Routerboard Spec Recommendation

Posted: Wed Nov 28, 2018 3:15 pm
by sigmasquared
Hi all, wondering if someone can perhaps guide me. A client has an HP N40L Microserver running RouterOS x86 (AMD Turion II 1.5 GHz processor). They have around 40 users on a 300mbps uplink. They use around 30 mangle rules (checking content on prerouting) for adding sites like Netflix, Steam, iTunes etc. to address lists, which are then blocked by the firewall. On the Microserver, the CPU maxes out and they throttle down to about 10-30mbps. I'm looking to recommend a new routerboard to them, any thoughts on what may comfortably perform with this requirement?

Should I jump straight for RB4011iGS+RM? Or would a HEX / HEX S suffice?

I run the same rules on a hAP AC^2 which doesn't blink an eye, but my uplink is much slower and I only have 4 users.

Re: Routerboard Spec Recommendation

Posted: Wed Nov 28, 2018 5:26 pm
by nescafe2002
It depends on the actual mangle rule set. Post your rules. Perhaps some optimization can be applied and not all packets have to be inspected.

Personally I'd get rid of the content filters and apply queueing to distribute bandwidth, but it depends on whether your provider has a monthly maximum upload/download limit.

Re: Routerboard Spec Recommendation

Posted: Thu Nov 29, 2018 9:49 am
by sigmasquared
Not looking to manage bandwidth, it's more to block the address lists of Netflix, Steam etc on a corporate network.
/ip firewall mangle
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=\
    windowsupdate.microsoft.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=windowsupdate.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=download.microsoft.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=wustat.windows.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=\
    ntservicepack.microsoft.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=update.microsoft.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=ws.microsoft.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=mp.microsoft.com
add action=add-dst-to-address-list address-list=Netflix address-list-timeout=\
    30m chain=prerouting comment="Identify Netflix Address List" content=\
    nflxvideo.net
add action=add-dst-to-address-list address-list=Netflix address-list-timeout=\
    30m chain=prerouting comment="Identify Netflix Address List" content=\
    netflix.com
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=\
    5m chain=prerouting comment="Identify Youtube Address List" content=\
    youtube.com
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=\
    5m chain=prerouting comment="Identify Youtube Address List" content=\
    googlevideo.com
add action=add-dst-to-address-list address-list=iTunes address-list-timeout=\
    5m chain=prerouting comment="Identify iTunes Address List" content=\
    phobos.apple.com
add action=add-dst-to-address-list address-list=iTunes address-list-timeout=\
    5m chain=prerouting comment="Identify iTunes Address List" content=\
    deimos3.apple.com
add action=add-dst-to-address-list address-list=iTunes address-list-timeout=\
    5m chain=prerouting comment="Identify iTunes Address List" content=\
    albert.apple.com
add action=add-dst-to-address-list address-list=iTunes address-list-timeout=\
    5m chain=prerouting comment="Identify iTunes Address List" content=\
    gs.apple.com
add action=add-dst-to-address-list address-list=iTunes address-list-timeout=\
    5m chain=prerouting comment="Identify iTunes Address List" content=\
    itunes.apple.com
add action=add-dst-to-address-list address-list=iTunes address-list-timeout=\
    5m chain=prerouting comment="Identify iTunes Address List" content=\
    ax.itunes.apple.com
add action=add-dst-to-address-list address-list=Steam address-list-timeout=\
    30m chain=prerouting comment="Identify Steam Address List" content=\
    steampowered.com
add action=add-dst-to-address-list address-list=Steam address-list-timeout=\
    30m chain=prerouting comment="Identify Steam Address List" content=\
    steamcommunity.com
add action=add-dst-to-address-list address-list=Steam address-list-timeout=\
    30m chain=prerouting comment="Identify Steam Address List" content=\
    steamgames.com
add action=add-dst-to-address-list address-list=Steam address-list-timeout=\
    30m chain=prerouting comment="Identify Steam Address List" content=\
    steamusercontent.com
add action=add-dst-to-address-list address-list=Steam address-list-timeout=\
    30m chain=prerouting comment="Identify Steam Address List" content=\
    steamcontent.com
add action=add-dst-to-address-list address-list=Steam address-list-timeout=\
    30m chain=prerouting comment="Identify Steam Address List" content=\
    steamstatic.com
add action=mark-packet chain=forward comment="Identify Steam Traffic (TCP)" \
    dst-port=27015-27030,27036,27037 new-packet-mark=SteamGames passthrough=\
    yes protocol=tcp
add action=mark-packet chain=forward comment="Identify Steam Traffic (UDP)" \
    dst-port=3478,4379,4380,27000-27031,27036 new-packet-mark=SteamGames \
    passthrough=yes protocol=udp
   

Re: Routerboard Spec Recommendation

Posted: Thu Nov 29, 2018 10:27 am
by Steveocee
The Hex(s) would only be about as powerful as, if not a little less than, your current router, so I would steer away from that if possible.
RB4011 is a relatively decent choice although I would argue that as this is effectively a corporate and production environment it would be very good justification to run in a CCR1009 which would also give future headroom if their connectivity improves.

RB4011 is still a relatively new product and although there are not a lot of "problem" threads regarding them, the CCRs are tried, tested, proven and "industrial" in their build quality.

Re: Routerboard Spec Recommendation

Posted: Thu Nov 29, 2018 10:49 am
by nescafe2002
I have added your content filters to my RB4011 and this is the result:
(attached screenshots: explorer_2018-11-29_09-39-17.png, explorer_2018-11-29_09-38-46.png)

In comparison, same speedtest with disabled mangle rules (without fasttrack):
(attached screenshots: explorer_2018-11-29_09-41-28.png, explorer_2018-11-29_09-47-12.png)


You should really look into your mangle rules. They are a firewall killer.

Content filter might work for http, but better use tls-matcher on port 443. And limit to those specific ports (80 and 443).

Fasttrack your connections after 10kb, as the keyword will be in host header / sni anyway:

/ip firewall filter
add action=fasttrack-connection chain=forward connection-bytes=10240-0 connection-state=established,related
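As an added illustration (not part of the thread), here is the Netflix pair from the posted export rewritten along the lines suggested above: the content match limited to TCP port 80, the HTTPS side matched on the TLS SNI instead of a payload scan, and the fasttrack rule placed ahead of the generic established/related accept. The `tls-host` matcher (RouterOS 6.41+) and its GLOB wildcard syntax are assumptions about RouterOS, not something the thread states; the drop rule stands in for whatever blocking rules the client already has.

```routeros
# Added example, not the original poster's config. Assumes RouterOS 6.41+ (tls-host matcher).
/ip firewall mangle
# Before (as exported): scans the payload of every packet, in every flow, on every port
#add action=add-dst-to-address-list address-list=Netflix address-list-timeout=30m \
#    chain=prerouting comment="Identify Netflix Address List" content=netflix.com

# After: plain HTTP only, so the string scan runs against request packets on port 80
add action=add-dst-to-address-list address-list=Netflix address-list-timeout=30m \
    chain=prerouting protocol=tcp dst-port=80 content=netflix.com \
    comment="Netflix via HTTP Host header"
# After: HTTPS matched on the SNI in the TLS ClientHello, no payload string scan.
# tls-host uses GLOB syntax; a leading * covers the apex name and all subdomains.
add action=add-dst-to-address-list address-list=Netflix address-list-timeout=30m \
    chain=prerouting protocol=tcp dst-port=443 tls-host=*netflix.com \
    comment="Netflix via TLS SNI"
add action=add-dst-to-address-list address-list=Netflix address-list-timeout=30m \
    chain=prerouting protocol=tcp dst-port=443 tls-host=*nflxvideo.net \
    comment="Netflix CDN via TLS SNI"

/ip firewall filter
# Fasttrack only once 10 KiB have passed on the connection: the Host header or SNI sits
# in the first packets, so mangle still sees them, and everything after bypasses
# mangle entirely. This rule must sit above the generic established/related accept.
add action=fasttrack-connection chain=forward connection-bytes=10240-0 \
    connection-state=established,related comment="fasttrack after 10 KiB"
add action=accept chain=forward connection-state=established,related
# Stand-in for the client's existing blocking rule: drop new flows to the listed hosts
add action=drop chain=forward connection-state=new dst-address-list=Netflix \
    comment="block Netflix"
```

Apply the same pattern to each address list in the export; the per-list timeouts and list names can stay as they were. Note that `tls-host` only sees TCP TLS, so a client using QUIC on UDP 443 is not matched by the SNI rule.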

Re: Routerboard Spec Recommendation

Posted: Thu Nov 29, 2018 12:55 pm
by sigmasquared
Thanks! Shall add the fasttrack and see how it goes, and will look into tls-matcher.

Re: Routerboard Spec Recommendation

Posted: Thu Nov 29, 2018 4:21 pm
by nescafe2002
You may even better block the sites based on dns, e.g. to block all dns lookups ending in windowsupdate.microsoft.com (including windowsupdate.microsoft.com):
/ip dns static
add address=127.0.0.1 regexp="windowsupdate\\.microsoft\\.com\$"

(I have requested to allow address=0.0.0.0 in static dns to be able to reply nxdomain for this use case, but MT claims that 0.0.0.0 is not an ip address).
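Added example (not from the thread): the static-DNS approach above extended to the other services in the posted export, plus a NAT redirect so LAN clients cannot sidestep it by pointing at an outside resolver. It assumes an interface list named `LAN` exists and that the router is the clients' DNS server; both are assumptions, not something the thread states.

```routeros
# Added example, not the original poster's config. Assumes an interface list "LAN".
/ip dns
set allow-remote-requests=yes
/ip dns static
# A regexp entry answers the name itself and every subdomain: dots are escaped and the
# pattern is anchored at the end, exactly as in the thread's windowsupdate example.
add address=127.0.0.1 regexp="windowsupdate\\.microsoft\\.com\$" comment="block Windows Update"
add address=127.0.0.1 regexp="netflix\\.com\$" comment="block Netflix"
add address=127.0.0.1 regexp="nflxvideo\\.net\$" comment="block Netflix CDN"
add address=127.0.0.1 regexp="steampowered\\.com\$" comment="block Steam"
add address=127.0.0.1 regexp="steamcommunity\\.com\$" comment="block Steam"
add address=127.0.0.1 regexp="steamcontent\\.com\$" comment="block Steam CDN"
add address=127.0.0.1 regexp="itunes\\.apple\\.com\$" comment="block iTunes"

/ip firewall nat
# Force all LAN DNS traffic (UDP and TCP) through the router's own resolver so the
# static entries apply even to hosts configured with a public DNS server.
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS via router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS via router"
```

Two limits to keep in mind: an end-anchored regexp without a leading anchor also matches any longer name that happens to end in the same string, and clients that resolve over DNS-over-HTTPS, or that connect to cached IP addresses, never consult the router, so the firewall address-list rules remain useful as a second layer.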