PCQ Rate Limit: Multiple Routers

I am having difficulties setting up a rate limit using PCQs!

Basically, I am using multiple routers as follows:

RB-N → RB-B → RB-A

Each router will provide IPs on its own and masquerade with its pub eth connected to the next router;
same again, the next router will provide IPs on its own and masquerade with its pub eth connected to the main router.

Now I have one PCQ running on the main router, load balancing connections for each router in the way using “global out”.

How come users on router N can get higher band than one router before it? And again, users on router C will get higher band than router B?

… I tried UM profile limitation, but it seems I need to assign users with IPs. If I do that, only the first router connected to
the main router running UM can get normal communications; the next router in the path will get an IP on login, but can’t communicate at all…


Most importantly, I would like to have one major PCQ running on the main router for all routers connected to it,
taking into account the fact that routers are connected to routers connected to the main router, like a chain of routers!

Thanks

Don’t NAT everywhere, just NAT when the traffic exits your WAN interface. That will require routing to be set up throughout your entire network.

Do you mean I should remove the masquerade on routers in the path, and just leave the masquerade on the main router?

Please advise,

thanks,

Yes.

log error:

userA (192.168.25.9): RADIUS accounting request not sent: no response

It seems like users can’t get to the main router, which is running UM, if I remove masquerade!

?

Oh my goodness: logs are filled with blue “accounting problem”… hhhh

These errors are for users who are currently logged in though…

Like I said, you’ll have to make sure all routers have routes to one another. NAT hides them from one another.

PCQ is based on IP addresses. When you NAT at every hop you’re making all traffic behind that router appear to come from the same IP address.
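
An added illustration of the point above (not part of any post in this thread): a small Python model of which source address RB-Main would classify each user on, with masquerade at every hop versus only on RB-Main. The addresses, the user list and the 1000 kbps pcq-rate are constructed for the example, and the even split inside one sub-stream is a simplifying assumption.

```python
from collections import defaultdict

# Constructed topology: router -> (upstream router, its own address on the uplink)
UPLINK = {
    "RB-STEP11": ("RB-Main", "10.0.1.2"),
    "RB-STEP12": ("RB-STEP11", "10.0.2.2"),
    "RB-STEP13": ("RB-STEP12", "10.0.3.2"),
}

# Constructed users: (user address, router the user attaches to)
USERS = [
    ("192.168.11.10", "RB-STEP11"),
    ("192.168.11.11", "RB-STEP11"),
    ("192.168.12.10", "RB-STEP12"),
    ("192.168.12.11", "RB-STEP12"),
    ("192.168.13.10", "RB-STEP13"),
]


def source_seen_by_main(user_ip, router, masquerading):
    """Follow the path to RB-Main, rewriting the source at every router that masquerades."""
    src = user_ip
    while router != "RB-Main":
        upstream, uplink_addr = UPLINK[router]
        if router in masquerading:
            src = uplink_addr  # masquerade: source becomes the router's uplink address
        router = upstream
    return src


def pcq_substreams(masquerading):
    """Group users by the address RB-Main would classify them on."""
    streams = defaultdict(list)
    for ip, router in USERS:
        streams[source_seen_by_main(ip, router, masquerading)].append(ip)
    return dict(streams)


def per_user_ceiling(masquerading, pcq_rate_kbps):
    """Simplification: users collapsed into one sub-stream split its pcq-rate evenly."""
    return {ip: pcq_rate_kbps / len(members)
            for members in pcq_substreams(masquerading).values()
            for ip in members}


if __name__ == "__main__":
    for label, nat in [("NAT at every hop", set(UPLINK)), ("NAT only on RB-Main", set())]:
        print(label, pcq_substreams(nat), per_user_ceiling(nat, 1000))
```

With masquerade on every downstream router, all five users collapse into a single sub-stream keyed on one address; with routing instead of NAT, each user gets a sub-stream of their own.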

Maybe I missed this part… can you be in the mood to provide a little walkthrough or a link…

The routers connected to the main router don’t get such an accounting error, but only routers connected afterward do get such errors.

Maybe I need routing with RIP, I guess, but will there be any guide please…

Thanks,

That’s not really something you can cover in a forum post. The wiki has great articles, though.
http://wiki.mikrotik.com/wiki/Manual:OSPF-examples
http://wiki.mikrotik.com/wiki/Manual:Routing/OSPF

Ohhh, this is an assignment, but I like it… hhhh..

thanks so much bro…

I did everything as said in the guide, but I still got the error: RADIUS accounting problem…

Have you checked whether the IP addresses configured in User Manager as NAS IPs have changed? Now that the routers don’t masquerade anymore the RADIUS server may see the clients as different IPs.

The routers are set as follows:

ISP > RB-Main > RB-STEP11 > RB-STEP12 > RB-STEP13
ISP > RB-Main > RB-STEP21 > RB-STEP22 > RB-STEP23

UM is running on RB-Main

All RADIUS accounting problems start with RB-STEP12, 13, 22, 23

STEPs 11 and 21 have no problems..

I set the OSPF as follows:

RB-Main
area 0.0.0.0


area 0.0.0.0
RB-STEP11
area 0.0.0.1


area 0.0.0.1
RB-STEP12
area 0.0.0.2


area 0.0.0.2
RB-STEP13


The router-id on all stays as default 0.0.0.0

I don’t know what I am doing wrong that’s causing this accounting error…

OK, this is now urgent… I got all set up fine, but users on 3rd routers can get logged in, but can’t surf…
This is after leaving masquerade on all routers except the main router…


please…

just for more info:

under firewall, connections:

connections unreplied ospf protocol.

Restore your working configuration to when rate limits weren’t working right so everyone can at least get out.

Then bench out the changes or get a consultant involved. I don’t think a forum can help troubleshoot a network with more than three routers in an adequate timeframe. It looks like both OSPF and RADIUS are misconfigured at this point.

Well, all I do to make everything work again is re-enable masquerade on the RBs and everything is back to working status.

I don’t think it’s because of a misconfiguration of UM. I even added the route table for the routers in the sequence in UM, and they do get logged in fine.. but right there, there is no communication with the outside world.

It’s back to normal working status, and if OSPF is not an answer to the limitation, what other options are there?

If everything makes it to the final router OK but then cannot go out to the Internet then the final router is misconfigured. Check routing on that router, as well as its NAT configuration.

So weird:

On each router, looking at Routing > OSPF > Routes, I see each and every router in the entire network.

However, connections from each RB to the internet are working as follows:

yes working: RB-Main
yes working: RB-Main < RB-Step1
not working: RB-Main < RB-Step1 < RB-Step2

Masquerade is on on RB-Main.
Masquerade is off on RB-Step1.
Masquerade is off on RB-Step2.

To make RB-Step2 open to the internet, all I do is turn on masquerade on RB-Step2.

If there is something wrong on RB-Main, then how come itself and RB-Step1 can communicate?
The problem is always at step 2.

More Update:

What is the relationship between DNS and Masquerade?

I requested a user on RB-Step2 to download a large file.

Once the connection began and the download started, I disabled Masquerade on RB-Step2, but the download continued till the end.

Once the download completed, the user was not able to open pages anymore!
Obviously, this test shows that once the connection is established it won’t be interrupted, but only new connections are un-replied…

Could my problem be related to DNS?

This is just a thought…