amt
Member
Topic Author
Posts: 468
Joined: Fri Jan 16, 2015 2:05 pm

firewall is pushing the cpu

Fri Dec 07, 2018 8:49 am

Hi everyone,
Yesterday I realized that the firewall that I use on all devices increases CPU usage on whichever device has heavy traffic on it. I wanted to share the firewall rules that I put on all devices below; maybe my firewall rules are wrong. When I disable all rules in ip firewall filter, CPU returns to normal.
/ip firewall filter 
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=input comment="accept ospf" protocol=ospf
add action=drop chain=input comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=input comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp
/ip service set www port=9090
/snmp set enabled=no
/snmp community set read-access=no write-access=no [find]
/ip smb set allow-guests=no
/ip smb set enabled=no
/ip service disable www-ssl
/ip service disable ftp
/system package disable ipv6
/ip firewall service-port disable [/ip firewall service-port find]
/ip dns set servers=8.8.8.8,8.8.4.4
/ip service disable telnet,ftp,api-ssl
/ip service set ssh port=2223
/ip service set address=10.10.20.20 [/ip service find]
/user set address=10.10.20.20 [/user find]
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
/ip ssh set strong-crypto=yes
/ip ssh set host-key-size=4096 strong-crypto=yes
/ip settings set rp-filter=strict
thanks for all help
 
shiyiqiang08
newbie
Posts: 28
Joined: Wed Dec 05, 2018 7:35 am

Re: firewall is pushing the cpu

Fri Dec 07, 2018 11:21 am

Hi everyone,
Yesterday I realized that the firewall that I use on all devices increases CPU usage on whichever device has heavy traffic on it. I wanted to share the firewall rules that I put on all devices below; maybe my firewall rules are wrong. When I disable all rules in ip firewall filter, CPU returns to normal.
/ip firewall filter 
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=input comment="accept ospf" protocol=ospf
add action=drop chain=input comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=input comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp
/ip service set www port=9090
/snmp set enabled=no
/snmp community set read-access=no write-access=no [find]
/ip smb set allow-guests=no
/ip smb set enabled=no
/ip service disable www-ssl
/ip service disable ftp
/system package disable ipv6
/ip firewall service-port disable [/ip firewall service-port find]
/ip dns set servers=8.8.8.8,8.8.4.4
/ip service disable telnet,ftp,api-ssl
/ip service set ssh port=2223
/ip service set address=10.10.20.20 [/ip service find]
/user set address=10.10.20.20 [/user find]
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
/ip ssh set strong-crypto=yes
/ip ssh set host-key-size=4096 strong-crypto=yes
/ip settings set rp-filter=strict
thanks for all help
When you use a firewall,
the router has to check every packet, so when you have heavy traffic the CPU will go up fast.
You can mark the connection (/ip firewall mangle) and then mark the packets; this will reduce your CPU cost.
 
Companion
Frequent Visitor
Posts: 50
Joined: Wed Mar 15, 2017 2:37 pm

Re: firewall is pushing the cpu

Fri Dec 07, 2018 11:44 am

Slightly fix the firewall rules sequence.
The input section always ends with 'drop all':
# drop all other input
add chain=input action=drop comment="drop everything else"
And the 'forward' chain:
# drop all other forward
add chain=forward action=drop comment="drop everything else"
You do not have these rules at all.
 
Steveocee
Forum Veteran
Posts: 902
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: firewall is pushing the cpu

Fri Dec 07, 2018 11:48 am

With firewalls my personal ethos is drop everything and allow only what you want. Your firewall was allowing what you want and dropping "some" stuff. Your rules can be much simpler if you set them up as per below, and that may translate into better CPU utilisation.
Nobody has asked what model router you have (maybe it has a low-powered CPU) and you haven't posted any NAT rules (if you have them), so the below would stop anything NAT'd as well, but it can be amended if needed.
/ip firewall filter 
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=input comment="accept ospf" protocol=ospf
add action=drop chain=input comment="drop all"
add action=drop chain=forward comment="drop all"
 
argusb
just joined
Posts: 10
Joined: Thu Jun 21, 2018 3:29 pm

Re: firewall is pushing the cpu

Fri Dec 07, 2018 12:02 pm

Also look into Fasttrack https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack this can improve performance dramatically.
 
amt
Member
Topic Author
Posts: 468
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall is pushing the cpu

Fri Dec 07, 2018 12:11 pm

When you use a firewall,
the router has to check every packet, so when you have heavy traffic the CPU will go up fast.
You can mark the connection (/ip firewall mangle) and then mark the packets; this will reduce your CPU cost.
thanks for your answer... you mean I should create a mangle rule that marks the ports for admin and add a filter rule matching this mark?
Am I right here?
Last edited by amt on Fri Dec 07, 2018 12:30 pm, edited 1 time in total.
 
amt
Member
Topic Author
Posts: 468
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall is pushing the cpu

Fri Dec 07, 2018 12:13 pm

Slightly fix the firewall rules sequence.
The input section always ends with 'drop all':
# drop all other input
add chain=input action=drop comment="drop everything else"
And the 'forward' chain:
# drop all other forward
add chain=forward action=drop comment="drop everything else"
You do not have these rules at all.
thanks for your answer, but I did not clearly understand what you mean. Should I delete all rules and add these ones? How will I give access to only the admin?
 
amt
Member
Topic Author
Posts: 468
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall is pushing the cpu

Fri Dec 07, 2018 12:20 pm

With firewalls my personal ethos is drop everything and allow only what you want. Your firewall was allowing what you want and dropping "some" stuff. Your rules can be much simpler if you set them up as per below, and that may translate into better CPU utilisation.
Nobody has asked what model router you have (maybe it has a low-powered CPU) and you haven't posted any NAT rules (if you have them), so the below would stop anything NAT'd as well, but it can be amended if needed.
/ip firewall filter 
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=input comment="accept ospf" protocol=ospf
add action=drop chain=input comment="drop all"
add action=drop chain=forward comment="drop all"
thanks for your answer... I added these rules on all devices (PowerBox, SXT, OmniTik, CCR etc.), but last night I saw high CPU on an RB1100AHx4. When I checked in Tools > Profile I saw that the firewall uses a lot of CPU, and when I checked System > Resources I saw one CPU at 60%. When I disable the ip firewall filter rules the 60% usage decreases to 3-5%, and total usage also decreases from 35-40% to 10-15%... Traffic on the RB1100AHx4 is nearly 700MB.
sorry for my English :)
 
Companion
Frequent Visitor
Posts: 50
Joined: Wed Mar 15, 2017 2:37 pm

Re: firewall is pushing the cpu

Fri Dec 07, 2018 12:23 pm

No, you do not need to delete. You just need to fix it. As an example, you can view the firewall here - open the winbox, type demo2.mt.lv and no password.
Last edited by Companion on Fri Dec 07, 2018 12:28 pm, edited 1 time in total.
 
Steveocee
Forum Veteran
Posts: 902
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: firewall is pushing the cpu

Fri Dec 07, 2018 1:31 pm

Are you sure it is not just somebody trying to attack your router and it's doing its job? Does/Has the CPU usage subside(d)?
 
amt
Member
Topic Author
Posts: 468
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall is pushing the cpu

Fri Dec 07, 2018 1:38 pm

Are you sure it is not just somebody trying to attack your router and it's doing its job? Does/Has the CPU usage subside(d)?
Yes, I'm sure; when I disable the firewall filter rules the CPU usage subsides...

Also I tried adding the firewall rules you suggested to me, as below, but traffic went down from 300 to 200 :) This device sits in front of the pppoe_server.
/ip firewall filter 
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=accept chain=input comment="accept ospf" protocol=ospf
add action=drop chain=input comment="drop all"
add action=drop chain=forward comment="drop all"
 
amt
Member
Topic Author
Posts: 468
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall is pushing the cpu

Tue Dec 11, 2018 2:30 pm

any other suggestion ?
 
pe1chl
Forum Guru
Posts: 4868
Joined: Mon Jun 08, 2015 12:09 pm

Re: firewall is pushing the cpu

Tue Dec 11, 2018 2:41 pm

You cannot run an ISP using RB750Gr1 routers. Some people forget that.
Only the higher-performance devices like CCR or newer RB models (1100, 3011, 4011) have enough CPU performance
to do firewalling at high speed.
 
sebastia
Long time Member
Posts: 672
Joined: Tue Oct 12, 2010 3:23 am

Re: firewall is pushing the cpu

Tue Dec 11, 2018 3:47 pm

What is the purpose of this router: only NATing? Or NATing + forwarding?

If also forwarding, and it's a sizeable amount, use no-track in raw so that no conntracking is done for it... That will save CPU, together with FastPath.
 
amt
Member
Topic Author
Posts: 468
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall is pushing the cpu

Tue Dec 11, 2018 4:19 pm

What is the purpose of this router: only NATing? Or NATing + forwarding?

If also forwarding, and it's a sizeable amount, use no-track in raw so that no conntracking is done for it... That will save CPU, together with FastPath.
Hi sebastia, thanks for your answer.
Just forwarding traffic to other routers. I already disabled connection tracking and tested; it gives a little more performance, but not that much. What about the firewall rules that I used; do they seem OK in your opinion?

And isn't using no-track in raw the same as disabling connection tracking?

Thanks
 
sebastia
Long time Member
Posts: 672
Joined: Tue Oct 12, 2010 3:23 am

Re: firewall is pushing the cpu

Tue Dec 11, 2018 9:19 pm

Some questions:
* what is the typical connection count through that router?
* do you need/have to protect your inner / forwarded networks?
* the configuration given is complete?
 
amt
Member
Topic Author
Posts: 468
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall is pushing the cpu

Wed Dec 12, 2018 3:55 pm

* what is the typical connection count through that router?
while connection tracking disabled;
ip firewall connection print count-only :: 2801

while connection tracking enabled;
ip firewall connection print count-only:: 20458

* do you need/have to protect your inner / forwarded networks?
yes, I need to protect all devices all the time :=)
* the configuration given is complete?
for firewall yes.
 
sebastia
Long time Member
Posts: 672
Joined: Tue Oct 12, 2010 3:23 am

Re: firewall is pushing the cpu

Wed Dec 12, 2018 9:08 pm

From forwarding point of view, following rules are applicable:
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp

Further, in the configuration as provided, there is no "IP stack optimisation".

There are following options for optimisation:
* enable FastPath, BUT for that firewall rules needs to be empty, see https://wiki.mikrotik.com/wiki/Manual:F ... v4_handler
* disable conn track: lack of connection tracking reduces memory requirements (and sensitivity to DDoS), but it also renders the firewall stateless: no notion of connection, and every packet is examined only based on its IPs and ports/types. The above rules with "connection-state=..." will be unusable.
* enable conn track AND FastTrack (a combination of FastPath and connection tracking, https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack): all connections are tracked, but since "FastTracked packets bypass firewall, connection tracking, ...", connections can be handled in a much more efficient way. There is potential to DDOS the router, but this can be mitigated by "TCP SynCookies". Additional protection can be taken by for example "no-track"-ing UDP.

So from your point of view, 2 options are possible for you: no conn track or FastTrack. I would suggest to look first in the last one:
* fasttrack all of your traffic.
* enable tcp syncookies
* no-track of udp
* tune (=reduce) conn tracking timeouts
20k connections should be doable on 1100Ahx4.

With regards to your current rules, I would suggest to move the "drop Admin Ports" rules to RAW:prerouting chain -> drop at first chance.
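The recipe sebastia outlines above, written out as an added example (this is not a configuration posted in the thread): connection tracking stays on, forwarded flows are FastTracked, TCP SYN cookies are enabled, transit UDP is left untracked, the conntrack timeouts are shortened, and the management-port drops move to raw prerouting. Two ordering points a practitioner should check: the FastTrack rule only matches established/related packets, so the first packets of every connection still pass through the rules below it, and a forward chain that ends in a drop needs an explicit accept for new transit connections, otherwise only admin-list traffic gets through. Packets that raw marked notrack reach the forward chain with connection-state=untracked and never become established, so they must be accepted explicitly too. The port list and the secureadmin address list are the thread's; the 10s/1m/1h timeouts, the dst-address-type=!local scoping of the notrack rule, the ICMP-free input chain and the final drop policy are assumptions made for this example.

```routeros
# Added example, not a configuration from this thread.
# Assumptions: an address list "secureadmin" exists; the router only
# forwards (no NAT), because untracked packets cannot be NATed; the
# timeouts below are example values, not a recommendation.

/ip firewall connection tracking
set enabled=yes tcp-syncookie=yes \
    tcp-established-timeout=1h udp-timeout=10s udp-stream-timeout=1m

/ip firewall raw
# Admin hosts are accepted before anything in raw can drop them.
add chain=prerouting src-address-list=secureadmin action=accept \
    comment="admin: never dropped"
# Management ports dropped at the earliest point, before conntrack.
add chain=prerouting protocol=tcp \
    dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 action=drop \
    comment="drop admin ports (tcp)"
add chain=prerouting protocol=udp \
    dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 action=drop \
    comment="drop admin ports (udp)"
# Transit UDP is not tracked. UDP addressed to the router itself stays
# tracked, so the router's own DNS/NTP replies still match "established".
add chain=prerouting protocol=udp dst-address-type=!local action=notrack \
    comment="no-track transit udp"

/ip firewall filter
# forward: FastTrack first. Once a flow is fasttracked its packets skip
# every rule below, so the stateful rules cost CPU only for the first
# packets of each connection.
add chain=forward connection-state=established,related \
    action=fasttrack-connection comment="fasttrack"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# notrack'ed UDP never becomes established; accept it by state.
add chain=forward connection-state=untracked protocol=udp action=accept \
    comment="untracked transit udp"
add chain=forward src-address-list=secureadmin action=accept
# Without this rule a final "drop all" would cut every new transit
# connection; the admin ports were already dropped in raw.
add chain=forward connection-state=new action=accept \
    comment="new transit connections"
add chain=forward action=drop comment="drop everything else"

# input: the router itself, which sees far fewer packets than forward.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input src-address-list=secureadmin action=accept
add chain=input protocol=ospf action=accept
add chain=input action=drop comment="drop everything else"
```

To see whether it took effect, `/ip settings print` shows `ipv4-fasttrack-active: yes` once fasttracked flows exist, `/ip firewall filter print stats` shows the fasttrack rule's counters rising while the rules below it stay low, and `/tool profile` should show the firewall share falling. One caveat from the FastTrack manual page linked above: fasttracked packets bypass mangle, simple queues and queue trees as well as the filter, so if a router ever needs marking or shaping on that traffic the fasttrack rule has to be narrowed (for example by interface) rather than applied to everything.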
 
amt
Member
Topic Author
Posts: 468
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall is pushing the cpu

Thu Dec 13, 2018 10:59 am

From forwarding point of view, following rules are applicable:
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureadmin
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=forward comment="drop Admin Ports" dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp

Further, in the configuration as provided, there is no "IP stack optimisation".

There are following options for optimisation:
* enable FastPath, BUT for that firewall rules needs to be empty, see https://wiki.mikrotik.com/wiki/Manual:F ... v4_handler
* disable conn track: lack of connection tracking reduces memory requirements (and sensitivity to DDoS), but it also renders the firewall stateless: no notion of connection, and every packet is examined only based on its IPs and ports/types. The above rules with "connection-state=..." will be unusable.
* enable conn track AND FastTrack (a combination of FastPath and connection tracking, https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack): all connections are tracked, but since "FastTracked packets bypass firewall, connection tracking, ...", connections can be handled in a much more efficient way. There is potential to DDOS the router, but this can be mitigated by "TCP SynCookies". Additional protection can be taken by for example "no-track"-ing UDP.

So from your point of view, 2 options are possible for you: no conn track or FastTrack. I would suggest to look first in the last one:
* fasttrack all of your traffic.
* enable tcp syncookies
* no-track of udp
* tune (=reduce) conn tracking timeouts
20k connections should be doable on 1100Ahx4.

With regards to your current rules, I would suggest to move the "drop Admin Ports" rules to RAW:prerouting chain -> drop at first chance.
Hi sebastia,
thank you very much for your answer and help.
Can you explain a little more about "tune (=reduce) conn tracking timeouts"?
Now I'm going to remove all rules in ip firewall filter and set conn track to disabled. After this I will put rules in the raw table as below;
/ip firewall raw
add action=accept chain=prerouting src-address-list=secureadmin
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp
When I put rules in the raw table, FastPath is disabled again, but I think the RB1100AHx4 can handle this traffic.
 
sebastia
Long time Member
Posts: 672
Joined: Tue Oct 12, 2010 3:23 am

Re: firewall is pushing the cpu

Thu Dec 13, 2018 12:29 pm

"tune (=reduce) conn tracking timeouts" is only relevant if you want to do connection tracking. Do you?
If yes: you could reduce the timeout timing, so that connections are cleaned up sooner. Ex: "TCP established timeout" /ip firewall connection tracking settings
Further make sure FastTrack rule is present for all forward traffic.
 
amt
Member
Topic Author
Posts: 468
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall is pushing the cpu

Sat Dec 15, 2018 8:11 am

"tune (=reduce) conn tracking timeouts" is only relevant if you want to do connection tracking. Do you?
If yes: you could reduce the timeout timing, so that connections are cleaned up sooner. Ex: "TCP established timeout" /ip firewall connection tracking settings
Further make sure FastTrack rule is present for all forward traffic.
thank you sebastia,
I disabled conn tracking and put the rules below in the raw table. It is a little better than firewall filter. Thanks for all the help.
/ip firewall raw
add action=accept chain=prerouting src-address-list=secureadmin
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=tcp
add action=drop chain=prerouting dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 protocol=udp
 
pe1chl
Forum Guru
Posts: 4868
Joined: Mon Jun 08, 2015 12:09 pm

Re: firewall is pushing the cpu

Sat Dec 15, 2018 6:00 pm

There is little point in doing that firewalling "everywhere", especially when you also have high-bandwidth customer traffic.
In that case it is better to keep the "forward" firewall empty and put those rules only in the "input" firewall where you will
have far less traffic and so there will be less CPU load.
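pe1chl's approach, as an added example rather than a configuration from this thread: the forward chain is left empty and only packets addressed to the router itself are inspected. It keeps the raw prerouting style amt settled on, but scopes the drop rules with dst-address-type=local, so customer traffic to port 22, 445 and so on passes untouched; the raw rules posted earlier in the thread drop those ports for transit traffic as well. A notrack rule for non-local destinations keeps forwarded traffic out of the connection table entirely, while connection tracking on "auto" is switched on by the stateful input rules for the router's own traffic. The trade-off is the one pe1chl names: the networks behind this router are not protected by it. The port list and secureadmin list come from the thread; the notrack scoping, the ICMP accept and the final input drop are assumptions for this example.

```routeros
# Added example, not a configuration from this thread.
# Assumptions: an address list "secureadmin" exists; this router does no
# NAT (untracked transit cannot be NATed); OSPF is the only routing
# protocol that must reach the router; ICMP to the router is wanted.

/ip firewall connection tracking
set enabled=auto tcp-syncookie=yes

/ip firewall raw
# Admin hosts accepted before the drops below.
add chain=prerouting dst-address-type=local src-address-list=secureadmin \
    action=accept comment="admin: never dropped"
# Management ports dropped only when the packet is for this router;
# the same ports in transit traffic are not touched.
add chain=prerouting dst-address-type=local protocol=tcp \
    dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 action=drop \
    comment="router mgmt ports (tcp)"
add chain=prerouting dst-address-type=local protocol=udp \
    dst-port=22,2200,23,8290,8291,9090,8728,8729,135,139,445 action=drop \
    comment="router mgmt ports (udp)"
# Everything not addressed to the router is transit: no conntrack entry,
# and nothing in the (empty) forward chain to evaluate.
add chain=prerouting dst-address-type=!local action=notrack \
    comment="transit: no conntrack"

/ip firewall filter
# No forward rules at all. The input chain carries a tiny fraction of
# the packets, so its stateful rules are cheap.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input src-address-list=secureadmin action=accept
add chain=input protocol=ospf action=accept
add chain=input protocol=icmp action=accept comment="ping/traceroute"
add chain=input action=drop comment="drop everything else"
```

After applying it, `/ip firewall connection print count-only` should stay near the figure amt saw with tracking disabled, since only router-bound flows create entries, and `/ip firewall raw print stats` shows the management-port drop counters moving only for attempts against the router's own addresses. With rules present in raw, FastPath itself stays off (sebastia's point above), so the saving here is that forwarded packets are matched against nothing in filter and create no connection state, not that they take the fast path.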
