jonbeard
just joined
Topic Author
Posts: 2
Joined: Sat Mar 18, 2023 12:49 am

CCR2216-1G-12XS-2XQ - Can't handle 2M PPS??

Sat Mar 18, 2023 1:12 am

Hi friends! My first post on here, although I have read lots of different posts on here and they have always been super informative.

Looking for some help here. I am working on trying to diagnose why the CPUs are peaking around 80% when doing about 2-3 Gbps and about 1-2 million PPS. I have fasttrack enabled and configured properly (I THINK) and I wouldn't say there is anything special about my config.

I am hoping someone can sanity check what I have here and make sure I am not missing something here. We have CCR2216-1G-12XS-2XQ and are using the 25G ports on a 10G speed currently.

Currently we have one port for uplink, and another port that goes to a Cisco Nexus N3K switch that acts as our "distribution switch" and from there it connects the different racks. We recently picked up a high bandwidth customer (high dollar) that is mining something called NKN. It's apparently bandwidth mining. No big deal, we have plenty of bandwidth pipe, but he is pushing a lot of packets and I suspect that's what's causing an issue. BUT still, this MikroTik SHOULD be able to keep up... Right???

I have attached my config below:
/interface bridge
add mtu=1500 name=local
/interface ethernet
set [ find default-name=sfp28-1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full auto-negotiation=no comment=UPLINK l2mtu=1592 speed=10Gbps
set [ find default-name=sfp28-3 ] auto-negotiation=no comment=Q10-SW1 l2mtu=1592 speed=10Gbps
/interface gre
add local-address=109.xxxxxx mtu=1464 name=ddos-gre-01 remote-address=172.xxxxxxx
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/routing table
add disabled=no fib name=non-path
/routing bgp template
set default address-families=ip as=xxxxxxx disabled=no output.redistribute=connected router-id=109.xxxxxxx routing-table=main
/interface bridge port
add bridge=local interface=ether1
add bridge=local interface=qsfp28-1-2
add bridge=local interface=qsfp28-1-3
add bridge=local interface=qsfp28-1-4
add bridge=local interface=qsfp28-2-1
add bridge=local interface=qsfp28-2-2
add bridge=local interface=qsfp28-2-3
add bridge=local interface=qsfp28-2-4
add bridge=local interface=sfp28-2
add bridge=local interface=sfp28-3
add bridge=local interface=sfp28-4
add bridge=local interface=sfp28-5
add bridge=local interface=sfp28-6
add bridge=local interface=sfp28-7
add bridge=local interface=sfp28-8
add bridge=local interface=sfp28-9
add bridge=local interface=sfp28-10
add bridge=local interface=sfp28-11
add bridge=local interface=sfp28-12

/ip firewall connection tracking
set icmp-timeout=30s tcp-close-wait-timeout=1m tcp-established-timeout=6m tcp-fin-wait-timeout=2m tcp-last-ack-timeout=30s tcp-syn-received-timeout=1m tcp-syn-sent-timeout=2m tcp-time-wait-timeout=2m udp-stream-timeout=2m \
    udp-timeout=30s
/interface list member
add interface=qsfp28-1-1 list=WAN
add interface=local list=LAN
/ip address
add address=45.95.xxxx/24 interface=local network=45.xxxx
add address=45.94.xxxx/29 interface=local network=45.xxxx
add address=192.168.88.1/24 interface=local network=192.168.88.0
add address=141.xxxx/24 interface=local network=141.xxxx
add address=45.xxxx/29 comment=CLT-10-32 interface=local network=45.xxxx
add address=45.xxxx/29 comment=CLT-10-33 interface=local network=45.xxxx
add address=45.xxxx/29 interface=local network=45.xxxx
add address=45.xxxx/27 comment="IPMI BLOCK" interface=local network=45.xxxx
add address=45.xxxx/29 interface=local network=45.xxxx
add address=45.xxxx/29 interface=local network=45.xxxx
add address=45.xxxx/29 interface=local network=45.xxxx
add address=45.xxxx/29 interface=local network=45.xxxx
add address=45.xxxx/29 interface=local network=45.xxxx
add address=45.xxxx/29 interface=local network=45.xxxx
add address=45.xxxx/29 interface=local network=45.xxxx
add address=45.xxxx/27 comment="VPS BLOCK" interface=local network=45.xxxx
add address=45.xxxx/27 interface=local network=45.xxxx
add address=45.xxxx/28 interface=local network=45.xxxx
add address=45.xxxx/28 interface=local network=45.xxxx
add address=45.xxxx/28 interface=local network=45.xxxx
add address=45.xxxx/28 interface=local network=45.xxxx
add address=146.xxxx/24 comment=CID010 interface=local network=146.xxxx
add address=45.xxxx/29 interface=local network=45.xxxx
add address=146.xxxx/25 interface=local network=146.xxxx
add address=146.xxxx/25 interface=local network=146.xxxx
add address=45.xxxx/24 comment=CID065 interface=local network=45.xxxx
add address=10.xxxx/30 comment="DDOS BGP " interface=ddos-gre-01 network=10.xxxx
add address=45.xxxx/24 disabled=yes interface=ddos-gre-01 network=45.xxxx
add address=109.xxxx/29 comment="MAIN ROUTER IP" interface=sfp28-1 network=109.xxxx
/ip dhcp-client
add disabled=yes interface=qsfp28-1-1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,1.0.0.1
/ip firewall address-list
add address=141.xxxx/24 list=ddos_bgp
add address=45.xxxx/24 list=ddos_bgp
add address=146.xxxx/24 list=bgp-subnets
add address=45.xxxx/24 list=bgp-subnets
add address=141.xxxx/24 list=bgp-subnets
add list=ddos-attackers
add list=ddos-targets
add address=45.xxxx/24 list=bgp-subnets
add address=45.xxxx/24 list=bgp-subnets
/ip firewall filter
add action=accept chain=input comment=WINBOX protocol=tcp src-port=8291
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=accept chain=input
add action=accept chain=forward
add action=drop chain=forward connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targets src-address-list=ddos-attackers
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip route
add blackhole comment="BGP Dummy, don't remove" disabled=no distance=1 dst-address=45.xxxx/24 gateway="" pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add blackhole comment="BGP Dummy, don't remove" disabled=no distance=1 dst-address=45.xxxx/24 gateway="" pref-src="" routing-table=non-path scope=30 suppress-hw-offload=no target-scope=1
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=109.xxxx pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/routing bgp connection
add as=xxxx disabled=no local.address=109.xxxx .role=ebgp multihop=no name=uplink-bgp output.network=bgp-subnets .redistribute=connected,static remote.address=109.xxxx/32 .as=xxxx routing-table=main
add as=xxxx connect=yes disabled=no local.address=10.xxxx .role=ebgp multihop=yes name=ddos-bgp output.filter-chain=bgp-out .network=ddos_bgp .redistribute=connected,static remote.address=10.xxxx/32 .as=xxxx .ttl=1 \
    router-id=10.xxxx routing-table=main
/routing filter rule
add chain=bgp-out disabled=no rule="if (dst in bgp-subnets) {accept} else {reject}"

I have attached a screenshot to view profile during peak moments. I have tried disabling the firewall rules entirely to see if that would help with the load, and it doesn't really have much effect. Can anyone help me out here? I am sure it is just a stupid configuration issue I am looking past. Certainly this thing can handle more! :D

Happy Friday!
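An added example, not from the thread or from MikroTik, that models how the forward chain in the posted config is walked. It assumes RouterOS evaluates filter rules top-down, that accept and drop end evaluation while fasttrack-connection does not (which is why the stock config pairs it with an accept rule), and that the detect-ddos jump returns for the traffic modelled here. In the posted order the blanket `accept chain=forward` rule sits above the fasttrack rule, so the model shows established traffic being accepted before it can ever be fasttracked.

```python
# Minimal model of RouterOS filter-chain evaluation (added example, assumptions
# as stated in the lead-in). Each rule is (action, connection-state match).
TERMINAL = {"accept", "drop"}

# Forward-chain rules from the posted config, in the posted order.
FORWARD_AS_POSTED = [
    ("jump", "new"),                                  # -> detect-ddos
    ("accept", None),                                 # blanket accept
    ("drop", "invalid"),
    ("fasttrack-connection", "established,related"),
    ("accept", "established,related"),
]

# Same rules with the blanket accept moved below the fasttrack pair.
FORWARD_REORDERED = [
    ("jump", "new"),
    ("drop", "invalid"),
    ("fasttrack-connection", "established,related"),
    ("accept", "established,related"),
    ("accept", None),
]


def evaluate(rules, conn_state):
    """Return (final action, fasttracked?) for one packet in conn_state."""
    fasttracked = False
    for action, match in rules:
        if match is not None and conn_state not in match.split(","):
            continue                      # rule does not match this packet
        if action == "fasttrack-connection":
            fasttracked = True            # non-terminal: keep walking the chain
            continue
        if action == "jump":
            continue                      # detect-ddos returned: next rule
        if action in TERMINAL:
            return action, fasttracked
    return "accept", fasttracked          # implicit accept at end of chain


def fasttrack_coverage(rules):
    """Fraction of established/related packets that reach the fasttrack rule."""
    states = ("established", "related")
    return sum(evaluate(rules, s)[1] for s in states) / len(states)
```

With the posted order every established packet stays on the slow path, which matches the CPU load the poster sees even with fasttrack "enabled".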
sirbryan
Member
Posts: 303
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: CCR2216-1G-12XS-2XQ - Can't handle 2M PPS??

Sat Mar 18, 2023 5:38 am

What version are you running?

For reference, my CCR2116's (same 16-core processors) are hitting 2.5Gbps, 200Kpps, at 12%. So it could be a PPS issue more than a throughput issue. You want to figure out how to push as much as you can towards L3HW offload.
 
jonbeard
just joined
Topic Author
Posts: 2
Joined: Sat Mar 18, 2023 12:49 am

Re: CCR2216-1G-12XS-2XQ - Can't handle 2M PPS??

Sat Mar 18, 2023 1:53 pm

I am running the latest, 7.8

I will look into this offloading feature, thank you for the suggestion!
