TomasD
just joined
Topic Author
Posts: 9
Joined: Tue May 27, 2014 11:26 pm

100% CPU usage on transfer via RB2011UiAS-RM

Tue Jul 15, 2014 11:41 am

Hello,

I've just noticed that whenever I am transferring something between two devices (e.g. 10.1.3.100 and 10.1.1.5) connected via a switch, which is in turn connected to the RB2011UiAS-RM, the RB2011UiAS-RM CPU sits at 100% during the whole copying time:
(attachment: Profile.JPG)
I know that the CPU on the RB2011UiAS-RM isn't the most powerful one, but, since we are talking about a single user, a single transfer, only a few firewall rules, no bridges, and, I would say, quite a simple overall configuration, I still think that there's some issue with my configuration and not with the router itself.

If someone could take a look into the config below and give any tips, I would really appreciate that.

ros code

# jul/15/2014 11:29:35 by RouterOS 6.15
# software id = AGU2-T3A6
#
/interface ethernet
set [ find default-name=ether5 ] comment="Master port for the switch group" \
    name=ether5-master
set [ find default-name=ether6 ] comment="WAN" name=ether6-wan
set [ find default-name=ether10 ] poe-out=off
/ip neighbor discovery
set ether5-master comment="Master port for the switch group"
set ether6-wan comment="WAN"
/interface vlan
add comment="Management VLAN" interface=ether5-master l2mtu=1594 name=\
    vlan100-mgt vlan-id=100
add comment="Servers VLAN" interface=ether5-master l2mtu=1594 name=\
    vlan200-srv vlan-id=200
add comment="End-user devices VLAN" interface=ether5-master l2mtu=1594 name=\
    vlan300-euc vlan-id=300
add comment="DMZ VLAN" interface=ether5-master l2mtu=1594 name=vlan400-dmz \
    vlan-id=400
add comment="Guest VLAN" interface=ether5-master l2mtu=1594 name=vlan500-gst \
    vlan-id=500
/interface ethernet
set [ find default-name=ether1 ] comment="Downstream wireless access point" \
    master-port=ether5-master name=ether1-ap
set [ find default-name=ether2 ] comment="Downstream switch" master-port=\
    ether5-master name=ether2-sw
/ip neighbor discovery
set ether1-ap comment="Downstream wireless access point"
set ether2-sw comment="Downstream switch"
set vlan100-mgt comment="Management VLAN"
set vlan200-srv comment="Servers VLAN"
set vlan300-euc comment="End-user devices VLAN"
set vlan400-dmz comment="DMZ VLAN"
set vlan500-gst comment="Guest VLAN"
/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 vlan-header=add-if-missing vlan-mode=secure
set 11 vlan-mode=secure
/ip ipsec proposal
set [ find default=yes ] lifetime=8h
/ip pool
add name=pool1-gst ranges=10.1.5.128-10.1.5.254
/ip dhcp-server
add add-arp=yes address-pool=pool1-gst disabled=no interface=vlan500-gst \
    lease-time=12h name=server1-gst
/port
set 0 name=serial0
/interface bridge port
add disabled=yes interface=vlan100-mgt
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/interface ethernet switch vlan
add independent-learning=yes ports=ether2-sw,ether1-ap,switch1-cpu switch=\
    switch1 vlan-id=100
add independent-learning=yes ports=ether2-sw,switch1-cpu switch=switch1 \
    vlan-id=200
add independent-learning=yes ports=ether2-sw,ether1-ap,switch1-cpu switch=\
    switch1 vlan-id=300
add independent-learning=yes ports=ether2-sw,switch1-cpu switch=switch1 \
    vlan-id=400
add independent-learning=yes ports=ether2-sw,ether1-ap,switch1-cpu switch=\
    switch1 vlan-id=500
add independent-learning=yes ports=ether2-sw,switch1-cpu switch=switch1 \
    vlan-id=999
/ip address
add address=10.1.1.1/24 comment="Management network" interface=vlan100-mgt \
    network=10.1.1.0
add address=10.1.2.1/24 comment="Servers network" interface=vlan200-srv \
    network=10.1.2.0
add address=10.1.3.1/24 comment="End-user devices network" interface=\
    vlan300-euc network=10.1.3.0
add address=10.1.4.1/24 comment="DMZ network" interface=vlan400-dmz network=\
    10.1.4.0
add address=10.1.5.1/24 comment="Guest network" interface=vlan500-gst \
    network=10.1.5.0
/ip dhcp-client
add comment="DHCP client for WAN" default-route-distance=0 \
    dhcp-options=hostname,clientid disabled=no interface=ether6-wan \
    use-peer-ntp=no
/ip dhcp-server network
add address=10.1.5.0/24 comment="Guest DHCP network" dns-server=10.1.5.1 \
    gateway=10.1.5.1 netmask=24 ntp-server=10.1.5.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.1.0.0/16 comment="Add Azure subnet as local network" list=\
    Local
add address=10.2.0.0/16 comment="Add home subnet as local network" list=Local
/ip firewall filter
add action=drop chain=forward comment="Drop all invalid connections behind the\
    \_router to save some resources from processing them further" \
    connection-state=invalid
add action=drop chain=input comment="Drop all invalid connections to the route\
    r to save some resources from processing them further" connection-state=\
    invalid
add chain=input comment="Accept local traffic to the router" \
    src-address-list=Local
add chain=input comment="Accept all established connections to the router" \
    connection-state=established
add chain=input comment="Accept all related connections to the router" \
    connection-state=related
add action=drop chain=forward comment="Isolate guest network" dst-address=\
    10.0.0.0/8 src-address=10.1.5.0/24
add action=drop chain=input comment=\
    "Drop all remaining traffic coming to the router"
/ip firewall nat
add chain=srcnat comment="Do not NAT to Azure networks" dst-address=\
    10.2.0.0/16 src-address=10.1.0.0/16
add action=masquerade chain=srcnat comment="Default NAT for WAN" \
    out-interface=ether6-wan
/ip ipsec peer
add address=X.X.X.X/32 comment="Connection to Azure Servers network" \
    dpd-interval=disable-dpd lifetime=8h my-id-user-fqdn=Z.Z.Z.Z \
    nat-traversal=yes secret=
add address=Y.Y.Y.Y/32 comment="Connection to Azure DMZ network" \
    dpd-interval=disable-dpd lifetime=8h my-id-user-fqdn=Z.Z.Z.Z \
    nat-traversal=yes secret=
/ip ipsec policy
add comment="Azure servers network access" dst-address=10.2.2.0/24 \
    sa-dst-address=X.X.X.X sa-src-address=Z.Z.Z.Z src-address=\
    10.1.0.0/16 tunnel=yes
add comment="Azure DMZ network access" dst-address=10.2.4.0/24 \
    sa-dst-address=Y.Y.Y.Y sa-src-address=Z.Z.Z.Z src-address=\
    10.1.0.0/16 tunnel=yes
/ip route
add comment="Route for the router to reach Azure subnets via IPSEC" distance=\
    1 dst-address=10.2.0.0/16 gateway=vlan100-mgt
/ip smb shares
set [ find default=yes ] disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether6-wan type=external
add interface=ether1-ap type=internal
add interface=ether2-sw type=internal
add interface=ether5-master type=internal
/lcd interface
set sfp1 interface=sfp1
set ether1-ap interface=ether1-ap
set ether2-sw interface=ether2-sw
set ether3 interface=ether3
set ether4 interface=ether4
set ether5-master interface=ether5-master
set ether6-wan interface=ether6-wan
set ether7 interface=ether7
set ether8 interface=ether8
set ether9 interface=ether9
set ether10 interface=ether10
/system clock
set time-zone-name=Europe/Vilnius
/system identity
set name=DABRT01
/system logging
add disabled=yes topics=route
add disabled=yes topics=debug
add disabled=yes topics=firewall
add topics=ipsec
/system ntp client
set enabled=yes primary-ntp=212.59.0.1 secondary-ntp=212.59.0.2
/system ntp server
set enabled=yes
If you need any additional details, please let me know.

Thanks in advance.
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: 100% CPU usage on transfer via RB2011UiAS-RM

Tue Jul 15, 2014 6:22 pm

According to the picture and your description it seems that you are routing between the networks, with the firewall rules applied to the traffic, rather than switching.
Or are both devices connected to the same switch, each in its own VLAN? I didn't understand that well.
 
TomasD
just joined
Topic Author
Posts: 9
Joined: Tue May 27, 2014 11:26 pm

Re: 100% CPU usage on transfer via RB2011UiAS-RM

Tue Jul 15, 2014 6:33 pm

According to the picture and your description it seems that you are routing between the networks, with the firewall rules applied to the traffic, rather than switching.
Or are both devices connected to the same switch, each in its own VLAN? I didn't understand that well.
10.1.3.100 is connected to the 9th port (VLAN300) of the switch, while 10.1.1.5 is connected to the 4th port (VLAN100) of the switch:
(attachment: Switch.JPG)
The switch (TL-SG3216) is trunk-connected to the ether1-sw port (which is a slave of ether5-master) of the router.

So, yes, the devices are in different VLANs and I do expect to have routing/firewall between them, because I need them to communicate. Anyhow, I still find it hard to believe that routing plus a couple of firewall rules means 100% CPU usage on an RB2011. I suspect I misconfigured something under /interface ethernet switch (switch1-cpu?).

Thank you.
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: 100% CPU usage on transfer via RB2011UiAS-RM

Tue Jul 15, 2014 7:14 pm

In the past I have seen that even when the profile shows 100 percent utilisation it is normally able to do more traffic. So the question is whether it limits your transfers or whether you just wonder why it shows such high utilisation. Anyway, routing performance is heavily degraded by the firewall; see the performance table on the official website. Maybe try to make the firewall more effective: check only new connections and accept established and related by default, if you haven't already done so. Or reorganise the rules according to the usage statistics. It may help a bit.
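As an added example (not something jarda or TomasD posted), this is one way to write the forward chain jarda describes, in RouterOS 6.x CLI syntax, using the interface and network names from the export above. The rule comments and the per-VLAN "new connections only" rule are my assumptions; the OP's export has no forward-chain accept rules at all and leaves that chain at its default accept, which this fragment keeps.

```routeros
# Added example: forward chain ordered so that packets belonging to
# already-tracked connections are accepted by the first rules, and only
# the first packet of each new connection reaches the per-network policy.
# Interface and address names follow the export posted above; the
# EUC -> servers rule is an illustrative assumption, not from the OP.
/ip firewall filter
add chain=forward comment="Accept established (cheap conntrack match)" \
    connection-state=established
add chain=forward comment="Accept related (FTP data, ICMP errors, ...)" \
    connection-state=related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Isolate guest network" \
    connection-state=new src-address=10.1.5.0/24 dst-address=10.0.0.0/8
add chain=forward comment="End-user devices to servers, new connections only" \
    connection-state=new in-interface=vlan300-euc out-interface=vlan200-srv
# No final drop: the forward chain keeps its default accept, as in the export.
```

Two checks are worth running before and after: `/tool profile` (the Profile view in the screenshot) breaks load down by process, so a high `firewall` line points at rule processing while `networking` or `ethernet` points at plain forwarding between the switch chip and the CPU; `/ip firewall filter print stats` shows per-rule packet and byte counters, which is what reorganising according to usage relies on. One caveat: any path that avoids the CPU (two hosts in the same VLAN and subnet, switched in the chip) also avoids `/ip firewall filter` entirely, so anything that must be filtered has to stay on a routed path.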
 
TomasD
just joined
Topic Author
Posts: 9
Joined: Tue May 27, 2014 11:26 pm

Re: 100% CPU usage on transfer via RB2011UiAS-RM

Tue Jul 15, 2014 7:22 pm

In the past I have seen that even when the profile shows 100 percent utilisation it is normally able to do more traffic. So the question is whether it limits your transfers or whether you just wonder why it shows such high utilisation. Anyway, routing performance is heavily degraded by the firewall; see the performance table on the official website. Maybe try to make the firewall more effective: check only new connections and accept established and related by default, if you haven't already done so. Or reorganise the rules according to the usage statistics. It may help a bit.
It's not only the display in WinBox - I'm pretty sure it affects my transfer speed as well. I cannot get more than 45MB/s, while I used to have ~70MB/s between the same devices when using a simple home router.

Regarding the firewall rules, I just tried disabling ALL the firewall rules I have - the issue still persists:
(attachment: Speed.JPG)
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: 100% CPU usage on transfer via RB2011UiAS-RM

Tue Jul 15, 2014 7:40 pm

Well, then I have no backup idea; maybe someone else can give you a hint.

Anyway, I see 42.6MB/s in your picture. That means about 340Mbit/s to me. As the gigabit switch in the RB2011 is connected to the CPU by only one 1Gbit/s link, it needs to send traffic to the CPU, process it and send it back via the same link. It does not look so bad...
 
TomasD
just joined
Topic Author
Posts: 9
Joined: Tue May 27, 2014 11:26 pm

Re: 100% CPU usage on transfer via RB2011UiAS-RM

Tue Jul 15, 2014 7:43 pm

Well, then I have no backup idea; maybe someone else can give you a hint.

Anyway, I see 42.6MB/s in your picture. That means about 340Mbit/s to me. As the gigabit switch in the RB2011 is connected to the CPU by only one 1Gbit/s link, it needs to send traffic to the CPU, process it and send it back via the same link. It does not look so bad...
Thanks, anyway. I hope someone else will have some other ideas :roll:
 
TomasD
just joined
Topic Author
Posts: 9
Joined: Tue May 27, 2014 11:26 pm

Re: 100% CPU usage on transfer via RB2011UiAS-RM

Mon Jul 21, 2014 8:46 pm

Dear,

does anyone have any more ideas/comments about this?
 
yacsap
Member Candidate
Posts: 110
Joined: Wed Dec 17, 2014 11:44 am
Location: Auckland, New Zealand
Contact:

Re: 100% CPU usage on transfer via RB2011UiAS-RM

Sat Mar 07, 2015 10:07 am

The answer is simple: a different subnet means the traffic is not simply switched from port to port, but is connected via the routing procedure (i.e. masquerade).

The RB2011 has 2 switch groups, gigabit and fast ethernet, each with a different switch chip -- meaning ports 1-5 and 6-10 are in different broadcast domains.

If you want to copy large files without the routing procedure, put them on the same switch group and use the same IP subnet (e.g. 192.168.0.1/30 as source and 192.168.0.2/30 as destination).