Hi Dirk,

When I profile the total CPU usage it moves pretty fast, but it roughly looks like this during a heavy download:

Networking 15
Unclassified 12
Firewall 5

Not sure what Unclassified is, my understanding was the default "Fasttrack-connection" entry in the FW should hardware offload the processing of those packets. The special dummy rule at the top of the tree only shows around 3-4Mbps of traffic when the speedtest shows 102-103Mbps.

These are the firewall entries I have, the only thing I've added is a DST-NAT entry to RDP in.

Thanks,
Chris

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=RDP dst-port=3389 in-interface-list=WAN protocol=tcp src-address-list=RDP-ALLOW to-addresses=192.168.88.200 to-ports=3389

/ipv6 address
add address=::6e3b:6bff:fe51:4038 eui-64=yes from-pool=superloop interface=bridge

/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=superloop pool-prefix-length=56 request=address,prefix use-interface-duid=yes use-peer-dns=no

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

On Fri, Mar 1, 2024 at 12:41 PM Two Fat Monkeys - Dirk Bermingham via Public <public@talk.mikrotik.com.au> wrote:
Hi Chris,
There are a few areas to look at, particularly your firewall config. Also, profile your CPU usage so you can get a picture of what processes are consuming the CPU; then we can provide further advice from there. Are you maxing out a core with firewall or networking processes?
The other place to look is queuing; fq-codel can be your best friend in times like these.
Regards,
Dirk
-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Chris Lee via Public
Sent: Friday, March 1, 2024 1:33 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Cc: Chris Lee <chris@datachaos.com.au>
Subject: [MT-AU Public] High CPU and latency spike on RB750Gr3 during downloads
Hi all,
Am running RB750Gr3 firmware 7.13.5 with the out of box factory configuration for internet router. I have disabled RSTP on the bridge.
On NBN FTTP 100/40 plan with NTD connected to eth1 on the RB750Gr3.
Rest of my internal LAN is connected to eth2.
When I max out a download or run a speed test at 100Mbps I find the CPU on the HEX is getting up to 30-35%, and on upload around 20-25%.
At the same time I see in all my pings beyond my first hop ISP gateway that I get a big spike in latency which feels like the Mikrotik is struggling to process the traffic inbound.
I thought the RB750Gr3 was good for up to Gigabit speeds, but even then I'm only asking for 100Mbps - is there anything I need to tweak further in the configuration to fix this or should I be looking at a newer router like the L009 series, will that provide smoother throughput?
Thanks,
Chris
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au