CPU usage is high around 300Mbps

We are running a CRS510-8XS-2XQ.

Around 300Mbps traffic we see high CPU usage.

Firewall config is as below with fasttrack enabled. Am I doing something wrong here, and is fasttrack not working fully?

Any guidance will be appreciated.

/ip firewall filter
add action=fasttrack-connection chain=forward connection-nat-state=srcnat connection-state=established,related hw-offload=no
add action=accept chain=input dst-address=10.105.85.0/24 src-address=10.255.11.0/24
add action=accept chain=input dst-address=10.100.85.0/24 src-address=10.255.11.0/24
add action=accept chain=forward dst-address=10.255.11.0/24 src-address=10.100.85.0/24
add action=accept chain=forward dst-address=10.255.11.0/24 src-address=10.105.85.0/24
add action=accept chain=forward connection-state=established,related disabled=yes
add action=accept chain=forward comment="Accept all chains" connection-state=established,related
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" \
    connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR S\
    UBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=established,related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" icmp-options=8:0 limit=2,5 \
    protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=input comment=\
    "Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" in-interface=vlan1000
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=vlan1000 src-address-list=InternalSubnet

Is it an excerpt from the configuration?
Are you using a switch as a router? If yes, then do not be surprised. It’s a switch with router functionality for at most “moderate” Internet traffic.

You can’t route on a CRS. Those are switches, not routers. They don’t have adequate CPUs to route traffic.

Are you sure? So why does MikroTik publish routing results for that model?
“No adequate” does not mean “no possibility”.
https://mikrotik.com/product/crs510_8xs_2xq_in#fndtn-testresults

On the results it shows

up to 32509, what does that mean?

Routing 25 ip filter rule
(Fasttrack L3HW) 32509.7 394798.1 93984.8 384961.9 288803.4 157109.0

It is from configuration, yes.

Look at this video: https://www.youtube.com/watch?v=c2sAA6jMjCY

It means that when Fasttrack + L3HW offload is active for 25 rules, then that is the result.
Look at the Routing table where typical routing speeds are shown. The max value is @420Mb, so your 300Mb is getting close to that result. No surprise that the CPU starts to get problems.

Once more: switch for (very) fast switching, router for (very) fast routing.

You’re using a switch, not a router.

However, you can hw-offload fasttrack connections to achieve the L3HW routing results; you need to change this rule:

add action=fasttrack-connection chain=forward connection-nat-state=srcnat connection-state=established,related hw-offload=no

to

add action=fasttrack-connection chain=forward connection-nat-state=srcnat connection-state=established,related hw-offload=yes

I would also recommend removing the connection-nat-state filter, unless you only want to fasttrack WAN.

However, not all connections/packets can be fasttracked, and those will still hit the CPU.
But with hw-offload you should definitely see much better results.
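Added example, not from the thread or from MikroTik: a small Python audit of a RouterOS "/ip firewall filter" export that flags the three things the reply above points at (a fasttrack rule with hw-offload=no, a connection-nat-state restriction on it, and a generic established/related accept placed before it, which would shadow it). The sample export is a constructed trim of the one posted in the thread, and the script assumes that an absent hw-offload property means offload is not enabled.

```python
import re
import shlex

# Constructed sample: a trimmed copy of the export posted in the thread,
# keeping the fasttrack rule, the generic accept and one wrapped comment line.
SAMPLE_EXPORT = r"""/ip firewall filter
add action=fasttrack-connection chain=forward connection-nat-state=srcnat connection-state=established,related hw-offload=no
add action=accept chain=forward comment="Accept all chains" connection-state=established,related
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR S\
    UBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
"""

def join_continuations(text):
    # Undo export wrapping: a trailing backslash, the newline and the indent
    # of the next line are layout, not part of the value (even inside quotes).
    return re.sub(r"\\\n[ \t]*", "", text)

def parse_filter_rules(text):
    """Return the '/ip firewall filter' rules as dicts of property -> value."""
    rules, in_filter = [], False
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            # shlex keeps quoted comment= values together; each token is key=value
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

def audit_fasttrack(rules):
    """Report why fasttrack may not be relieving the CPU; empty list means clean."""
    findings = []
    ft = [i for i, r in enumerate(rules) if r.get("action") == "fasttrack-connection"]
    if not ft:
        return ["no fasttrack-connection rule: all forward traffic stays on the CPU"]
    for i in ft:
        r = rules[i]
        # Assumption: an absent hw-offload property means offload is not enabled.
        if r.get("hw-offload", "no") != "yes":
            findings.append(f"rule {i}: hw-offload=no, fasttracked flows still go through the CPU")
        if "connection-nat-state" in r:
            findings.append(f"rule {i}: connection-nat-state={r['connection-nat-state']} limits fasttrack to NATed flows")
        for j in range(i):  # rules match top-down: an earlier accept shadows the fasttrack rule
            p = rules[j]
            if (p.get("chain") == r.get("chain") and p.get("action") == "accept"
                    and "established" in p.get("connection-state", "") and p.get("disabled") != "yes"):
                findings.append(f"rule {j}: accept established/related precedes fasttrack rule {i}")
    return findings
```

Running audit_fasttrack(parse_filter_rules(SAMPLE_EXPORT)) reports the hw-offload=no and connection-nat-state findings; after applying the two changes suggested above the list is empty.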

just another case of “using a switch as a router”