=143 protocol=tcp to-addresses=192.168.2.253
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=465 protocol=tcp to-addresses=192.168.2.253
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=587 protocol=tcp to-addresses=192.168.2.253
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=993 protocol=tcp to-addresses=192.168.2.253
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=995 protocol=tcp to-addresses=192.168.2.253
add action=dst-nat chain=dstnat comment="Project Zomboid Server" disabled=yes dst-address=122.149.209.54 dst-port=16261 protocol=udp \
    to-addresses=192.168.2.10
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=16262 protocol=tcp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=16263 protocol=tcp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=16264 protocol=tcp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=16265 protocol=tcp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=16266 protocol=tcp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat comment="Steam VAC" disabled=yes dst-address=122.149.209.54 dst-port=8766 protocol=tcp to-addresses=\
    192.168.2.10
add action=dst-nat chain=dstnat comment="Minecraft Server 1 (FreeNAS)" disabled=yes dst-address=122.149.209.216 dst-port=25423 \
    protocol=tcp to-addresses=192.168.2.93
add action=dst-nat chain=dstnat comment="GRAV SERVER" disabled=yes dst-address=122.149.209.216 dst-port=27019 protocol=tcp \
    to-addresses=192.168.2.17
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.216 dst-port=7785 protocol=tcp to-addresses=192.168.2.17
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.216 dst-port=7786 protocol=tcp to-addresses=192.168.2.17
add action=dst-nat chain=dstnat comment=APEX disabled=yes dst-address=122.149.209.54 dst-port=2302 protocol=udp to-addresses=\
    192.168.2.10
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=2303 protocol=udp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=2304 protocol=udp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=2305 protocol=udp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat comment="Chivarly Server" disabled=yes dst-address=122.149.209.54 dst-port=27015 protocol=udp \
    to-addresses=192.168.2.10
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=7777 protocol=udp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=7778 protocol=udp to-addresses=192.168.2.10
add action=dst-nat chain=dstnat comment=SOASE-R disabled=yes dst-address=122.149.209.54 dst-port=8000 protocol=tcp to-addresses=\
    192.168.2.10
add action=dst-nat chain=dstnat disabled=yes dst-address=122.149.209.54 dst-port=8000 protocol=udp to-addresses=192.168.2.10
/ip proxy
# Web proxy configured to listen on 8080, 443 and 80. enabled=yes is not in this export,
# so presumably it is off. NOTE(review): if it is ever enabled, the input chain above does
# not drop WAN traffic, so it would be an open proxy reachable from pppoe-out1; pair any
# enablement with `add action=drop chain=input in-interface=pppoe-out1 protocol=tcp dst-port=8080,443,80`
# in /ip firewall filter (placed before the implicit accept).
set max-cache-object-size=4096KiB max-cache-size=none parent-proxy=0.0.0.0 port=8080,443,80
/ip proxy access
# Only 23-25 is denied; the second entry has no action, so it is an allow, and requests that
# match neither entry fall to the default allow. There is no src-address restriction.
add action=deny dst-port=23-25
add dst-port=80
/ip proxy direct
add dst-address=192.168.2.101 dst-host=sp.local dst-port=8080 src-address=0.0.0.0
/ip route
# Host route to the modem's management address via the WAN port.
add distance=1 dst-address=192.168.1.1/32 gateway=eth1_Gateway
/ip service
# NOTE(review): only the HTTP service is disabled; ssh, telnet, ftp, api and winbox keep
# their defaults and listen on every address, and the input chain does not drop WAN
# traffic. Bind them to the LAN (e.g. `set ssh address=192.168.2.0/24`, likewise winbox)
# and disable telnet, ftp and api if they are not used.
set www disabled=yes
/ip upnp
# enabled=yes is not in this export, so UPnP is presumably off. Only internal interfaces
# are listed; no external interface is defined.
set show-dummy-rule=no
/ip upnp interfaces
add interface=Router-ports type=internal
add disabled=yes interface=wlan1 type=internal
/lcd
set backlight-timeout=5m default-screen=stats-all time-interval=daily
/lcd pin
# NOTE(review): the LCD PIN is exported in clear text (hide-sensitive does not mask it);
# since this export has been shared, change the PIN.
set hide-pin-number=yes pin-number=4004
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Sydney
/system leds
set 1 interface=wlan1
/system ntp client
# Single NTP server by IP address.
set enabled=yes primary-ntp=202.127.210.37
/system routerboard settings
set boot-device=nand-only silent-boot=yes
/tool mac-server
# Both MAC servers are scoped by interface list; as defined above, those lists include
# pppoe-out1, so they should be trimmed to LAN-facing interfaces.
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon port
# RoMON port entry with all defaults; whether RoMON itself is enabled is not shown here.
add

Thank you all in advance, I really need a second opinion on this.