Hi guys,

I have an RB3011 installed in a colo which typically pushes about 250mbps traffic. I've noticed the CPU usage seems to hover around 65-75% while pushing that traffic, is this normal?

I did a /system profiler to see where most of the CPU time is being spent and it is in 'firewall' and 'networking.' Thing is I don't have any filter rules and just a 8 NAT rules. The majority of the traffic is not hitting the NAT rules. Anything I can do to reduce CPU usage?

Hi.

Usually enabling fast path will be enough to solve this.

You can check here what you should do in your router.

https://mum.mikrotik.com//presentations ... 654925.pdf

Regards.

Thanks for the reply, I've tried to enable Fastpath using these directions: https://wiki.mikrotik.com/wiki/Manual:Fast_Path however, when I go into /ip settings print I can see that 'ipv4 fastpath' is set to 0. Aside from disabling connection tracking and removing firewall rules, etc is there anything else special that needs to be done to enable Fastpath?

Did you follow the instructions in PDF to allow this?, if packets are 0 you don't have no packets or no rules that match with this condition.

In the PDF, the only settings changes I see are: /ip settings set allow-fast-path=yes and /interface bridge settings set allow-fast-path=yes both of which are enabled. I see in the PDF connection tracking is set to 'auto' where I have mine set to 'off.' Does it need to be set for auto?

I have also verified that /ip firewall mangle, /ip firewall address-list, /ip firewall filter, ip firewall nat are all empty.

All Interface ques are either 'hardware-only-que' or 'no-que' (in the case of L2TP Interfaces)

I can confirm that IPv4 fastPath Packets are 0.

I do have a couple of IPSec rules on this box (although most of the traffic is NOT hitting the IPSec rules) and IPv6 is enabled (and a few IPv6 addresses configured) could either of these settings be breaking FastPath?

You must have your connection tracking in auto or yes, in order fast path works
Did you check in tool profile which process was consuming your % CPU?
Remember fast path feature is for only TCP/UDP packets at this moment.

Hi gustavomam,

In my original post I mentioned that most CPU time is being taken up by the 'firewall' and 'networking' processes. After disabling connection tracking, I noticed the amount of CPU time spent in 'firewall' has dropped significantly. I am still noticing a lot of time being spent in 'networking' however. I'm assuming the issue is that I have a significant (around 10) number of VPN interfaces, and the 3011 is examining each interface while it decides where to send a packet. Note that the vast majority of my traffic is between just 2 Ethernet interfaces, so if I could avoid lookups on the VPN interfaces I suspect it would help significantly, is this something FastPath is supposed to help with?

I have now switched connection tracking to 'auto' but I am still not seeing any packets using FastPath When I set connection tracking to 'yes' the CPU usage jumps significantly (and the firewall process starts to consume 15-20% CPU time).

Thanks again for all your help guys!

i think the solution can be fats-track (Not fast-path)

https://wiki.mikrotik.com/index.php?tit ... edirect=no

You dont even need to follow the wiki, simply make 1 blanket rule to fasttrack everything.
Make a new rule for the forwarding chain, set the connection state to established and action fasttrack and enable connection tracking.

Not all traffic needs to be NATed hence why you see few traffic hitting it. Disabling connection tracking to try to use fast path will simply stop internet for anything that uses the NAT. Not sure if you're just providing internet or doing some specific forwarding but fast path does not work with NAT, only layer 2 and 3 routing.

Thanks for all the suggestions guys, I suspect I've managed to squeeze as much performance as I'm going to get.

Interestingly, after I enabled connection tracking and created a firewall forward rule to fastrack all established connections, CPU usage actually went UP (from 45-50% to 55-60%) but I do see that 'IPv4 FastTrack' is now showing as active when I look at IP Settings.

As I no longer have need for NAT (managed to re-structure the network so NAT has been moved to a different device) I'll probably just leave tracking disabled as that seems to show the best CPU usage.

Cheers