 
4ikotillo
just joined
Topic Author
Posts: 3
Joined: Wed Oct 22, 2014 3:25 pm

High CPU Load on 3011. How to optimize config?

Sat Dec 24, 2022 3:05 pm

Hello, I have a MikroTik RB3011UiAS running RouterOS 7.6.
Configuration:
WAN on SFP, 500 Mb/s.
1 GRE tunnel without encryption
150-200 Mb/s traffic from GRE to LAN
30 routing rules, standard firewall (FastTrack is enabled), 4 mangle rules (change TCP MSS), OSPF.
The problem is 95-100% CPU load on one core. Is it possible to optimize the configuration to reduce the load on the processor?
Image
 
erlinden
Forum Guru
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: High CPU Load on 3011. How to optimize config?

Sat Dec 24, 2022 3:51 pm

In addition to the screenshots...can you please share your config?
/export file=anynameyoulike

Please make sure that all personal information (for example serial numbers, public IP addresses and passwords) is removed before posting.
 
4ikotillo
just joined
Topic Author
Posts: 3
Joined: Wed Oct 22, 2014 3:25 pm

Re: High CPU Load on 3011. How to optimize config?

Sat Dec 24, 2022 4:13 pm

Yes, no problem

Config:
# dec/24/2022 17:07:54 by RouterOS 7.6
# software id = T3PD-PJML
#
# model = RB3011UiAS
# serial number = 
# Two bridges: "Lo" has no ports anywhere in this export and carries the /32
# address 10.7.1.8 (the OSPF router-id); "bridge" is the LAN bridge with a
# pinned admin MAC.
/interface bridge
add name=Lo
add admin-mac=64:D1:54:06:A3:45 auto-mac=no name=bridge
# Port labels only; the comments document which downstream device sits on
# each port.
/interface ethernet
set [ find default-name=ether2 ] comment=HEX
set [ find default-name=ether3 ] comment="SWITCH 10.6.4.2-10.6.4.11"
set [ find default-name=ether4 ] comment="SWITCH 10.6.4.12-10.6.4.21"
set [ find default-name=ether5 ] comment="SWITCH 10.6.3.3-10.6.3.11"
# GRE tunnel to the remote site. allow-fast-path=no keeps this tunnel's
# packets off the fast path. The remote-address looks like a sanitized
# placeholder. No ipsec-secret is visible on this interface, which matches
# the poster's "GRE tunnel without encryption": traffic on this tunnel is
# neither encrypted nor authenticated by GRE itself.
# NOTE(review): the export may hide sensitive values - confirm on the device.
/interface gre
add allow-fast-path=no name=gre-SERVER remote-address=1.2.3.4
# Interface lists referenced by the firewall, neighbor discovery and
# MAC-server settings; membership is assigned under /interface list member.
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pool handed to VPN clients through the "VPN" PPP profile below.
/ip pool
add comment=vpn-pool name=VPN-pool ranges=172.16.50.2-172.16.50.50
/port
set 0 name=serial0
# PPP profile used by the L2TP server (default-profile=VPN): one session per
# user (only-one=yes), PPP encryption requested, TCP MSS adjusted per session.
/ppp profile
add change-tcp-mss=yes local-address=172.16.50.1 name=VPN only-one=yes \
    remote-address=VPN-pool use-encryption=yes
# The default BGP template is enabled, but no BGP connection appears in this
# export, so nothing here shows BGP actually peering.
/routing bgp template
set default disabled=no output.network=bgp-networks
# Single OSPFv2 instance and backbone area; the router-id matches the /32
# address on the "Lo" bridge.
/routing ospf instance
add disabled=no name=default-v2 router-id=10.7.1.8
/routing ospf area
add disabled=no instance=default-v2 name=backbone-v2
# 30 additional routing tables (10 named 6.3.x, 20 named 6.4.x). Each one gets
# a single default route under /ip route and is selected per source address
# under /routing rule.
/routing table
add fib name=6.3.2
add fib name=6.3.3
add fib name=6.3.4
add fib name=6.3.5
add fib name=6.3.6
add fib name=6.3.7
add fib name=6.3.8
add fib name=6.3.9
add fib name=6.3.10
add fib name=6.3.11
add fib name=6.4.2
add fib name=6.4.3
add fib name=6.4.4
add fib name=6.4.5
add fib name=6.4.6
add fib name=6.4.7
add fib name=6.4.8
add fib name=6.4.9
add fib name=6.4.10
add fib name=6.4.11
add fib name=6.4.12
add fib name=6.4.13
add fib name=6.4.14
add fib name=6.4.15
add fib name=6.4.16
add fib name=6.4.17
add fib name=6.4.18
add fib name=6.4.19
add fib name=6.4.20
add fib name=6.4.21
# The default SNMP community is limited to one manager address. The community
# name is not shown in this export.
# NOTE(review): if the name was never changed from the factory default, the
# address restriction is the only control - confirm and rename it.
/snmp community
set [ find default=yes ] addresses=192.168.202.3/32
# ether2-ether10 are all members of the single LAN bridge, with ingress
# filtering switched off on every port.
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether6
add bridge=bridge ingress-filtering=no interface=ether7
add bridge=bridge ingress-filtering=no interface=ether8
add bridge=bridge ingress-filtering=no interface=ether9
add bridge=bridge ingress-filtering=no interface=ether10
# Established TCP connections stay in the connection table for 25 minutes
# of inactivity.
/ip firewall connection tracking
set tcp-established-timeout=25m
# Neighbor discovery runs only on LAN-list interfaces. That list includes
# gre-SERVER (see /interface list member), so discovery is also active
# towards the tunnel peer.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# L2TP server is enabled with MS-CHAPv2 as the only authentication method.
# use-ipsec=yes sets up IPsec for L2TP clients but, as far as the visible
# settings show, does not by itself refuse a client that connects with plain
# L2TP. The IPsec secret is not present in this export.
# NOTE(review): confirm whether unencrypted L2TP sessions should be rejected,
# and that a strong IPsec secret is set on the device.
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN enabled=yes \
    one-session-per-host=yes use-ipsec=yes
# Interface list membership. gre-SERVER is a member of LAN, so every rule or
# service that trusts "LAN" (input accept, MAC server, MAC Winbox, neighbor
# discovery) also trusts whatever arrives through the GRE tunnel.
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=sfp1 list=WAN
add interface=gre-SERVER list=LAN
# OpenVPN server HMAC choices are limited to SHA1 and MD5. No enabled=yes is
# shown, so the server appears to be off in this export.
# NOTE(review): if it is ever enabled, drop md5 from this list first.
/interface ovpn-server server
set auth=sha1,md5
# Addressing: a /30 on the GRE tunnel, the /32 router-id on "Lo", and five
# separate subnets stacked on the one LAN bridge.
/ip address
add address=10.20.1.30/30 interface=gre-SERVER network=10.20.1.28
add address=10.7.1.8 interface=Lo network=10.7.1.8
add address=10.6.3.1/24 interface=bridge network=10.6.3.0
add address=10.6.4.1/24 interface=bridge network=10.6.4.0
add address=192.168.0.225/24 interface=bridge network=192.168.0.0
add address=192.168.1.2/24 interface=bridge network=192.168.1.0
add address=192.168.4.2/24 interface=bridge network=192.168.4.0
# Both WAN-list interfaces obtain their address (and any default route)
# by DHCP.
/ip dhcp-client
add interface=ether1
add interface=sfp1
# Upstream resolvers only; no allow-remote-requests setting appears here, so
# this export does not show the router acting as a resolver for clients.
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall filter
# ---- input chain: traffic addressed to the router itself, evaluated top-down.
# Accept everything arriving on a LAN-list interface. The LAN list contains
# both "bridge" and gre-SERVER, so the unencrypted tunnel gets the same full
# access to the router as the local LAN.
add action=accept chain=input in-interface-list=LAN
# This rule is disabled, so invalid-state packets are NOT dropped here and
# fall through to the rules below.
add action=drop chain=input comment="drop invalid" connection-state=invalid \
    disabled=yes
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="accept ICMP" protocol=icmp
# IPIP is accepted from any source; no IPIP interface appears in this export.
# NOTE(review): looks unused - confirm and remove if so.
add action=accept chain=input comment="accept IPIP" protocol=ipip
# Accept any protocol and port from one source address (sanitized here).
# The match is on source address alone. The next rule is an exact duplicate
# and can never match anything this one has not already accepted.
add action=accept chain=input comment="accept from SERVER" src-address=\
    1.2.3.4
add action=accept chain=input comment="accept from SERVER" src-address=\
    1.2.3.4
# GRE is accepted from any source address, not only from the tunnel peer.
add action=accept chain=input comment="accept GRE" protocol=gre
# Winbox (TCP 8291) is accepted with no in-interface or src-address match, so
# the management port is reachable from the WAN side as well. LAN-side access
# is already granted by the first rule; /ip service shows no address
# restriction for winbox either.
# NOTE(review): restrict this rule to a management address list or remove it.
add action=accept chain=input comment="accept winbox" dst-port=8291 protocol=\
    tcp
# "port=" matches when either the source or the destination port is in the
# list, so a UDP packet sent FROM port 500, 1701 or 4500 to any UDP port on
# the router is accepted too. UDP 1701 is also accepted without requiring that
# the packet arrived inside IPsec.
# NOTE(review): dst-port= is the tighter match for a server-side rule.
add action=accept chain=input comment=l2tp-server port=1701,500,4500 \
    protocol=udp
add action=accept chain=input comment=l2tp-server protocol=ipsec-esp
# Default deny for everything else that did not arrive on a LAN-list interface.
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
# ---- forward chain: traffic routed through the router.
# IPsec policy traffic is accepted before the fasttrack rule below.
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
# FastTrack established/related connections. FastTracked packets skip most
# later firewall and mangle processing, which is the point of the feature.
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# New connections from WAN are dropped unless they were destination-NATed.
# There is no other forward drop rule: traffic between the LAN subnets and
# the GRE tunnel is forwarded without filtering.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# Disabled connection-marking rule (with logging) for one source address on
# sfp1; it has no effect while disabled=yes.
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes in-interface=sfp1 log=yes new-connection-mark=con-LK passthrough=yes \
    src-address=4.3.2.1
# Four MSS clamp rules: TCP SYN packets with an MSS above 1300 are rewritten
# to 1300, matched once per direction on "bridge" and on gre-SERVER. The two
# gre-SERVER rules use passthrough=no, so mangle processing stops there for
# packets they match.
add action=change-mss chain=forward new-mss=1300 out-interface=bridge \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=change-mss chain=forward new-mss=1300 out-interface=gre-SERVER \
    passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=change-mss chain=forward in-interface=bridge new-mss=1300 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=change-mss chain=forward in-interface=gre-SERVER new-mss=1300 \
    passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1301-65535
# Source NAT only for traffic leaving through sfp1. ether1 is also in the WAN
# list and runs a DHCP client, but has no masquerade rule.
# NOTE(review): confirm ether1 is not meant to carry Internet traffic.
/ip firewall nat
add action=masquerade chain=srcnat comment="ALL ---> INTERNET" out-interface=\
    sfp1
# One default route per custom routing table; table 6.X.Y points at gateway
# 10.6.X.Y on the LAN bridge subnets. Which sources use which table is decided
# under /routing rule.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.3.2 routing-table=6.3.2
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.3.3 routing-table=6.3.3
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.3.4 routing-table=6.3.4
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.3.5 routing-table=6.3.5
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.3.6 routing-table=6.3.6
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.3.7 routing-table=6.3.7
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.3.8 routing-table=6.3.8
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.3.9 routing-table=6.3.9
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.3.10 routing-table=6.3.10
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.3.11 routing-table=6.3.11
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.2 routing-table=6.4.2
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.3 routing-table=6.4.3
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.4 routing-table=6.4.4
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.5 routing-table=6.4.5
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.6 routing-table=6.4.6
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.7 routing-table=6.4.7
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.8 routing-table=6.4.8
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.9 routing-table=6.4.9
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.10 routing-table=6.4.10
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.11 routing-table=6.4.11
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.12 routing-table=6.4.12
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.13 routing-table=6.4.13
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.14 routing-table=6.4.14
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.15 routing-table=6.4.15
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.16 routing-table=6.4.16
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.17 routing-table=6.4.17
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.18 routing-table=6.4.18
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.19 routing-table=6.4.19
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.20 routing-table=6.4.20
add disabled=no dst-address=0.0.0.0/0 gateway=10.6.4.21 routing-table=6.4.21
# Disabled host route towards the tunnel peer address; inactive.
add disabled=yes distance=2 dst-address=1.2.3.4/32 gateway=10.6.2.217
# Management services: telnet, ftp, www, ssh, api and api-ssl are disabled.
# winbox is not listed, so this export shows neither a disable nor an
# "address=" restriction for it; combined with the input rule that accepts
# TCP 8291 from any interface, Winbox is the one management service left
# reachable from WAN.
# NOTE(review): confirm winbox has an allowed-address restriction on the
# device, or restrict it in the firewall.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# TFTP rule: any client address (0.0.0.0/0) requesting any file name (regex
# ".*") is mapped to /wrt. Read/write permissions are not shown here. The
# input chain has no accept for UDP 69 from WAN, so reachability is limited to
# LAN-list interfaces - which include the GRE tunnel.
# NOTE(review): narrow ip-addresses to the hosts that actually need this.
/ip tftp
add ip-addresses=0.0.0.0/0 real-filename=/wrt req-filename=.*
# VPN account bound to the "VPN" profile; its password is not part of this
# export.
/ppp secret
add name=USER profile=VPN
# OSPF runs on the GRE tunnel (point-to-point), on the "Lo" router-id address
# and on both 10.6.x.0/24 bridge networks. No authentication settings appear
# on any template.
# NOTE(review): the export may omit keys - confirm whether OSPF adjacencies on
# the unencrypted tunnel and on the LAN bridge are authenticated.
/routing ospf interface-template
add area=backbone-v2 disabled=no interfaces=gre-SERVER networks=10.20.1.28/30 \
    priority=1 type=ptp
add area=backbone-v2 disabled=no interfaces=Lo networks=10.7.1.8 priority=1
add area=backbone-v2 disabled=no interfaces=bridge networks=10.6.3.0/24 \
    priority=1
add area=backbone-v2 disabled=no interfaces=bridge networks=10.6.4.0/24 \
    priority=1
/routing rule
# Disabled routing-mark based rules for tables 6.3.2-6.3.11; they have no
# effect while disabled=yes.
add action=lookup-only-in-table disabled=yes routing-mark=6.3.2 table=6.3.2
add action=lookup-only-in-table disabled=yes routing-mark=6.3.3 table=6.3.3
add action=lookup-only-in-table disabled=yes routing-mark=6.3.4 table=6.3.4
add action=lookup-only-in-table disabled=yes routing-mark=6.3.5 table=6.3.5
add action=lookup-only-in-table disabled=yes routing-mark=6.3.6 table=6.3.6
add action=lookup-only-in-table disabled=yes routing-mark=6.3.7 table=6.3.7
add action=lookup-only-in-table disabled=yes routing-mark=6.3.8 table=6.3.8
add action=lookup-only-in-table disabled=yes routing-mark=6.3.9 table=6.3.9
add action=lookup-only-in-table disabled=yes routing-mark=6.3.10 table=6.3.10
add action=lookup-only-in-table disabled=yes routing-mark=6.3.11 table=6.3.11
# The 30 active rules: each source host 10.0.0.144-10.0.0.173 is pinned to
# exactly one routing table (144 -> 6.3.2 ... 153 -> 6.3.11, 154 -> 6.4.2 ...
# 173 -> 6.4.21). lookup-only-in-table means the lookup is confined to the
# named table, and each of those tables holds only a default route.
add action=lookup-only-in-table disabled=no src-address=10.0.0.144/32 table=\
    6.3.2
add action=lookup-only-in-table disabled=no src-address=10.0.0.145/32 table=\
    6.3.3
add action=lookup-only-in-table disabled=no src-address=10.0.0.146/32 table=\
    6.3.4
add action=lookup-only-in-table disabled=no src-address=10.0.0.147/32 table=\
    6.3.5
add action=lookup-only-in-table disabled=no src-address=10.0.0.148/32 table=\
    6.3.6
add action=lookup-only-in-table disabled=no src-address=10.0.0.149/32 table=\
    6.3.7
add action=lookup-only-in-table disabled=no src-address=10.0.0.150/32 table=\
    6.3.8
add action=lookup-only-in-table disabled=no src-address=10.0.0.151/32 table=\
    6.3.9
add action=lookup-only-in-table disabled=no src-address=10.0.0.152/32 table=\
    6.3.10
add action=lookup-only-in-table disabled=no src-address=10.0.0.153/32 table=\
    6.3.11
add action=lookup-only-in-table disabled=no src-address=10.0.0.154/32 table=\
    6.4.2
add action=lookup-only-in-table disabled=no src-address=10.0.0.155/32 table=\
    6.4.3
add action=lookup-only-in-table disabled=no src-address=10.0.0.156/32 table=\
    6.4.4
add action=lookup-only-in-table disabled=no src-address=10.0.0.157/32 table=\
    6.4.5
add action=lookup-only-in-table disabled=no src-address=10.0.0.158/32 table=\
    6.4.6
add action=lookup-only-in-table disabled=no src-address=10.0.0.159/32 table=\
    6.4.7
add action=lookup-only-in-table disabled=no src-address=10.0.0.160/32 table=\
    6.4.8
add action=lookup-only-in-table disabled=no src-address=10.0.0.161/32 table=\
    6.4.9
add action=lookup-only-in-table disabled=no src-address=10.0.0.162/32 table=\
    6.4.10
add action=lookup-only-in-table disabled=no src-address=10.0.0.163/32 table=\
    6.4.11
add action=lookup-only-in-table disabled=no src-address=10.0.0.164/32 table=\
    6.4.12
add action=lookup-only-in-table disabled=no src-address=10.0.0.165/32 table=\
    6.4.13
add action=lookup-only-in-table disabled=no src-address=10.0.0.166/32 table=\
    6.4.14
add action=lookup-only-in-table disabled=no src-address=10.0.0.167/32 table=\
    6.4.15
add action=lookup-only-in-table disabled=no src-address=10.0.0.168/32 table=\
    6.4.16
add action=lookup-only-in-table disabled=no src-address=10.0.0.169/32 table=\
    6.4.17
add action=lookup-only-in-table disabled=no src-address=10.0.0.170/32 table=\
    6.4.18
add action=lookup-only-in-table disabled=no src-address=10.0.0.171/32 table=\
    6.4.19
add action=lookup-only-in-table disabled=no src-address=10.0.0.172/32 table=\
    6.4.20
add action=lookup-only-in-table disabled=no src-address=10.0.0.173/32 table=\
    6.4.21
# Disabled routing-mark based rules for tables 6.4.2-6.4.21; inactive.
add action=lookup-only-in-table disabled=yes routing-mark=6.4.2 table=6.4.2
add action=lookup-only-in-table disabled=yes routing-mark=6.4.3 table=6.4.3
add action=lookup-only-in-table disabled=yes routing-mark=6.4.4 table=6.4.4
add action=lookup-only-in-table disabled=yes routing-mark=6.4.5 table=6.4.5
add action=lookup-only-in-table disabled=yes routing-mark=6.4.6 table=6.4.6
add action=lookup-only-in-table disabled=yes routing-mark=6.4.7 table=6.4.7
add action=lookup-only-in-table disabled=yes routing-mark=6.4.8 table=6.4.8
add action=lookup-only-in-table disabled=yes routing-mark=6.4.9 table=6.4.9
add action=lookup-only-in-table disabled=yes routing-mark=6.4.10 table=6.4.10
add action=lookup-only-in-table disabled=yes routing-mark=6.4.11 table=6.4.11
add action=lookup-only-in-table disabled=yes routing-mark=6.4.12 table=6.4.12
add action=lookup-only-in-table disabled=yes routing-mark=6.4.13 table=6.4.13
add action=lookup-only-in-table disabled=yes routing-mark=6.4.14 table=6.4.14
add action=lookup-only-in-table disabled=yes routing-mark=6.4.15 table=6.4.15
add action=lookup-only-in-table disabled=yes routing-mark=6.4.16 table=6.4.16
add action=lookup-only-in-table disabled=yes routing-mark=6.4.17 table=6.4.17
add action=lookup-only-in-table disabled=yes routing-mark=6.4.18 table=6.4.18
add action=lookup-only-in-table disabled=yes routing-mark=6.4.19 table=6.4.19
add action=lookup-only-in-table disabled=yes routing-mark=6.4.20 table=6.4.20
add action=lookup-only-in-table disabled=yes routing-mark=6.4.21 table=6.4.21
# SNMP agent is enabled with trap-version=2. SNMP v2 carries the community
# string unencrypted; the only access control visible in this export is the
# single allowed manager address on the default community.
/snmp
set contact=user@gmail.com enabled=yes location="POINT 6.3" \
    trap-generators="" trap-version=2
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=NLP6.3
# RouterBOOT firmware is upgraded automatically after RouterOS upgrades.
/system routerboard settings
set auto-upgrade=yes
# Layer-2 management (MAC telnet and MAC Winbox) is limited to LAN-list
# interfaces. That list includes gre-SERVER, so it is not limited to the
# local bridge alone.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# RoMON is enabled; no secrets or per-port restrictions appear in this export.
# NOTE(review): confirm a RoMON secret is configured, or disable RoMON if it
# is not in use.
/tool romon
set enabled=yes
Last edited by BartoszP on Sun Jan 15, 2023 10:29 pm, edited 1 time in total.
Reason: no need to quote whole previous post ... we can follow the stream of discussion, do not expose serial numbers and any crucial data
 
Maggiore81
Trainer
Trainer
Posts: 562
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy
Contact:

Re: High CPU Load on 3011. How to optimize config?

Sat Jan 14, 2023 1:53 pm

Just downgrade to 6.48.6 immediately, and you will have low CPU load again.
