I am having difficulties with setting up rate limit using PCQ's!
Basically, I am using multiple routers as following:
RB-N -> RB-B -> RB-A
Each router will provide IP's by its own, masquerade with it's pub eth connected to the next router
same again, next router will provide IP's by its own, masquerade with it's pub eth connected to main router.
now I have one PCQ running on main router, load balancing connections for each router in the way using "global out".
how come users on router N, can get higher band than one router before it. and again users on router C will get higher band
than router B ?
....... I tried UM profile limitation, but it seems as i need to assign users with ips, if i do that, only first router connected to
main router running UM can get normal communications, the next router in the path will get ip on login, but can't communicate at all...
most importantly, I would like to have one major PCQ running on main router for all routers connected to it.
taking the fact that routers are connected to routers connected to main routers. like a chain of routers!
thanks
Re: PCQ Rate Limit: Multiple Routers
Don't NAT everywhere, just NAT when the traffic exits your WAN interface. That will require routing to be set up throughout your entire network.
Re: PCQ Rate Limit: Multiple Routers
do you mean i should remove the masquerade on routers in the path, and just leave the masquerade on the main router?
please advice,
thanks,
please advice,
thanks,
Re: PCQ Rate Limit: Multiple Routers
log error:
userA (192.168.25.9): RADIUS accounting request not sent: no response
it seems like users can't get to main router which is running UM if I remove masquerade!
?
userA (192.168.25.9): RADIUS accounting request not sent: no response
it seems like users can't get to main router which is running UM if I remove masquerade!
?
Re: PCQ Rate Limit: Multiple Routers
oh my goodness: logs are filled with blue "accounting problem"... hhhh
these errors are for users who is currently logged in though...
these errors are for users who is currently logged in though...
Re: PCQ Rate Limit: Multiple Routers
Like I said, you'll have to make sure all routers have routes to one another. NAT hides them from one another.
PCQ is based on IP addresses. When you NAT at every hop you're making all traffic behind that router appear to come from the same IP address.
PCQ is based on IP addresses. When you NAT at every hop you're making all traffic behind that router appear to come from the same IP address.
Re: PCQ Rate Limit: Multiple Routers
maybe I missed this part... can you be for the mood of providing a little walkthrough or a link...That will require routing to be set up throughout your entire network.
the routers connected to the main router don't get such accounting error.. but only routers connected afterward do get such errors.
maybe i need routing with RIP I guess, but will there be any guide please...
thanks,
Re: PCQ Rate Limit: Multiple Routers
That's not really something you can cover in a forum post. The wiki has great articles, though.
http://wiki.mikrotik.com/wiki/Manual:OSPF-examples
http://wiki.mikrotik.com/wiki/Manual:Routing/OSPF
http://wiki.mikrotik.com/wiki/Manual:OSPF-examples
http://wiki.mikrotik.com/wiki/Manual:Routing/OSPF
Re: PCQ Rate Limit: Multiple Routers
ohhh, this is an assignment, but i like it... hhhh..
thanks so much bro...
thanks so much bro...
Re: PCQ Rate Limit: Multiple Routers
I did everything as said in the guide, but i still got error RADIUS accounting problem....
Re: PCQ Rate Limit: Multiple Routers
Have you checked whether the IP addresses configured in User Manager as NAS IPs have changed? Now that the routers don't masquerade anymore the RADIUS server may see the clients as different IPs.
Re: PCQ Rate Limit: Multiple Routers
The routers are set as following:
ISP > RB-Main > RB-STEP11 > RB-STEP12 > RB-STEP13
ISP > RB-Main > RB-STEP21 > RB-STEP22 > RB-STEP23
UM is running on RB-Main
All Radius accounting problems starts with RB-STEP12, 13, 22, 23
STEPs 11 and 21 has no problems..
I set the OSPF as following:
RB-Main
area 0.0.0.0
area 0.0.0.0
RB-STEP11
area 0.0.0.1
area 0.0.0.1
RB-STEP12
area 0.0.0.2
area 0.0.0.2
RB-STEP13
the router-id on all stays as default 0.0.0.0
I don't know what i am misdoing that's causing this accounting error....
ISP > RB-Main > RB-STEP11 > RB-STEP12 > RB-STEP13
ISP > RB-Main > RB-STEP21 > RB-STEP22 > RB-STEP23
UM is running on RB-Main
All Radius accounting problems starts with RB-STEP12, 13, 22, 23
STEPs 11 and 21 has no problems..
I set the OSPF as following:
RB-Main
area 0.0.0.0
area 0.0.0.0
RB-STEP11
area 0.0.0.1
area 0.0.0.1
RB-STEP12
area 0.0.0.2
area 0.0.0.2
RB-STEP13
the router-id on all stays as default 0.0.0.0
I don't know what i am misdoing that's causing this accounting error....
Re: PCQ Rate Limit: Multiple Routers
ok, this is now urgent... i got all setup fine, but users on 3rd routers can get logged in, but can't surf...
this is after leaving masquerade on all routers except the main router...
please....
this is after leaving masquerade on all routers except the main router...
please....
Re: PCQ Rate Limit: Multiple Routers
just for more info:
under firewall, connections:
connections unreplied ospf protocol.
under firewall, connections:
connections unreplied ospf protocol.
Re: PCQ Rate Limit: Multiple Routers
Restore your working configuration to when rate limits weren't working right so everyone can at least get out.
Then bench out the changes or get a consultant involved. I don't think a forum can help troubleshoot a network with more than three routers in an adequate timeframe. It looks like both OSPF and RADIUS are misconfigured at this point.
Then bench out the changes or get a consultant involved. I don't think a forum can help troubleshoot a network with more than three routers in an adequate timeframe. It looks like both OSPF and RADIUS are misconfigured at this point.
Re: PCQ Rate Limit: Multiple Routers
well, all i do to make everything work again is re-enable masquerade on RBs and everything is back to working status.
I don't think its because of a misconfiguration of UM, I even added the route table for the routers in the sequence in UM, and they do get logged in fine.. but right there, there is no communications with outside world.
its back to normal working status, and if ospf is not an answer to the limitation, what other options are there?
I don't think its because of a misconfiguration of UM, I even added the route table for the routers in the sequence in UM, and they do get logged in fine.. but right there, there is no communications with outside world.
its back to normal working status, and if ospf is not an answer to the limitation, what other options are there?
Re: PCQ Rate Limit: Multiple Routers
If everything makes it to the final router OK but then cannot go out to the Internet then the final router is misconfigured. Check routing on that router, as well as its NAT configuration.
Re: PCQ Rate Limit: Multiple Routers
so weird:
on each router: looking at Routing > OSPF > Routes, I see each and every routers in the entire network.
however, all connections from RB to internet is working as:
yes working: RB-Main
yes working: RB-Main < RB-Step1
not working: RB-Main < RB-Step1 < RB-Step2
Masquerade is on on RB-Main.
Masquerade is off on RB-Step1
Masquerade is off on RB-Step2
to make RB-Step2 open to the internet, all i do is turn on masquerade on RB-Step2
if there is something wrong on RB-Main, then how come itself and RB-Step1 can communicate.
the problem is always at step2
on each router: looking at Routing > OSPF > Routes, I see each and every routers in the entire network.
however, all connections from RB to internet is working as:
yes working: RB-Main
yes working: RB-Main < RB-Step1
not working: RB-Main < RB-Step1 < RB-Step2
Masquerade is on on RB-Main.
Masquerade is off on RB-Step1
Masquerade is off on RB-Step2
to make RB-Step2 open to the internet, all i do is turn on masquerade on RB-Step2
if there is something wrong on RB-Main, then how come itself and RB-Step1 can communicate.
the problem is always at step2
Re: PCQ Rate Limit: Multiple Routers
More Update:
what is the relationship between DNS and Masquerade?
I requested a user on RB-Step2 to download a large file.
once the connection began and download started, I disabled the Masquerade on RB-Step2 but the download continued till the end.
once the download completed, the user was not able to open pages anymore!
obviously, this test shows that once the connection is established it won't be interrupted but only new connections are un-replied...
could my problem be related to DNS?
this is just a thought....
what is the relationship between DNS and Masquerade?
I requested a user on RB-Step2 to download a large file.
once the connection began and download started, I disabled the Masquerade on RB-Step2 but the download continued till the end.
once the download completed, the user was not able to open pages anymore!
obviously, this test shows that once the connection is established it won't be interrupted but only new connections are un-replied...
could my problem be related to DNS?
this is just a thought....
Re: PCQ Rate Limit: Multiple Routers
NAT only happens on the first packet of the connection, and then is repeated for the stateful connection. If the first packet got NAT'd and then NAT is turned off the entire connection is NAT'd, but future connections are not. I doubt you have a DNS problem. If NAT fixes things you most likely have a routing problem, because NAT rewrites IP addresses in different networks to IP addresses in directly connected networks, making routes unnecessary.
Post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", and "/ip firewall export". All wrapped in code tags, clearly indicating what router is which, and how they connect.
Post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", and "/ip firewall export". All wrapped in code tags, clearly indicating what router is which, and how they connect.
Re: PCQ Rate Limit: Multiple Routers
Just to mention that RB-Step1 is connected to RB-Step2 by 2 Ubiquiti Face to Face PS5 both set on Bridge mode!
if run the PS5 as router, it will have an option for enabling NAT. do you think that is where the problem is, or it's still in the MT routing configuration?
if run the PS5 as router, it will have an option for enabling NAT. do you think that is where the problem is, or it's still in the MT routing configuration?
Re: PCQ Rate Limit: Multiple Routers
A bridge shouldn't be a problem, but I can only guess. I only have a rough idea of your network layout, and no configuration details to go by.
I really do think you'd be best served asking a consultant to look at this with you 1:1.
I really do think you'd be best served asking a consultant to look at this with you 1:1.
Re: PCQ Rate Limit: Multiple Routers
you asked me to layout my entire network onto this public forum with each and every route and ips! 
I believe that is to much of a security issue and an exploit...
if its ok, i can sent you all details by email instead... ?
there is always something i like to keep private, so please accept my ignorance.
I believe that is to much of a security issue and an exploit...
if its ok, i can sent you all details by email instead... ?
there is always something i like to keep private, so please accept my ignorance.
Re: PCQ Rate Limit: Multiple Routers
That's fair enough.
I do not consult 1:1, via email. Maybe someone else can help you out.
I do not consult 1:1, via email. Maybe someone else can help you out.
Re: PCQ Rate Limit: Multiple Routers
well, you have walked me through the cone circle up to the edge, and i have solved 90% of the limiting issues.
either and or, I so appreciate every single character that you typed in replies to this post.
I thank you so much Fewi - I lay down my head to your mastership...
thank you,
I will try to look further and deeper to the routing section in the hope for finding the ending solution..
good day,
either and or, I so appreciate every single character that you typed in replies to this post.
I thank you so much Fewi - I lay down my head to your mastership...
thank you,
I will try to look further and deeper to the routing section in the hope for finding the ending solution..
good day,
Re: PCQ Rate Limit: Multiple Routers
I'm glad to have been of some help.
Re: PCQ Rate Limit: Multiple Routers
i have these firewalls on each router - could this be the cause of Unreplied connections?
could this mean Masquerade will bypass these rules, but un-masquerade wont?
just wondering!
could this mean Masquerade will bypass these rules, but un-masquerade wont?
just wondering!
Code: Select all
/ip firewall filter
add action=drop chain=input comment="" disabled=no src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w3d chain=input comment="" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w3d chain=input comment="" disabled=no protocol=tcp tcp-flags=\fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w3d chain=input comment="" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w3d chain=input comment="" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w3d chain=input comment="" disabled=no protocol=tcp tcp-flags=\fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w3d chain=input comment="" disabled=no protocol=tcp tcp-flags=\fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1w3d chain=input comment="" disabled=no protocol=tcp tcp-flags=\!fin,!syn,!rst,!psh,!ack,!urg
Re: PCQ Rate Limit: Multiple Routers
I don't think those rules would cause the problems you're experiencing.
Re: PCQ Rate Limit: Multiple Routers
new connections are all:
syn received
syn received
............ this thing is killing me ! ......
syn received
syn received
............ this thing is killing me ! ......
Re: PCQ Rate Limit: Multiple Routers
the intention is to allow clients from RB-D connect to internet without the need to add masquerade
the object is to have one pcq on RB-Main to control band for all user across the network.
at this current setup, with or without RB-D masquerade, users are able to connect to UM on RB-Main and log in, but unable
to surf net afterward. if masquerade was on, users on RB-D are able to surf net.
Re: PCQ Rate Limit: Multiple Routers
alright,
dears at mikrotik support, and dear Fewi:
The problem is solved.
after doing little more research on the differences between "AP/Station" and "AP WDS/Station WDS", I found that my system
needs WDS also.
doing this minor change with the help of Fewi and his guide for OSPF, the entire network is functional as expected.
Thank you Fewi,
Thank you all
dears at mikrotik support, and dear Fewi:
The problem is solved.
after doing little more research on the differences between "AP/Station" and "AP WDS/Station WDS", I found that my system
needs WDS also.
doing this minor change with the help of Fewi and his guide for OSPF, the entire network is functional as expected.
Thank you Fewi,
Thank you all
Who is online
Users browsing this forum: No registered users and 20 guests