mydi88
just joined
Topic Author
Posts: 4
Joined: Sat Feb 09, 2019 10:37 pm

Did Rb 1100AH manage more than 700 Users?

Tue Sep 17, 2019 12:59 am

Hello community,
I have to manage 700 users in my university and I want to add an appliance to do URL filtering. Right now I have just a 3011 UiAS doing load balancing of 4 lines (200 Mbps) = 800 Mbps.

So my question is: if I add a RouterBOARD like the 1100AH x4 to do URL filtering (firewall role), could I in this case conserve the performance of my network? I mean, could this appliance manage 700 users and 800 Mbps without problems?
 
kiler129
Member
Posts: 354
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Re: Did Rb 1100AH manage more than 700 Users?

Tue Sep 17, 2019 7:54 pm

It all depends on what you mean by "URL filtering". I'm assuming you mean looking into HTTP requests without actually running a proxy. In such a case you may possibly manage to do it. However, this is a bad idea; let me digest the idea for you.

URL filtering was somewhat effective in the '90s and early 2000s. This was easily possible since almost all sessions on the web were unencrypted HTTP traffic. This also made accelerating web proxies in the local network a great solution. Today the landscape is totally different. Almost all (~90%) of the web uses HTTPS:
Source: https://transparencyreport.google.com/h ... view?hl=en

This is the traffic you cannot touch. You may be tempted to block whole domains and use SNI for that. Sure, you can implement that today, but that method is quickly going away due to TLS 1.3. The new version introduces ESNI, which essentially means you cannot get the SNI information: https://www.cloudflare.com/ssl/encrypted-sni/
You may also be tempted to implement MITM with custom certificates (which in the university environment, due to BYOD, is probably impossible anyway), but this effort is lost nowadays too due to HSTS. While this is not as popular as HTTP overall, it's getting momentum.
You may also consider using DNS for filtering by setting your local server as the default in DHCP. You can even go as far as to MITM users' custom DNS and redirect queries to your DNS. However, this is going away quickly too due to DoH, which basically makes DNS encrypted. The kicker here is that it needs no adoption from site vendors but instead places the responsibility on browser vendors. In reality we have Chrome, Safari, Firefox, and Edge. Firefox.
Mozilla already started enabling DoH by default, Chrome started experimenting with that too. I expect Apple with their privacy-oriented nature to follow soon.



All in all you cannot really implement URL filtering in 2019 on devices you don't control. You can enforce certain policies on university-owned computers but BYOD users will still be able to visit any websites they want.
 
mydi88
just joined
Topic Author
Posts: 4
Joined: Sat Feb 09, 2019 10:37 pm

Re: Did Rb 1100AH manage more than 700 Users?

Tue Sep 17, 2019 11:50 pm

Thanks for all of this good information.
I still need to know if this appliance can support this number of users. I want to know this information from someone who uses this appliance in a real case (huge number of users).
 
troffasky
Member
Posts: 431
Joined: Wed Mar 26, 2014 4:37 pm

Re: Did Rb 1100AH manage more than 700 Users?

Thu Sep 19, 2019 2:00 pm

How about saying how your 3011 is coping with your workload? That will give anyone reading this thread a better idea of how an 1100AH [presumably x4] would handle your workload.
