Apr 14 / Greg

I’m in Jamaica

Yep…while you read this, slaving away, I’m relaxing. I just wanted to rub it in, have fun. Here is where I am.

Apr 12 / Greg

Mikrotik – How I Control My Videos With PCQ And Connection Limiting

I initially had no QoS on my servers, which I quickly found was a BAD idea! I had tons of users opening tons of connections, which meant my server kept becoming unresponsive. Each time a new connection comes in, Apache (prefork) spawns a new process that eats somewhere around 25 MB of RAM, so after users connected with multi-threaded downloaders my site would tank every day or so. To prevent this, I put connection limiting in place. I then noticed that users with higher connection speeds were pulling the videos quickly, which could max out my Internet connection, so I put in some controls for that in the form of a PCQ (Per Connection Queue). A PCQ lets me offer my videos at a fixed rate to each user that connects, so no single user can max out the connection.

We start by matching HTTP GET requests. I created an L7 rule to match my video files (the regexp looks for "get" followed by ".mp4" anywhere in the inspected part of the stream, so it is deliberately loose):

/ip firewall layer7-protocol
add comment="" name="Download - MP4" regexp="^.*get.+\\.mp4.*\$"

Next, a mangle rule marks connections heading to my server on port 80 that match the L7 rule. A second mangle rule then marks every packet that carries that connection mark (passthrough=no, since nothing further needs to see those packets in mangle).

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark Connection MP4 Downloads on Greg's site" \
    disabled=no dst-address=209.189.228.152 dst-port=80 layer7-protocol="Download - MP4" \
    new-connection-mark=MP4Connection passthrough=yes protocol=tcp src-address=0.0.0.0/0
add action=mark-packet chain=prerouting comment="" connection-mark=MP4Connection disabled=no \
    new-packet-mark=MP4Connection passthrough=no

This filter rule caps the number of marked connections per user: once a single source address (matched as a /32 by connection-limit=3,32) has reached 3 connections carrying the MP4Connection mark, further ones are tarpitted rather than dropped, despite the comment. Tarpit completes the handshake and then holds the connection open with a zero window, so a multi-threaded downloader's extra threads hang instead of retrying. The rule lives in the forward chain, so it only applies to traffic transiting the router to the server behind it.

/ip firewall filter
add action=tarpit chain=forward comment="Drop High Greg MP4" \
    connection-limit=3,32 connection-mark=MP4Connection disabled=no \
    in-interface=ether1 protocol=tcp

I then created a PCQ type that gives each user pulling a video a fixed 200 kbit/s (pcq-rate=200000), classified by destination address. I chose dst-address because the traffic being limited is the server-to-user direction, so each individual client IP ends up in its own sub-queue.

/queue type
add kind=pcq name=GregMP4 pcq-classifier=dst-address pcq-limit=50 pcq-rate=\
    200000 pcq-total-limit=6000000

Last, I added a queue tree entry under my existing "OUT" queue (10M on ether1). It uses the new PCQ type and the MP4Connection packet mark, with a max-limit of 6 Mbit/s and a limit-at of 3 Mbit/s: video traffic as a whole is capped at 6M and guaranteed 3M when the OUT parent is contended.

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=10M name=OUT parent=ether1 priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=3M \
    max-limit=6M name=GregMP4 packet-mark=MP4Connection parent=OUT priority=7 \
    queue=GregMP4
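Before trusting the whole chain, it is worth checking what the L7 regexp at the top of it actually marks, because everything downstream (connection limit, PCQ) hangs off that match. The following Python is an added example, not code from the post or from RouterOS: it models the L7 matcher on constructed HTTP request payloads and compares the post's loose pattern with a tighter request-line-anchored alternative of mine. Two assumptions are built in and labelled in the code: the matcher only inspects the start of a connection's payload (the RouterOS docs describe the first 10 packets or 2 KB, modelled here as a 2048-byte window), and matching is case-insensitive with "." also matching newlines, as in the l7-filter patterns the matcher descends from. The host names and payloads are made up.

```python
import re

# Constructed model of the RouterOS layer7 matcher used by the "Download - MP4" rule.
# Assumptions (labelled, not taken from the post):
#   * only the first L7_WINDOW bytes of a connection's payload are inspected, so a
#     pattern that first appears later in a keep-alive connection is never seen;
#   * matching is case-insensitive and "." also matches newlines.
L7_WINDOW = 2048

# The post's pattern, with the export-file escaping (\\. and \$) undone.
LOOSE_MP4 = re.compile(rb"^.*get.+\.mp4.*$", re.IGNORECASE | re.DOTALL)

# Tighter alternative (my suggestion, not the post's): only a GET whose request
# path ends in .mp4, optionally followed by a query string, counts as a download.
STRICT_MP4 = re.compile(rb"^get /[^ \r\n?]*\.mp4(\?[^ \r\n]*)? http/", re.IGNORECASE)


def l7_match(pattern: re.Pattern, stream: bytes) -> bool:
    """Apply an L7 pattern to the inspected window of a connection's payload."""
    return pattern.search(stream[:L7_WINDOW]) is not None


def classify(stream: bytes) -> dict:
    """Which of the two patterns would mark this connection as an MP4 download."""
    return {"loose": l7_match(LOOSE_MP4, stream), "strict": l7_match(STRICT_MP4, stream)}


def users_before_cap(pcq_rate_bps: int = 200_000, max_limit_bps: int = 6_000_000) -> int:
    """Simultaneous downloaders the GregMP4 queue can serve at the full pcq-rate
    before the 6M max-limit, rather than the per-user rate, becomes the limit."""
    return max_limit_bps // pcq_rate_bps


# Constructed client->server payloads (not real captures); "video.example" is a placeholder.
REQ_MP4 = b"GET /videos/pcq-intro.mp4 HTTP/1.1\r\nHost: video.example\r\n\r\n"
REQ_MP4_UPPER = b"GET /videos/PCQ-INTRO.MP4?token=abc HTTP/1.1\r\nHost: video.example\r\n\r\n"
# "GET" on the request line plus ".mp4" in an unrelated header: not a video download,
# but the loose pattern marks (and therefore rate-limits) the connection anyway.
REQ_REFERER = (b"GET /index.html HTTP/1.1\r\nHost: video.example\r\n"
               b"Referer: http://forum.example/topic/encode.mp4.html\r\n\r\n")
# No GET at all: "get" inside "Gadget" and ".mp4" in a later header still satisfy it.
REQ_POST = (b"POST /upload HTTP/1.1\r\nHost: video.example\r\nUser-Agent: Gadget/1.0\r\n"
            b"X-Filename: clip.mp4\r\nContent-Length: 0\r\n\r\n")
# Keep-alive connection: a bulky first request pushes the .mp4 GET past the inspected
# window, so neither pattern marks the connection and the PCQ never sees it.
REQ_KEEPALIVE = (b"GET /index.html HTTP/1.1\r\nHost: video.example\r\nCookie: "
                 + b"a" * 2100 + b"\r\n\r\n"
                 + b"GET /videos/pcq-intro.mp4 HTTP/1.1\r\nHost: video.example\r\n\r\n")

if __name__ == "__main__":
    samples = [("mp4", REQ_MP4), ("MP4 upper", REQ_MP4_UPPER), ("referer", REQ_REFERER),
               ("post", REQ_POST), ("keep-alive", REQ_KEEPALIVE)]
    for name, stream in samples:
        print(f"{name:10s} {classify(stream)}")
    print("downloaders at the full 200k before the 6M cap binds:", users_before_cap())
```

The two false positives (Referer, POST) are the practical cost of the loose pattern: a browser fetching a page that merely mentions an .mp4 URL gets throttled to 200 kbit/s and counted against the 3-connection limit. The keep-alive case is the opposite failure: a connection that first fetched something else is never classified, so a downloader reusing one connection slips past the queue. Neither is a reason to abandon the approach, but both are worth knowing before blaming the PCQ when the numbers look odd.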

So, if you guys have a specific resource you need to control a little more closely, give this a try. Let me know what you guys think 🙂

Apr 11 / Greg

Guess Where I Am :)

I should be on a boat…a rather large boat. I’m on a cruise fools! I’ll be out and away from a PC for a week.

Be jealous!

Apr 7 / Greg

Mikrotik 5.0beta1 Released

The updates are thus:

*) updated drivers and kernel (to linux-2.6.32.5);
Terrific!

*) ssh is now completely rewritten (supports connection forwarding, only DSA keys);
Sounds like fun. I hope they retained the ability to do ssh tunneling through the MTK.

*) added support for SSTP protocol (PPP over TLS);
This is the SSL VPN we’ve all been waiting for…thankfully they are dumping OpenVPN. A little extra info can be found here on SSTP.

*) added support for multiple Intel Ethernet cards;
*) added support for IPv6 over PPP
(enabled by default if ipv6 package is installed),
link-local addresses are assigned, and server can issue IPv6 global prefixes
to clients per ppp secret or RADIUS reply (Framed-IPv6-Prefix);
*) added proper support for MPLS over PPP (by default it is now disabled);
*) fixed RB800 temperature;
*) silentboot feature updated;
*) WinBox – any file dropped on WinBox will be uploaded to router;
*) multicast – fixed possible crash during PIM startup;
*) report platform name in "/system resource";
This feature I like.

*) fixed problem – vlans were not working on RB750 ether1;
This is a big one!

*) fixed mac address handling on RB750, some specific arp requests did not work;
Another big one!

*) more than two dns servers allowed in /ip dns;
*) sniffer and torch could process packets from other interfaces;
*) ospf – fixed DR and BDR election;
*) ospf – changed “/routing ospf route” to show type 2 metric instead of
internal metric for type 2 external routes;

I don’t mean to brag, but I found this one…and I’m totally awesome.

*) added IPv6 support to trafflow (v9 only);
*) rewritten user-manager (formerly known as userman-test);

I’m excited about this one, as I’ve used usermanager a good bit as of late.

Change log is here.

Apr 5 / Greg

Automatic Bogon Updates

As most of you are security-minded people, you already know what bogons are. If not, here is what Wikipedia has to say about it. In short, bogons are address blocks that should never appear as the source of a packet on the public Internet: unallocated space and reserved ranges such as RFC 1918 private addresses.

Steve-o clued me into the Team Cymru bogon project. In a nutshell, they set up a BGP peering with you and send you the updated bogon list with a community string attached. You can then set up a script or route-map on your router to blackhole all traffic sourced from these addresses. Best part is that when they update the list on their routers, it updates automatically on your infrastructure. Did I mention that it's free?

This being a free service and all, I would say use it at your own risk. I know it would make for a good April Fools' Day joke to blackhole Google 😛

Apr 2 / Greg

LearnMikrotik Training April 19-22nd

Looks like Steve over at learnmikrotik is holding some training classes April 19-22nd. If you are looking to get certified, pop over and have a look.

Mar 31 / Greg

Mikrotik IPSec When One Side Is DHCP

I’m lazy and thus I’ve just updated my VPN training video with the new info. Pop on over and see the nifty little script that makes it all happen. 🙂