soamz
December 16, 2015, 6:11am
1
I use CCR1009 and I just have around 400 customers.
I see the CPU is going above 35%, which is huge for so few customers.
I know people are using the CCR1009 for even 20000 customers.
I saw Tools > Profile.
And it shows DNS and QUEUE using more than 15%.
What's wrong?
jarda
December 16, 2015, 6:13am
2
Aren't the DNS requests coming from outside the network?
soamz
December 16, 2015, 6:16am
3
How do I know?
See attached my DNS config page.
soamz
December 16, 2015, 6:19am
4
I guess I need to switch off ALLOW REMOTE REQUESTS.
jarda
December 16, 2015, 6:20am
5
See torch of the WAN port. See the firewall connection list. Check the firewall filter rules to see if you are blocking incoming traffic to port 53, both TCP and UDP, from the WAN.
jarda
December 16, 2015, 6:22am
6
You'd better use your ISP's DNS servers than the common Google servers. It will speed up browsing as they are the closest.
soamz
December 16, 2015, 6:24am
7
I have my own DNS server hosted in my CO, and it worked well too.
But I got a few complaints from customers that YouTube doesn't load, and Facebook sometimes.
I thought it was something to do with my DNS, so I removed my DNS IP and replaced it with Google DNS.
jarda
December 16, 2015, 6:27am
8
And did it help? Isn't such an issue maybe an MTU problem?
soamz
December 16, 2015, 6:27am
9
Seen, not sure what I should be checking.
I took the screenshots, so you can check and tell me.
jarda
December 16, 2015, 6:37am
11
It seems you are not dropping at the end of the input chain. Not sure if you jump back to it, but you should be dropping everything that was not accepted before (rule 21 should be enabled). Filter the torch by your WAN IP and port 53 to see if there are incoming requests from outside. At least add drop rules for them in the input chain.
soamz
December 16, 2015, 6:41am
12
jarda:
It seems you are not dropping at the end of the input chain. Not sure if you jump back to it, but you should be dropping everything that was not accepted before (rule 21 should be enabled). Filter the torch by your WAN IP and port 53 to see if there are incoming requests from outside. At least add drop rules for them in the input chain.
I did a torch of the WAN port, entered PORT 53 and I see this.
How to stop this?
jarda
December 16, 2015, 7:06am
13
I already told you. Read again…
soamz
December 16, 2015, 7:08am
14
I need the terminal paste command, so I can paste it and reboot.
soamz
December 16, 2015, 7:17am
15
Will this do?
/ip firewall filter
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established in-interface=ether8 comment="default configuration"
add chain=input action=accept connection-state=related in-interface=ether8 comment="default configuration"
add chain=input action=drop in-interface=ether8 comment="default configuration"
soamz
December 16, 2015, 11:01am
16
The rule 21 was off.
I have switched it on.
Still, when I torch the WAN port for port 53, it shows a lot of active connections.
What to do?
soamz
December 16, 2015, 11:38am
17
I added these two:
/ip firewall filter
add chain=input in-interface=ether8 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether8 protocol=tcp dst-port=53 action=drop
/ip firewall filter
add chain=forward protocol=udp dst-port=53 out-interface=!ether8 action=drop
add chain=forward protocol=tcp dst-port=53 out-interface=!ether8 action=drop
But when I torch ether8, I still get many active connections on port 53.
Why is it so ?
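The input-chain layout the thread is working toward, written out as an added example (not soamz's or jarda's configuration): the router keeps answering DNS for customers, but queries arriving on the WAN interface are dropped before they reach the resolver. ether8 as the WAN interface follows the thread; the resolver addresses and the "LAN = every interface except ether8" assumption are mine.

```routeros
# Added example, not from the thread. Assumptions: ether8 is WAN, all other
# interfaces face customers, upstream resolvers are whatever the ISP provides.
# allow-remote-requests=yes is what makes the router a resolver for LAN clients;
# left on its own with no input-chain drop it also answers the whole internet,
# which is the open-resolver load seen in Tools > Profile.
/ip dns
set allow-remote-requests=yes servers=<ISP-resolver-1>,<ISP-resolver-2>

/ip firewall filter
# 1. Replies to the router's own upstream queries come back as established
#    (src-port 53, random dst-port), so they never match the dst-port=53 drops.
add chain=input connection-state=established,related action=accept comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# 2. DNS from the customer side is accepted explicitly, before any drop.
add chain=input in-interface=!ether8 protocol=udp dst-port=53 action=accept comment="DNS from LAN"
add chain=input in-interface=!ether8 protocol=tcp dst-port=53 action=accept comment="DNS from LAN"
# 3. DNS arriving on the WAN is dropped; these are the rules from post 17.
add chain=input in-interface=ether8 protocol=udp dst-port=53 action=drop comment="drop DNS from WAN"
add chain=input in-interface=ether8 protocol=tcp dst-port=53 action=drop comment="drop DNS from WAN"
# 4. ... management accepts (winbox/ssh from trusted addresses) go here ...
# 5. Final drop, the "rule 21" that was disabled in the thread. Without it,
#    anything not accepted above is still handed to the router's services.
add chain=input in-interface=ether8 action=drop comment="drop everything else from WAN"
```

Torch captures packets as they arrive on ether8, before the filter rules run, so the inbound port-53 traffic keeps showing up in torch even once it is dropped; the checks that matter are the packet counter on the "drop DNS from WAN" rules climbing and DNS/CPU use in Tools > Profile falling. On RouterOS 6.36 or later the same two drops can go in /ip firewall raw chain=prerouting, which skips connection tracking and costs less CPU per dropped packet.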
jarda
December 16, 2015, 1:35pm
18