/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward
my q was, does it something thats a MUST HAVE this input chain rules to have most of the benefits of the firewall. Is there some updated firewall rules for preventing intrusions?Maybe someone to share their firewall without sensitive data ofcFirst two rules are for input chain, the 3rd, fasttrack is for forward chain and has nothing to do with first 2 rules.
Also not sure I understand your question?
Short answer: yes, it is a must have.my q was, does it something thats a MUST HAVE this input chain rules to have most of the benefits of the firewall. Is there some updated firewall rules for preventing intrusions?Maybe someone to share their firewall without sensitive data ofc
So you think this is the best rules to put it on topShort answer: yes, it is a must have.my q was, does it something thats a MUST HAVE this input chain rules to have most of the benefits of the firewall. Is there some updated firewall rules for preventing intrusions?Maybe someone to share their firewall without sensitive data ofc
Long answer:
Fasttracking means that packets belonging to existing connections bypassSo if fasttracking rule lowers the CPU load significantly, something in the above list is causing the CPU load.
- all the rest of the firewall handling following the connection tracking
- IPsec policy matching
- queues except the interface ones.
Without fasttracking, the action=accept connection-state=established,related,untracked accepts the part of forwarded traffic which would otherwise be accepted due to fasttracking. Only initial packets of forwarded connections will make it past this rule to the subsequent filter ones; these subsequent rules decide which connections will be permitted and which will not.
If connection tracking is active, every single packet is compared to the complete list of existing connections. And if it matches any already existing one, it is labeled with connection-state "established", and the rule you mention accepts it (or fasttracking accepts it instead if enabled).
The connection tracking itself is also quite CPU intensive, and fasttracking makes no sense in input chain. So as in your case, a lot of traffic is probably IPsec one, you could use
chain=prerouting dst-address-type=local protocol=udp dst-port=500,4500 action=notrack
chain=prerouting dst-address-type=local protocol=ipsec-esp action=notrack
chain=output protocol=udp src-port=500,4500 action=notrack
chain=output protocol=ipsec-esp action=notrack
rules in /ip firewall raw to prevent IPsec packets to and from your router itself from being connection-tracked. The same rule in filter will accept them as it matches also on connection-state "untracked", but the amount of CPU spent on those raw rules may be lower than the one otherwise spent by connection-tracking on the same packets. The actual benefit of this depends on the amount of tracked connections in total.
If you eventually don't need to use the router as a firewall for forwarded traffic, you may stop using connection tracking at all and only use rules in input chain to protect the router itself. Connection tracking is common for all traffic (both local and forwarded), so stopping to refer to connection-state and connection-nat-state only in input chain of filter will not help lower the CPU load. But in that case, the order of the rules in the filter is very important - most packets should pass through the least number of rules, so accept rules for the most frequent packets must be at the top of the list (probably ipsec-esp).
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward
add action=notrack chain=prerouting dst-address-type=local dst-port=500,4500 protocol=udp
add action=notrack chain=prerouting dst-address-type=local protocol=ipsec-esp
add action=notrack chain=output protocol=udp src-port=500,4500
add action=notrack chain=output protocol=ipsec-esp
There is no such thing as "the top of filter". There is the top of chain input in filter, and there is the top of chain forward in filter. Packets always only go through one of these rule chains, not both.So you think this is the best rules to put it on top
but then i got problem then with dude just "getting stuff" but nothing happend than, and when disable fasttrackk it came and everything is ok. Dude is a mikrotik which is located on another HQ and been connected via ipsec to this mikrotik where i put these comands.There is no such thing as "the top of filter". There is the top of chain input in filter, and there is the top of chain forward in filter. Packets always only go through one of these rule chains, not both.So you think this is the best rules to put it on top
So the default firewall of the SOHO grade devices is the optimum one:
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
... individual permissive rules if necessary for IPsec and other VPNs and/or for direct remote management via secure protocols...
add action=drop chain=input in-interface-list=WAN
If you don't want to permit access to router management from anywhere in the LAN, add permissive rules for authorized LAN devices where indicated and remove the in-interface-list=WAN from the last rule in input.
Adding the rules I've suggested to raw may reduce the CPU load. You have to try, it depends on your traffic structure whether the difference will be noticeable or not.
In forward, the structure is basically the same, except that the action=fasttrack-connection rule must be followed by action=accept chain=forward connection-state=established,related,untracked because some small amount of packets belonging to fasttracked connections takes the full path through the firewall, and if you use bare IPsec with policy matching, it must be preceded by action=accept chain=forward connection-state=established,related,untracked ipsec-policy=in,ipsec and action=accept chain=forward connection-state=established,related,untracked ipsec-policy=out,ipsec as connections which need to be handled by IPsec policies must not get fasttracked. In special cases, these rules exempting connections from fasttracking have to be more complex (where NAT is necessary in order that the packet matched the IPsec policy, it doesn't match the ipsec-policy=in|out,ipsec while being handled in filter), so you need to use src-address(-list) and dst-address(-list) matching, connection-mark matching etc. there.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=fasttrack-connection chain=forward disabled=yes
add action=accept chain=forward dst-address=10.11.0.0/16 src-address=192.168.30.0/24
add action=accept chain=input dst-address=10.11.0.0/16 src-address=192.168.30.0/24
add action=drop chain=forward comment="Drop Inv." connection-state=invalid
add action=accept chain=forward dst-address=10.98.0.0/24 src-address=192.168.2.0/24
add action=accept chain=input in-interface=vrrp_WAN1 protocol=icmp
add action=accept chain=input comment="permit from local ip DNS reuqest udp 53" dst-port=53 protocol=udp src-address-list=local_ip
add action=accept chain=forward dst-address=192.168.200.0/24 src-address=192.168.23.0/24
add action=accept chain=forward dst-address=192.168.200.0/24 src-address=172.16.2.0/24
add action=accept chain=forward dst-address=192.168.200.0/24 src-address=192.168.30.0/24
add action=reject chain=input comment="Drop !DNS" dst-port=53 protocol=udp reject-with=icmp-network-unreachable
add action=reject chain=input comment="Drop !DNS" dst-port=53 protocol=tcp reject-with=icmp-network-unreachable
add action=accept chain=input comment=SSH dst-port=4777 protocol=tcp src-address-list=HQ2Addresses
add action=accept chain=input comment=SSH dst-port=4777 protocol=tcp src-address-list=HQ1Addresses
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp src-address-list=HQ1Addresses
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp src-address-list=HQ2Addresses
add action=accept chain=input comment="Allow ICMP" protocol=icmp src-address-list=HQ2Addresses
add action=accept chain=input comment="Allow ICMP" protocol=icmp src-address-list=HQ1Addresses
add action=drop chain=input comment="Drop Inv." connection-state=invalid
add action=reject chain=input comment="Drop !DNS" dst-port=53 protocol=tcp reject-with=icmp-network-unreachable src-address-list=!DNS
add action=reject chain=input comment="Drop !DNS" dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS
add action=accept chain=output comment="OUT PMTUD" icmp-options=3:4 protocol=icmp
add action=accept chain=input comment="IN PMTUD" icmp-options=3:4 protocol=icmp
add action=accept chain=input comment="IN-Allow ping 1468b up to 5 in sec" limit=5,1:packet packet-size=1468 protocol=icmp
add action=add-src-to-address-list address-list=pingers address-list-timeout=1d chain=input comment="IN-List ICMP which dont match criteria" dst-address-list=!HQ1Addresses in-interface-list=WAN log-prefix=Ping@IN protocol=icmp src-address-list=\
!HQ1Addresses
add action=add-src-to-address-list address-list=@Services_Phase1 address-list-timeout=30m chain=input comment=IN-Services_Phase1 dst-address-list=!HQ1Addresses dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=tcp src-address-list=\
!HQ1Addresses
add action=add-src-to-address-list address-list=@Services_Phase1 address-list-timeout=30m chain=input comment=IN-Services_Phase1-UDP dst-address-list=!HQ1Addresses dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=udp src-address-list=\
!HQ1Addresses
add action=add-src-to-address-list address-list=@Services_Phase2 address-list-timeout=30m chain=input comment=IN-Services_Phase2 dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=tcp src-address-list=@Services_Phase1
add action=add-src-to-address-list address-list=@Services_Phase2 address-list-timeout=30m chain=input comment=IN-Services_Phase2-UDP dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=udp src-address-list=@Services_Phase1
add action=add-src-to-address-list address-list=@Services_Phase3 address-list-timeout=1w chain=input comment=IN-Services_Phase3 dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=tcp src-address-list=@Services_Phase2
add action=add-src-to-address-list address-list=@Services_Phase3 address-list-timeout=1w chain=input comment=IN-Services_Phase3-UDP dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=udp src-address-list=@Services_Phase2
add action=drop chain=input comment=IN-Phase3_dropRAW src-address-list=@Services_Phase3
add action=drop chain=input comment="IN-Block Shodan" src-address-list=shodan
add action=drop chain=input comment="IN-Defend from pingers" src-address-list=pingers
add action=accept chain=input dst-port=161 protocol=udp
add action=accept chain=forward dst-port=161 protocol=udp
add action=accept chain=output dst-port=161 protocol=udI have explained this in the previous post, which you've quoted as a whole (no idea why you do that) but apparently haven't read or understood it.but then i got problem then with dude just "getting stuff" but nothing happend than, and when disable fasttrackk it came and everything is ok.
is this better? i missread the ipsec in and out in forward.I have explained this in the previous post, which you've quoted as a whole (no idea why you do that) but apparently haven't read or understood it.but then i got problem then with dude just "getting stuff" but nothing happend than, and when disable fasttrackk it came and everything is ok.
The connections transported using IPsec must not get fasttracked. As your current action=fasttrack-connection rule matches on all forwarded traffic, it prevents Dude requests from being forwarded to destinations accessible via IPsec, and prevents responses from devices which are accessible without IPsec from being delivered back to the Dude.
You have to prevent traffic which needs to be transported using IPsec from matching that rule, or from even reaching it. I've told you how to do that - by placing rules that accept packets beloging to both directions of that traffic in filter before these packets reach the action=fasttrack-connection rule.
But with the fasttrack rule fasttracking only what it should, the CPU load may not decrease too much, as the difference in CPU load with the fasttracking rule disabled and enabled may be caused by the fact that part of the traffic simply doesn't exist - if the requests don't reach the destination, there are no responses, and if the initial query doesn't succeed, the subsequent ones are not sent at all. So the actual decrease of CPU load depends on the ratio between the traffic transported using IPsec and the traffic which doesn't need IPsec.
Another noteworthy point is that the firewall rules you currently have in filter chain forward effectively do nothing, because the traffic which doesn't match to any of the rules gets accepted. The rules in output chain are the same case - everything the router sends out is sent, but each packet is inspected by two rules.
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec/ip firewall filter
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
how to fix it? just to add drop rule?because the traffic which doesn't match to any of the rules gets accepted
Yes, this is yet another way how to do that. With this setup, a packet transported using IPsec is inspected by 1.5 mangle rule on average (those matching on ipsec-policy=out,ipsec are handled by one, those matching on ipsec-policy=in,ipsec are handled by two). You can reduce that to a single rule for each direction by placing action=accept chain=forward connection-state=!new before them in mangle. It is sufficient to assign the connection-mark to the connection when handling its initial packet, so all subsequent packets of the same connection don't need to be inspected for a match on the ipsec-policy again. So all mid-connection packets will match already on the connection-state=!new.is this better? i missread the ipsec in and out in forward.
first i add mangle to capture ipsec, router is now at 25,30%
Yes. Plus you may want to place an action=log rule before the action=drop one to see what the drop one drops. It will help you notice which "legal" traffic you forgot to permit, and what is the illegal traffic trying to get through your router.how to fix it? just to add drop rule?because the traffic which doesn't match to any of the rules gets accepted
i added that firewall mangle rule before those ipsec.Yes, this is yet another way how to do that. With this setup, a packet transported using IPsec is inspected by 1.5 mangle rule on average (those matching on ipsec-policy=out,ipsec are handled by one, those matching on ipsec-policy=in,ipsec are handled by two). You can reduce that to a single rule for each direction by placing action=accept chain=forward connection-state=!new before them in mangle. It is sufficient to assign the connection-mark to the connection when handling its initial packet, so all subsequent packets of the same connection don't need to be inspected for a match on the ipsec-policy again. So all mid-connection packets will match already on the connection-state=!new.is this better? i missread the ipsec in and out in forward.
first i add mangle to capture ipsec, router is now at 25,30%
Yes. Plus you may want to place an action=log rule before the action=drop one to see what the drop one drops. It will help you notice which "legal" traffic you forgot to permit, and what is the illegal traffic trying to get through your router.how to fix it? just to add drop rule?because the traffic which doesn't match to any of the rules gets accepted
you think about these 3 rules that dont have a drop one? i cant see any other from my post under.Yes
I can't get how a rule in forward chain of mangle should break IPsec transport and control traffic which is handled by chains input and output. Post the export of the mangle.i added that firewall mangle rule before those ipsec.
I got aproblem that tunnels goes down, msg1 sent error and i must disable all that i newly created and restart peer and than tunnels go up.
2020-11-01 14_47_00-Window.pngYes
I was talking about adding the "drop the rest" rule solely to chain forward in filter. If you've added a "drop the rest" rule also to chain output in flter, there's no wonder it has broken the tunnels. A drop in output of filter is only used for very specific purposes. Regarding chain input of filter, I didn't dive deep into what you've set up there.I can't get how a rule in forward chain of mangle should break IPsec transport and control traffic which is handled by chains input and output. Post the export of the mangle.i added that firewall mangle rule before those ipsec.
I got aproblem that tunnels goes down, msg1 sent error and i must disable all that i newly created and restart peer and than tunnels go up.
2020-11-01 14_47_00-Window.pngYes
you think about these 3 rules that dont have a drop one? i cant see any other from my post under.
/ip firewall mangle
add action=mark-packet chain=forward new-packet-mark=VOIP passthrough=yes \
src-address=VOIP
add action=mark-packet chain=forward dst-address=VOIP new-packet-mark=\
VOIP passthrough=yes
add action=mark-packet chain=prerouting comment=office-subnet dst-address-list=\
!VIDEO new-packet-mark=Marketing passthrough=yes src-address-list=\
ISP2
add action=mark-routing chain=prerouting comment=office-subnet dst-address-list=\
!VIDEO new-routing-mark=Marketing packet-mark=Marketing passthrough=\
yes src-address-list=ISP2
add action=mark-connection chain=prerouting comment=Raspberry connection-mark=\
no-mark disabled=yes new-connection-mark=raspTemp passthrough=yes \
src-address=192.168.50.144
add action=mark-routing chain=prerouting comment=Raspberry connection-mark=\
raspTemp disabled=yes new-routing-mark=raspTemp passthrough=yes \
src-address=192.168.50.144
add action=mark-connection chain=prerouting connection-mark=no-mark dst-port=53 \
layer7-protocol=*4 new-connection-mark=block_connection passthrough=yes \
protocol=udp
add action=mark-packet chain=prerouting connection-mark=block_connection \
new-packet-mark=block_packet
add action=accept chain=forward connection-state=!new disabled=yes
add action=mark-connection chain=forward comment="mark ipsec connections" \
disabled=yes ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=\
yes
add action=mark-connection chain=forward comment="mark ipsec connections" \
disabled=yes ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=\
yes
0 X ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
1 X ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
2 ;;; @Dongla Server drop Locations
chain=forward action=drop src-address=192.168.50.144
dst-address=10.0.0.0/8 log=no log-prefix=""
3 X chain=forward action=drop protocol=icmp packet-size=200-65535 log=no
log-prefix=""
4 ;;; Drop Inv.
chain=forward action=drop connection-state=invalid
5 ;;; Drop Inv.
chain=input action=drop connection-state=invalid
6 ;;; IN-Phase_dropRAW
chain=input action=drop src-address-list=@Servisi_Phase log=no
log-prefix=""
7 ;;; IN-Block shodan
chain=input action=drop src-address-list=shodan
8 ;;; IN-Defend from pingers
chain=input action=drop src-address-list=pingers log=no log-prefix=""
i cant enable JUST those three in mangle, because here i mangle some subnet and force it to another ISP in routes and also using for VOIP, so i cant disable it.Let's keep the threads (firewall and IPsec) separate.
Here, try to enable only the three mangle rules you've added, but keep those drop ones, which you've eventually added since the point in time when it was working, disabled, and tell me how it works.
I had in mind "out of the rules added by my recommendation, enable only the three added to mangle, not the drop ones in filter". Of course all your pre-existing rules must stay in place.i cant enable JUST those three in mangle, because here i mangle some subnet and force it to another ISP in routes and also using for VOIP, so i cant disable it.
it is how it was earlier, i just added that three in mangle if you think about these rulesI had in mind "out of the rules added by my recommendation, enable only the three added to mangle, not the drop ones in filter". Of course all your pre-existing rules must stay in place.i cant enable JUST those three in mangle, because here i mangle some subnet and force it to another ISP in routes and also using for VOIP, so i cant disable it.
Also, from your print of drop rules, it seemed to me that the drop one in forward in filter was not the very last one in that chain. The rules are matched in sequence, first towards last until first match to a rule providing a final verdict, in the chain chosen depending on packet type: incoming to router itself, i.e. no out-interface used / forwarded from interface to interface / outgoing from router itself, i.e. no in-interface used.
add action=accept chain=forward connection-state=!new disabled=yes
add action=mark-connection chain=forward comment="mark ipsec connections" \
disabled=yes ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=\
yes
add action=mark-connection chain=forward comment="mark ipsec connections" \
disabled=yes ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=\
yes
;;; Drop Inv.
chain=forward action=drop connection-state=invalid
OK, and with these three mangle rules enabled, everything works fine? What about the difference in CPU load when the "accept connection-state=!new" is enabled and when it is disabled, is there any?
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec \
connection-state=established,related disabled=yes
add action=accept chain=forward connection-state=established,related disabled=\
yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
i added that firewall mangle rule before those ipsec.
I got aproblem that tunnels goes down, msg1 sent error and i must disable all that i newly created and restart peer and than tunnels go up.
with the mangles rules for ipsec or without?That's magic.
First, the IPsec control packets and transport packets are handled by chains input and output. Payload packets from/to external devices, which get extracted from IPsec transport packets, and which are going to be encapsulated into IPsec transport packets, are handled by chain forward. So whatever you do in chain forward cannot cause the IPsec tunnels to get to "msg1 sent" state.
Second, out of the five rules you've listed above, for the two for chain input I can see no way how they could break anything, regardless where exactly you place them.
So enable only the "accept" one of them in chain input, make an export of the complete firewall filter after that, and if that breaks IPsec, post that export. If it doesn't break anything, enable also the "drop invalid" one in chain input, export the filter, and again if it breaks anything, post that export.
yes, they areWith. They are in forward, aren't they?
add action=mark-connection chain=prerouting connection-mark=no-mark dst-port=53 \
layer7-protocol=*4 new-connection-mark=block_connection passthrough=yes \
protocol=udp
add action=mark-packet chain=prerouting connection-mark=block_connection \
new-packet-mark=block_packet
add action=accept chain=forward connection-state=!new disabled=yes
add action=mark-connection chain=forward comment="mark ipsec connections" \
disabled=yes ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=\
yes
add action=mark-connection chain=forward comment="mark ipsec connections" \
disabled=yes ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=\
yes
No, don't enable the fasttrack connection. The steps need to be taken one by one to see where is the issue. So first you enable only the additional mangle rules and the additional rules in input in filter. If that works, we can proceed.but fasttrack connection for that is disabled, should i enable that also?
i enable it. Waiting now, i will edit this post when finds out!No, don't enable the fasttrack connection. The steps need to be taken one by one to see where is the issue. So first you enable only the additional mangle rules and the additional rules in input in filter. If that works, we can proceed.but fasttrack connection for that is disabled, should i enable that also?
i have one bridge with ports and 200Mb+ bandwidth within.Što si htio da rekneš ovom rječenicom: "I notice that one bridge when disable cpu goes regular about 10%."?
yes, in the picture i sent you earlier the subnet 192.168.90.0/24 which "lives" on CCR itselft there is a bridge with that subnet and also a tunnel with 10.10 and 10.11.Are we still talking about the machine where the IPsec tunnels are running? I'm asking because in its configuration export, I've found just an empty bridge with no ports at all.
It is theoretically possible that there is so much traffic towards the devices connected to the switches with only 100 Mbit/s ports that most of that traffic gets dropped due to insufficient bandwidth, and this causes retransmissions at source, so even more traffic.
Yeah, i am seeing that now in the my post. Somehow there is no bridge members.Then why doesn't the picture match the configuration? 192.168.90.0/24 is attached to ether3_HQCAM in that configuration; the bridge exists there but has no member ports and no IP configuration is attached to it. Are you constantly updating the configuration?
i change it now to bridge_VN port.Officially, the 192.168.90.1/24 should be attached to bridgeVN rather than ether3_HQCAM. Practically I have never seen this wrong setup to cause any issues, and even the ROS upgrade script migrating configurations from old "master port" to current "bridge with hardware acceleration" doesn't move the IP configuration from the former master port to the bridge.
But I rarely see CPU loads above 20 %, so it might help something to do it properly.
Looking at half of the total load to be spent on "networking" and just a small bit on "bridging", I suspect (and I may easily be wrong) that this load comes from the processing of the interrupts asserted on arrivals and departures of Ethernet frames. So if it is related to the 100 Mbit/s speed on bridge ports, I expect it to be caused by retransmissions induced by high loss rate as suggested several posts above.
no, that bridge is for video surveillance center. So there is no much l2 traffic in the bridge there. Funny thing is that when i disable that bridge or just pull out cables, cpu level is OK, about 10-20%.You may misunderstand that tx and rx. In the list of interfaces, the bridge is an interface through which the router (L3) part of the software sends data to external devices connected to the physical ports included into the bridge, which is the download direction for those devices.
Or in generic case - download from internet to a device in LAN is seen as Rx on the WAN port and as Tx on the LAN port.
Most speedtests test each direction separately, so it should show almost 0 in upload while doing the download test and almost 0 in download while doing the upload test.
During normal operation, does any significant amount of L2 traffic run between different ports of the bridge, i.e. will the total amount of traffic running through the CCR change siginficantly if you connect one of the switches currently connected directly to the CCR to a free port on the other switch instead?
As you've mentioned video surveillance, two things come to my mind - the cameras may be sending multicast traffic, and/or they may be sending short packets, i.e. relatively low bit rate but high packet rate. The high CPU percentage spent on networking vs. almost none spent on bridging suggests rather the latter (high rate of small packets), but I have no experience with the TILE architecture so it is just an assumption.no, that bridge is for video surveillance center. So there is no much l2 traffic in the bridge there. Funny thing is that when i disable that bridge or just pull out cables, cpu level is OK, about 10-20%.
These two PCs are in the same subnet?But i cant figure out two things. First, why speed tests shows upload 0 (download goes under 100mb). Here are examples from different pcs.
As you've mentioned video surveillance, two things come to my mind - the cameras may be sending multicast traffic, and/or they may be sending short packets, i.e. relatively low bit rate but high packet rate. The high CPU percentage spent on networking vs. almost none spent on bridging suggests rather the latter (high rate of small packets), but I have no experience with the TILE architecture so it is just an assumption.no, that bridge is for video surveillance center. So there is no much l2 traffic in the bridge there. Funny thing is that when i disable that bridge or just pull out cables, cpu level is OK, about 10-20%.
So the next step is to run /interface monitor-traffic etherX,etherY,.., where etherX, etherY, ... is the list of actual member ports of the bridge, to show the current traffic every second, and /interface ethernet print stats where name~"etherX|etherY" which shows the counters just one-time, but the counters are more detailed - by frame size group, and also broadcast and multicast frames are counted separately.
With /interface ethernet print stats sent several times with a fixed time between the attempts, you can get the traffic volumes per second in each size/type group by subtraction and averaging, something like
/interface ethernet print stats file=ether-stats where name~"etherX|etherY" ; /delay 50s ; /interface ethernet print stats file=ether-stats append where name~"etherX|etherY" ; /delay 50s ; /interface ethernet print stats file=ether-stats append where name~"etherX|etherY"
These two PCs are in the same subnet?But i cant figure out two things. First, why speed tests shows upload 0 (download goes under 100mb). Here are examples from different pcs.
As you've mentioned video surveillance, two things come to my mind - the cameras may be sending multicast trafficyeah, its one big office.These two PCs are in the same subnet?
there are too many cameras and i cant say if they properly configured with a bandwitdth in the remote location if thats you asking.Looking at the file, those about 250 Mbit/s sent out via ether3 are sent as 21000 packets/s in 1500-byte packets, hence I assume the cameras send the video using TCP. The ACK traffic in the opposite direction takes some 9000 packets/s in 64-byte frames (which is fine, TCP doesn't necessarily acknowledge every single packet received). So I assume that if you disconnect the switch from the port, this traffic stops being sent as the cameras stop getting the ACK, and hence the CPU load decreases.
What surprises me is that it worked at least somehow while a 100 Mbit/s switch was connected to a port which pushes 250 Mbit/s out when connected to a gigabit peer. Do the cameras adjust the bit rate to the available bandwidth (which they learn from the feedback in the ACK)?
I'd say you should use /interface ethernet monitor-traffic ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 once with and without ether3 connected. The sum of Rx bytes across all ports should be roughly the same like the sum of Tx bytes (it will not be exactly the same, at least due to IPsec encapsulation and decapsulation). So you'll see the total traffic volume the router has to handle while the camera streams are getting through and while they are squelched as the recipient(s) do(es)n't ACK them.
I don't get why you are so fond of images where text is much more useful for post-processing.
So roughly, when the DVR/monitor wall receiving the streams from the cameras is reachable (when the external switch is connected to ether3), the machine routes about 410 Mbit/s of traffic (and decrypts a good deal of it); when the video stream destination is unavailable, the total traffic volume is just 160 Mbit/s, so 2.5 times less.
In packets per second, it is 65 k packets/s when video destination is reachable and 25 k packets/s when it is not, so also about 2.5 times less.
So if everything was proportional, the CPU load should raise from 12 % to some 30 % when you connect the video destination(s). But it obviously isn't, so the question is what is so different about the video traffic that it causes so much extra load. Is the other (non-video) traffic coming IPsec-encrypted as well? Can you show the output of /tool profile in both states?
they are just in terms of ipsec watching cameras. Any other job is standard job as in any office. My first idea was that somewhere is a problem with network loop, but router in the logs tell me nothing in terms of loops.Is the other (non-video) traffic coming IPsec-encrypted as well?
Sorry, I understand every single word but not the answer as a whole. So again - does any other traffic except the one from cameras need IPsec decryption at the CCR?they are just in terms of ipsec watching cameras. Any other job is standard job as in any office.Is the other (non-video) traffic coming IPsec-encrypted as well?
If there was an L2 loop on the switches connected to ether3 and ether4, which are bridged together, the traffic volumes would be about the same on both. A routing loop is a different case, but for it to exist, there would have to exist a physical path from the switch connected to ether3 and something connected via ether1 or ether2. Related to this, I actually am surprised that part of the traffic from the cameras is coming via ether1 although the bulk of it is coming via ether2 - do you have any explanation of this?My first idea was that somewhere is a problem with network loop, but router in the logs tell me nothing in terms of loops.
But my technicians claims that there is no loops. So from router cable from ether3 comes into that office to gigabit switches (1 16port and 3 8 port).
When asking about IPsec above, I had in mind that forwarding of a packet that arrives encrypted is a bit more CPU-intensive than forwarding a packet which doesn't require decryption.I dont have complains about ipsec for now (or support dont tell me :D )
Sorry, I understand every single word but not the answer as a whole. So again - does any other traffic except the one from cameras need IPsec decryption at the CCR?they are just in terms of ipsec watching cameras. Any other job is standard job as in any office.Is the other (non-video) traffic coming IPsec-encrypted as well?
If there was an L2 loop on the switches connected to ether3 and ether4, which are bridged together, the traffic volumes would be about the same on both. A routing loop is a different case, but for it to exist, there would have to exist a physical path from the switch connected to ether3 and something connected via ether1 or ether2. Related to this, I actually am surprised that part of the traffic from the cameras is coming via ether1 although the bulk of it is coming via ether2 - do you have any explanation of this?My first idea was that somewhere is a problem with network loop, but router in the logs tell me nothing in terms of loops.
But my technicians claims that there is no loops. So from router cable from ether3 comes into that office to gigabit switches (1 16port and 3 8 port).
When asking about IPsec above, I had in mind that forwarding of a packet that arrives encrypted is a bit more CPU-intensive than forwarding a packet which doesn't require decryption.I dont have complains about ipsec for now (or support dont tell me :D )
Sorry, I understand every single word but not the answer as a whole. So again - does any other traffic except the one from cameras need IPsec decryption at the CCR?do you have any explanation of this?add action=mark-packet chain=prerouting comment=VN-Subnet dst-address-list=!VIDEO new-packet-mark=Video_Surv passthrough=yes src-address-list=WAN2
add action=mark-routing chain=prerouting comment=VN-Subnet dst-address-list=!VIDEO new-routing-mark=Video_Surv packet-mark=Video_Surv passthrough=yes src-address-list=WAN2
i will do it. Get back with info!So the additional CPU spent on IPsec encryption and decryption per packet does not explain the non-linear growth of the CPU load as the video traffic is added to the mix. At this moment I've got no further ideas.
The product page provides no information regarding IPsec throughput of your CCR1009-8G-1S, but the CPU in it should be the same one like in the newer CCR1009-7G-1C-1S+, and for that one, the IPsec performance is shown and doesn't seem to be a limiting factor for your traffic volume. But there's a more interesting information in the product list, which is the fact that on your model, ether1 to ether4 are connected to a switch chip which is connected to the CPU using a single 1 Gbit/s lane. Since ether5 and ether6 appear to be unused in your configuration, I'd recommend to migrate ether1 configuration and cable to ether5 and ether2 configuration and cable to ether6 and see what happens. At least it won't be worse.
just to have a word from this post, this is a drops nowThat's magic.
First, the IPsec control packets and transport packets are handled by chains input and output. Payload packets from/to external devices, which get extracted from IPsec transport packets, and which are going to be encapsulated into IPsec transport packets, are handled by chain forward. So whatever you do in chain forward cannot cause the IPsec tunnels to get to "msg1 sent" state.
Second, out of the five rules you've listed above, for the two for chain input I can see no way how they could break anything, regardless where exactly you place them.
So enable only the "accept" one of them in chain input, make an export of the complete firewall filter after that, and if that breaks IPsec, post that export. If it doesn't break anything, enable also the "drop invalid" one in chain input, export the filter, and again if it breaks anything, post that export.
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; for test ipsec
chain=input action=drop connection-state=invalid log=no log-prefix=""
1 ;;; Server drop Locations
chain=forward action=drop dst-address=10.0.0.0/8 src-address-list=!ALLOW-LOCATIONS log=no log-prefix=""
2 ;;; Drop Inv.
chain=forward action=drop connection-state=invalid
3 ;;; IN-Phase3_dropRAW
chain=input action=drop src-address-list=@Servisi_Faza3 log=no log-prefix=""
4 ;;; IN-block shodan
chain=input action=drop src-address-list=shodan
5 ;;; IN-Defend from pingers
chain=input action=drop src-address-list=pingeri log=no log-prefix=""
just to have a word from this post, this is a drops now, and seems ok in term of tunnels.That's magic.
First, the IPsec control packets and transport packets are handled by chains input and output. Payload packets from/to external devices, which get extracted from IPsec transport packets, and which are going to be encapsulated into IPsec transport packets, are handled by chain forward. So whatever you do in chain forward cannot cause the IPsec tunnels to get to "msg1 sent" state.
Second, out of the five rules you've listed above, for the two for chain input I can see no way how they could break anything, regardless where exactly you place them.
So enable only the "accept" one of them in chain input, make an export of the complete firewall filter after that, and if that breaks IPsec, post that export. If it doesn't break anything, enable also the "drop invalid" one in chain input, export the filter, and again if it breaks anything, post that export.
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; for test ipsec
chain=input action=drop connection-state=invalid log=no log-prefix=""
1 ;;; Server drop Locations
chain=forward action=drop dst-address=10.0.0.0/8 src-address-list=!ALLOW-LOCATIONS log=no log-prefix=""
2 ;;; Drop Inv.
chain=forward action=drop connection-state=invalid
3 ;;; IN-Phase3_dropRAW
chain=input action=drop src-address-list=@Servisi_Faza3 log=no log-prefix=""
4 ;;; IN-block shodan
chain=input action=drop src-address-list=shodan
5 ;;; IN-Defend from pingers
chain=input action=drop src-address-list=pingeri log=no log-prefix=""
just for info, how you get 410 or 160mbit/s if total traffic is inclued? What you summarize here? ( in first case of 410Mbit i cant get that if i summarize ether1+ether2 tx and rx bits /s)I don't get why you are so fond of images where text is much more useful for post-processing.
So roughly, when the DVR/monitor wall receiving the streams from the cameras is reachable (when the external switch is connected to ether3), the machine routes about 410 Mbit/s of traffic (and decrypts a good deal of it); when the video stream destination is unavailable, the total traffic volume is just 160 Mbit/s, so 2.5 times less.
In packets per second, it is 65 k packets/s when video destination is reachable and 25 k packets/s when it is not, so also about 2.5 times less.
So if everything was proportional, the CPU load should raise from 12 % to some 30 % when you connect the video destination(s). But it obviously isn't, so the question is what is so different about the video traffic that it causes so much extra load. Is the other (non-video) traffic coming IPsec-encrypted as well? Can you show the output of /tool profile in both states?
Assuming that the own traffic of the router (sent by the router itself or received by the router itself) is negligible, almost each packet which comes in through one interface must get out through another one. So the sum of the rx speeds on all interfaces is roughly equal to the sum of tx speeds on all interfaces, and either of them is the total throughput of the router. So in both cases I was summarizing the same direction of flows on all ports, ether1 to ether8. sfp1 was unused in the configuration you've posted and you haven't included it either, so I assume there is no traffic on it.just for info, how you get 410 or 160mbit/s if total traffic is inclued? What you summarize here? ( in first case of 410Mbit i cant get that if i summarize ether1+ether2 tx and rx bits /s)
yeah now i know. Can you a just please more explanation. When you have traffic IN and OUT, OUT is what that port, or server connected to that port on switch,router sends. What is bandwitdth IN? What comes from OUTSIDE to that server, some queries or?Assuming that the own traffic of the router (sent by the router itself or received by the router itself) is negligible, almost each packet which comes in through one interface must get out through another one. So the sum of the rx speeds on all interfaces is roughly equal to the sum of tx speeds on all interfaces, and either of them is the total throughput of the router. So in both cases I was summarizing the same direction of flows on all ports, ether1 to ether8. sfp1 was unused in the configuration you've posted and you haven't included it either, so I assume there is no traffic on it.just for info, how you get 410 or 160mbit/s if total traffic is inclued? What you summarize here? ( in first case of 410Mbit i cant get that if i summarize ether1+ether2 tx and rx bits /s)
# nov/02/2020 13:32:24 by RouterOS 6.47.4
add action=fasttrack-connection chain=forward connection-mark=!ipsec \
connection-state=established,related disabled=yes
add action=accept chain=forward connection-state=established,related \
disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=drop chain=forward comment="@Server drop Locations" \
dst-address=10.0.0.0/8 src-address=192.168.50.144
add action=accept chain=forward dst-address=10.11.0.0/16 src-address=\
192.168.30.0/24
add action=accept chain=input dst-address=10.11.0.0/16 src-address=\
192.168.30.0/24
add action=drop chain=forward disabled=yes packet-size=200-65535 protocol=\
icmp
add action=drop chain=forward comment="Drop Inv." connection-state=invalid
add action=accept chain=forward dst-address=10.98.0.0/24 src-address=\
192.168.2.0/24
add action=accept chain=input in-interface=vrrp_WAN1 protocol=icmp
add action=accept chain=input comment=\
"permit from local ip DNS reuqest udp 53" dst-port=53 protocol=udp \
src-address-list=local_ip
add action=accept chain=forward dst-address=192.168.200.0/24 src-address=\
192.168.23.0/24
add action=accept chain=forward dst-address=192.168.200.0/24 src-address=\
172.16.2.0/24
add action=accept chain=forward dst-address=192.168.200.0/24 src-address=\
192.168.30.0/24
add action=reject chain=input comment="Drop !DNS" dst-port=53 protocol=udp \
reject-with=icmp-network-unreachable
add action=reject chain=input comment="Drop !DNS" dst-port=53 protocol=tcp \
reject-with=icmp-network-unreachable
add action=accept chain=input comment=SSH dst-port=4777 protocol=tcp \
src-address-list=HQ2Addresses
add action=accept chain=input comment=SSH dst-port=4777 protocol=tcp \
src-address-list=HQ1Addresses
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp \
src-address-list=HQ1Addresses
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp \
src-address-list=HQ2Addresses
add action=accept chain=input comment="Allow ICMP" protocol=icmp \
src-address-list=HQ2Addresses
add action=accept chain=input comment="Allow ICMP" protocol=icmp \
src-address-list=HQ1Addresses
add action=drop chain=input comment="Drop Inv." connection-state=invalid
add action=reject chain=input comment="Drop !DNS" dst-port=53 protocol=tcp \
reject-with=icmp-network-unreachable src-address-list=!DNS
add action=reject chain=input comment="Drop !DNS" dst-port=53 protocol=udp \
reject-with=icmp-network-unreachable src-address-list=!DNS
add action=accept chain=output comment="OUT-Allow PMTUD" icmp-options=3:4 \
protocol=icmp
add action=accept chain=input comment="IN-Allow PMTUD" icmp-options=3:4 \
protocol=icmp
add action=accept chain=input comment="IN-ProAllow ping 1468b do 5 u sekundi" \
limit=5,1:packet packet-size=1468 protocol=icmp
add action=add-src-to-address-list address-list=pingers address-list-timeout=\
1d chain=input comment="IN-List ICMP which dont match criteria" \
dst-address-list=!HQ1Addresses in-interface-list=WAN log-prefix=Ping@IN \
protocol=icmp src-address-list=!HQ1Addresses
add action=add-src-to-address-list address-list=@Services_Phase1 \
address-list-timeout=30m chain=input comment=IN-Services_Phase1 \
dst-address-list=!HQ1Addresses dst-port=21,22,23,69,80,443,5060,8080 \
in-interface-list=WAN protocol=tcp src-address-list=!HQ1Addresses
add action=add-src-to-address-list address-list=@Services_Phase1 \
address-list-timeout=30m chain=input comment=IN-Services_Phase1-UDP \
dst-address-list=!HQ1Addresses dst-port=21,22,23,69,80,443,5060,8080 \
in-interface-list=WAN protocol=udp src-address-list=!HQ1Addresses
add action=add-src-to-address-list address-list=@Services_Phase2 \
address-list-timeout=30m chain=input comment=IN-Services_Phase2 dst-port=\
21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=tcp \
src-address-list=@Services_Phase1
add action=add-src-to-address-list address-list=@Services_Phase2 \
address-list-timeout=30m chain=input comment=IN-Services_Phase2-UDP \
dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=udp \
src-address-list=@Services_Phase1
add action=add-src-to-address-list address-list=@Services_Phase3 \
address-list-timeout=1w chain=input comment=IN-Services_Phase3 dst-port=\
21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=tcp \
src-address-list=@Services_Phase2
add action=add-src-to-address-list address-list=@Services_Phase3 \
address-list-timeout=1w chain=input comment=IN-Services_Phase3-UDP \
dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=udp \
src-address-list=@Services_Phase2
add action=drop chain=input comment=IN-Phase3_dropRAW src-address-list=\
@Services_Phase3
add action=drop chain=input comment="IN-Block Shodan" src-address-list=\
shodan
add action=drop chain=input comment="IN-Defend from pingers" \
src-address-list=pingers
add action=accept chain=input dst-port=161 protocol=udp
add action=accept chain=forward dst-port=161 protocol=udp
add action=accept chain=output dst-port=161 protocol=udp
ipsec breaks.That's magic.
First, the IPsec control packets and transport packets are handled by chains input and output. Payload packets from/to external devices, which get extracted from IPsec transport packets, and which are going to be encapsulated into IPsec transport packets, are handled by chain forward. So whatever you do in chain forward cannot cause the IPsec tunnels to get to "msg1 sent" state.
Second, out of the five rules you've listed above, for the two for chain input I can see no way how they could break anything, regardless where exactly you place them.
So enable only the "accept" one of them in chain input, make an export of the complete firewall filter after that, and if that breaks IPsec, post that export. If it doesn't break anything, enable also the "drop invalid" one in chain input, export the filter, and again if it breaks anything, post that export.
Is this statement valid with the firewall filter rules exactly as in the posted .rsc file, including the disabled=yes at some of them?ipsec breaks.
its established, but there is no traffic, i cant communicate with that subnets.
None of those firewall rules blocks IPsec as such, nor do they block traffic to/from the subnets reachable via IPsec (unless you've added them to the shodan or pingers or @Services_Phase3 address lists). In fact, the firewall rules block almost nothing.
In the printout of the security associations, I can see that traffic to/from the VoIP thing is bi-directional, but the traffic to/from pfsense is unidirectional from the HQ router to pfsense, except a single SA which shows packets received from pfsense side.
This confirms that firewall rules are unrelated to the issue. Whether the SA rekeying has failed on all SAs or whether there is another reason can only be found out if you can visualize the encryption keys used at pfsense side. What does /ip ipsec statistics print show in this state?
/ip ipsec statistics print
out-state-expired: 157
out-no-states: 67342
in-template-mismatches: 16