Diversion pixelserv-tls high CPU usage

luckycharms

Occasional Visitor
Hi all,

pixelserv-tls is consuming about 36% of my AC88u's CPU. Is this to be expected? Both my cores are close to maxed out at 100%. I'm getting slow internet speeds, and wondering if this is potentially part of the problem. Everything is updated...

Thanks in advance...
 
You’re probably seeing many concurrent blocking attempts, each spawning a Pixelserv-tls thread. Some sites throw a fit with the faked cert and need to be whitelisted in Diversion, or hardcoded to 0.0.0.0 to avoid overwhelming pixelserv. I haven’t used it in a long time, but that was the gist of my last experience with it.
 
Another contributor is the size of the block file, which is loaded into memory pointed towards pixelserv-tls. Usually the block file size, and the fact that pixelserv-tls operates at tight memory constraints, pulverizes requests that are forwarded from dnsmasq to be blocked by pixelserv-tls.
 
I don't have any issues with pixelserv. How many blocked domains do you have? I load 11 host files with a total of 382'000 blocked domains.
Also what firmware are you on?
 
That should be fine; anything below 800k should be fine domain-wise. Anything past that, pixelserv and dnsmasq have a rough resource struggle. Using the standard block list with pixelservtls proves to be a challenge (~1 million domains).
 
Wait wait wait @luckycharms - while I appreciate the shotgun approach, it's not really helping us help you
can you please share with us your network config first, please? <- I ask twice because it's that important
 
Also, it might help to know if you are using things like AI Protect and QoS.

Post in thread 'Asuswrt-Merlin 386.7 Beta is now available' https://www.snbforums.com/threads/asuswrt-merlin-386-7-beta-is-now-available.79282/post-769608

Trendmicro and pixelservtls might be doing all kinds of things to each other.
 
I suspect @luckycharms may be trying to use both his ISP-provided modem/router combo unit for access to the internet, but also their asus router with merlin for the scripts.
Something's gotta give.
 
So your thoughts are double NAT? Do you think they need to put the ISP modem in complete bridge mode? If that is the case, then I see where you are coming from. A lot of problems "potentially can" form with script (and firewall) behaviors when a double NAT is present. The double NAT creates an extra layer to have to be concerned about, and not all developers guarantee successful running of their scripts in this type of environment.
 
maybe double NAT, in which case yes to bridge mode...unless more wireless client devices on their network are AX-capable, in which case dump the Asus, get the booster unit from the ISP (possibly free of charge from what I recall on the provider's website) and enjoy the wifi6.
If they're also looking for what some of the Merlin scripts provide, PiHole seems to be the go-to in that case.
OR - replace the ISP's combo unit with a simple gateway/modem, then get a pair of RT-AX68 for the wifi6 AND Merlin/scripts.
the other thread I referenced earlier here stated that there was a mismatch in the wireless speeds between ISP(AX) and Asus(AC) routers - if they want their line/package speeds wirelessly everywhere, they have to go full 802.11AX one way or another...the question is with ISP equipment/support, or with Merlin. which will be easiest for them?
(I feel pixelserv issues are a bit of a red herring when it comes to the network performance issues the OP initially posted about...pinging from one router to the next won't help - step back and look for network "issues" rather than router config issues)
 
The only way I can eliminate Pixelserv-tls from the mix is if the user disables any features that may enable trendmicro. (The two seem to be having a bad relationship of which we cannot confirm or deny any relationships to the bad performance issues. However, what we do know is there are several router related performance functions that are all tied into the AI-Protect and trendmicro agreement. All of which might be inadvertently enabling trendmicro....)
 
Sure, but one problem at a time. We arrive at the core of the onion when we peel it layer by layer.
 
Yes, you are right, let us start with the very basic basics. We first need to confirm the user is able to get line speed simply by plugging a device directly into their modem and testing. (Basic troubleshooting 101).
 
I think we can skip a step or two- OP has connectivity to his ISP (see the post I referenced in my original reply on this thread).
What we're unsure of is how their AC88 is configured to work with their ISP's combo gateway/modem/router unit.
And they've taken the weekend off or abandoned their activities, or possibly taken them to the ISP, so <shrug>

{I haven't used pixelserv in quite some time - I am under the (mistaken?) impression it is broken and no longer maintained, but kept in place for legacy users.} this is why I'm focusing on the wiring/protocols here.
 
Going by that same logic, you have to start at the modem and then work your way to the router once you can say you have officially eliminated the modem. Remember the layer by layer concept.
facepalm and smh.
You're right. Pedantic, but right.
I think going down the pixelserv rabbithole is somewhat premature based on what else they came here for help with. But you do you.
(the last post on @kvic 's original thread was almost 2y ago...the github hasn't been updated, links to dev's webpage/blog are broken...lots has changed in Merlin world since then, so if it works, it may be a miracle or/and a short term thing...)
 
Hi all, sorry for the slow reply, and thanks so much for the thoughts above. Network config: ISP modem <-> AC88u <-> Home Network. I have 128,580 domains blocked in Diversion (just subscribed to the standard blocking list). This issue was occurring before I had AIProtection enabled. I enabled it, not much change. Happy to disable it now too - just doesn't make a difference. I'm on merlin firmware 386_5.2, amtm 3.2.3, and diversion 4.2.2. My load average usually hovers around 3, with pixelserv-tls taking about 16-18% CPU. Any thoughts about where to go from here? Many thanks.
 
I don't know where you should go, but if it were me and it was early in the morning then I'd need quick coffee before my deep dive into the complex CPU/pixelserv-tls issue... But knowing me, it is probably late in the evening and I am a few beers in (heh a few), and I discover a startling revelation that maybe if I use a smaller block list then my CPU + memory usage might go down. Think of it this way: when DNSmasq forwards to 0.0.0.0 (i.e. pixelserv-tls disabled), it is actually forwarding to "Nothing", thereby our much larger blocklist will be able to run with a slightly higher than normal memory footprint and negligible CPU requirements. However, when DNSmasq uses that same size block list forwarding to Pixelserv-tls, we see the higher CPU + memory usage from Pixelserv-tls processing requests, and also the higher memory footprint from DNSmasq loading entries into memory. The more complex the list plus pixelserv-tls equals higher memory and CPU requirements; whereas with pixelserv-tls disabled, plus the larger blocklist, equals lower CPU requirements, but still reasonable memory usage.

what is your ultimate goal @luckycharms ? (there's a Merlin Firmware upgrade you should perform, v386.7...you're a bit behind)
Have you set up enough of a swap in diversion (2+ GB will be plenty helpful)?
If you're trying to enact some privacy/security for your LAN, the router will have to do some work, meaning processor cycles will use memory. that should only have a minimal impact on the speeds your clients send/receive data from the interwebz.
if you're seeing a load on the router when "no data is moving" on the LAN, you might want to look into just what might be talking to what/whom. On home networks today, there are "conveniences" that "call home" more than most people realise. I call this parasitic usage. to stop it, you have to find it, and that involves turning things off and looking into how they're configured and possibly even replacing them/eliminating them if the convenience isn't as beneficial as the "network headroom"
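
An added example, not part of the thread or of Diversion/pixelserv-tls: one way to find which LAN clients and blocked domains generate the most answers pointing at the pixel server, which is what the first reply (whitelist or hardcode to 0.0.0.0) and the "parasitic usage" advice above both need. It assumes dnsmasq query logging is enabled; the sinkhole address, blocklist path, clients and domains are constructed sample values, and attributing an answer to the last client that queried the name is a heuristic.

```python
import re
from collections import Counter

SINKHOLE = "192.168.1.2"  # constructed pixel-server address, not from the thread

# Constructed dnsmasq query-log sample; the path, clients and domains are made up.
SAMPLE_LOG = """\
Jun 26 18:55:01 dnsmasq[2345]: query[A] telemetry.tv.example from 192.168.1.50
Jun 26 18:55:01 dnsmasq[2345]: /path/to/blockinglist telemetry.tv.example is 192.168.1.2
Jun 26 18:55:02 dnsmasq[2345]: query[A] telemetry.tv.example from 192.168.1.50
Jun 26 18:55:02 dnsmasq[2345]: /path/to/blockinglist telemetry.tv.example is 192.168.1.2
Jun 26 18:55:03 dnsmasq[2345]: query[A] telemetry.tv.example from 192.168.1.50
Jun 26 18:55:03 dnsmasq[2345]: /path/to/blockinglist telemetry.tv.example is 192.168.1.2
Jun 26 18:55:04 dnsmasq[2345]: query[A] ads.site.example from 192.168.1.51
Jun 26 18:55:04 dnsmasq[2345]: /path/to/blockinglist ads.site.example is 192.168.1.2
Jun 26 18:55:05 dnsmasq[2345]: query[A] www.example.org from 192.168.1.51
Jun 26 18:55:05 dnsmasq[2345]: forwarded www.example.org to 9.9.9.9
Jun 26 18:55:05 dnsmasq[2345]: reply www.example.org is 93.184.216.34
Jun 26 18:55:06 dnsmasq[2345]: query[A] tracker.example from 192.168.1.50
Jun 26 18:55:06 dnsmasq[2345]: /path/to/blockinglist tracker.example is 0.0.0.0
"""

QUERY = re.compile(r"dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")
ANSWER = re.compile(r"dnsmasq\[\d+\]: \S+ (\S+) is (\S+)$")

def sinkholed_by_client(log_text, sinkhole_ip):
    """Count (client, domain) pairs whose DNS answer was the pixel-server IP."""
    last_client = {}   # domain -> most recent client that asked for it
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if m:
            last_client[m.group(1)] = m.group(2)
            continue
        m = ANSWER.search(line)
        # Names answered with 0.0.0.0 or a real address never reach the
        # pixel server, so only answers equal to sinkhole_ip are counted.
        if m and m.group(2) == sinkhole_ip:
            domain = m.group(1)
            hits[(last_client.get(domain, "unknown"), domain)] += 1
    return hits

if __name__ == "__main__":
    for (client, domain), n in sinkholed_by_client(SAMPLE_LOG, SINKHOLE).most_common(5):
        print(f"{n:5d}  {client:15s}  {domain}")
```

The pairs at the top of the output are the first candidates to whitelist, point at 0.0.0.0, or trace back to a chatty device.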
 