Long story short… I have 8 DSL lines that I am combining using 2 RB2011UAS-IN… each is a gateway in my network and I manually assign people to a gateway.
This config is working great until I enable my L7 rules to stop torrent downloads. When I turn them on the processor load is very sporadic! It will jump from 4-7% to 100% and then reboot. Sometimes 5 times an hour.
We disabled the L7 rules and the problems stopped. We want a router that will support all 8 of our lines on a single router with 1 local port that we can take to our other switch. I understand that the RB2011UAS-IN has 2 switch groups and I have not figured out how to group them so that I can use the ports as described above. However, from what I am seeing now I need something with more horsepower than the RB2011UAS-IN to process the L7 rules.
We have about 150 clients using the 2 RB2011UAS-IN right now.
Any insight into what RouterBoard we should upgrade to would be AWESOME!
I would be looking at either the Cloud Core Router or Cloud Core Switch.
However, L7 application firewalling is very CPU intensive. You might want to consider something like a Barracuda firewall etc., which is specifically designed for such control. Just a suggestion.
Are you afraid of people "stealing" all the bandwidth? Use PCQ queues to divide the bandwidth fairly and let everyone do whatever (s)he wants to do with it. And with encryption they will be able to find a way around it anyway.
Or is this due to legal issues? Like you don't want to get into trouble because those people are sharing copyright-protected content over your connection? In that case I suggest communicating a clear policy to your users that file sharing is forbidden. There is no need to find all torrent traffic. It's sufficient to find some connections per client to detect policy violations and put the client's IP on an address list. This address list can be used to block the access for those who are violating the rule.
L7 rules are heavy. If you use them try to apply them only on a small proportion of the traffic. For example by whitelisting known traffic earlier in the ruleset.
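A concrete RouterOS layout of the two suggestions in this reply (whitelist cheap, known-good traffic before any L7 rule, flag violators on an address list so later packets are handled by a cheap lookup, and PCQ for fair sharing). This is an added example, not configuration posted by anyone in the thread. It assumes RouterOS v6 CLI syntax, a LAN bridge named bridge-lan with 192.168.88.0/24 behind it, and an aggregate of 24M down / 2400k up (eight 3 Mbit/0.3 Mbit lines fully used) for the queue limit; the Layer7 regexp is a placeholder to be replaced with a pattern from a source you trust.

```routeros
# Added example (RouterOS v6 CLI), not configuration from the thread.
# Assumptions: LAN bridge "bridge-lan", LAN subnet 192.168.88.0/24,
# aggregate WAN capacity 24M down / 2400k up (eight 3M/0.3M lines).

/ip firewall layer7-protocol
# Placeholder: paste a bittorrent regexp from a source you trust.
add name=bittorrent regexp="<bittorrent-regexp-placeholder>"

/ip firewall address-list
# Hosts that must never be inspected (example address, adjust to taste).
add list=l7-skip address=192.168.88.10 comment="office server"

/ip firewall mangle
# 1. Cheapest checks first. A client that is already flagged gets its new
#    connections marked by an address-list lookup, not by the regexp engine.
add chain=prerouting in-interface=bridge-lan src-address-list=p2p-violators \
    connection-state=new action=mark-connection new-connection-mark=p2p \
    passthrough=no comment="already flagged: no L7 needed"
# 2. Whitelist known traffic so it never reaches the L7 matcher.
#    'accept' in mangle simply stops further mangle processing.
add chain=prerouting in-interface=bridge-lan src-address-list=l7-skip action=accept
add chain=prerouting in-interface=bridge-lan protocol=udp dst-port=53,123 \
    action=accept comment="DNS, NTP"
add chain=prerouting in-interface=bridge-lan protocol=tcp \
    dst-port=25,80,110,143,443,465,587,993,995 action=accept comment="web and mail"
# 3. Only what is left is inspected. A hit puts the client on an address
#    list for an hour; the connection itself is marked so filter can drop it.
add chain=prerouting in-interface=bridge-lan layer7-protocol=bittorrent \
    action=add-src-to-address-list address-list=p2p-violators \
    address-list-timeout=1h passthrough=yes
add chain=prerouting in-interface=bridge-lan layer7-protocol=bittorrent \
    action=mark-connection new-connection-mark=p2p passthrough=no

/ip firewall filter
# Drop marked connections; the per-packet cost here is a mark lookup, not a regexp.
add chain=forward connection-mark=p2p action=drop comment="flagged torrent connections"
# Optional stricter policy from the reply: cut off flagged clients entirely.
# add chain=forward src-address-list=p2p-violators action=drop

/queue type
# pcq-rate=0: no per-client cap, the pool is divided equally between active clients.
add name=pcq-download kind=pcq pcq-classifier=dst-address pcq-rate=0 pcq-limit=50
add name=pcq-upload kind=pcq pcq-classifier=src-address pcq-rate=0 pcq-limit=50

/queue simple
# max-limit is upload/download; set it to the capacity you actually get.
add name=lan-fair-share target=192.168.88.0/24 \
    queue=pcq-upload/pcq-download max-limit=2400k/24M
```

Order matters: rules 1 and 2 are address, port and state lookups, so the regexp in rule 3 only ever runs on traffic that is neither already known-good nor from a client that has already been caught. The Layer7 matcher only examines the first packets of a connection and cannot see inside encrypted peer traffic, which is why the address list, not the regexp, is what keeps a persistent offender from costing CPU on every new connection.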
We service a small American/Canadian community in Baja California. The main ISP here is TelMex, however they do not offer services in our area… So we use wireless to get internet to the 150 homes here from the main town about 5 miles away. Our main problem is that the FASTEST internet we can get is 3MB DSL. We now have 12 of these lines located at 3 different locations. Each location has a MikroTik and then sent to our main tower via 5GHz backhaul.
Where we need help now is in the configuration of the MikroTik routers. We would like a recommendation for a consultant who knows the programming well. We have 2 RB2011UiAS and 1 RB1100AHx2.
Our current issues: we use PCC to combine the DSL modems.
• People cannot connect to FTP servers from any of the MikroTiks
• Several of our clients want to use VPN services like HideMyAss or StrongVPN to spoof the IP address so they can use services like NetFlix and Pandora. But they say that the connections are SO slow they are not useable when they are connected to the VPN from the MikroTik routers… if I put them on a standalone modem they are useable… but still slow due to the fact that they are limited to 3MB down and .3 up.
• Due to the slowness of our internet we MUST block torrent services and I would personally like to block speedtest.net (people have a tendency to notice that the internet is slow… so they go do a speed test and email me the results. I get 30-40 emails per day with speed test results! I know the internet is slow… multiple people running speed tests is only going to make it SLOWER)
• Right now we have 4 WAN ports and 1 LAN port on each of the routers… we would like to use the unused ports as alternate LAN ports if possible.
I'm pretty sure this is a possible configuration… and we would like to pay someone to do a remote session and set it up for us… any referrals would be AWESOME! Feel free to send me a private message so email addresses or phone numbers are not public.
Thanks again for everyone's help in the community!
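Two of the items in the list above (extra LAN ports, and blocking speedtest.net without the CPU cost of an L7 rule) can be expressed directly in RouterOS. This is an added example, not configuration from the poster or from anyone else in the thread. It assumes RouterOS v6 CLI syntax, that the four modems sit on ether1-ether4, that the existing LAN port is ether5 with 192.168.88.1/24 on it, that ether6-ether10 are unused, and that the LAN bridge is called bridge-lan.

```routeros
# Added example (RouterOS v6 CLI), not configuration from the thread.
# Assumptions: WAN modems on ether1-ether4, current LAN port ether5 with
# 192.168.88.1/24, spare ports ether6-ether10, LAN bridge "bridge-lan".

/interface bridge
add name=bridge-lan comment="all LAN-facing ports"

/interface bridge port
# Every port in the bridge behaves as one LAN segment.
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=ether6
add bridge=bridge-lan interface=ether7
add bridge=bridge-lan interface=ether8
add bridge=bridge-lan interface=ether9
add bridge=bridge-lan interface=ether10

# Move the LAN address and the DHCP server from ether5 to the bridge
# (remove the old /ip address entry on ether5 first).
/ip address
add address=192.168.88.1/24 interface=bridge-lan
/ip dhcp-server
set [find interface=ether5] interface=bridge-lan

# Blocking a site by name without Layer7: address-list entries given as a
# name are resolved by the router periodically, and the filter rule is then
# a plain address lookup on each packet.
/ip firewall address-list
add list=blocked-sites address=speedtest.net
add list=blocked-sites address=www.speedtest.net

/ip firewall filter
add chain=forward in-interface=bridge-lan dst-address-list=blocked-sites \
    action=reject reject-with=icmp-network-unreachable comment="policy: no speed tests"
```

Two caveats. The RB2011 has two switch groups, so ports from the same group can be switched in hardware, while traffic between ether5 and the ether6-ether10 group is bridged by the CPU; on a router that is already CPU-bound this is worth measuring. And a name-based address list only covers the addresses the router's own resolver returns for those names, so test hosts served from other domains are not caught; that is the trade-off for not running a regexp on every connection.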
Better connectivity is not an option. We have looked into sat links… and they are all metered. E1/T1 lines here cost 1500USD per month for 2M up/down with a 3 year contract. Cable is not available. No fiber links. Our options are not very vast unfortunately.