NAT performance CCR1009-8G-1S-1S+

We are a small WISP, and we use a CCR1009-8G-1S-1S+ as the core router where all users (pptp) are terminated, and this is the point of queueing and NAT-ing.
So, is this RB too weak for traffic of 300 Mbps and more, with 35.000 connections? CPU is over 50-60% at this usage, and most of the CPU is used by Firewall (I think NAT-ing).

Is there some trick to cut down CPU usage, or should we buy a 1036 board?

NAT is mostly handled by connection tracking and is not that expensive at all; the load on CPU that 300Mbps of traffic produces should be hardly noticeable on CCR1009. How many /ip firewall filter rules do you have? Do you have the usual “accept established,related” at the top of your rules? How many mangle rules do you have? Are most of them being processed for each packet?

Do you use mangle rules that can cause high CPU with that kind of traffic?

I have only 20 firewall rules, and yes, accept established,related is at the top… so I tried to disable all firewall rules, but no change.
I have mangle, but only 2-3 IP addresses are affected by the mangle rule.
At the top of the mangle rules is change MSS for PPP, so that is all…

Do you have any queue and routing rules?


Have a good day!

Sure, I have a queue for each customer (connected by pptp), and routing yes, rules no.
But in the profile I see that queuing is not using too much of the processor…

Maybe you can print some stats of your RB?
http://wiki.mikrotik.com/wiki/Manual:System/Resource
Config without ipsec tunnels?


Have a good day!

Without IPSEC…

           uptime: 1w6d15h35m3s
          version: 6.34.4 (stable)
       build-time: Mar/24/2016 13:13:08
      free-memory: 1650.1MiB
     total-memory: 1956.2MiB
              cpu: tilegx
        cpu-count: 9
    cpu-frequency: 1200MHz
         cpu-load: 63%
   free-hdd-space: 68.8MiB
  total-hdd-space: 128.0MiB
architecture-name: tile
       board-name: CCR1009-8G-1S-1S+
         platform: MikroTik

 # CPU   LOAD  IRQ  DISK
 0 cpu0  53%   50%  0%
 1 cpu1  64%   58%  0%
 2 cpu2  69%   67%  0%
 3 cpu3  56%   55%  0%
 4 cpu4  54%   52%  0%
 5 cpu5  46%   39%  0%
 6 cpu6  40%   37%  0%
 7 cpu7  57%   56%  0%
 8 cpu8  63%   55%  0%

Why do you think it’s a NAT trouble? 60% is a good load! You are a network monster! Maybe connect a second device in active-active mode? Also try to update to current!


Have a good day!

Why do I think that it is a NAT problem? Because, as I told before, there is no heavy firewall, not so much mangle, and the only thing is NAT and change MSS on the pppoe interface.
There are 35000 connections active, to mention again, so… I wonder whether the 1009 is maybe too weak for this job?
Network monster :) , yes, I will try to update to current…

PPPoE speed over 100? Try to reduce the interface speed to 100mb/s. Share the interface load, pls.


Have a good day!

Yes, pppoe over 100 Mbps.

Interface load below, and +400 PPTP inbound interfaces of customers that are not screenshotted.
[Attached image: interface.png]

And profile of CPU usage:

NAME            CPU   USAGE
pptp            all   1%
firewall-mgmt   all   0%
spi             all   1%
ethernet        all   1.6%
console         all   0%
firewall        all   35%
networking      all   9%
radius          all   0%
winbox          all   0%
management      all   0.9%
routing         all   0%
idle            all   43%
profiling       all   0.6%
queuing         all   7%
bridging        all   0.5%
unclassified    all   0.2%

PPTP, PPPoE, VLAN: check your MTU config? How much broadcast traffic?

Have a good day!