 
biostein
just joined
Topic Author
Posts: 16
Joined: Wed Oct 31, 2018 9:08 pm

Cake QoS and IP6 setup check

Tue May 31, 2022 7:53 pm

Morning all,

So I recently set up Cake QoS and IP6. But I am super paranoid that I did not optimize correctly. The main reason Cake was implemented was due to my Internet provider's messed up route, twice removed. I was able to pull tons more bandwidth than I paid for, but it was super unstable. Huge latency issues and tons of dropped packets and whatnot. Put Cake in place and it seems to have smoothed things over really well. Latency is still in the 30-40 range, but stable so????

IP6 is a total mystery to me. It does not make sense that you grab a block of addresses and the devices pick an address at random. It is working but feels... wrong? Or implemented incorrectly.

My biggest concern for Cake is that I am limiting local LAN speeds.

For IP6, my worry is I opened myself too much to the internet. And put myself at risk.
 
tangent
Forum Guru
Posts: 1390
Joined: Thu Jul 01, 2021 3:15 pm

Re: Cake QoS and IP6 setup check

Tue May 31, 2022 8:20 pm

Latency is still in the 30-40 range, but stable so????

I'm guessing that's ping time in milliseconds? Is that under load, or with nothing running?

It does not make sense that you grab a block of addresses

The scale of the address space is outside all human experience. Your brain didn't evolve with any ability to understand values this big, so it struggles and comes up with misanalogies.

I expect you're aware that IPv4 has a 32-bit address space, and that IPv6 has a 128-bit address space. A normal initial reaction is to see the latter as 4× bigger, but in fact a 34-bit address is 4× bigger, since every additional bit — that is, binary digit — is a doubling. To go from 32 bits to 128 bits is ninety-six doublings!

If your ISP gives you a /64 subnet, that isn't half the total IPv6 space, it's one out of 2⁶⁴ subnets available. If each IPv4 address in existence were assigned one of these subnets as a companion, that would use up 2⁹⁶ IPv6 addresses. To use them all up, every IPv4 address would have to be assigned 2³² of these IPv6 /64 subnets.

the devices pick an address at random.

That's only one way for IPv6 addressing to work. You can draw them from a DHCPv6 pool, or assign them statically, or base them on MAC addresses, or…

My biggest concern for Cake is that I am limiting local LAN speeds

So don't put it on the LAN interfaces. You can target a RouterOS queue at any interface you like. Post your configuration and a network diagram if you want someone to vet your configuration.

my worry is I opened myself too much to the internet. And put myself at risk.

While NAT does provide a type of firewalling, doing without NAT doesn't mean you are now without a firewall. RouterOS IPv6 firewall rules still apply, even when your clients have public IPv6 addresses.

Again, post your config if you want reassurance.
 
biostein
just joined
Topic Author
Posts: 16
Joined: Wed Oct 31, 2018 9:08 pm

Re: Cake QoS and IP6 setup check

Tue May 31, 2022 8:32 pm

Yes, that is ms, and under load.

Let me know if that works. New to uploading configs.

Scrubbed some other stuff that I thought should not be shared. If it is an issue I can go over that, but it should not be needed.

# may/31/2022 12:26:02 by RouterOS 7.2.3
# software id = 56LU-W8EI
#
# model = RB4011iGS+
# serial number = B8F40B74C8FF
/interface bridge
add admin-mac=C4:AD:34:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp insert-queue-before=bottom interface=bridge name=\
    defconf
/ipv6 dhcp-server
add address-pool="ip 6 pool 60" interface=bridge name=ipv6
/port
set 0 name=serial0
set 1 name=serial1
/queue tree
add disabled=yes name="Total BW" parent=global
/queue type
add kind=pcq name="PCQ download" pcq-classifier=dst-address pcq-rate=500M
add kind=pcq name="PCQ upload" pcq-classifier=src-address pcq-rate=20M
add kind=fq-codel name="Default-fq codel"
add cake-diffserv=diffserv4 cake-mpu=84 cake-nat=yes cake-overhead=38 \
    cake-overhead-scheme=ethernet cake-rtt=60ms cake-wash=yes kind=cake name=\
    "default cake"
add cake-bandwidth=440.0Mbps cake-mpu=84 cake-nat=yes cake-overhead=38 \
    cake-overhead-scheme=ethernet cake-rtt=70ms kind=cake name=\
    "cake from wan"
add cake-bandwidth=30.0Mbps cake-mpu=84 cake-nat=yes cake-overhead=38 \
    cake-overhead-scheme=ethernet cake-rtt=60ms cake-wash=yes kind=cake name=\
    "cake from lan"
add kind=none name=nono
/queue simple
add disabled=yes max-limit=400M/20M name=queue1 queue=\
    "Default-fq codel/Default-fq codel" target=ether1 total-queue=\
    "Default-fq codel"
add comment="upload and download are backwords ---- upload =wan" name=\
    "new test with cake" queue="cake from wan/cake from lan" target=ether1 \
    total-queue="default cake"
/queue tree
add disabled=yes name=download packet-mark=download parent="Total BW" queue=\
    "PCQ download"
add disabled=yes name=upload packet-mark=upload parent="Total BW" queue=\
    "PCQ upload"
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    identity="x" name=zt1 \
    port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zt1 name=zerotier1 network=x
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip firewall connection tracking
set loose-tcp-tracking=no
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-router-advertisements=yes
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.1.246 client-id=1:70:5a:f:42:a3:d2 mac-address=\
    70:5A:0F:42:A3:D2 server=defconf
add address=192.168.1.24 client-id=1:8:0:27:5e:2:33 mac-address=\
    08:00:27:5E:02:33 server=defconf
add address=192.168.1.248 client-id=1:38:18:4c:a4:67:75 mac-address=\
    38:18:4C:A4:67:75 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.0/24 list=lan
add address=192.168.2.0/24 list=lan
add address=224.0.0.0/4 list=multcast
add address=255.255.255.255 list=multcast
/ip firewall filter
add action=accept chain=input dst-address-list=lan src-address-list=lan
add action=accept chain=input dst-address-list=multcast src-address-list=lan
add action=accept chain=forward in-interface-list=LAN src-address-list=lan
add action=accept chain=input in-interface=bridge src-address=0.0.0.0
add action=accept chain=forward comment="dst nated" connection-nat-state=\
    dstnat
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input connection-nat-state=dstnat
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward log=yes
add action=accept chain=input log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip ssh
set strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/ipv6 address
add address=::1 from-pool="ip 6 pool 60" interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name="ip 6 pool 60" \
    pool-prefix-length=60 prefix-hint=::/56 request=address,prefix \
    use-interface-duid=yes use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
add interface=bridge
/system clock
set time-zone-name=America/Chicago
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
add allow-address=192.168.1.0/24 interface=bridge
add allow-address=192.168.1.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
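
An added example, not part of the thread or of RouterOS: a small first-match evaluator over three of the `/ipv6 firewall filter` forward rules from the export above, to check which unsolicited WAN-to-LAN packets they admit now that clients hold public IPv6 addresses. The function names and packet dictionaries are constructed for illustration, and the model understands only the four matchers these rules use.

```python
import re
import shlex

# Subset of the forward chain from the export above; other rules are omitted.
EXPORT = r'''
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
'''

def parse_rules(text):
    """Join backslash continuations, then split each 'add' line into key=value."""
    joined = re.sub(r"\\\n\s*", "", text).strip()
    return [dict(t.split("=", 1) for t in shlex.split(line)[1:])
            for line in joined.splitlines()]

def matches(rule, pkt):
    """True when every matcher this model understands agrees with the packet."""
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"].split(","):
        return False
    if "protocol" in rule and pkt["proto"] != rule["protocol"]:
        return False
    if "dst-port" in rule and str(pkt["dport"]) not in rule["dst-port"].split(","):
        return False
    if "in-interface-list" in rule:
        name = rule["in-interface-list"]  # a leading "!" negates the match
        if (pkt["in_list"] == name.lstrip("!")) == name.startswith("!"):
            return False
    return True

def verdict(rules, pkt, chain="forward"):
    """First match wins; RouterOS accepts a packet that no rule matches."""
    for r in rules:
        if r["chain"] == chain and matches(r, pkt):
            return r["action"], r.get("comment", "")
    return "accept", "no rule matched"

RULES = parse_rules(EXPORT)
# Constructed packets: new connections entering via the WAN or LAN interface list.
WAN_SSH = {"state": "new", "proto": "tcp", "dport": 22, "in_list": "WAN"}
WAN_IKE = {"state": "new", "proto": "udp", "dport": 500, "in_list": "WAN"}
LAN_WEB = {"state": "new", "proto": "tcp", "dport": 443, "in_list": "LAN"}
for pkt in (WAN_SSH, WAN_IKE, LAN_WEB):
    print(pkt, "->", verdict(RULES, pkt))
```

On this subset, only IKE (udp/500,4500) reaches a LAN host unsolicited from WAN; the full export also accepts ICMPv6, HIP and IPsec in the forward chain before the final drop.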
