I would like to try this method to throttle Windows updates – thanks for sharing a way to address this critical need.
I cannot get the /system schedule portion of your solution to add IP addresses to address lists (and I do have many cached DNS entries matching the criteria). Can you provide code that I could paste into the Source: field in the Winbox GUI for a new script?
I’m talking about translating this part into a script.
:foreach i in=[/ip dns cache all find where (name~"update.microsoft" || name~"windowsupdate" || name~"download.microsoft" || name~"wustat" || name~"ntservicepack") && (type="A")] do={
    :local tmpAddress [/ip dns cache get $i address];
    # prevent the script from using all CPU time
    :delay delay-time=10ms
    # only add the address if no address-list entry for it exists yet
    :if ([/ip firewall address-list find where address=$tmpAddress] = "") do={
        :local cacheName [/ip dns cache get $i name];
        :log info ("added entry: $cacheName $tmpAddress");
        /ip firewall address-list add address=$tmpAddress list=MS timeout=23:59:59 comment=$cacheName;
    }
}
Thanks, and sorry for my RouterOS scripting ignorance.
Have you tried using the dynamic address feature in IP/firewall/address-list? Put the http address in the address field, instead of the numeric ip address. Then Mtik dynamically creates entries in the address list. @ZeroByte mentioned this in another post, and it proved very helpful to me. Hope it helps you too. It was a new feature recently introduced, 6.3x, can’t remember exactly which version, so check the change logs and make sure your version supports it. You of course need to know the text addresses that windows update uses …
Why would anybody want to throttle Windows Updates?
If you are doing it because of network issues, then how about fixing the bigger problem - the network.
If you are throttling updates to paying customers, then you are opening yourself up to a lawsuit from customers.
If you need to throttle, then use a policy/queue that treats all sites on the internet and customers fairly.
Keep in mind that you can throttle customers down to a rate of speed for which they are purchasing.
In SA our internet is SLOW and Windows takes all the bandwidth.
I’m doing this so that I can continue using the web if Windows is updating; I couldn’t care if WU takes 2 hours to complete as long as it doesn’t affect the rest.
Wolter
/ip firewall nat
add action=redirect chain=dstnat comment="DNS Dictator" dst-port=53 in-interface=!ether1-WAN protocol=udp
/system scheduler
add interval=2m name=microsoft on-event=":foreach i in=[/ip dns cache all find where (name~\"update.microsoft\" || name~\"windowsupdate\" || name~\"\
download.microsoft\" || name~\"wustat\" || name~\"ntservicepack\") && (type=\"A\") ] do={\r\
\n :local tmpAddress [/ip dns cache get \$i address];\r\
\ndelay delay-time=10ms\r\
\n#prevent script from using all cpu time\r\
\n :if ( [/ip firewall address-list find where address=\$tmpAddress] = \"\") do={ \r\
\n :local cacheName [/ip dns cache get \$i name] ;\r\
\n :log info (\"added entry: \$cacheName \$tmpAddress\");\r\
\n /ip firewall address-list add address=\$tmpAddress list=MS timeout=23:59:59 comment=\$cacheName;\r\
\n\r\
\n}\r\
\n\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/2016 start-time=00:01:00
/ip firewall mangle
add action=mark-packet chain=prerouting comment="ms list dst" dst-address-list=MS new-packet-mark=ms passthrough=no
add action=mark-packet chain=prerouting comment="ms list src" new-packet-mark=ms passthrough=no src-address-list=MS
/queue simple
add max-limit=1M/1M name=MS packet-marks=ms target=ether1-WAN time=6h-23h59m59s,sun,mon,tue,wed,thu,fri,sat
Does it work for Windows 10 updates? Yes, Windows 10 updates hog all the bandwidth when downloading and you can’t even surf.
Instead of a script, couldn’t this work with an address list?
Yes, because in later ROS address lists are dynamic too if you place a name instead of an IP.
I can’t remember from which version onward this feature was added.
Update. …
I found it: 6.36
firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);
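As an added example (not from any post in this thread), this is what the domain-name address-list approach from 6.36 looks like, reusing the same list name MS so the mangle rules and simple queue already posted above keep working unchanged. The hostnames are assumptions: check which names your own clients resolve (for instance with /ip dns cache print where name~"windowsupdate") before relying on them, and the second part is a small check script that reports how many addresses the router actually resolved.

```routeros
# Added example: populate the MS address list from domain names instead of
# the scheduled DNS-cache script. RouterOS (6.36+) resolves each name itself
# and adds dynamic entries (flag D) that expire with the DNS TTL.
# The hostnames below are assumptions; replace them with the names seen
# in your own DNS cache.
/ip firewall address-list
add list=MS address=download.windowsupdate.com comment="WU (assumed hostname)"
add list=MS address=update.microsoft.com comment="WU (assumed hostname)"
add list=MS address=windowsupdate.microsoft.com comment="WU (assumed hostname)"

# Check script (paste into a new /system script, or run from the terminal):
# counts the dynamically resolved entries so you can see the list is filling.
:local n [:len [/ip firewall address-list find where list=MS and dynamic=yes]]
:log info ("MS list has $n dynamically resolved address(es)")
/ip firewall address-list print where list=MS
```

One caveat: the router resolves these names with its own DNS client, and for CDN-hosted names the answer it gets may differ from what a client would get. Keeping the DNS redirect rule from the posted config, so that clients use the router's resolver and cache, keeps the two views consistent.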
Ok - so the network is dead/saturated slow.
If you can’t fix the network, then you may want to consider building a Squid caching proxy server.
A correctly configured Squid server can burst up to full Ethernet interface speeds on cache hits thus saving Internet WAN bandwidth.
A Squid cache miss can go into cache so that the next person doing the same thing ends up with a cache hit.
Point taken. With a squid you can also throttle WU. Been there done that, got the T-Shirt
A proxy doesn’t solve the saturated line problem; it only alleviates the traffic after it’s been cached. The first time it’s downloaded you still want to throttle the line speed. To configure Squid to act as a WSUS is a fine art (and doesn’t always work). Windows 10 updates are distributed between Win10 machines on the LAN, thus using a proxy server to cache Win10 updates doesn’t make sense.
In fact, with so many sites moving to HTTPS (443), not a lot gets cached.
In the place I live we have ADSL and VDSL. There are hotels with 5 Mbps download and 1 Mbps upload and I have to share this line for customers’ free internet. Yes, Windows Update is a bandwidth hog after all. Customers didn’t come to the hotel to upgrade their laptop or PC lol
This is working perfectly for me; thanks! I was able to use the layer 7 protocol to mark packets and fit them into my queue tree. Now I can browse the web and check email on my $100/month 500 Kbps Internet connection (yes, that’s about 0.5 Mbps – buying my way out of this performance problem is not in my budget). Windows updates will still get installed – as they must – but their multitude of TCP connections will have limited impact on my foreground tasks instead of making the Internet unusable.
Yes, this is working for me too. When my W10 PC at home starts downloading updates, even internet radio stops playing. I made a simple queue with half my total bandwidth and it works. Nice.