Help - how do I limit pps by address lists for WISP?

kolson606 · March 4, 2016, 7:07pm

I need to limit pps by address lists. We are an WISP that has AP's that can handle roughly 3000 pps but recently video traffic can have low bandwidth and very high pps killing the AP. For example, we have 4 Mbps of bandwidth running 3000 pps instead of what it should be at around 333 pps.

I got this working in the FW for address list 587pps. But the other address list (250pps) doesn't seem to shape on pps correctly, especially the upstream. What am I doing wrong here? If mangle is a better option please provide a sample example using my mockup. In this case I have two address lists, one for static IPs that will get 584 pps or 7 Mb up/down and the other is for 250 pps which will be for 3 Mbps. We don't need to prioritize traffic. Just drop packets to protect the APs other clients when this happens. Simple transparent bridge. No routing or nat on this server. I thought address lists would be easiest because then we can change the "package" the customer may have. PPS is a huge issue lately and doesn't often correlate with bandwidth and is death for WISPs. We control bandwith with other servers (Netequalizers)

Here's my current config: Any help would be appreciated! Thanks.

\

/interface bridge
add name=allportsbridge
/interface ethernet
set [ find default-name=ether1 ] comment=WANInternet
set [ find default-name=ether2 ] comment=LANinside
/ip neighbor discovery
set ether1 comment=WANInternet
set ether2 comment=LANinside
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=allportsbridge interface=ether1
add bridge=allportsbridge interface=ether2
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall address-list
add address=10.0.0.248 list=584ppsList
add address=10.0.0.250 list=250ppsList
/ip firewall filter
add chain=forward comment="Accept 584 pps for download" dst-address-list=
584ppsList limit=584,292
add chain=forward comment="Accept 584 pps for upload" limit=584,292
src-address-list=584ppsList
add chain=forward comment="Accept 250 pps for download" dst-address-list=
250ppsList limit=250,125
add chain=forward comment="Accept 250 pps for upload" dst-limit=
0,5,dst-address limit=250,125 src-address-list=250ppsList
add action=drop chain=forward comment="Drop download 584 pps"
connection-limit=0,32 dst-address-list=584ppsList limit=0,5
add action=drop chain=forward comment="Drop upload 584 pps" limit=0,5
src-address-list=584ppsList
add action=drop chain=forward comment="Drop download 250 pps"
dst-address-list=250ppsList
add action=drop chain=forward comment="Drop upload 250 pps" limit=0,5
src-address-list=250ppsList

kolson606 · March 24, 2016, 9:32pm

SOLVED-This worked great. By putting in the CORE of my network I was indeed able to shape rogue location service traffic and virus attacks. By limiting internet based traffic at the core on pps my AP’s came back to life, even on upstream only traffic. The issue was the ruleset had to be created FIRST, then create the address lists. Order did matter. In this example standard access list is equiv to 2Mb up/down, upscale is 7 Mb up/down and superslow is 256k up/down. Exempt is wide open and dropall is to disconnect ip. Some of the characters on the long lines on the right got dropped in the pasting.

/ip firewall address-list
add address=10.0.0.250 list=standard
add address=10.0.0.251 list=upscale
add address=10.0.0.252 list=upscale
add address=10.0.0.241 list=exempt
add address=10.0.0.255 list=superslow
add address=10.0.0.253 list=exempt
add address=10.0.0.248 list=dropall
/ip firewall filter
add chain=forward comment=“Up upscale” limit=584,292 src-address-list=upscale
add chain=forward comment=“Down upscale” dst-address-list=upscale limit=
584,292
add action=drop chain=forward comment=“Drop up upscale” src-address-list
upscale
add action=drop chain=forward comment=“Drop down upscale” dst-address-li
upscale
add chain=forward comment=“Up standard” limit=166,83 src-address-list=
standard
add chain=forward comment=“Down standard” dst-address-list=standard limi
166,83
add action=drop chain=forward comment=“Drop up standard” src-address-lis
standard
add action=drop chain=forward comment=“Drop down standard” dst-address-l
standard
add chain=forward comment=“Up superslow” limit=20,10 src-address-list=
superslow
add chain=forward comment=“Down superslow” dst-address-list=superslow li
20,10
add action=drop chain=forward comment=“Drop up superslow” src-address-li
superslow
add action=drop chain=forward comment=“Drop down superslow” dst-address-
superslow limit=0,5
add action=drop chain=forward comment=“Dropall down” dst-address-list=dr
add action=drop chain=forward comment=“Dropall up” src-address-list=drop