
EdgeRouter Lite 1.8.5 High CPU Usage


Since upgrading to 1.8.5, I've noticed that CPU usage on my EdgeRouter Lite-3 is higher than it used to be, and it maxes out (100%) when doing things like a speed test on my 120 Mbps connection. In day-to-day use I'm seeing a 2-4% increase in overall CPU usage, which isn't bad, but the high CPU usage when the network is loaded up is concerning.

 

I have offloading enabled, and I don't have a very custom configuration; it's all pretty basic. Is anyone else having issues, or does anyone have ideas about why the usage is so high?

 

Config below. Any information would be greatly appreciated. Thank you!

 

Linux ubnt 3.10.20-UBNT #1 SMP Sat May 28 09:46:11 PDT 2016 mips64
/* Firewall section: one address group, two IPv6 rulesets and two IPv4 rulesets for the WAN side. */
/* NOTE(review): several stretches below repeat the lines just before them (each is marked). */
/* They look like terminal-pager artifacts from copying the output; confirm against the device. */
firewall {
     all-ping enable
     broadcast-ping disable
     group {
         /* Seventeen whole /8 blocks, referenced by rule 2 of WAN_IN and of WAN_LOCAL. */
         network-group BAD_NETWORKS {
             description ""
             network 58.0.0.0/8
             network 60.0.0.0/8
             network 78.0.0.0/8
             network 183.0.0.0/8
             network 193.0.0.0/8
             network 220.0.0.0/8
             network 213.0.0.0/8
             network 124.0.0.0/8
             network 222.0.0.0/8
             network 221.0.0.0/8
             network 223.0.0.0/8
             network 112.0.0.0/8
             network 125.0.0.0/8
             network 219.0.0.0/8
             network 211.0.0.0/8
             network 218.0.0.0/8
             network 202.0.0.0/8
         }
     }
     /* IPv6 traffic forwarded from the WAN to the LAN; anything not accepted below is dropped. */
     ipv6-name IPv6_WAN_IN {
         default-action drop
         description "IPv6 packet from the internet to LAN"
         rule 1 {
             action accept
             description "Allow established sessions"
             /* NOTE(review): the next three lines repeat the three above (paste artifact, see top). */
						          rule 1 {
             action accept
             description "Allow established sessions"
             state {
                 established enable
                 related enable
             }
         }
         /* Accepts every ICMPv6 type toward the LAN. */
         /* NOTE(review): written "icmpv6" here but "ipv6-icmp" in IPv6_WAN_LOCAL rule 15; confirm both match. */
         rule 5 {
             action accept
             description "Allow ICMPv6"
             log disable
             protocol icmpv6
         }
         rule 10 {
             action drop
             description "Drop invalid connections"
             state {
                 invalid enable
             }
         }
     }
     /* IPv6 traffic addressed to the router itself on the WAN side. */
     ipv6-name IPv6_WAN_LOCAL {
         default-action drop
         description "IPv6 WAN to Local"
         rule 5 {
             action accept
             description "Allow established sessions"
             state {
                 established enable
                 related enable
             }
         }
         rule 10 {
             action drop
             description "Drop invalid connections"
             state {
                 invalid enable
             }
         }
         rule 15 {
             action accept
             protocol ipv6-icmp
         }
         /* DHCPv6 replies (source port 547 to destination port 546), used by the dhcpv6-pd client on eth2. */
         rule 30 {
             action accept
             description "Allow dhcpv6"
             destination {
                 port 546
             }
             protocol udp
             source {
                 port 547
             }
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     /* IPv4 traffic forwarded from the WAN to the LAN. Default drop, with the default drop logged. */
     name WAN_IN {
         default-action drop
         description "Internet (WAN) to LAN"
         enable-default-log
         rule 1 {
             action accept
             description "Allow Established Connections"
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         /* Comes after rule 1, so established/related packets are accepted before the group is consulted. */
         rule 2 {
             action drop
             description "DROP BAD NETWORKS"
             log disable
             protocol all
             source {
                 group {
                     network-group BAD_NETWORKS
                 }
             }
         }
         rule 3 {
             action accept
             description "FTP IN"
             destination {
                 port 21
             }
             log disable
             protocol tcp_udp
             state {
/* NOTE(review): the ":" below is a pager prompt. From it down to the next "state {" the paste */
/* repeats rule 1, rule 2 and the start of rule 3 from above; rule 3 then continues normally. */
:
             action accept
             description "Allow Established Connections"
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 2 {
             action drop
             description "DROP BAD NETWORKS"
             log disable
             protocol all
             source {
                 group {
                     network-group BAD_NETWORKS
                 }
             }
         }
         /* Accepts new connections to port 21 over both TCP and UDP. The matching destination-NAT */
         /* rule ("FTP Server", service nat rule 4) is disabled, so nothing is forwarded for it. */
         /* NOTE(review): consider disabling or removing this accept while the forward is off. */
         rule 3 {
             action accept
             description "FTP IN"
             destination {
                 port 21
             }
             log disable
             protocol tcp_udp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         /* Accepts new SSH connections from any source not in BAD_NETWORKS; service nat rule 3 */
         /* forwards WAN port 22 to 10.0.0.52. */
         /* NOTE(review): the host behind it is Internet-reachable; consider a source restriction */
         /* and enabling "log" on this rule so connection attempts are recorded. */
         rule 4 {
             action accept
             description "SSH IN"
             destination {
                 port 22
             }
             log disable
             protocol tcp
             state {
                 established enable
                 invalid disable
                 new enable
                 related disable
             }
         }
         /* Accepts new connections to port 80 over TCP and UDP; the matching destination-NAT rule */
         /* ("DEV Server", service nat rule 1) is disabled. */
         rule 5 {
             action accept
             description "HTTP IN"
             destination {
                 port 80
             }
             log disable
             protocol tcp_udp
             state {
                 established enable
                 invalid disable
                 new enable
                 related disable
             }
         }
         rule 7 {
             action drop
             description "Drop Invalid Packets"
             log disable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     /* IPv4 traffic addressed to the router itself on the WAN side. Only VPN protocols are */
     /* accepted as new connections; there is no accept rule for the GUI, SSH or SNMP ports. */
     name WAN_LOCAL {
         default-action drop
         description "Internet (WAN) to Local"
         rule 1 {
             action accept
             description "Allow Established Connections"
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 2 {
             action drop
             description "DROP BAD NETWORKS"
             log disable
             protocol all
             source {
                 group {
                     network-group BAD_NETWORKS
                 }
             }
         }
         /* PPTP control channel on port 1723, accepted over both TCP and UDP. */
         rule 3 {
             action accept
             description PPTP
             destination {
                 port 1723
             }
             log disable
             protocol tcp_udp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 4 {
             action accept
             description "PPTP GRE"
             log disable
             protocol gre
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         /* NOTE(review): this second "rule 4" repeats the one above line for line (paste artifact, see top). */
         rule 4 {
             action accept
             description "PPTP GRE"
             log disable
             protocol gre
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         /* IKE (500), L2TP (1701) and NAT-T (4500) over UDP from any source not in BAD_NETWORKS. */
         /* NOTE(review): 1701 is accepted whether or not the packet arrived inside IPsec; if L2TP */
         /* should only run over IPsec, consider limiting that port to IPsec-protected traffic */
         /* (EdgeOS has an "ipsec match-ipsec" rule option; verify on this firmware). */
         rule 5 {
             action accept
             description L2TP
             destination {
                 port 500,1701,4500
             }
             log disable
             protocol udp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 7 {
             action accept
             description ESP
             log disable
             protocol esp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 9 {
             action drop
             description "Drop Invalid Packets"
             log disable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     /* NOTE(review): source validation is off, so spoofed source addresses are only stopped by */
     /* the rulesets above; presumably this is reverse-path filtering; confirm before changing. */
     source-validation disable
     syn-cookies enable
 }
 /* Interfaces: eth0 is the LAN, eth2 is the WAN, eth1 carries no address or description. */
 interfaces {
     ethernet eth0 {
         address 10.0.0.1/24
         description LAN
         duplex auto
         speed auto
     }
     ethernet eth1 {
         duplex auto
         speed auto
     }
     ethernet eth2 {
         address dhcp
         description WAN
         /* Requests a delegated IPv6 prefix and advertises a /64 from it on eth0 via SLAAC. */
         dhcpv6-pd {
             pd 0 {
                 interface eth0 {
                     service slaac
                 }
                 prefix-length 64
             }
             rapid-commit enable
         }
         duplex auto
         /* Rulesets are bound to the "in" (forwarded) and "local" (to the router) directions only; */
         /* no "out" ruleset is attached here, and eth0 has no firewall binding at all. */
         firewall {
             in {
                 ipv6-name IPv6_WAN_IN
                 name WAN_IN
             }
             local {
                 ipv6-name IPv6_WAN_LOCAL
                 name WAN_LOCAL
             }
         }
         speed auto
     }
     loopback lo {
     }
 }
 /* Port-forward feature: interfaces are set, but no forwarding rules are listed in this section. */
 /* The forwards in this configuration are written as destination-NAT rules under "service nat". */
 port-forward {
     auto-firewall enable
     hairpin-nat enable
     lan-interface eth0
     wan-interface eth2
 }
 /* Empty: no routing protocols or static routes are defined in this section. */
 protocols {
 }
 /* Services run by the router: DHCP for the LAN, web GUI, NAT, SNMP and SSH. */
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name LAN-Subnet {
             authoritative disable
             subnet 10.0.0.0/24 {
                 default-router 10.0.0.1
                 dns-server 8.8.8.8
                 dns-server 68.87.76.178
                 lease 86400
                 start 10.0.0.100 {
                     stop 10.0.0.130
                 }
             }
         }
     }
     /* WAN_LOCAL has no accept rule for port 443, so new GUI connections from the WAN hit its default drop. */
     gui {
         https-port 443
     }
     /* Destination-NAT rules 1, 2 and 4 carry "disable"; only rule 3 (SSH) and the masquerade rule are active. */
     nat {
         rule 1 {
             description "DEV Server"
             destination {
                 port 80
             }
             disable
             inbound-interface eth2
             inside-address {
                 address 10.0.0.51
                 port 80
             }
             log disable
             protocol tcp_udp
             type destination
         }
         rule 2 {
             description "TFS Server"
             destination {
                 port 8080
             }
             disable
             inbound-interface eth2
             inside-address {
                 address 10.0.0.51
                 port 8080
             }
             log disable
             protocol tcp_udp
             type destination
         }
         /* Active forward: WAN port 22 goes to 10.0.0.52, so Internet SSH lands on that host, not the router. */
         /* NOTE(review): SSH uses TCP only; "tcp_udp" also translates UDP/22. WAN_IN rule 4 accepts */
         /* TCP only, so the UDP half is dropped later; "protocol tcp" would state the intent. */
         rule 3 {
             description SSH
             destination {
                 port 22
             }
             inbound-interface eth2
             inside-address {
                 address 10.0.0.52
                 port 22
             }
             log disable
             protocol tcp_udp
             type destination
         }
         rule 4 {
             description "FTP Server"
             destination {
                 port 21
             }
             disable
             inbound-interface eth2
             inside-address {
                 address 10.0.0.52
                 port 21
             }
             log disable
             protocol tcp_udp
             source {
             }
             type destination
         }
         rule 5000 {
             description "Masquerade for WAN"
             log disable
             outbound-interface eth2
             protocol all
             type masquerade
         }
     }
     /* Read-only community (name masked by the poster). No client or network restriction appears */
     /* here, so reachability is decided by the firewall; WAN_LOCAL has no accept rule for SNMP. */
     snmp {
         community ***** {
             authorization ro
         }
         contact *****
         location "Core Office"
     }
     /* Router's own SSH daemon. No listen address is set here; presumably it listens on every */
     /* interface (confirm). From the WAN, port 22 is taken by nat rule 3 above. */
     ssh {
         port 22
         protocol-version v2
     }
 }
 /* System settings: connection tracking, accounts, DNS, NTP, hardware offload and logging. */
 system {
     conntrack {
         expect-table-size 4096
         hash-size 4096
         table-size 32768
         tcp {
             half-open-connections 512
             loose enable
             max-retrans 3
         }
     }
     domain-name santsys.com
     /* NOTE(review): flow accounting is enabled on the LAN interface. It has to see the traffic it */
     /* counts, so it presumably competes with hardware offload and is a candidate for the CPU load */
     /* described in the post. TODO confirm by disabling it temporarily and repeating the speed test. */
     flow-accounting {
         ingress-capture pre-dnat
         interface eth0
         syslog-facility daemon
     }
     host-name S2-Gateway
     login {
         user admin {
             authentication {
                 /* Hash masked by the poster. The empty plaintext-password is presumably the normal */
                 /* state once the password has been stored as a hash; confirm. */
                 encrypted-password *****
                 plaintext-password ""
             }
             full-name "System Admin"
             level admin
         }
     }
     name-server 8.8.8.8
     name-server 8.8.4.4
     name-server 2001:4860:4860::8888
     name-server 2001:4860:4860::8844
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     /* Offload is on for IPsec, IPv4 forwarding, GRE and IPv6 forwarding. No PPPoE or VLAN entries */
     /* appear, and none of the interfaces in this configuration use PPPoE or VLANs. */
     offload {
         ipsec enable
         ipv4 {
             forwarding enable
             gre enable
         }
         ipv6 {
             forwarding enable
         }
     }
     /* Logs are kept locally only; no remote syslog host is configured in this section. */
     /* The "protocols" facility logs at debug level, more verbose than "notice" used for the rest. */
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone America/Los_Angeles
 }
 /* Remote-access VPN: L2TP over IPsec with a pre-shared secret, plus a separate PPTP server. */
 vpn {
     ipsec {
         auto-firewall-nat-exclude disable
         ipsec-interfaces {
             interface eth2
         }
         /* 0.0.0.0/0 already covers every IPv4 address, so the two narrower entries add nothing. */
         /* NOTE(review): presumably these are the client networks allowed behind NAT; confirm the */
         /* catch-all is intended. */
         nat-networks {
             allowed-network 0.0.0.0/0 {
             }
             allowed-network 10.0.0.0/24 {
             }
             allowed-network 10.200.0.0/24 {
             }
         }
         nat-traversal enable
     }
     l2tp {
         remote-access {
             authentication {
                 local-users {
                     username ***** {
                         password *****
                     }
                 }
                 mode local
             }
             client-ip-pool {
                 start 10.200.0.151
                 stop 10.200.0.170
             }
             dhcp-interface eth2
             dns-servers {
                 server-1 8.8.8.8
                 server-2 8.8.4.4
             }
             ipsec-settings {
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret *****
             /* NOTE(review): from the "}" below through the second "pre-shared-secret" line the paste */
             /* repeats the fourteen lines above it; this looks like a pager artifact, not real config. */
             }
             client-ip-pool {
                 start 10.200.0.151
                 stop 10.200.0.170
             }
             dhcp-interface eth2
             dns-servers {
                 server-1 8.8.8.8
                 server-2 8.8.4.4
             }
             ipsec-settings {
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret *****
                 }
                 ike-lifetime 3600
             }
             mtu 1492
         }
     }
     /* NOTE(review): PPTP's MS-CHAPv2 authentication and MPPE encryption are considered broken. */
     /* Since L2TP/IPsec is already configured above, consider retiring this server together with */
     /* WAN_LOCAL rules 3 and 4 (PPTP and GRE). */
     /* The PPTP username is shown in clear here, while the L2TP username is masked. */
     pptp {
         remote-access {
             authentication {
                 local-users {
                     username joshs {
                         password *****
                     }
                 }
                 mode local
             }
             client-ip-pool {
                 start 10.200.0.100
                 stop 10.200.0.150
             }
             dns-servers {
                 server-1 8.8.8.8
                 server-2 8.8.4.4
             }
             mtu 1250
         }
     }
 }
