Why does one client bring down entire network?

I noticed when one client’s radio is enabled, he brings down all other 7 clients, causing timeouts. I’ve set AP TX and Client TX limits, but it doesn’t seem to make much difference.

Looking at the 15 second snapshot of clients traffic, there are 215 destinations with loads of small packets.

What else can I do to limit this client from timing out rest of the clients?
I was using RB333/XR2 with v3.2 but tried 4.2 without any improvement.

Looking at the packets, they seem to be P2P connections. So I tried to limit using firewall rules below but making no dent:

   ;;; P2P Connections Limit to 10
   chain=forward action=add-src-to-address-list p2p=all-p2p address-list=P2P_Users
     address-list-timeout=12h

   chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=P2P_Users src-port=1025-65535
     connection-limit=10,32

   chain=forward action=drop tcp-flags=syn protocol=tcp src-address-list=P2P_Users dst-port=1025-65535
     connection-limit=10,32

   chain=forward action=drop tcp-flags=syn protocol=tcp dst-address-list=P2P_Users src-port=1025-65535
     connection-limit=10,32

   chain=forward action=drop tcp-flags=syn protocol=tcp dst-address-list=P2P_Users dst-port=1025-65535
     connection-limit=10,32

With firewall rules, it doesn’t seem to help at all. I’ve also tried Simple Queues from the Wiki, but all those packets are still there in IP Traffic Accounting, and they still time out the other clients. Does anyone have any suggestions?

/ interface bridge settings
set use-ip-firewall=yes
/ ip firewall mangle 
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes
add chain=prerouting connection-mark=http_conn action=mark-packet new-packet-mark=http passthrough=no
add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes
add chain=prerouting connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=no
add chain=prerouting action=mark-connection new-connection-mark=other_conn passthrough=yes
add chain=prerouting connection-mark=other_conn action=mark-packet new-packet-mark=other passthrough=no
/queue simple 
add name="main" target-addresses=a.b.c.d max-limit=256k/1M
add name="http" parent=main packet-marks=http max-limit=256k/1M priority=1
add name="p2p" parent=main packet-marks=p2p max-limit=64k/64k priority=8
add name="other" parent=main packet-marks=other max-limit=256k/1M priority=4
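An added example, not from this thread or from RouterOS itself: a small script that takes a per-flow snapshot like the 15-second one described above (the line format "src dst proto packets bytes" is assumed, and the flows are constructed, not captured) and reports which client is fanning out to hundreds of destinations with small packets or holds more flows than a connection-limit=150,32 rule would allow.

```python
from collections import defaultdict

# Constructed 15-second flow snapshot (not real capture data).
# Assumed format: "src dst proto packets bytes", one flow per line.
NORMAL_FLOWS = [
    "10.0.0.11 93.184.216.34 tcp 40 52000",   # web browsing, large packets
    "10.0.0.11 198.51.100.9 tcp 25 31000",
    "10.0.0.13 198.51.100.20 udp 300 48000",  # VoIP: many packets, one peer
]
# One client talking to 215 peers with ~90-byte packets, as in the thread.
P2P_FLOWS = [f"10.0.0.12 203.0.113.{i} udp 6 540" for i in range(1, 216)]
SNAPSHOT = "\n".join(NORMAL_FLOWS + P2P_FLOWS)


def parse_snapshot(text):
    """Parse flow lines into (src, dst, proto, packets, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, packets, nbytes = line.split()
        flows.append((src, dst, proto, int(packets), int(nbytes)))
    return flows


def summarize(flows):
    """Per-source: distinct destinations, flow count, packets, mean packet size."""
    per_src = defaultdict(lambda: {"dst": set(), "flows": 0, "pkts": 0, "bytes": 0})
    for src, dst, _proto, packets, nbytes in flows:
        s = per_src[src]
        s["dst"].add(dst)
        s["flows"] += 1
        s["pkts"] += packets
        s["bytes"] += nbytes
    return {src: {"destinations": len(s["dst"]), "flows": s["flows"],
                  "packets": s["pkts"], "avg_packet_bytes": s["bytes"] / s["pkts"]}
            for src, s in per_src.items()}


def flag_clients(summary, max_flows=150, min_avg_bytes=200, min_fanout=50):
    """Sources over the connection-limit=150,32 style flow cap, or with a wide
    fan-out of mostly small packets (the pattern the thread describes)."""
    return sorted(src for src, s in summary.items()
                  if s["flows"] > max_flows
                  or (s["destinations"] >= min_fanout and s["avg_packet_bytes"] < min_avg_bytes))


if __name__ == "__main__":
    summary = summarize(parse_snapshot(SNAPSHOT))
    for src in flag_clients(summary):
        print(src, summary[src])
```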

You can do two things:

Limit his number of connections entirely - but how much data is he pushing?

The better solution is to upgrade all your CPE to 3.30 + wireless beta package and enable RTS/CTS (See this post)

I think that this will most likely solve your issue.

http://forum.mikrotik.com/t/rts-cts-insane-improvements/33433/1

Let us know how you get on

I already commented on the above referenced post but let me do so here again.

If you are running Nstreme with polling you don’t need/want RTS. If you are not running Nstreme then you need to use RTS. Set it ONLY on the CPE side. NOT on the AP side. You do not need to run 3.30 on the AP for it to support RTS.

You can follow the comments on the post I mentioned by watching that post.

Otherwise we have also used this to control torrenters connections.

chain=forward action=drop protocol=tcp connection-limit=150,32

This does cause issues for the customer if they are torrenting and trying to surf at the same time though.

Are you sure it’s legit traffic and not a virus/trojan/zombie?

What are these AP and Client TX limits you speak of?
I hope you didn’t manually reduce the air rates, that will only make things worse.

You MUST do all traffic shaping on the CPE, not AP, side in this case.

The clients are UBNT 3.4, and they have “RTS Threshold” and “Fragmentation Threshold” set to default. I’ve set RB333 “Hw. Protection Mode: rts cts” and set NS2’s “RTS Threshold=512” and “Fragmentation Threshold=1173”, and now I cannot access the client to make changes; I will have to visit him and do it onsite. What would you recommend for starting off RTS values?

Also trying connection-limit=150,32 as suggested, but don’t see any dropped packets. And still timing out…

He’s not xfering much data; it seems more like lots of packets. Plus I have his bandwidth capped to 1M/256K from both the AP side and the client side.

Thanks.

If I am not mistaken the RTS/CTS is off by default.
Uncheck the off box.

This will enable the client to request to send data.
The problem you are encountering is due to the fact that this client continues to broadcast, ultimately deafening the AP to the other clients.

Yes, I’ve even visited the client side and had them scan all the PC’s. They seem to be clean. Looking at the packets, it’s mostly port 80, all-p2p, and communication services such as VoIP, Messengers, etc.

mac-address=aa:bb:cc:dd:ee:ff interface=wlan1 signal-range=-120.120 authentication=yes forwarding=yes ap-tx-limit=1000000 client-tx-limit=256000 private-algo=none
private-key="" private-pre-shared-key="" management-protection-key=""

Air rates are all left alone at defaults.

Also have at client side, on NS2 limited bandwidth to 1M/256K.

With it being off, the default value for RTS is 2346. What would you recommend for its value? I tried 512 and although it’s connected to the AP, it locked me out. I’m gonna have to make a visit onsite to reset it. This was prior to enabling on the AP side “Hw Protection Mode=rts cts”; enabling it on the AP side didn’t allow me to access the client’s radio.

You shouldn’t activate it on the AP side, only the client side.

We use 256k for RTS and 768 for frag on our Ubiquiti radios and EWMA for the algorithm.

hii

yes

256K not 256? 256K is much higher than default 2346. Could you explain why such a high value please?

I’m guessing just a typo… Easy to do after typing 256k a thousand times a day :)

typo it is, my bad.

Doesn’t the smaller packet size for RTS cause the client to get the AP’s attention more often? So do you put higher RTS Threshold and Fragmentation Threshold values for the clients with high P2P use and lower values for the rest of the clients?

That’s the point, you want the client to get the AP’s attention. In a congested number you lower the number.

As much as I have experienced using Mikrotik, it is only because of a Virus/Trojan which sometimes goes undetected. Secondly, a client can bring down your entire sector if it has Torrents uploading data. If you are talking about multiple computers on the client side and quite a few use Torrents and are simultaneously browsing data, there is nothing you can do. Switch over to a PtP link instead of giving the connection through your Mikrotik. Nano is an excellent client, hence no issues with that. See my earlier posts; I faced similar problems but no one could give me a solution. I tried to look for reasons myself and came up with this conclusion, because so far no one could suggest a positive working solution.

Your suggestion is a bandaid fix which doesn’t address the core issue.