jwamsley
just joined
Topic Author
Posts: 20
Joined: Thu Jan 25, 2007 12:38 am

Windows 10 updates killing my network

Thu Sep 15, 2016 6:31 pm

I have been using Mikrotik routers for about a year with simple queues to regulate traffic. All was fine and great until recently when we made the decision as a company to go to Windows 10 to take advantage of the "Free" upgrade. We have turned off the sharing of updates on the internet on all PCs, so I am sure it isn't that causing the problem. Since the Anniversary Update has come out, it is killing my network bandwidth. I have six locations with a total of 150 Windows PCs on 10M MPLS with Mikrotik routers that are directed to a colo that has a Mikrotik RB1100AH. I can see the traffic, but the traffic isn't regulated by the queues. I have a queue for Windows updates coming from 13.107.4.50 set at 1M and when I torch it is over 3M. I have been watching for new IP addresses the PCs try to download updates from and keep adding 512K queues to try to Band-Aid the issue. 512K seems to keep the traffic below 2M. The problem I am having is one person can take down a branch unknowingly with Windows automatically updating. I have done a Google search and see others having this issue using different routers, but have not seen it on Mikrotiks.

Anybody else having this issue? Any fixes to be shared?
 
pe1chl
Forum Guru
Posts: 6237
Joined: Mon Jun 08, 2015 12:09 pm

Re: Windows 10 updates killing my network

Thu Sep 15, 2016 7:48 pm

In the past you could alleviate this by setting up a proxy server that would cache the update files.
This no longer works because everyone has gone "encrypted" even for situations like this where it makes no sense.
Turning off sharing of updates will have only made it worse for you, as some of the downloading would have remained local.
I think the only thing you can do is download the update manually and install it on all PCs so they won't download it.
When your queues don't work, make sure they are not being cut around by fastpath/fasttrack. Disable it and see if
that solves your queue issue.
 
che
Frequent Visitor
Posts: 94
Joined: Fri Oct 07, 2005 1:04 pm

Re: Windows 10 updates killing my network

Thu Sep 15, 2016 9:39 pm

Hello, this same thing was driving me crazy as well, so I gathered all Microsoft's BGP prefixes and created an access list in order to block them completely - during hours I don't want them to spend my traffic. Windows update does not work, web access to Bing does not work, no Microsoft telemetry works, Skype doesn't work. The only things that work are some MS localized websites since they are not always hosted in their own AS's.

The list was compiled a month ago from a fresh LG on the internet, and here it is in a MikroTik-friendly format that allows you to do whatever you like with scheduling Windows machines' access to Microsoft services (selectively allowing them to update in a certain time frame, or shaping/throttling bandwidth):
You would probably want to allow Skype to communicate, so here is a short exclude list that allows basic Skype connectivity (no file transfer, etc.). You can inspect traffic in your network further and broaden the list in order to allow full Skype functionality; just add the whole respective IP clusters instead of only the one destination address that Skype is trying to reach.
/ip firewall address-list add list=skype address=40.64.0.0/10
/ip firewall address-list add list=skype address=23.96.0.0/14
/ip firewall address-list add list=skype address=64.4.0.0/18
/ip firewall address-list add list=skype address=65.52.0.0/14
/ip firewall address-list add list=skype address=157.55.0.0/16
Che
 
barkas
Member Candidate
Posts: 260
Joined: Sun Sep 25, 2011 10:51 pm

Re: Windows 10 updates killing my network

Fri Sep 16, 2016 8:33 am

WSUS
 
kajolrock
just joined
Posts: 5
Joined: Fri Sep 15, 2017 5:32 pm

Re: Windows 10 updates killing my network

Tue Dec 05, 2017 3:02 pm

You can try this

/ ip firewall filter
add action=reject chain=forward comment="block_Win_Update" content=update.microsoft.com disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward comment="block_Win_Update" content=download.microsoft.com disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward comment="block_Win_Update" content=download.windowsupdate.com disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward comment="block_Win_Update" content=wustat.windows.com disabled=no
add action=reject chain=forward comment="block_Win_Update" content=stats.microsoft.com disabled=no
add action=reject chain=forward comment="block_Win_Update" content=ntservicepack.microsoft.com disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward comment="block_Win_Update" content=windowsupdate.com disabled=no reject-with=icmp-network-unreachable
 
pe1chl
Forum Guru
Posts: 6237
Joined: Mon Jun 08, 2015 12:09 pm

Re: Windows 10 updates killing my network

Tue Dec 05, 2017 3:43 pm

I would not recommend blocking by address (because you do not know the addresses, and the blocks contain a lot of other services)
and also not those blocks on content with some generic domain names that could appear in other requests as well.

I have some success with identifying the MSDO protocol using this rule:
/ip firewall layer7-protocol
add name=MSDO regexp=User-Agent:.Microsoft-Delivery-Optimization
And then marking traffic as low-priority using:
/ip firewall mangle
add action=mark-connection chain=postrouting comment=\
    "Microsoft Delivery Optimization" connection-mark=no-mark dst-port=80 \
    layer7-protocol=MSDO new-connection-mark=cs1 out-interface-list=internet \
    passthrough=yes protocol=tcp
This connection mark is then used to change the DSCP of those packets to CS1:
add action=change-dscp chain=postrouting comment=\
    "Set DSCP based on connection markings" connection-mark=cs1 new-dscp=8 \
    passthrough=yes
Using the DSCP value you can then assign a priority to the packet and use a low-limit queue to limit the traffic
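
Added example (not part of pe1chl's post and not code from anyone in the thread): a Python comparison of the `content=` substring rules posted earlier with the MSDO layer-7 regexp, run over constructed payloads. Python's `re` stands in for the router's regex matcher, and every host, path and user-agent string other than the regexp and the `content=` strings themselves is made up for illustration.

```python
import re

# The `content=` strings from the filter rules posted in the thread.
CONTENT_PATTERNS = [
    b"update.microsoft.com",
    b"download.microsoft.com",
    b"download.windowsupdate.com",
    b"wustat.windows.com",
    b"stats.microsoft.com",
    b"ntservicepack.microsoft.com",
    b"windowsupdate.com",
]

# The layer7-protocol regexp from the thread. Assumption: Python's `re` gives
# the same result as the router's matcher for this simple pattern.
MSDO_REGEX = re.compile(rb"User-Agent:.Microsoft-Delivery-Optimization")


def content_hits(payload):
    """Strings a `content=` rule would find: plain substring search, any port."""
    return [p.decode() for p in CONTENT_PATTERNS if p in payload]


def msdo_mark(protocol, dst_port, payload):
    """Mirror the mangle rule's matchers: protocol=tcp, dst-port=80, layer7-protocol=MSDO."""
    return (protocol == "tcp" and dst_port == 80
            and MSDO_REGEX.search(payload) is not None)


# Constructed sample traffic: (protocol, destination port, first payload bytes).
SAMPLES = {
    # Delivery Optimization fetch from a host that is in none of the content strings.
    "msdo_download": ("tcp", 80,
        b"GET /files/constructed-package.cab HTTP/1.1\r\n"
        b"Host: cdn.example.net\r\n"
        b"User-Agent: Microsoft-Delivery-Optimization/10.0\r\n\r\n"),
    # A user searching a forum for an error message: not update traffic at all.
    "forum_search": ("tcp", 80,
        b"GET /search?q=windowsupdate.com+error HTTP/1.1\r\n"
        b"Host: forum.example.org\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n"),
    # Cleartext download from a listed host with a different (made-up) client.
    "listed_host": ("tcp", 80,
        b"GET /constructed/path.cab HTTP/1.1\r\n"
        b"Host: download.windowsupdate.com\r\n"
        b"User-Agent: Example-Update-Client/1.0\r\n\r\n"),
    # Encrypted TLS application data: nothing readable for either matcher.
    "tls_record": ("tcp", 443, b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0))),
}


def classify(samples):
    """Return, per sample, which content strings hit and whether MSDO marking applies."""
    return {
        name: {"content": content_hits(payload),
               "msdo": msdo_mark(proto, port, payload)}
        for name, (proto, port, payload) in samples.items()
    }


if __name__ == "__main__":
    for name, result in classify(SAMPLES).items():
        print(f"{name:14} content={result['content']} msdo={result['msdo']}")
```
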
 
ErfanDL
Member Candidate
Posts: 298
Joined: Thu Sep 29, 2016 9:13 am
Location: IRAN

Re: Windows 10 updates killing my network

Tue Dec 05, 2017 8:47 pm

Is there any way for Windows 10?
