Layer 7 is processor intensive, so that may be part of it.
What happens if you disable the layer 7 rule?
On 1/20/2011 3:20 PM, Robert Haas wrote:
Is there any reason the following rules would cause 100% CPU usage?
---
/ip firewall mangle
add action=mark-connection chain=prerouting \
    comment="Peer to Peer - Connection" disabled=no \
    new-connection-mark=P2P_CON p2p=all-p2p passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting \
    comment="BITTORRENT - LAYER 7 - Connection" disabled=no \
    layer7-protocol=bittorrent new-connection-mark=P2P_CON passthrough=yes
add action=add-src-to-address-list address-list=P2P_USERS \
    address-list-timeout=5m chain=prerouting \
    comment="Peer to Peer - Add SRC to Address List" \
    connection-mark=P2P_CON disabled=yes src-address=66.211.40.0/21
/ip firewall filter
add action=log chain=forward comment="Limit Peer to Peer Users" \
    connection-limit=40,32 connection-state=new disabled=yes \
    log-prefix=PEER_TO_PEER_CON_LIMIT protocol=tcp \
    src-address-list=P2P_USERS
add action=drop chain=forward comment="Limit Peer to Peer Users" \
    connection-limit=40,32 connection-state=new disabled=yes protocol=tcp \
    src-address-list=P2P_USERS
---
If I enable these rules, the router goes to 100% CPU usage and begins puking
traffic. I've tried on two separate machines, one running 5.0rc7 and another
running 4.16; both puked after a few minutes of heavy traffic.
_______________________________________________
Mikrotik mailing list
[email protected]
http://www.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
--
Scott Reed
Owner
NewWays Networking, LLC
Wireless Networking
Network Design, Installation and Administration
Mikrotik Advanced Certified
www.nwwnet.net
(765) 855-1060