[Feature request] Multithreading in firewall

I figured out that when the firewall is peaking only one CPU there are flaws in transmission (ver 5.18-5.20) like high ping and low bandwidth per user (especially tx, at fiber max 5 mbit/s both rx/tx). I use a 4 core Xeon 3,2GHz on a fairly utilised 200 mbit/s fiber. My customers use about 60 streaming servers (about 2 mbit/s each continuously) and lots of SIP traffic plus about 200 “home” clients often using torrents. I’m heavily using NAT to masquerade and forward about 750 public IP addresses and of course route them. When I started to log some of the traffic there was a problem with conntrack (I got 2GB mem and about 300MB utilised by MikroTik) - in the profile there was only firewall using 25% of CPU (a whole 1 CPU core) and the rest of the profile was about 2-10% of the rest of the cores used by other services… then the flaw in communication started, even in the LAN between the router and a directly connected PC - high ping and 5/5 mbit/s max bandwidth (disabling/enabling the interface helps for a while, as well as rebooting the router each day or even twice a day). Now I have given up on logging some traffic, rebooting router each day, and for now it is ok, but when I add some new clients which generate more traffic I think it would return… My opinion - conntrack is ok, but the firewall has to be more multi-threaded for multicore systems (maybe divide iptables across cores or play with buckets of conntrack to be utilised by more than one core?) - that would improve performance on large NAT-based routers.

I would presume that this will be in v6, since the Cloud Core Router has 36 cores and putting fw on one core would be a real bottleneck.

Now I have this: conntrack is very limited (ver 5.20), as I got 1897.8 MiB total RAM and free has never been lower than 1850 MiB (conntrack total entries 524288), so conntrack doesn’t expand as it should… pity, coz I got my router hammered by a SIP forwarding machine when connected, which easily fills conntrack, and then ping rises and throughput is nearly 4 Mbit/s both rx/tx per IP. I need conntrack to be more flexible - there are lots of resources left, and the router is behaving like it is overloaded.

Are you sure it was a whole single core? The Profiler can show load per CPU - look there.