RB941 running on high CPU Load - SPI and Management

Good Day,

The RB941 is running on a high CPU load, which in turn is causing high internet latency.
The /system profile shows Management at 40% and SPI at 30%, which are causing most of the load.

I have even disabled SNMP and Traffic Flow, but that does not seem to help. Kindly advise what could be causing this to happen and how to resolve it.

Kind Regards,
Cedric

30% on SPI may be normal depending on your traffic and on whether you use fasttracking or not. What surprises me is 40% on management.

What is connected at the private (LAN) side of your Mikrotik, what kind of traffic do you expect (live videos, just web pages), and what does /export hide-sensitive show (paste the result here after systematically replacing any public IP address present in the output by a distinctive pattern like my.public.ip.A, my.public.ip.B etc.)?

Hi Sindy,

Please find below /export hide-sensitive. There is DVR traffic and web/email users, also port forwarding for RDP and DVR

# apr/12/2018 13:42:50 by RouterOS 6.34.2
# software id = KKWC-VRBM
#
/interface bridge
add admin-mac=my.mac.address auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-32358D \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] comment=LAN name=ether2-LAN
set [ find default-name=ether3 ] master-port=ether2-LAN
set [ find default-name=ether4 ] master-port=ether2-LAN
/ip neighbor discovery
set ether1 discover=no
set ether2-LAN comment=LAN
set bridge comment=defconf
/interface vlan
add interface=ether1 name=my.vlan1 vlan-id=vlan1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/snmp community
set [ find default=yes ] read-access=no
add addresses= my.public.ip.B/32 name=snmp1
/ip address
add address= my.public.ip.A interface=vlan1 network= my.public.network.A 
add address=192.168.16.254/24 interface=ether2-LAN network=192.168.16.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address= my.public.ip.C/26 list=ISP_Provider
add address= my.public.ip.B list=ISP_Provider
/ip firewall filter
add action=drop chain=input dst-port=21-22 in-interface=ether1 protocol=tcp \
    src-address-list=!ISP_Provider
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp \
    src-address-list=!ISP_Provider
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1 src-address-list=!ISP_Provider
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid src-address-list=!ISP_Provider
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 src-address-list=!ISP_Provider
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix=\
    rdp0 out-interface=vlan1
add action=dst-nat chain=dstnat comment=RDP dst-port=3389 in-interface=\
    vlan1 log-prefix=rdp1 protocol=tcp to-addresses=192.168.16.2 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-port=3390 in-interface=vlan1 \
    log-prefix=rdp2 protocol=tcp to-addresses=192.168.16.7 to-ports=3389
add action=dst-nat chain=dstnat comment="DVR4 - Port Forwarding " dst-port=\
    74-76 in-interface=vlan1 log-prefix="DVR4 tcp76" protocol=tcp \
    to-addresses=192.168.16.204 to-ports=74-76
add action=dst-nat chain=dstnat dst-port=23-25 in-interface=vlan1 \
    log-prefix=DVR2 protocol=tcp to-addresses=192.168.16.201 to-ports=23-25
add action=dst-nat chain=dstnat dst-port=26-28 in-interface=vlan1 \
    log-prefix=DVR1 protocol=tcp to-addresses=192.168.16.199 to-ports=26-28
add action=dst-nat chain=dstnat dst-port=67-69 in-interface=vlan1 \
    log-prefix=DVR3 protocol=tcp to-addresses=192.168.16.203 to-ports=67-69
add action=dst-nat chain=dstnat dst-port=74-76 in-interface=vlan1 \
    log-prefix="DVR4 udp76" protocol=udp to-addresses=192.168.16.204 \
    to-ports=74-76
add action=dst-nat chain=dstnat dst-port=25 in-interface=vlan1 log-prefix=\
    "DVR2 udp" protocol=udp to-addresses=192.168.16.201 to-ports=23-25
add action=dst-nat chain=dstnat dst-port=69 in-interface=vlan1 protocol=\
    udp to-addresses=192.168.16.203 to-ports=67-69
add action=dst-nat chain=dstnat dst-port=28 in-interface=vlan1 protocol=\
    udp to-addresses=192.168.16.199 to-ports=26-28
/ip route
add distance=1 gateway= my.public.network.A 
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set interfaces=ether2-LAN
/ip traffic-flow target
add dst-address= my.public.ip.B port=8444 version=5
/snmp
set contact= ISP_Provider enabled=yes location="Site1" \
    trap-community=snmp1 trap-version=2
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=" Site1"
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
/tool sniffer
set filter-interface=ether2-LAN

I can see a serious hole in your firewall. The rule

/ip firewall filter add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1 src-address-list=!ISP_Provider

is effective on packets coming through ether1 tagless, but doesn't affect packets coming via ether1 tagged with VLAN ID 1, because the IP firewall sees these packets as coming in via interface vlan1 and doesn't know that it is physically also ether1. The default policy of all firewall chains is accept, so all packets coming in via vlan1 are accepted.

I can also see that you haven't restricted access to the http (www) management interface using any other means than the firewall filter.

Together with software version 6.34.1, I would be afraid that your machine has been infected by malware exploiting the vulnerability of the http server as described here, and that the load could be coming from the activity of this malware. So the first thing to do would be to upgrade to 6.40.7 if you want to avoid 6.41.x for the moment. Then I would check the /system profile results again; if the management load is low but the SPI load is still high, and if some other "little plastic boxes" exist in your network, I'd check these boxes whether they are not infected as well - you would see traffic departing from them to destinations like tcp/80, tcp/8291 (the Winbox port) using /tool torch or /tool sniffer.
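The configuration below is an added example for the thread, not something Sindy or Cedric posted: it closes the vlan1 gap Sindy describes by matching on an interface list that contains both ether1 and vlan1 instead of on ether1 alone, restricts the management services themselves so a later firewall mistake does not re-expose them, and ends with the checks Sindy suggests. It assumes a RouterOS build with interface lists (present in the 6.40.x branch recommended above, not in 6.34); the interface, address-list and subnet names come from Cedric's export, the rule comments and the extra "drop invalid" input rule are illustrative, and the my.public.ip.B placeholder is kept from the thread.

```routeros
# Added example, not from the original posts. Assumes interface-list support
# (RouterOS 6.40.x or later). Names other than those in Cedric's export are
# illustrative.

# 1. One name for both ways ISP-side packets can arrive: untagged on ether1
#    and tagged on vlan1 (which is also ether1 physically, as Sindy explains).
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=vlan1 list=WAN
add interface=ether2-LAN list=LAN
add interface=bridge list=LAN

# 2. Input chain, matching on the list rather than on ether1 alone. These
#    replace the defconf input rules; keep established,related first so the
#    cheap path stays cheap.
/ip firewall filter
add chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add chain=input comment="accept ICMP" protocol=icmp
add chain=input comment="accept management from LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all from WAN (untagged and vlan1)" \
    in-interface-list=WAN src-address-list=!ISP_Provider

# 3. Forward chain: the same fix for the "not DSTNATed" rule, which in the
#    export also only looks at in-interface=ether1.
add action=drop chain=forward comment="drop from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN src-address-list=!ISP_Provider

# 4. Restrict the management services themselves (the export leaves www and
#    winbox reachable from anywhere the filter lets through). ssh keeps the
#    ISP monitoring address the export already allows on tcp/22.
/ip service
set www address=192.168.16.0/24
set winbox address=192.168.16.0/24
set ssh address=192.168.16.0/24,my.public.ip.B/32

# 5. Checks. The drop rule's counters should rise when the router is probed
#    from a non-ISP address via vlan1; torch on the LAN port (single port per
#    run, assumed here) should show no unexplained tcp/8291 or tcp/80 flows
#    leaving other devices on 192.168.16.0/24.
/ip firewall filter print stats where comment~"drop all from WAN"
/tool torch interface=ether2-LAN protocol=tcp port=8291
/tool torch interface=ether2-LAN protocol=tcp port=80
```

Because `add` appends, load the new filter rules in place of the defconf rules rather than on top of them, otherwise the old ether1-only drop rule keeps matching first and the counters on the new rule only show vlan1 traffic, which makes the before/after comparison harder to read. The service-address restriction in step 4 is independent of the filter and is worth applying even on a build without interface lists.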

Hi Sindy,

Thanks for the feedback. It has been monitored for the client, and it seems that the upgrade to the latest RouterOS has done the work in resolving the issue.
I have also reviewed the firewall restrictions being set on the WAN traffic VLAN.

Kind Regards,
Cedric