Same as what? Do you use 'action=masquerade'?

Facing the same issue here as well.

Noted. I saw that later. Will test it.

So if you have the same issue, then the solution should also be the same: viewtopic.php?p=620765#p620765
Hi guys, take a look..

Are your clients using public IPs or private?

Anybody know what's the problem?

Yes, yes.

If your clients are on public IPs for the most part, you can have connection tracking turned off for some things and on for other things, controlling that with the Raw table.
/ip firewall raw add action=notrack chain=prerouting src-address-list=public_pools
Yes. Also note that if you want some contents of your public_pools to still be processed by connection tracking, you can "accept" that traffic above the notrack rule. Accepted traffic is still processed by the main firewall as well, so accept doesn't mean "I trust this"; it means "I want to track this".
Must I use action notrack? Is it enough?

/ip firewall raw add action=notrack chain=prerouting src-address-list=public_pools

Yes, probably.

I still have some connections with a destination address in my public pools. Do I need to turn it off for the dst-address of my public pools too?
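The raw-table approach discussed above as one complete rule set, added here as an example and not code posted in the thread: an accept rule ahead of notrack for a constructed tracked_clients list, notrack for both directions of public_pools traffic, and the stateless filter that untracked traffic then needs. All address ranges and the tracked_clients list are constructed placeholders.

```routeros
# Added example (not from the thread). Address ranges and the
# tracked_clients list are constructed placeholders.
/ip firewall address-list
add list=public_pools address=198.51.100.0/24 comment="constructed public pool"
add list=public_pools address=203.0.113.0/24 comment="constructed public pool"
add list=tracked_clients address=198.51.100.0/26 comment="constructed: still wants stateful rules"

/ip firewall raw
# Raw rules run before connection tracking, top to bottom. "accept" here does
# not skip the filter table; it only keeps the packet on the tracked path,
# so anything that must stay tracked is placed above the notrack rules.
add chain=prerouting action=accept src-address-list=tracked_clients \
    comment="keep tracked (stateful filter and NAT still apply)"
add chain=prerouting action=accept dst-address-list=tracked_clients \
    comment="keep tracked: replies to tracked clients"

# Client -> internet: no conntrack entry is created for these packets.
add chain=prerouting action=notrack src-address-list=public_pools \
    comment="public clients, outbound, untracked"
# Internet -> client: replies must skip conntrack as well, otherwise every
# reply packet still creates or updates a tracked connection entry.
add chain=prerouting action=notrack dst-address-list=public_pools \
    comment="public clients, inbound, untracked"

# Caveats for untracked traffic:
# - NAT cannot be applied to it (srcnat/dstnat need a tracked connection),
#   which is why this only fits clients that already have public addresses.
# - Filter rules matching connection-state=established,related,new will not
#   match it, so it needs stateless rules (address/port/protocol) instead.
/ip firewall filter
add chain=forward action=accept src-address-list=public_pools \
    comment="stateless forward for untracked public clients"
add chain=forward action=accept dst-address-list=public_pools \
    comment="stateless forward for untracked public clients"
```

Place the two filter rules above any connection-state based drop rule, otherwise the untracked public-pool traffic falls through to it.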
Just curious - if static interfaces were also disconnecting/reconnecting, would this also result in high CPU usage by connection tracking?

If you are using Masquerade on the router, that is the problem.
When using Masquerade, RouterOS has to do a full connection tracking recalculation on EACH interface connect/disconnect.
So if you have lots of PPPoE sessions connecting/disconnecting, connection tracking will constantly be recalculated, which can cause high CPU usage.
Solution:
Stop using Masquerade on routers that have a lot of dynamic interfaces.
Either use srcnat, or fix your architecture (use routing).
Can you please tell us how we can do that? I am facing the same problem.
It doesn't matter if the user has a public or private IP, it's about interfaces.
When interfaces connect/disconnect, in combination with NAT, it gives you high CPU usage.
So simply eliminate NAT from that router.
Have a separate router "in front" of the PPPoE concentrator that NATs the traffic from the private IPs.
Set up routing (even static routes) between the PPPoE concentrator and the new router.
Terminate public and private IPs on the PPPoE concentrator.
That way, you will not have CPU usage issues.
Have you read the previous posts in this topic above? Especially, have you noticed that most likely the use of masquerade to do src-nat is the reason for the problem? Are the addresses you get via PPPoE static or do they change over time?

Last month we set up 1 CCR 1036 12G-4S
with load balancing and NATting in the same router...
Problem: just connecting or disconnecting PPPoE clients causes CPU usage to hit 100%...
Now yesterday we purchased another CCR 1036 12G-4S...
We do not understand how to do NATting or load balancing in the 2nd router, or PPPoE users in the 1st router...
Can someone give us configurations with any IP series so we can adjust them to our network...
Thanks...
Those are all configured in bridge mode.

I'd say check FW rules on those Mikrotik devices.

No, they don't have any firewall. It's only a bridge on the AP.

Do these Mikrotik devices have any route configured on them? I.e. do they know where to send the ICMP response?

Thanks for the fast response.

If they have no route, you can only access/ping them from their own subnet. They will bridge any traffic on L2, but if they have to send a packet anywhere outside 192.168.200.0/30, they need a route.

Thank you.
Masquerade is not a problem.
Same problem shows on my network, how to solve it? Please help.

I think this problem appeared in some recent versions of ROS.
It definitely exists on 6.35.4 and 6.38.1.
When we have network outages, some PPPoE sessions are disconnecting with 'peer not responding' errors.
At these moments the CCR CPUs are 100% utilised, so the router almost stops passing any traffic.
This can continue for some minutes. The router loses OSPF neighbors, and it all becomes a catastrophe!
If the number of disconnecting sessions is over 200-300 it collapses 100%.
Seeing this on several different CCRs.
I am facing the same problem too, CCR1036 8s 2s+, PPPoE secrets only 800. Any solution?

I am facing the same problem. Any solution?

This is the only way to overcome CPU issues.

Using a single Mikrotik router would be far from optimal if you're using PPPoE and connection tracking. Using a setup with two powerful routers (CCR with 32 cores, for example) has its advantages:
1. It will work with thousands of PPPoE sessions without problems (while connection tracking is disabled).
2. It will load-balance queueing by separating per-user bandwidth control (on the PPPoE concentrator) and uplink bandwidth control (on the edge router). Even with the life-saving sfq everywhere.
3. The edge router can easily be configured for failover, NAT and firewall, to even counter some generated flood from the internet.
4. PPPoE users will not disconnect because of the CPU hitting 100% if there is a DoS attack. They will reach internal resources (company web site/user panel/tech support area) in that case to try to figure out what's going on.
5. And even more that I've forgotten.
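The two-router split recommended in the posts above (no NAT on the PPPoE concentrator, NAT on a separate edge router, static routes between them) as an added configuration example that is not from the thread. All addresses, pool and interface names, and the choice of src-nat with a fixed to-addresses are assumptions; PPPoE server and secret configuration is left out.

```routeros
# Added example (not from the thread). All addresses, interface names and
# pool names are constructed placeholders.

# ---- Edge router: does the NAT, never sees the PPPoE interfaces flap ----
/ip address
add address=203.0.113.1/30 interface=ether1-uplink comment="constructed WAN"
add address=10.255.255.1/30 interface=ether2-to-concentrator
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.2
# Both customer pools live behind the concentrator; static routes are enough.
add dst-address=100.64.0.0/16 gateway=10.255.255.2 comment="private PPPoE pool"
add dst-address=198.51.100.0/24 gateway=10.255.255.2 comment="public PPPoE pool"
/ip firewall nat
# src-nat to an explicit address instead of masquerade: only the private
# pool is translated, public-pool traffic is simply routed.
add chain=srcnat src-address=100.64.0.0/16 out-interface=ether1-uplink \
    action=src-nat to-addresses=203.0.113.1

# ---- PPPoE concentrator: terminates sessions, no NAT at all ----
/ip address
add address=10.255.255.2/30 interface=ether1-to-edge
/ip pool
add name=pool-private ranges=100.64.0.2-100.64.255.254
add name=pool-public ranges=198.51.100.2-198.51.100.254
/ppp profile
add name=pppoe-private local-address=100.64.0.1 remote-address=pool-private
add name=pppoe-public local-address=198.51.100.1 remote-address=pool-public
/ip route
# Everything not destined to a session goes to the edge router.
add dst-address=0.0.0.0/0 gateway=10.255.255.1
# Check after migration: the concentrator's NAT table should be empty, which
# per the posts above removes the NAT-plus-dynamic-interface CPU load.
/ip firewall nat print
```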