
 
harjeetv
just joined
Topic Author
Posts: 8
Joined: Tue Jan 23, 2018 2:40 pm
Location: India

CCR1009-8G-1S-1S+ Hotspot High CPU Usage

Wed Oct 09, 2019 6:52 pm

Hi,

Today I tried shifting clients from some other vendor NAS to CCR1009 with about 1200 users / 1G traffic and the CPU went to 100%. All it does is authentication + queue. NAT is done on another router behind this CCR1009.

Queue process takes about 45%-50% CPU
Firewall process takes about 25%-30% CPU
Networking process takes about 15%-20% CPU

Here is the output of Firewall.
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/3 comment="MC, Class D, IANA" list=bogons
/ip firewall filter
add action=drop chain=pre-hs-input connection-limit=10,32 dst-port=64872-64875 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=4444 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=4444 protocol=udp
add action=drop chain=virus comment="Infected UDP Flood" dst-port=58092 protocol=udp
add action=drop chain=virus comment="Infected UDP Flood" dst-port=43701 protocol=udp
add action=drop chain=virus comment="Infected UDP Flood" dst-port=54652 protocol=udp
add action=jump chain=forward comment="jump to the virus chain" jump-target=virus
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Accept Related connections" connection-state=related
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=forward comment="allow already established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
 
pe1chl
Forum Guru
Posts: 5825
Joined: Mon Jun 08, 2015 12:09 pm

Re: CCR1009-8G-1S-1S+ Hotspot High CPU Usage

Wed Oct 09, 2019 6:59 pm

Your firewall is configured wrong. You should have the established/related rules first and the other rules below it.
 
harjeetv
just joined
Topic Author
Posts: 8
Joined: Tue Jan 23, 2018 2:40 pm
Location: India

Re: CCR1009-8G-1S-1S+ Hotspot High CPU Usage

Wed Oct 09, 2019 7:20 pm

Moved these rules to the top

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Accept Related connections" connection-state=related
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=forward comment="allow already established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
add action=drop chain=pre-hs-input connection-limit=10,32 dst-port=64872-64875 protocol=tcp

 
pe1chl
Forum Guru
Posts: 5825
Joined: Mon Jun 08, 2015 12:09 pm

Re: CCR1009-8G-1S-1S+ Hotspot High CPU Usage

Wed Oct 09, 2019 9:22 pm

I would advise you to sort the firewall rules first on chain (e.g. all forward rules, all input rules, your "virus" rules, etc.) to make things more clear.
For every packet the rules will be processed (in that chain) from top to bottom, and processing stops when a match is found.
So "established" should always be first as that is the rule that will match 99.99% of all packets. So the CPU amount will decrease.
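
An added illustration of the ordering point in the post above (not code from any poster, and a simplified Python model rather than RouterOS itself): it walks the forward and virus rules from the first post with first-match semantics and counts how many rules an established packet is checked against, before and after the established rule is moved to the top. The packet fields and the function names are assumptions of this model.

```python
import shlex

# Forward-path rules copied from the first post, in their posted order (comments dropped).
POSTED = '''
add action=drop chain=virus dst-port=135-139 protocol=tcp
add action=drop chain=virus dst-port=135-139 protocol=udp
add action=drop chain=virus dst-port=445 protocol=tcp
add action=drop chain=virus dst-port=445 protocol=udp
add action=drop chain=virus dst-port=4444 protocol=tcp
add action=drop chain=virus dst-port=4444 protocol=udp
add action=drop chain=virus dst-port=58092 protocol=udp
add action=drop chain=virus dst-port=43701 protocol=udp
add action=drop chain=virus dst-port=54652 protocol=udp
add action=jump chain=forward jump-target=virus
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
'''

def parse(export):
    """Turn 'add k=v ...' lines into a list of rule dicts, keeping order."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in export.strip().splitlines()]

def matches(rule, pkt):
    """True when every matcher present on the rule agrees with the packet."""
    lo, _, hi = rule.get("dst-port", "0-65535").partition("-")
    return (rule.get("connection-state", pkt["state"]) == pkt["state"]
            and rule.get("protocol", pkt["protocol"]) == pkt["protocol"]
            and int(lo) <= pkt["dst-port"] <= int(hi or lo))

def walk(rules, pkt, chain="forward"):
    """First-match walk of one chain. Returns (verdict or None, rules checked)."""
    checked = 0
    for rule in (r for r in rules if r["chain"] == chain):
        checked += 1
        if not matches(rule, pkt):
            continue
        if rule["action"] != "jump":
            return rule["action"], checked
        verdict, n = walk(rules, pkt, rule["jump-target"])
        checked += n
        if verdict:
            return verdict, checked
    return None, checked  # fell off the end of the chain

def established_first(rules):
    """Move connection-state=established rules to the top (stable sort)."""
    return sorted(rules, key=lambda r: r.get("connection-state") != "established")
```

For an established TCP packet to port 443, `walk` reports 12 rule checks in the posted order and 1 after `established_first`; a new TCP connection to port 445 is still dropped by the virus chain in both orders.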
 
harjeetv
just joined
Topic Author
Posts: 8
Joined: Tue Jan 23, 2018 2:40 pm
Location: India

Re: CCR1009-8G-1S-1S+ Hotspot High CPU Usage

Sat Oct 12, 2019 6:43 pm

I had sorted the firewall rules, even removed all once to check if the CPU goes down, but there was not much change. Next I tried with CCR 1036 and the CPU was 15-20%. It seems that CCR 1009 can handle 750-850 Hotspot queues with CPU < 70% and no performance issues.

Note: I had put a load of up to 1500 Hotspot Queues on CCR 1009 and it was 100% all the time.
