Eliminateur
Frequent Visitor
Topic Author
Posts: 96
Joined: Thu Jun 28, 2007 7:38 am

High cpu usage on bridge TCP / bridge weirdness

Tue May 27, 2008 6:15 am

Hello,
i'm running two RB411 with R52 in turbo-A mode in WDS transparent bridge mode, i've disabled conntrack, disabled all packages but the basic ones(system, wireless, adv tools, security and routerboard).
i'm running ROS 3.10 and bios 2.15

links establish in 36mbpsx2 each way, i'm running TCP test with btest on my PC and the other on the remote RB411(the bridgehead), 1500 byte packets, TCP test.
throughput tops @23.1mbps with a cpu usage of 85/90 for the AP and 20~ for the station.

why is the cpu usage that high? because i'm running the BW test on the AP station? or this is completely normal?

Also,
if the station is unplugged/disabled, the AP changes its ether1 IP!, i have 192.168.2.2 on ether1 and 10.1.0.1 on bridge1
when both ends are linked, everything works fine and peachy, when the station goes down, the AP no longer answers to 192.168.2.2 and instead returns 10.1.0.1 as its ip(i had to connect via MAC with Winbox).
WDS is set to dynamic, otherwise the bridge wouldn't come up(with wds static)

thanks in advance
 
JJCinAZ
Member
Posts: 473
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Re: High cpu usage on bridge TCP / bridge weirdness

Thu May 29, 2008 8:24 am

Yes, that CPU usage is normal. If you want a real test, you need to test through the link with other Mikrotiks on each side or with PCs on each side. Using the AP or client to generate test traffic will burden the CPU with traffic generation and take away from traffic handling.

As for the IP address change, IP addresses on interfaces are inherited by the bridge in which the interface sits (if one). When the client disassociates, the WLAN interface stops "running" and is therefore taken out of the bridge. Since that interface is now gone, the bridge inherits its IP from another interface in the bridge. To fix this, you should either disable running check on the WLAN or set an admin MAC address of the bridge to that of an interface in the bridge which shouldn't stop running, e.g. ether1. Once you've done that, you can continue to let the bridge inherit the IP address, or specifically assign the IP address to the bridge.
 
Eliminateur
Frequent Visitor
Topic Author
Posts: 96
Joined: Thu Jun 28, 2007 7:38 am

Re: High cpu usage on bridge TCP / bridge weirdness

Thu May 29, 2008 1:34 pm

JJ,
thanks for the answer, what i did was to not assign any IP to the bridge(only IP assigned is ether1) and it apparently works as it should, bridge connects, traffic passes.

is there a need to put an IP address on the bridge itself for my P2P scenario?
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: High cpu usage on bridge TCP / bridge weirdness

Thu May 29, 2008 3:56 pm

You could also just assign the IP address to the bridge itself, that way no matter which port was disconnected the IP address would always be up (so long as the bridge is enabled).
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: High cpu usage on bridge TCP / bridge weirdness

Sun Jun 01, 2008 8:01 am

My network consists of many routers connected by radios in ap/bridge wds-static mode. I always assign an IP address to the bridge and never assign an IP address to any of the interfaces that are ports on the bridge.

I do this so I have an address that I can use to manage the router which contains that bridge.

As previously suggested, I also assign a managed mac address to the bridge. If you don't do this, the mac address of the bridge may change as links go up and down. This causes forwarding issues with the bridged network each time this occurs. A static managed mac address for the bridge solves this.
 
savagedavid
Trainer
Posts: 310
Joined: Thu Aug 25, 2005 12:58 pm
Location: Cape Town, South Africa

Re: High cpu usage on bridge TCP / bridge weirdness

Sun Jun 01, 2008 10:23 am

Another tip - if you are looking for speed and don't need firewall / nat features, disable the Connection Tracking system (IP -- Firewall -- Connections -- Tracking). This will give a good 10-15% speed increase.
savagedavid
MTCE+T (MikroTik Certified Everything + Trainer)
MikroTik support and training in South Africa
http://www.mikrotiksa.com
david [at] mikrotiksa dot com
 
JJCinAZ
Member
Posts: 473
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Re: High cpu usage on bridge TCP / bridge weirdness

Sun Jun 01, 2008 5:40 pm

Do not disable connection tracking on a version 2.x router. This will also disable the router's ability to pass IP fragments across any bridge. On version 3.x routers, you can do this if you have disabled (the default) "Use IP Firewall" option on the bridge settings.
 
Eliminateur
Frequent Visitor
Topic Author
Posts: 96
Joined: Thu Jun 28, 2007 7:38 am

Re: High cpu usage on bridge TCP / bridge weirdness

Sun Jun 01, 2008 7:00 pm

in version 3.x then i can disable conntrack safely?(apart from the IP firewall)

> Do not disable connection tracking on a version 2.x router. This will also disable the router's ability to pass IP fragments across any bridge. On version 3.x routers, you can do this if you have disabled (the default) "Use IP Firewall" option on the bridge settings.

dsobin,
a "managed MAC" is a MAC i invent to put in both ends of the bridge?. what's the difference of assigning a IP to the bridge opposite to assigning it to the ether1 interface?(you have access to the routers anyway with an ip on ether1, assuming they're all in the same subnet)

i couldn't make WDS-static mode to work, the stations keeps "searching for network" and never connects, the moment i changed it to dynamic it worked instantly.
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: High cpu usage on bridge TCP / bridge weirdness

Sun Jun 01, 2008 7:15 pm

If ether1 is one of the ports on the bridge, assigning an IP to the ether is frowned upon. The documents I've read recommend assigning the IP to the bridge, since all of the ports will then share that IP.

The managed mac can be a made up one or just copy and paste one of the macs connected to the bridge. Be sure that each of your bridges has a DIFFERENT mac or the mac forwarding process will get confused. It's ok to pick a random mac for a bridge, but I find it easier to pick one of the macs already assigned as a port on that bridge.

To get static wds to work, you must tell each wds interface the mac address of its partner at the OTHER END of the link. Also, I always check the "ignore ssid" in the wds tab of the parent interface, since I just use mac addresses to make the links.
 
Eliminateur
Frequent Visitor
Topic Author
Posts: 96
Joined: Thu Jun 28, 2007 7:38 am

Re: High cpu usage on bridge TCP / bridge weirdness

Sun Jun 01, 2008 11:26 pm

hmm i'll double check my settings once i have both ends online again(waiting for the damn poe injectors).

Where do you put the MAC(i'm assuming you mean the MAC of the respective WLAN cards) of each partner in the WDS?

Also, when you mean "pick one mac already assigned to a port" wouldn't that duplicate a MAC?, i mean, i have MAC for Ether1, MAC for WLAN1 and the random generated MAC for bridge1 on each endpoint
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: High cpu usage on bridge TCP / bridge weirdness

Mon Jun 02, 2008 12:54 am

> Where do you put the MAC(i'm assuming you mean the MAC of the respective WLAN cards) of each partner in the WDS?

Yes, the MAC of the distant end WLAN card is entered into the wds "sub-device" of the near end WLAN card. You create this wds sub-device using the "wireless" window. Click the "+" sign and select wds as the item you want to add. As master device, select the WLAN card that you are using for this link. In the "mac address" section of this newly added wds device, enter the mac address of the wlan card at the opposite end of the link. Do this for both ends of the link.

> Also, when you mean "pick one mac already assigned to a port" wouldn't that duplicate a MAC?, i mean, i have MAC for Ether1, MAC for WLAN1 and the random generated MAC for bridge1 on each endpoint

Consider that if you don't manually assign a mac to the bridge, it will pick a mac from one of its ports and assign that to itself. Yes, in a sense this duplicates the mac address, but not in a harmful way. The mac address of the bridge is just a way for the bridge to identify itself to the other bridges. As far as I can tell, this value isn't used for anything else. The drawback of letting the bridge pick an address for itself is that if one of its ports stops running, or if you swap out a radio card or disable a port for some reason, and that happens to be the device whose mac address the bridge had picked, it will pick a new mac address from among its other ports and mac forwarding temporarily stops until things get sorted out again. Picking a random mac address for the bridge won't hurt anything, but you need to ensure you don't accidentally pick the same random mac for any other bridge in your network. That duplication would be bad.
 
Eliminateur
Frequent Visitor
Topic Author
Posts: 96
Joined: Thu Jun 28, 2007 7:38 am

Re: High cpu usage on bridge TCP / bridge weirdness

Mon Jun 02, 2008 2:41 am

i won't have that problem then, it's a P2P bridge, with only 1 of each interface, it's highly unlikely i'll swap cards(until they're broken, then a little downtime due to forwarding won't hurt compared to the global downtime) or disable the ether/wlan interfaces.

i'll check on the WDS sub-interface for the wds-static link, what do i gain by using static opposite to wds-dynamic?
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: High cpu usage on bridge TCP / bridge weirdness

Mon Jun 02, 2008 5:52 pm

If this is the only link in your network and it's P-P, it doesn't really matter whether you use static or dynamic. It also doesn't really matter if you pick a random mac for the bridges or don't pick any mac at all and instead let the bridge pick one from one of its ports. It also doesn't really matter if you assign the ip to the bridge or let it pick up an ip from one of its ports.

All of these items are important in larger networks with 3 or more bridges and alternate routes between nodes.

I use static wds so I can create several point to multi-point wds links from a single radio. By naming each wds link, and setting the mac address of its partner, I can control what's happening in a large network. With only two nodes, you don't really need to worry about these things. If your network might grow, it's worth following all of the best practices on assigning macs and IP's to bridges and using static wds to control where the links go.
 
Eliminateur
Frequent Visitor
Topic Author
Posts: 96
Joined: Thu Jun 28, 2007 7:38 am

Re: High cpu usage on bridge TCP / bridge weirdness

Mon Jun 02, 2008 6:58 pm

thanks dsobin for your data, it's been very helpful to clarify a lot of my doubts

for now(and for the foreseeable future) it'll stay in P2P only so i'll leave it in dynamic to minimize the hassle, even if a 2nd node is added, i'd need a 2nd routerboard+radio combo standalone from the 1st link(P2P-lan-P2P). In this case i'll never run into those management snags you mention
 
Eliminateur
Frequent Visitor
Topic Author
Posts: 96
Joined: Thu Jun 28, 2007 7:38 am

Re: High cpu usage on bridge TCP / bridge weirdness

Mon Jun 02, 2008 9:23 pm

one more question,
what's the proper usage form of bridge filter?.
for example, i want to prevent the remote site from accessing one of my stations, which chain do i use? input, forward or output?

also -this one's more tricky- i have a DHCP server on a router on my local lan, i want the remote LAN to have access to my router but not receive leases, AFAIK i need to set the bridge filter to drop broadcasts (i don't know in which chain) originating from the router... but wait... that won't work, it's the endstations that send the broadcast.
Can i do this with bridge filter or i need specific mangle rules?(which i want to avoid to not tax the cpu)
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: High cpu usage on bridge TCP / bridge weirdness

Wed Jun 04, 2008 8:20 pm

To filter client-to-client traffic on the bridge, use the forward chain.

The input chain is for traffic that is directed to the bridge itself, such as WinBox management packets directed at the router itself. Likewise, the output chain is for traffic originating from the bridge itself.

The forward chain is for packets arriving from outside the bridge and leaving the bridge to go somewhere else.

You can filter dhcp traffic to keep your local server handling only local clients. I did this once but it took a few days of experimenting and packet tracing to figure out how to do it. Is the DHCP server on a MT router? Are all the clients that are to be served by this DHCP server connected to this same router?

Your filter has to specify ports 67 and 68, since these are what the DHCP protocol uses. You need to accomplish two things: Keep DHCP traffic from your local LAN from leaving the router to other routers, and keep DHCP traffic from other routers from entering your local LAN. I don't recall exactly how I did it, but it eventually worked.

Perhaps some helpful person reading this can shed some light on exactly what is needed.
Remember to give karma to all those who help you - Click the "+" box to the left, under "Karma"
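
One way to write the two goals from the post above as RouterOS bridge filter rules. This is an added example, not from the thread or from any poster's configuration. It assumes a bridge with two ports, where ether1 is the local LAN port behind which the DHCP server sits and the other port is the WDS link; matching on ether1 avoids depending on the name of a dynamically created WDS interface.

```routeros
# Added example. Assumed layout: the bridge has two ports, ether1 (local LAN
# with the DHCP server) and the WDS interface towards the remote site.
# DHCP is UDP: clients send to port 67, servers reply to port 68, so a
# destination-port range of 67-68 covers requests and replies, broadcast
# or unicast.
/interface bridge filter

# 1. Keep local DHCP from leaving over the link: frames that entered on
#    ether1 and are being forwarded to another bridge port.
add chain=forward in-interface=ether1 mac-protocol=ip ip-protocol=udp \
    dst-port=67-68 action=drop comment="DHCP local LAN -> remote"

# 2. Keep remote DHCP from entering the local LAN: frames that are being
#    forwarded out of ether1.
add chain=forward out-interface=ether1 mac-protocol=ip ip-protocol=udp \
    dst-port=67-68 action=drop comment="DHCP remote -> local LAN"

# Both rules sit in the forward chain because the traffic only transits
# the bridge. The input and output chains would matter only if the
# RouterBOARD itself were the DHCP server or a DHCP client.
```

The packet counters shown next to each rule in the bridge filter list indicate whether remote clients' requests are reaching the rules.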
 
Eliminateur
Frequent Visitor
Topic Author
Posts: 96
Joined: Thu Jun 28, 2007 7:38 am

Re: High cpu usage on bridge TCP / bridge weirdness

Wed Jun 04, 2008 8:40 pm

dsobin,
it's just what i need, block dhcp on both ends of the bridge.

maybe just blocking 67/68 UDP will suffice without touching broadcast.

the DHCP server is a non-MT router on one end of the network, on the other i don't know if there is a dhcp server.

:(, too bad you can't remember, i hope that someone reads this and sheds some light
