Zorb
just joined
Topic Author
Posts: 15
Joined: Fri Oct 09, 2020 1:41 am

New HAP ac2 as ATT Bridge (slow, sites not loading)

Fri Oct 09, 2020 5:50 pm

Hey all,

I managed to copy the script from @pcunite to get my hap ac2 to Bridge/bypass the ATT RG.
I was using an Edgerouter X but it maxed out the CPU fairly easily.
Current hardware is now the HAP AC2 into ruckus ICX 7150 into two Ruckus Unleashed R510s

Well afterwards I can't connect to most sites. Facebook, speedtest.net, many others don't load or load very slowly.
Did some googling and tried to add a script to "clamp mtu to mss passthrough" or something like that. It seemed to help me get to Facebook and a few others but still very slow.

Dslreports randomly says I've rejected a file and it has to start over

Speeds are about 180Mb/s down and 100 up(wifi) but I was getting close to 250/250 with the edgerouter and cpu maxed out. Bufferbloat is very high according to the dslreports test as well.
Hap ac2 cpu hasn't gone over 13% load.

Firewall? Mangle? Mtu/udp issues? Hw offloading?
Not sure where to start to fix the connection/speed issues.
Last edited by Zorb on Fri Oct 09, 2020 8:09 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 5299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New HAP ac2 as ATT Bridge

Fri Oct 09, 2020 5:57 pm

/export hide-sensitive file=anynameyouwish
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Zorb
just joined
Topic Author
Posts: 15
Joined: Fri Oct 09, 2020 1:41 am

Re: New HAP ac2 as ATT Bridge

Fri Oct 09, 2020 6:14 pm

/export hide-sensitive file=anynameyouwish
Okay I will do this at lunchtime.
I think where I went in over my head was in order to get the bridge lan/wan stuff to work I had to start from clean with no default settings.. booting into default config and trying to run the script for the bridge was not working..
More weird stuff includes only one of my two Nest cameras being able to connect to the internet lol.
 
Zorb
just joined
Topic Author
Posts: 15
Joined: Fri Oct 09, 2020 1:41 am

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Fri Oct 09, 2020 7:02 pm

/export hide-sensitive file=anynameyouwish
# oct/09/2020 11:01:34 by RouterOS 6.47.4
# software id = 1UKD-N09V
#
# model = RBD52G-5HacD2HnD
# serial number = CDFE0C5BA870
/interface bridge
add name=Bridge_LAN protocol-mode=none
add admin-mac=(ATT RG's MAC ADDRESS) auto-mac=no igmp-snooping=yes name=Bridge_WAN \
    protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_LAN ranges=192.168.88.10-192.168.88.254
add name=dhcp ranges=192.168.88.3-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no \
    interface=Bridge_LAN lease-time=2d name=dhcp_LAN
add address-pool=dhcp disabled=no interface=Bridge_WAN name=dhcp1
/interface bridge port
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2 pvid=222
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
/interface list member
add interface=wlan2 list=WAN
add list=LAN
add interface=Bridge_WAN list=LAN
/ip address
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
add address=192.168.88.1/24 interface=Bridge_LAN network=192.168.88.0
/ip dhcp-client
add disabled=no interface=wlan2
add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=4.4.4.4,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow established related" \
    connection-state=established,related
add action=accept chain=input comment="Allow LAN" in-interface=Bridge_LAN
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Allow established related" \
    connection-state=established,related
add action=accept chain=forward comment="Allow LAN" connection-state=new \
    in-interface=Bridge_LAN
add action=accept chain=forward comment="Allow port forwards" \
    connection-nat-state=dstnat in-interface=Bridge_WAN
add action=drop chain=forward comment="Drop all other forward"
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masq" out-interface=\
    Bridge_WAN
/system clock
set time-zone-name=America/Chicago
/system scheduler
add name=OnRebootATT on-event=":delay 30\r\
    \n/system script run OnRebootATT" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=no name=OnRebootATT owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_OnRebootATT\r\
    \n\r\
    \n:log info \"Script: Starting OnRebootStartATTRG\";\r\
    \n:delay 5\r\
    \n\r\
    \n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\
    \n/interface bridge set Bridge_WAN pvid=111\r\
    \n\r\
    \n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\
    \n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvi\
    d=1\r\
    \n/interface ethernet enable ether2\r\
    \n\r\
    \n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to \
    sync\";\r\
    \n:delay 180\r\
    \n\r\
    \n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\
    \n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvi\
    d=222\r\
    \n/interface ethernet disable ether2\r\
    \n\r\
    \n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shu\
    tting down. Enjoy your router.\";\r\
    \n/interface bridge set Bridge_WAN pvid=1\r\
    \n"
 
anav
Forum Guru
Posts: 5299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Fri Oct 09, 2020 10:00 pm

Yeah your config is hosed, has some conflicting issues, will look at it later
 
Zorb
just joined
Topic Author
Posts: 15
Joined: Fri Oct 09, 2020 1:41 am

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Fri Oct 09, 2020 10:39 pm

Yeah your config is hosed, has some conflicting issues, will look at it later
Thank you!
I have no idea what's going on.
Would love to reset it to default but if I do that and run the script to do the bridge it says the interface is in use, and if I delete the existing bridge it disconnects and I can't get back in with winbox and I have to do a hard reset with netinstall...
 
gnro
newbie
Posts: 32
Joined: Sun Aug 05, 2018 9:52 am

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Fri Oct 09, 2020 10:52 pm

At a quick look the problem seems to be that you are using lan ip 192.168.88.1 on two interfaces.
To make it work correctly you at least should remove/disable the ether1 ip, exactly this:
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
Other spotted: one too many dhcp pool, one dhcp server running on Bridge_Wan.
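
The three problems listed in the post above (one address on two interfaces, an extra pool, a DHCP server on Bridge_WAN) can be checked mechanically. The following Python audit is an added example, not part of the original thread or of RouterOS; its sample input is a constructed excerpt reduced from the export posted earlier, and treating a masquerade rule's out-interface as the WAN side is an assumption of the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a reduced excerpt modelled on the export posted in the thread.
SAMPLE_EXPORT = r"""
/ip pool
add name=pool_LAN ranges=192.168.88.10-192.168.88.254
add name=dhcp ranges=192.168.88.3-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no \
    interface=Bridge_LAN lease-time=2d name=dhcp_LAN
add address-pool=dhcp disabled=no interface=Bridge_WAN name=dhcp1
/ip address
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
add address=192.168.88.1/24 interface=Bridge_LAN network=192.168.88.0
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masq" out-interface=\
    Bridge_WAN
"""

# key=value pairs; a value is either a quoted string or a run of non-space characters.
PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_export(text):
    """Return {menu path: [ {key: value}, ... ]} for the add/set lines of an export."""
    logical, pending = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:
            # Continuation: the export wraps with a trailing backslash and indents
            # the next line, sometimes in the middle of a word.
            line = pending + line.lstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = None
        logical.append(line.strip())

    menus, menu = defaultdict(list), None
    for line in logical:
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
        elif menu and line.split(" ", 1)[0] in ("add", "set"):
            menus[menu].append({k: v.strip('"') for k, v in PAIR.findall(line)})
    return menus


def pool_ranges(value):
    """Turn 'a-b,c-d' into a list of (low, high) integer pairs."""
    out = []
    for part in value.split(","):
        lo, _, hi = part.partition("-")
        out.append((int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))))
    return out


def audit(text):
    """Return a list of findings as tuples: (check name, detail, detail)."""
    cfg = parse_export(text)
    findings = []

    # 1. The same IP address enabled on more than one interface.
    by_ip = defaultdict(set)
    for e in cfg["/ip address"]:
        if e.get("disabled") != "yes" and "address" in e:
            by_ip[e["address"].split("/")[0]].add(e.get("interface", "?"))
    for ip, ifaces in sorted(by_ip.items()):
        if len(ifaces) > 1:
            findings.append(("duplicate-address", ip, tuple(sorted(ifaces))))

    # 2. Address pools whose ranges overlap.
    pools = [(e["name"], pool_ranges(e["ranges"]))
             for e in cfg["/ip pool"] if "name" in e and "ranges" in e]
    for i, (a, ra) in enumerate(pools):
        for b, rb in pools[i + 1:]:
            if any(l1 <= h2 and l2 <= h1 for l1, h1 in ra for l2, h2 in rb):
                findings.append(("overlapping-pools", a, b))

    # 3. A DHCP server handing out leases on the upstream side.
    #    Assumption: the masquerade out-interface is the WAN interface.
    #    The export prints disabled=no for an enabled server, as in the thread.
    wan = {e["out-interface"] for e in cfg["/ip firewall nat"]
           if e.get("action") == "masquerade" and "out-interface" in e}
    for e in cfg["/ip dhcp-server"]:
        if e.get("disabled") == "no" and e.get("interface") in wan:
            findings.append(("dhcp-server-on-wan", e.get("name", "?"), e["interface"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```
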
 
anav
Forum Guru
Posts: 5299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Fri Oct 09, 2020 10:56 pm

The first question is why a bridge for the WAN??
This adds complexity where it may not be required.
You identify the VLAN to the appropriate ethernet interface (let's assume internet connected on ether1)
You need to add VLAN as part of the WAN interface list.
Why is your bridge wan on a DHCP server list, makes no sense to me.
Do you have two ISPs?? Why are two ether ports connected to the WAN??
Get rid of detect internet or at least limit it to LAN, as it does funky things if you add WAN to it.

Things go downhill rapidly when you do this. Which is it, LOL... the ether1 which you state is part of your WAN, or is it the bridge-lan? Very confusing.
/ip address
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
add address=192.168.88.1/24 interface=Bridge_LAN network=192.168.88.0

All to say you need to draw a network diagram, and we need to better understand how you are getting internet and what is on ether1 and ether2 physically.
 
Zorb
just joined
Topic Author
Posts: 15
Joined: Fri Oct 09, 2020 1:41 am

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Fri Oct 09, 2020 11:35 pm

So the whole thing was set up using the script on this page, listed under the bridge method.
viewtopic.php?t=154954

I'm not really sure where everything else went wrong regarding there being two DHCP pools etc.

Here's a borrowed diagram for how I'm set up right now, eth 3 goes to my ruckus icx7150 which goes to the two APs
BridgeMethod.png
For clarification also, the script disabled eth2 after 180 seconds after the RG has communicated to the ONT, and then my understanding is that the WAN spoofs the MAC address of the RG to take over traffic from the ONT.
 
Zorb
just joined
Topic Author
Posts: 15
Joined: Fri Oct 09, 2020 1:41 am

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Sat Oct 10, 2020 1:05 am

At a quick look the problem seems to be that you are using lan ip 192.168.88.1 on two interfaces.
To make it work correctly you at least should remove/disable the ether1 ip, exactly this:
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
Other spotted: one too many dhcp pool, one dhcp server running on Bridge_Wan.
This might be mostly solved, not 100% sure I don't have other config issues to work on but this post saved me - so here is how I fixed it in case any other noobies end up in this situation.

Based on your suggestions I looked for settings related to DHCP and ether1 interface.
Went in to quickset and unchecked the DHCP button, that didn't help
Went to DHCP pools and found the pool that wasn't created by the script (ranges .3-255 instead of .10-255) and deleted it as there were indeed two.
That immediately made the pages that I could already connect to load MUCH faster, but I still couldn't connect to facebook, this forum, and many more.
Went into IP>Addresses and went to ether1 and marked disable.
boom, can suddenly connect to everything.

Disabled the MTU passthrough thing in mangle, not sure if I need it as it was a suggested workaround but it seemed to make things slower again.

Now I am getting about 200 Mb down 150 Mb up on DSLreports and 200/200 on Google Speed Test.
CPU load capped out at about 10%..
Bufferbloat is really bad still, terrified to try to play Call of Duty on this router cause usually anything over 20 MS bufferbloat ruins the game and I'm seeing 400-1000ms on here.
 
anav
Forum Guru
Posts: 5299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Sat Oct 10, 2020 3:56 am

If anybody is a noob and wants to learn to avoid the OP's mistakes, AVOID going to the internet and pulling stuff from other sources, because you are a noob.
Start with the default setup and come here and let us know what you want to change (deviate from default) and guidance will ensue.

Please please do not use quickset, it's not meant to be used to config the router.
 
anav
Forum Guru
Posts: 5299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Sat Oct 10, 2020 3:59 am

Okay I would like to know what is the ATT RG Thingy? What is significant about vlan 222??
I get the ISP is connected on ether1 (the ont) and assuming internet comes in through that??

Or are you saying you have two separate ISPs??

Is the ruckus a managed switch?? or an access point with extra ports which are wired to other access points??
 
Zorb
just joined
Topic Author
Posts: 15
Joined: Fri Oct 09, 2020 1:41 am

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Sat Oct 10, 2020 4:12 am

The ATT RG is a router gateway supplied by our ISP, it is required according to them. I've been trying to bypass it for months with the ubiquiti edgerouter X and failed.

It's actually an ARRIS BGW210-700
If you plug your router into the ONT it will not validate and you get no internet, and if you just spoof the MAC address it won't work cause the router lacks the certificates required.
So the script basically lets the ONT and Router/gateway do their handshake, some element of the set up is there to hide the HAP's MAC address from the ONT so it doesn't shut itself down, and then disables ether2 and switches everything over. It's a bit above my paygrade to be honest but that's my understanding.

Regarding VLAN=222, I'm not exactly sure how that happened at all cause in the script it is supposed to be PVID=111 but I assume that number is irrelevant
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes
The ruckus is a managed switch I believe... it's an ICX 7150, there's oodles of settings

speaking of which.. trying to find its IP address, and its MAC address isn't listed on the DHCP leases..
Last edited by Zorb on Sat Oct 10, 2020 4:33 am, edited 2 times in total.
 
Zorb
just joined
Topic Author
Posts: 15
Joined: Fri Oct 09, 2020 1:41 am

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Sat Oct 10, 2020 4:22 am

Yeah I derped a bit, but I bought this device solely to run this setup, and without running the script it won't connect to the internet in any way unless I add it behind the RG, at which point it's just a router behind a router so it was kind of hard to work backwards from default settings with it not functional or in the configuration I needed =[
 
Moba
just joined
Posts: 16
Joined: Sun Sep 27, 2020 6:15 pm

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Sat Oct 10, 2020 5:20 am

The Arris has an IP passthrough mode, doesn't it? I believe that in this mode the HAP can get the external IP from it and after everything should function as expected with the default config that was suggested by anav.

The HAP AC2 is quite capable of basic QOS for low latency gaming, but the setup will require a little more work than the ER-X. There's a complete series of tutorials on Youtube on how to do simple QOS. In its simplest form, you use mangle and queues to prioritize web and other traffic, then you fasttrack marked udp packets for ports 3074-3078 for COD (and the ports for other games if required). Less is always more with queues, since everything is done by the CPU. You should also avoid adding unnecessary rules directly to the firewall and using L7 filtering because they will slow down traffic and might add weird latency issues with heavy traffic.

There's also a very easy way to avoid bufferbloat by simply using one simple queue for limiting all traffic with SFQ (a CoDel alternative). Regardless of what method you use, if you have latency issues, it's not the HAP that's the problem...
 
Zorb
just joined
Topic Author
Posts: 15
Joined: Fri Oct 09, 2020 1:41 am

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Sat Oct 10, 2020 8:49 am

Appreciate the reply!
Yes it does have a passthrough mode but nothing will be on the right eth ports in that config, so I was either stuck using the RG in its disreputable bridge mode or configured as I have it now.
As soon as everything is plugged in this way it stops working, and to apply any of the commands in the script the bridge and wan set up by default had to be removed. I tried without resetting everything but removing any of that stuff made the hap disconnect and go dark
I'm sure there's a better way though

And yeah I wasn't assuming the Hap is the issue but just my configuration needing help.
I will look into what you describe!
 
anav
Forum Guru
Posts: 5299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Sat Oct 10, 2020 3:49 pm

Well that is some cool bypass, that clearly I don't understand.
It would take Sob probably a few paragraphs (like Lord of the Ring books long) to put in terms I could understand.
 
Moba
just joined
Posts: 16
Joined: Sun Sep 27, 2020 6:15 pm

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Sat Oct 10, 2020 6:05 pm

I don't have an Arris modem to play with so my help will be very limited, but as you already found out, it's a PITA to bypass according to everything I read about it. I asked about the passthrough because it's the feature used on most modems when you want to use your own router. When you said all ports are wrong after, you mean on the modem?

I understand what pcunite's script cleverly does:

ether1 --> ONT
ether2 --> modem - script is used to authenticate with the ONT and port is turned off after the WAN ip is provided
ether3-ether5 --> your home LAN

However, I wouldn't even bother with the script and just remove the Arris as soon as you get a WAN ip and power everything from a UPS to protect the network from power failure. If you remove the Arris and connect the HAP to the ONT after you have internet, does it work with a default config?

Have you tried the supplicant method from the same thread? There's another simple solution on Youtube which involves leasing a static ip block from your provider. The user claims that it solved all the issues he was having trying to bypass the Arris.

If you absolutely want to use the double bridge method, I would start from scratch with a blank config and configure everything myself troubleshooting at each step. I've been down that path and using someone else's config is opening a big can of worms when you have limited knowledge about ROS. The TKS videos are a good starting point with one caveat for gaming: Do not use L7 if you care about low latency gaming - the HAP is not powerful enough and it's probably bad practice on a home network even with a 4011.
 
Zorb
just joined
Topic Author
Posts: 15
Joined: Fri Oct 09, 2020 1:41 am

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Sun Oct 11, 2020 7:52 am

The supplicant method is a bit more restrictive regarding hardware, allegedly, and I don't have the (802.1x?) certificates needed to do it.
Not sure how you'd go about unplugging the Arris and getting everything working without the script - HAP needs a spoofed MAC address - If you don't use the script to hide the ether2 port then the ATT RG detects duplicate MAC and shuts down.
If HAP is installed behind ATT RG, unplugging the ATT RG without a smooth transition is likely to make it re-authenticate with the ONT.
Idk, I tried many many ways with the Edgerouter X, and it was supposed to be easy on that router.

Really the issue is that I did start with a blank config lol, other than the script and I guess I messed it up trying to enable DHCP and get everything to route/detect each other.
 
Moba
just joined
Posts: 16
Joined: Sun Sep 27, 2020 6:15 pm

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Mon Oct 12, 2020 12:53 am

I was wondering if the modem was polled to keep the connection alive once it receives a WAN ip - I would have tried it because some users alluded to this being possible, but like I said earlier, I don't have an Arris...

Regardless, you have 5 options to get a WAN ip:

1. You connect the HAP behind the modem using the IP passthrough option in the modem (many step by step guides available from ATT users) which requires entering the router's MAC into the modem. Some users report having speed issues, some don't. It's not clear to me why this doesn't work for you as this is by far the easiest option. Without the IP passthrough, like you said, you have a router behind a router, which is a terrible idea, double NAT being the number one reason.
2. You lease a static IP block which will let you setup your devices as you wish by having more than one device connected to the WAN.
3. You bypass the modem using a script, as you are doing now. Maybe anav or another advanced user can explain it better than I can, but all the issues you are having are caused by an invalid configuration: the double bridge being problematic since the small HAP AC2 has only one switch chip which supports 1 bridge with HW offloading (you may use multiple VLANs).
4. You use the supplicant method which requires you to root the modem to retrieve the security certificate and install it on the router.
5. You use pfSense before the modem to bypass it in a similar way as the script you're using now.

The HAP AC2 is capable of routing at much higher speeds than what you are getting with reasonable firewall rules and queues, but testing should be done wired to the router, not over wifi.

So it's not a QOS issue - your HAP is using a clever script that was designed for a router with 2 switch chips (please look at the diagrams for both routers and the Mikrotik Wiki). Once this is resolved, bufferbloat protection takes less than a minute to setup with a single SFQ queue (no mangle rules) and I can guide you for a more advanced config using fasttrack. IMO, trying to setup QOS before you can get close to wire speed with a basic config on the router is a big waste of time...
 
Zorb
just joined
Topic Author
Posts: 15
Joined: Fri Oct 09, 2020 1:41 am

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Fri Oct 16, 2020 5:03 am

Well everything was actually solved except I haven't figured out the QoS stuff yet, speeds are lower than expected since I was maxing the CPU out on the Edgerouter X with smart queue on and getting about 250 Mb and 5-10 ms bufferbloat.
Now I have 225 Mb and 100-500 ms bufferbloat.
I tried the walkthrough on QoS from PCUNITE but I assume I missed something cause it had no effect, I'm probably missing the part where I mark the traffic.


I tried option 1 first, speeds were low, bufferbloat was too high, and I don't really have room for the Arris in my lan closet.
Option 2 would be my next choice.
In my case I've had the arris unplugged for several days now and no issues.
 
Moba
just joined
Posts: 16
Joined: Sun Sep 27, 2020 6:15 pm

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Sat Oct 17, 2020 12:52 am

So you removed the Arris and connected the HAP directly to the ONT with ether1 as I suggested?

In this case, reset the default configuration from the system menu or type "/system reset-configuration" from the terminal. This should enable fasttrack on the bridge. You can now connect a laptop to any remaining ether port and run a few speed tests while monitoring the CPU cores from System/Resources/CPU.

Run cmd in Windows and type:
ping 8.8.8.8 -t

What is the average speed, ping and cpu usage? What is the speed you are paying for?

This is an important baseline, because fasttrack bypasses most of the firewall stack and once it is disabled for QOS, cpu will increase by at least 30%, and thus affect overall bandwidth. Furthermore, any rules we set for QOS must limit your WAN connection even further to be effective.

Keep the cmd prompt running...
Last edited by Moba on Sat Oct 17, 2020 1:25 am, edited 1 time in total.
 
Moba
just joined
Posts: 16
Joined: Sun Sep 27, 2020 6:15 pm

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Sat Oct 17, 2020 1:20 am

Once you have a baseline (best case scenario), we can experiment with queues. The first solution to bufferbloat is a simple queue. It's a lazy hack, but it works with one major caveat: it's resource intensive on a small HAP.

1. You must add a new queue type for SFQ in the terminal:

/queue type
add kind=sfq name=sfq-default sfq-perturb=10

2. You create a simple queue to control all traffic:

/queue simple
add max-limit=200M/200M name=sfq-default queue=sfq-default/sfq-default target=192.168.88.0/24

The max limit of the queue must be less than the max speed with fasttrack.

3. You disable the default fasttrack rule from the firewall - don't delete it, it's useful for testing.

This should solve any bufferbloat issues quickly since it sets a hard limit for all your WAN bandwidth and it dynamically divides it equally among each client connected to the router as required (fair queuing).

Speed test again...
Last edited by Moba on Sat Oct 17, 2020 3:51 pm, edited 1 time in total.
 
Moba
just joined
Posts: 16
Joined: Sun Sep 27, 2020 6:15 pm

Re: New HAP ac2 as ATT Bridge (slow, sites not loading)

Sat Oct 17, 2020 2:01 am

Using Fasttrack for gaming traffic

COD is used here, but any other port specific traffic can be marked.

1. The connections need to be marked:

/ip firewall mangle
add action=mark-connection chain=forward comment=fasttrack-udp-dw-con dst-port="" new-connection-mark=fasttrack-udp-dw-con passthrough=no port=3074-3078,27000-27059 protocol=udp
add action=mark-connection chain=prerouting comment=fasttrack-udp-up-con dst-port="" new-connection-mark=fasttrack-udp-up-con passthrough=no port=3074-3078,27000-27059 protocol=udp

2. A rule is created in the firewall for each connection:

/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasttrack udp dw games" connection-mark=fasttrack-udp-dw-con
add action=fasttrack-connection chain=input comment="Fasttrack udp up games" connection-mark=fasttrack-udp-up-con

These rules will let COD traffic bypass the QOS queue and prioritize this traffic over everything else, thus minimizing latency.

Make sure you move those rules up to where the default Fasttrack rules are with Winbox. Additionally, you may wish to fasttrack DNS queries by adding them to the prerouting chain.
