Community discussions

MikroTik App
 
draguzet
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri Jul 01, 2011 10:28 am

NAT performance CCR1009-8G-1S-1S+

Sat Jul 16, 2016 2:09 pm

We are small WISP, and using CCR1009-8G-1S-1S+ for core router where are terminated all users (pptp), and this is point of Queue-ing and NAT-ing.
So, are this RB too weak for traffic of 300 Mbps and more, and have 35.000 connections, because CPU are over 50-60% on this usage, and most of CPU are using by Firelwall (i think NAT-ing) ?

Is there some trick how to cut down CPU usage or buy 1036 board ?
 
andriys
Forum Guru
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: NAT performance CCR1009-8G-1S-1S+

Sat Jul 16, 2016 3:03 pm

CPU are over 50-60% on this usage, and most of CPU are using by Firelwall (i think NAT-ing) ?
NAT is mostly handled by connection tracking and is not that expensive at all- the load on CPU that 300Mbps of traffic produces should be hardly noticeable on CCR1009. How many /ip firewall filter rules do you have? Do you have the usual "accept established,related" at the top of your rules? How many mangle rules do you have? Are most of them being processed for each packet?
 
StefanM
newbie
Posts: 49
Joined: Sun Dec 13, 2015 1:49 am

Re: NAT performance CCR1009-8G-1S-1S+

Sun Jul 17, 2016 9:10 pm

Do you use mange rules that can cause high cpu with that kind of traffic?
 
draguzet
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri Jul 01, 2011 10:28 am

Re: NAT performance CCR1009-8G-1S-1S+

Sun Jul 17, 2016 11:34 pm

I have only 20 Firewall rules, and yes  accept established,related are on the top...so I try to disable all firewall rules but no change.
I have mangle, but only 2-3 IP address are affected by mangle rule.
On top of Mangle rule are change MSS for PPP, so that is all...
 
kujo
Member Candidate
Member Candidate
Posts: 169
Joined: Sat Jun 18, 2016 10:17 am
Location: Ukraine
Contact:

Re: NAT performance CCR1009-8G-1S-1S+

Sun Jul 17, 2016 11:38 pm

Have you any queue and routing rules ?


Have a good day!
 
draguzet
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri Jul 01, 2011 10:28 am

Re: NAT performance CCR1009-8G-1S-1S+

Sun Jul 17, 2016 11:42 pm

Have you any queue and routing rules ?
Sure, i have Queue for each customer (connected by pptp), and routing yes, rules no.
But on profile i see that Queuing are not using too much of procesor...
 
kujo
Member Candidate
Member Candidate
Posts: 169
Joined: Sat Jun 18, 2016 10:17 am
Location: Ukraine
Contact:

Re: NAT performance CCR1009-8G-1S-1S+

Sun Jul 17, 2016 11:49 pm

Maybe you can print some stats of your RB?
http://wiki.mikrotik.com/wiki/Manual:System/Resource
Config without ipsec tunnels?


Have a good day!
 
draguzet
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri Jul 01, 2011 10:28 am

Re: NAT performance CCR1009-8G-1S-1S+

Sun Jul 17, 2016 11:54 pm

Without IPSEC...

     uptime: 1w6d15h35m3s
            version: 6.34.4 (stable)
         build-time: Mar/24/2016 13:13:08
        free-memory: 1650.1MiB
       total-memory: 1956.2MiB
                cpu: tilegx
          cpu-count: 9
      cpu-frequency: 1200MHz
           cpu-load: 63%
     free-hdd-space: 68.8MiB
    total-hdd-space: 128.0MiB
  architecture-name: tile
         board-name: CCR1009-8G-1S-1S+
           platform: MikroTik


 # CPU                                               LOAD         IRQ        DISK
 0 cpu0                                               53%         50%          0%
 1 cpu1                                               64%         58%          0%
 2 cpu2                                               69%         67%          0%
 3 cpu3                                               56%         55%          0%
 4 cpu4                                               54%         52%          0%
 5 cpu5                                               46%         39%          0%
 6 cpu6                                               40%         37%          0%
 7 cpu7                                               57%         56%          0%
 8 cpu8                                               63%         55%          0%
 
kujo
Member Candidate
Member Candidate
Posts: 169
Joined: Sat Jun 18, 2016 10:17 am
Location: Ukraine
Contact:

NAT performance CCR1009-8G-1S-1S+

Sun Jul 17, 2016 11:58 pm

Why you think it's a NAT trable? 60% good load! You are network monster! Maybe connect second device in active-active mode? Also try update to current!


Have a good day!
 
draguzet
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri Jul 01, 2011 10:28 am

Re: NAT performance CCR1009-8G-1S-1S+

Mon Jul 18, 2016 12:06 am

Why you think it's a NAT trable? 60% good load! You are network monster! Maybe connect second device in active-active mode? Also try update to current!
Why I think that is NAT problem, because as I told before there is not hard firewall, not so much mangle, and only thing is NAT and change MSS on pppoe interface ?
There is a 35000 connections active to mention again so...I wonder that is maybe 1009 too weak for this job ?
Network monster :) , yes I will try to update to current...
 
kujo
Member Candidate
Member Candidate
Posts: 169
Joined: Sat Jun 18, 2016 10:17 am
Location: Ukraine
Contact:

NAT performance CCR1009-8G-1S-1S+

Mon Jul 18, 2016 12:09 am

Pppoe speed over 100? Try to reduce interface speed to 100mb/s, share interface load, pls


Have a good day!
 
draguzet
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri Jul 01, 2011 10:28 am

Re: NAT performance CCR1009-8G-1S-1S+

Mon Jul 18, 2016 12:14 am

yes, pppoe over 100 Mbps.

Interface load below and +400 PPTP inbound interfaces of customers that are not screen-shoted.
interface.png
You do not have the required permissions to view the files attached to this post.
 
draguzet
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri Jul 01, 2011 10:28 am

Re: NAT performance CCR1009-8G-1S-1S+

Mon Jul 18, 2016 12:19 am

And profile of CPU usage:

NAME                    CPU        USAGE
pptp                    all           1%
firewall-mgmt           all           0%
spi                     all           1%
ethernet                all         1.6%
console                 all           0%
firewall                all          35%
networking              all           9%
radius                  all           0%
winbox                  all           0%
management              all         0.9%
routing                 all           0%
idle                    all          43%
profiling               all         0.6%
queuing                 all           7%
bridging                all         0.5%
unclassified            all         0.2%
 
kujo
Member Candidate
Member Candidate
Posts: 169
Joined: Sat Jun 18, 2016 10:17 am
Location: Ukraine
Contact:

NAT performance CCR1009-8G-1S-1S+

Mon Jul 18, 2016 12:23 am

Pptp, pppoe, vlan, check your mtu config? How many broadcast traffic?

Have a good day!

Who is online

Users browsing this forum: gechev and 17 guests