very slow RB1100AHx2

DobroFenix · April 1, 2012, 4:24pm

30mbit
50k pps
cpu load 80+%!

Where from queuing 21.7%?
Where from firewall 25.7%?

[dobrofenix@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; ddos protect
chain=forward action=jump jump-target=detect-ddos connection-state=new

1 chain=detect-ddos action=return dst-limit=32,32,src-and-dst-addresses/10s

2 chain=detect-ddos action=add-dst-to-address-list address-list=ddosed
address-list-timeout=5m

3 chain=detect-ddos action=add-src-to-address-list address-list=ddoser
address-list-timeout=10m

4 chain=forward action=drop connection-state=new src-address-list=ddoser
dst-address-list=ddosed

5 ;;; SYN Flood protect
chain=forward action=jump jump-target=SYN-Protect tcp-flags=syn
connection-state=new protocol=tcp

6 chain=SYN-Protect action=accept tcp-flags=syn connection-state=new
protocol=tcp limit=100,5

7 chain=SYN-Protect action=drop tcp-flags=syn connection-state=new
protocol=tcp

8 ;;; limit
chain=input action=add-src-to-address-list protocol=tcp
address-list=blocked-addr address-list-timeout=1d connection-limit=25,32

9 chain=input action=tarpit protocol=tcp src-address-list=blocked-addr
connection-limit=5,32

10 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2d

11 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

12 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn
protocol=tcp address-list=port scanners address-list-timeout=2w

13 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst
protocol=tcp address-list=port scanners address-list-timeout=2d

14 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w

15 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp
address-list=port scanners address-list-timeout=2w

16 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

17 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners

18 ;;; Drop 80 DoS attack
chain=virus action=drop protocol=tcp src-address-list=spammer
connection-limit=4,32 limit=4,5

19 ;;; Drop 80 DoS attack
chain=virus action=add-src-to-address-list protocol=tcp
src-address-list=!smtpOK address-list=spammer address-list-timeout=2d
connection-limit=5,32 limit=5,5

20 chain=forward action=drop protocol=udp src-address=80.252.18.136

21 chain=forward action=drop protocol=udp src-address=85.113.37.46

22 chain=forward action=drop src-address=80.252.18.3

23 chain=forward action=drop protocol=udp dst-port=27001

24 chain=forward action=accept

[dobrofenix@MikroTik] > queue simple print det
Flags: X - disabled, I - invalid, D - dynamic

tomaskir · April 6, 2012, 6:50pm

What ROS version and what Firmware version?

DobroFenix · April 9, 2012, 9:27am

5.14

system routerboard print
routerboard: yes
model: 1100AHx2
serial-number: 319E0147BFB1
current-firmware: 2.39
upgrade-firmware: 2.39

hkd · April 12, 2012, 1:40pm

any update of the case ??

I plan to buy the RB1100AHx2, this post make me hesitate to buy…

gafriedman · April 16, 2012, 9:53pm

We just placed 3 RB1100AHx2,s running 5.14 on our fiber based core LAN (with 10/100/1000 media converters in front of each) and then to a 4th x2 running 5.14 as the core router on a gigabit Metro Optical Ethernet circuit (200mbps active). COre router to an x2 at the other end of the MOE get’s 199mbps. Any of the 3 x2 thru the core to the other side also 199mbps.

The 3 x2 are doing simple masquerade of 10.0.0.0/8 to the public IP on the default route. 450gs through out our network CANNOT do a UDP bandwidth test to the core x2. Result is zero. Existing Aastra 6730; VOIP phones will not place outgoing calls through the x2’s doing NAT. Grandstream ATAs will not register on ports 500/5061. Change ports to 5012 and they register.

Further, customer speed tests to the distant side of the MOE yield terribly slow results.

We replaced one x2 with a 450g running 5.14 and everything that was broken is fixed. We are now going to replace the other two x2’s that are natting with 450Gs running 5.14 to see what happens…

Is ANYBODY else having issues with the x2’s at 5.14???

JJCinAZ · April 17, 2012, 6:13am

Working fine here. I have six deployed so far.