sigmasquared
just joined
Topic Author
Posts: 19
Joined: Tue Sep 04, 2012 2:55 pm
Location: South Africa

Routerboard Spec Recommendation

Wed Nov 28, 2018 3:15 pm

Hi all, wondering if someone can perhaps guide me. A client has an HP N40L Microserver running RouterOS x86 (AMD Turion II 1.5 GHz processor). They have around 40 users on a 300 Mbps uplink. They use around 30 mangle rules (checking content on prerouting) for adding sites like Netflix, Steam, iTunes etc. to address lists, which are then blocked by the firewall. On the Microserver, the CPU maxes out and they throttle down to about 10-30 Mbps. I'm looking to recommend a new routerboard to them, any thoughts on what may comfortably perform with this requirement?

Should I jump straight for RB4011iGS+RM? Or would a HEX / HEX S suffice?

I run the same rules on a hAP AC^2 which doesn't blink an eye, but my uplink is much slower and I only have 4 users.
 
nescafe2002
Long time Member
Posts: 625
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Routerboard Spec Recommendation

Wed Nov 28, 2018 5:26 pm

It depends on the actual mangle rule set. Post your rules. Perhaps some optimization can be applied and not all packets have to be inspected.

Personally I'd get rid of the content filters and apply queueing to distribute bandwidth, but it depends on whether your provider has a monthly maximum upload/download limit.
 
sigmasquared
just joined
Topic Author
Posts: 19
Joined: Tue Sep 04, 2012 2:55 pm
Location: South Africa

Re: Routerboard Spec Recommendation

Thu Nov 29, 2018 9:49 am

Not looking to manage bandwidth, it's more to block the address lists of Netflix, Steam etc on a corporate network.
/ip firewall mangle
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=\
    windowsupdate.microsoft.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=windowsupdate.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=download.microsoft.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=wustat.windows.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=\
    ntservicepack.microsoft.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=update.microsoft.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=ws.microsoft.com
add action=add-dst-to-address-list address-list=WindowsUpdate \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Windows Update Address List" content=mp.microsoft.com
add action=add-dst-to-address-list address-list=Netflix address-list-timeout=\
    30m chain=prerouting comment="Identify Netflix Address List" content=\
    nflxvideo.net
add action=add-dst-to-address-list address-list=Netflix address-list-timeout=\
    30m chain=prerouting comment="Identify Netflix Address List" content=\
    netflix.com
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=\
    5m chain=prerouting comment="Identify Youtube Address List" content=\
    youtube.com
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=\
    5m chain=prerouting comment="Identify Youtube Address List" content=\
    googlevideo.com
add action=add-dst-to-address-list address-list=iTunes address-list-timeout=\
    5m chain=prerouting comment="Identify iTunes Address List" content=\
    phobos.apple.com
add action=add-dst-to-address-list address-list=iTunes address-list-timeout=\
    5m chain=prerouting comment="Identify iTunes Address List" content=\
    deimos3.apple.com
add action=add-dst-to-address-list address-list=iTunes address-list-timeout=\
    5m chain=prerouting comment="Identify iTunes Address List" content=\
    albert.apple.com
add action=add-dst-to-address-list address-list=iTunes address-list-timeout=\
    5m chain=prerouting comment="Identify iTunes Address List" content=\
    gs.apple.com
add action=add-dst-to-address-list address-list=iTunes address-list-timeout=\
    5m chain=prerouting comment="Identify iTunes Address List" content=\
    itunes.apple.com
add action=add-dst-to-address-list address-list=iTunes address-list-timeout=\
    5m chain=prerouting comment="Identify iTunes Address List" content=\
    ax.itunes.apple.com
add action=add-dst-to-address-list address-list=Steam address-list-timeout=\
    30m chain=prerouting comment="Identify Steam Address List" content=\
    steampowered.com
add action=add-dst-to-address-list address-list=Steam address-list-timeout=\
    30m chain=prerouting comment="Identify Steam Address List" content=\
    steamcommunity.com
add action=add-dst-to-address-list address-list=Steam address-list-timeout=\
    30m chain=prerouting comment="Identify Steam Address List" content=\
    steamgames.com
add action=add-dst-to-address-list address-list=Steam address-list-timeout=\
    30m chain=prerouting comment="Identify Steam Address List" content=\
    steamusercontent.com
add action=add-dst-to-address-list address-list=Steam address-list-timeout=\
    30m chain=prerouting comment="Identify Steam Address List" content=\
    steamcontent.com
add action=add-dst-to-address-list address-list=Steam address-list-timeout=\
    30m chain=prerouting comment="Identify Steam Address List" content=\
    steamstatic.com
add action=mark-packet chain=forward comment="Identify Steam Traffic (TCP)" \
    dst-port=27015-27030,27036,27037 new-packet-mark=SteamGames passthrough=\
    yes protocol=tcp
add action=mark-packet chain=forward comment="Identify Steam Traffic (UDP)" \
    dst-port=3478,4379,4380,27000-27031,27036 new-packet-mark=SteamGames \
    passthrough=yes protocol=udp
   
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Routerboard Spec Recommendation

Thu Nov 29, 2018 10:27 am

The hEX (S) would be only about as powerful as, if not a little less than, your current router, so I would steer away from that if possible.
The RB4011 is a relatively decent choice, although I would argue that, as this is effectively a corporate production environment, there is very good justification to run a CCR1009, which would also give future headroom if their connectivity improves.

The RB4011 is still a relatively new product and, although there are not a lot of "problem" threads regarding them, the CCRs are tried, tested, proven and "industrial" in their build quality.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
 
nescafe2002
Long time Member
Posts: 625
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Routerboard Spec Recommendation

Thu Nov 29, 2018 10:49 am

I have added your content filters to my RB4011 and this is the result:
(two speedtest screenshots attached, taken with the mangle rules enabled)

In comparison, same speedtest with disabled mangle rules (without fasttrack):
(two speedtest screenshots attached, taken with the mangle rules disabled)


You should really look into your mangle rules. They are a firewall killer.

A content filter might work for HTTP, but better to use the tls-matcher on port 443, and limit the rules to those specific ports (80 and 443).

Fasttrack your connections after 10 kB, as the keyword will be in the Host header / SNI anyway:

/ip firewall filter
add action=fasttrack-connection chain=forward connection-bytes=10240-0 connection-state=established,related
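One way to apply the three suggestions above (SNI matching on 443, content matching only on 80, fasttrack after 10 kB) to the Netflix rules from the posted export, as an added RouterOS example that is not part of the original post. It assumes RouterOS 6.41 or later for the tls-host matcher and that the blocked lists are dropped in the forward chain, as the original poster describes.

```routeros
/ip firewall mangle
# HTTPS: read the server name from the TLS ClientHello instead of scanning
# every packet's payload; only port 443 packets are inspected at all
add chain=prerouting protocol=tcp dst-port=443 tls-host="*netflix.com" \
    action=add-dst-to-address-list address-list=Netflix \
    address-list-timeout=30m comment="Identify Netflix (TLS SNI)"
add chain=prerouting protocol=tcp dst-port=443 tls-host="*nflxvideo.net" \
    action=add-dst-to-address-list address-list=Netflix \
    address-list-timeout=30m comment="Identify Netflix (TLS SNI)"
# Plain HTTP: keep the content matcher, but only on port 80 packets, where
# the Host header carries the name
add chain=prerouting protocol=tcp dst-port=80 content="netflix.com" \
    action=add-dst-to-address-list address-list=Netflix \
    address-list-timeout=30m comment="Identify Netflix (HTTP Host)"

/ip firewall filter
# Drop before fasttrack: a fasttracked connection bypasses the rest of the
# firewall (mangle included), so the block has to be decided first
add chain=forward dst-address-list=Netflix action=drop \
    comment="Block Netflix address list"
# After 10 KiB the hostname has already been seen (Host header / SNI sit in
# the first packets), so the rest of the connection can skip mangle entirely
add chain=forward connection-state=established,related \
    connection-bytes=10240-0 action=fasttrack-connection \
    comment="Fasttrack established connections after 10 KiB"
add chain=forward connection-state=established,related action=accept
```

The same pattern (one tls-host rule and one port-80 content rule per domain) replaces each of the other content rules in the export; rule order within the filter chain is what keeps the block effective once fasttrack kicks in.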
 
sigmasquared
just joined
Topic Author
Posts: 19
Joined: Tue Sep 04, 2012 2:55 pm
Location: South Africa

Re: Routerboard Spec Recommendation

Thu Nov 29, 2018 12:55 pm

Thanks! Shall add the fasttrack and see how it goes, and will look into tls-matcher.
 
nescafe2002
Long time Member
Posts: 625
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Routerboard Spec Recommendation

Thu Nov 29, 2018 4:21 pm

You may be even better off blocking the sites based on DNS, e.g. to block all DNS lookups ending in windowsupdate.microsoft.com (including windowsupdate.microsoft.com itself):
/ip dns static
add address=127.0.0.1 regexp="windowsupdate\\.microsoft\\.com\$"

(I have requested that address=0.0.0.0 be allowed in static DNS, to be able to reply NXDOMAIN for this use case, but MT claims that 0.0.0.0 is not an IP address.)
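An added example, not from the original post, that applies the same static-DNS sinkhole to a few of the other lists and makes sure LAN clients actually send their lookups to the router, since the regexp only helps for queries that reach it. It assumes an interface list named LAN exists, that the router is allowed to answer DNS for the LAN, and that the static DNS regexp accepts POSIX-style alternation `(^|\.)`.

```routeros
/ip dns
# The router must answer queries from the LAN for the static entries to apply
set allow-remote-requests=yes

/ip dns static
# One entry per service; (^|\.) matches the apex name and every subdomain
# without also matching unrelated names that merely end in the same string.
# Inside RouterOS quotes, \\ yields a literal backslash and \$ a literal $.
add address=127.0.0.1 regexp="(^|\\.)netflix\\.com\$" comment="Sinkhole Netflix"
add address=127.0.0.1 regexp="(^|\\.)nflxvideo\\.net\$" comment="Sinkhole Netflix CDN"
add address=127.0.0.1 regexp="(^|\\.)steampowered\\.com\$" comment="Sinkhole Steam"
add address=127.0.0.1 regexp="(^|\\.)steamcommunity\\.com\$" comment="Sinkhole Steam"

/ip firewall nat
# Redirect plain DNS that a client sends elsewhere (e.g. a hard-coded public
# resolver) back to the router, so the sinkhole is not skipped by changing
# the client's DNS settings
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="Force LAN DNS through router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="Force LAN DNS through router"
```

Encrypted DNS (DoH/DoT) and connections opened directly to an IP address do not pass through this resolver, which is why the port 443 address-list rules are still worth keeping alongside it.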
