Does anyone know how to block Windows 10 update-delivery-optimization (built-in feature for getting Windows Updates through P2P) using mikrotik firewall rules? Please see http://windows.microsoft.com/en-gb/windows-10/windows-update-delivery-optimization-faq for details.
Sniff the traffic and see what protocol it uses.
But why? It will save your bandwidth.
No, it will kill my bandwidth. Default setting in non-VL editions of Windows 10 is to upload to other users on the internet.
You will have to sniff the traffic to see what protocol is used.
Or you can just limit all upload
This could be very hard, because you have to be lucky to catch the moment when it is uploading to some other client. I cannot find any information about protocols and ports used anywhere.
Maybe try asking Microsoft support directly?
We are starting to have problems with clients complaining about slow-opening web pages etc. And when I look at their traffic history, it is almost full upload to the internet.
Nobody has this problem?
Of course the fact that a client uses full upload on their connection does not necessarily mean it is due to this feature.
It can also mean their PC has been hacked (trojan software installed) and is being used in DDoS attacks etc.
Reading the FAQ document above, it is easy to turn this feature off, so when a client complains try to (have them) do that
and see if there is an improvement. If not, it has to have some other cause.
(of course it is worrying that a company like Microsoft does things like this, also including download of Windows 10
over connections in which they have no insight w.r.t. bandwidth and bottlenecks, but that is not on-topic here)
Yes, it could be a trojan, but in this case it is not. After turning off updates in Windows 10, upload was almost zero. What I want to say is that it is a problem and people complain to the ISP, because if you saturate upload, opening web pages is very slow… and also Windows distributes updates using P2P on your network, but before that it analyzes the structure of your network and sends it to central MS servers… and this could be used in future to distribute various attacks in case of Windows security problems… and MAN OF COURSE IT IS NOT!!! OFF TOPIC… This could be a disaster in future for ISPs and security problems…
So the question is how to limit it. Because by default it is enabled in almost all Windows 10 users' installations…
Microsoft makes use of its own protocol named BITS, which is based on HTTP. The whole traffic is encrypted (SSL/TLS) and the ports used vary a lot.
Summary: it works like torrent and thus it is impossible to detect it with a firewall and block/limit it.
Is there any way to find out what Microsoft is gathering about users and transfers?
Maybe it would be a good idea to have a separate section of the forum or a pointer to a different forum for “future ISP problems”,
because it appears that there are quite some small-scale ISP operations on the forum that face challenges that are not at all
related to MikroTik, but more to the evolution of the internet towards encryption and avoidance of simple blocking by network operators…
That may not be as easy as you hope. I don’t expect the traffic to be easily identifiable and easy to isolate or limit.
Of course, speaking in general it is wise to do some queueing on your customer connections to prevent a single customer from
taking all bandwidth (upload or download). It could help to shape the upload on your internet connection (that means: put a queue or queue tree on it)
to slightly below the actual capacity, so that the decision what is important and what can be delayed is made by the router.
Then you can subdivide bandwidth per customer and/or depending on priority of the traffic.
If I use a simple queue to limit max individual user downloads… what queue type would be ideal to prevent full upload by services like BITS and Microsoft's unwanted traffic consumption?
With Windows Update itself it's much simpler: you can use an address-list with MS services and put some bandwidth limitations on it to counter some security or economic issues/disasters that might otherwise occur.
But with P2P-like “delivery optimisation” you can't. It's almost the same with Tor.
I have the same problem in many of my networks, and many are VSAT with limited bandwidth per month, and in one or two days the allowance runs out.
I can check and switch it off on every computer under my control, but many times people bring their own computer and kill the bandwidth and allowance.
It is a nightmare.
It is not something “we” can solve, it has to be solved by Microsoft.
And they are not affected so they are probably not interested in solving it…
(they think it was a great idea, and for them it probably is because it reduces the load on their servers)
Yes, it is a great idea for Microsoft, but very bad for us, the network admins.
Does anyone have any suggestion to limit this traffic?
As far as I know, Windows Update is using standard HTTP (TCP 80) for updates. So from https://technet.microsoft.com/cs-cz/library/bb693717.aspx I made a Layer7 filter:
/ip firewall layer7-protocol add name=WinUpl7 regexp="^.*(get|GET).+(windowsupdate.microsoft.com|update.microsoft.com|download.microsoft.com|windowsupdate.com).*\$"
Firewall rule matching HTTP and the Layer7 filter:
/ip firewall filter add action=add-dst-to-address-list address-list=Winupdate \
address-list-timeout=0s chain=forward dst-address-list=!Winupdate \
dst-port=80 layer7-protocol=WinUpl7 out-interface=ether1 protocol=tcp
And then you can block or queue address list Winupdate.
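An added offline check of the WinUpl7 pattern from the post above (my own example, not the poster's configuration): it runs the same regex over a few constructed first-packet samples to show what the Layer7 matcher would catch (plain-HTTP GETs naming those hosts, including a request that only mentions the host in a Referer header) and what it would miss (POST requests and TLS, since the rule only sees port 80 cleartext). It assumes RouterOS's matcher treats the captured bytes as one blob, newlines included, which is what Python's re.DOTALL does here.

```python
import re

# The Layer7 pattern from the post, in Python re syntax. RouterOS needs "\$" inside
# double quotes to pass a literal "$" to the matcher; Python wants a plain "$".
WINUP_L7 = re.compile(
    r"^.*(get|GET).+(windowsupdate.microsoft.com|update.microsoft.com"
    r"|download.microsoft.com|windowsupdate.com).*$",
    re.DOTALL,  # assumption: newlines inside the captured bytes do not stop "."
)


def matches_winup_l7(payload: bytes) -> bool:
    """True if the first bytes of a connection would hit the WinUpl7 matcher."""
    return WINUP_L7.search(payload.decode("latin-1")) is not None


# Constructed samples of what the first packet of a connection might look like.
SAMPLES = {
    # plain HTTP GET to a listed host: the case the rule is meant to catch
    "http_get_download": b"GET /update.cab HTTP/1.1\r\nHost: download.microsoft.com\r\n\r\n",
    # plain HTTP GET to an unrelated host: must not be added to the address list
    "http_get_other": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # POST to a listed host: no "get"/"GET" token, so the pattern skips it
    "http_post_update": b"POST /upload HTTP/1.1\r\nHost: update.microsoft.com\r\n\r\n",
    # TLS ClientHello: opaque bytes, nothing for the regex to latch on to
    "tls_client_hello": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32,
    # GET to an unrelated host that merely mentions windowsupdate.com in a header:
    # over-matches, because the hostnames are not anchored to the Host header
    "referer_only": b"GET /page HTTP/1.1\r\nHost: example.org\r\n"
                    b"Referer: http://windowsupdate.com/x\r\n\r\n",
}


def classify(samples: dict) -> dict:
    """Map each sample name to whether the WinUpl7 matcher would fire on it."""
    return {name: matches_winup_l7(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:20s} {'MATCH' if hit else 'no match'}")
```

The "referer_only" hit shows that the address list can pick up destinations that are not Microsoft at all, so a queue on that list is safer than a drop rule.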