[admin@MTik] > /interface l2tp-client print
Flags: X - disabled; R - running
0 R name="l2tp-out1" max-mtu=1460 max-mru=1500 mrru=disabled connect-to=----- user="----" password="-------" profile=default-encryption keepalive-timeout=86000 use-peer-dns=yes
use-ipsec=no ipsec-secret="" allow-fast-path=yes add-default-route=yes default-route-distance=1 dial-on-demand=yes allow=pap,chap,mschap1,mschap2 random-source-port=no
l2tp-proto-version=l2tpv2 l2tpv3-digest-hash=md5
How much traffic? With firewall rules or not?
This CPU load occurs at nearly 450 Mbit/s via the L2TP client.
/ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=input action=drop in-interface=l2tp-out1 log=no log-prefix=""
1 chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
2 chain=input action=drop protocol=tcp src-address-list=!allow-winbox dst-port=8291 log=no log-prefix=""
/ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=srcnat action=masquerade out-interface=l2tp-out1 log=no log-prefix=""
With L2TP you can roughly expect the official test results in the 512 bytes / 25 filter rules position. It seems to check out.
Which interfaces are you using?
/interface> print
Flags: R - RUNNING; S - SLAVE
Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ether1 ether 1500 1596 2048 F4:1E:57:63:06:FE
1 RS ether2 ether 1500 1596 2026 F4:1E:57:63:06:FF
2 RS ether3 ether 1500 1596 2026 F4:1E:57:63:07:00
3 RS ether4 ether 1500 1596 2026 F4:1E:57:63:07:01
4 S ether5 ether 1500 1596 2026 F4:1E:57:63:07:02
5 R bridge_lan bridge 1500 1596 F4:1E:57:63:06:FF
6 R l2tp-out1 l2tp-out 1456
7 R lo loopback 65536 00:00:00:00:00:00
/interface/list/member> print
Columns: LIST, INTERFACE
# LIST INTERFACE
0 WAN ether1
1 LAN ether2
2 LAN ether3
3 LAN ether4
4 LAN ether5
Could you post the /interface/l2tp-client/monitor 0 once command’s output?
status: connected
uptime: 1d1h50m30s
encoding:
mtu: 1456
mru: 1500
local-address: ****** - ISP dhcp ip
remote-address: ****** - ISP dhcp ip
Ok, there is no encryption used, based on this.
Are you using profile=default-encryption for any specific reason?
Are you using any special protocol inside L2TP? BCP, MPLS, Compression, etc.?
These options (MPLS, Compression, etc) were disabled in profiles before router testing. BCP not used.
> ppp profile print
Flags: * - default
0 * name="default" bridge-learning=no use-ipv6=no use-mpls=no use-compression=no use-encryption=no only-one=default change-tcp-mss=no use-upnp=no address-list="" on-up="" on-down=""
1 * name="default-encryption" bridge-learning=no use-ipv6=no use-mpls=no use-compression=no use-encryption=no only-one=default change-tcp-mss=no use-upnp=no address-list="" on-up="" on-down=""
What version are you using on this metal? There is something tricky: in the config in the first post this is max-mtu=1460, but monitor shows 1456. Another hint: MTU and MRU should be equal, unless there is a very exotic reason for them to differ.
I see you are using a firewall, but I can’t see fast-tracking and early allow established-related rules in the forwarding chain.
- RouterOS version 7.20.1
- MTU 1456 - it’s the Actual MTU.
- With the FastTrack rule the CPU load is a little bit lower:
You shouldn’t disable the accept-established,related rule after fasttrack in the firewall filter.
I don’t use 7.20.x yet; I am running my routers on 7.19.6, it’s a mature, well-tested version, but I don’t think the actual MTU is 1456 instead of 1460 because of the versions.
Another thing comes to my mind. What is your L2TP server config?
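The rule order discussed in the replies above, as an added example that is not from any poster in this thread: the FastTrack rule, then the accept established,related rule directly after it, both ahead of the drop rules from the posted `/ip firewall filter print` output. It assumes the rules are entered on an empty filter table; the comments are added here, and the interface, list and port values are the ones posted.

```routeros
/ip firewall filter

# 1. FastTrack established/related forwarded connections so they bypass
#    most of the per-packet firewall processing.
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack established,related"

# 2. Must stay enabled directly after the FastTrack rule: packets of a
#    fasttracked connection that still take the slow path are accepted here
#    instead of falling through to the drop rules below.
add chain=forward action=accept connection-state=established,related comment="accept established,related"

# 3. Drop rules from the posted configuration, unchanged, in their original order.
add chain=input action=drop in-interface=l2tp-out1
add chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN
add chain=input action=drop protocol=tcp src-address-list=!allow-winbox dst-port=8291

# Check: under load the packet/byte counters of the first two rules should
# increase, showing that forwarded traffic is matched before the drop rules.
/ip firewall filter print stats
```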



