Hi, I have 40 machines (26 wireless and 14 wired) in my lan, all at 192.168.0.x, from 192.168.0.2 to 192.168.0.26 are the IP from the wireless clientes computer, from 192.168.0.32 to 192.168.0.56 are the ip from the APs of clients (Im using edimax wifi 2.4 in all of them) and from 192.168.0.100 to 192.168.0.120 are all my wired computers.

I have an RB333 with XR2 and 8db omni to connect all my wireless clients. The problem is with the response time, when I ping my clients most of the times responses are above 700ms and other times at less than 10ms everyone.

Im guessing is a brodcast problem or a firewall miss configuration. I copy most of my rules from Dmitry firewall wiki, see below:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Limit TCP
chain=forward action=drop tcp-flags=syn protocol=tcp
connection-limit=26,32 time=20h-1d,sun,mon,tue,wed,thu,fri,sat

1 ;;; Sanity Check
chain=forward action=jump jump-target=sanity-check

2 ;;; drop
chain=drop action=drop

3 ;;; Deny illegal NAT traversal
chain=sanity-check action=jump jump-target=drop
packet-mark=nat-traversal

4 ;;; Block port scans
chain=sanity-check action=add-src-to-address-list psd=20,3s,3,1
address-list=blocked-addr address-list-timeout=1d protocol=tcp

5 ;;; Block TCP Null scan
chain=sanity-check action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack address-list=blocked-addr
address-list-timeout=1d protocol=tcp

6 ;;; Drop TCP RST
chain=sanity-check action=jump jump-target=drop tcp-flags=rst
protocol=tcp

7 ;;; Dropping invalid connections at once
chain=sanity-check action=jump jump-target=drop connection-state=invalid

8 ;;; Accepting already established connections
chain=sanity-check action=accept connection-state=established

9 ;;; Also accepting related connections
chain=sanity-check action=accept connection-state=related

10 ;;; Drop all traffic that goes to multicast or broadcast addresses
chain=sanity-check action=jump jump-target=drop
dst-address-type=broadcast,multicast

11 ;;; Drop illegal destination addresses
chain=sanity-check action=jump jump-target=drop dst-address-type=!local
dst-address-list=illegal-addr in-interface=Local

12 ;;; Drop illegal source addresses
chain=sanity-check action=jump jump-target=drop
src-address-list=illegal-addr in-interface=Public

13 ;;; Sanity Check
chain=input action=jump jump-target=sanity-check

14 ;;; Dropping packets not destined to the router itself, including all bro>
ast traffic
chain=input action=jump jump-target=drop dst-address-type=!local

15 ;;; Allowing some services to be accessible from the local network
chain=input action=jump jump-target=local-services in-interface=Local

16 ;;; DNS
chain=local-services action=accept connection-mark=dns

17 ;;; Drop Telnet
chain=input action=jump jump-target=drop dst-port=23 protocol=tcp

18 ;;; Drop SSH
chain=input action=jump jump-target=drop dst-port=22 protocol=tcp

19 ;;; Drop NTB
chain=forward action=jump jump-target=drop dst-port=137-139 protocol=tcp

20 ;;; Drop FTP
chain=input action=jump jump-target=drop dst-port=21 protocol=tcp

21 ;;; Accept Counter-Strike UDP
chain=forward action=accept dst-port=1200,27000-27015 protocol=udp

22 ;;; Accept UDP CamFrog
chain=forward action=accept dst-port=5000,15000 protocol=udp

23 ;;; Drop UDP !53
chain=forward action=drop dst-port=!53 protocol=udp

the router is a V3 rc13, in a athlon 3600 DC, 1gb ddr2, hd 80gb and the resources monitor is frecuently at 0% usage or 1%. The connection is NAT, are the rules OK for this?

this are all the rules Im using and a simple queue for every machine IP address to limit the bandwidth to 256k or 512k.
What Im I doing wrong? Obviously when the wifi clients are downloading or working the most Ive got the high ping, maybe only 1 or 2 clients with p2p programs can cause the high pings and lag in all my wifi network. This happend also when the TCP rule is working, between 20hs an 24hs.

any idea? anyone with a WISP of 30 or 40 clients should been for the same problem? how do you fixed it? I read that 1 mikrotik could handle 100 wireless clients without problem, so the problem its me.

Thank anyone who took the time to read all this.

Mikrotik may be able to handle 100 clients but only with Nstream and polling enabled.

Take a look at your CPU utilization. Disable your firewall rules. Dump the Simple Queues and add a single PCQ queue.

Also, check your customers traffic, one customer can have a virus, or spam bot. If this is the case, hundreds of packets per second, if not more can overwhelm your AP and cause this. Basically one customer can bring down a B access point to the point that the ping times are stupid for all the rest of the customers.

Bittorrent and such do this as well. Sometimes not to the same extent.

a simple PCQ rule with divide the bandwidth among all users, I need to set diferent bandwidth to differents IP address

I cant use NSTREAM cause edimax AP client antenas doesnt accept that mode.

CPU utilizacion in RB333 is between 5 an 10% and in the x86 server less than 1%, I try erasing all the rules and simple queues and ping is still hi, its obviuos that is for the excesive connection, cause I reboot the server all the internet connections get lost and pings go down to less 10ms to all the clients.

I already limited TCP to 25 connect per client as you see in the rules above and block UDP !53 for only internet access and the ping is still high

I think the problem is as Dennis Burgess says some virus or troyan in the clients machines or bit torrent clients or any P2P, but I already limit TCP and UDP connections so if they are infected with something shouldnt that rules stop them?

another thing I notice is that in the rb333 I also have a sr9 card with a only 1 client and that IP always have 2ms of ping, always, so I dont know why with the same hardware and connected to the same server, the clientes in 2.4ghz get hi ping answers and the only 900mhz client always work well (the sr9 is working as WDS dynamic mode)

Thank you for your time.

I have the same stuff happening to me. With me it is p2p people. I have 60 people on the wireless side. I made the all-p2p action drop rule and I see a significant improvement. Try to look at the active connection under ip firewall. You will see the p2p traffic lablelled.

the thing is I dont want to drop them, else my clients could not use p2p software and they will reclaim to me about it, why ares cant connect or emule doesnt download and stuff.
I only want to limit them, I already drop all udp traffic except 53, and limit tcp connections to 25 per ip address (per client) and as I said before with this limitations wich should be better than dropping p2p traffic Im still getting high pings for the massive users connections.

any idea?

Cant you limit the upload/download of the P2P traffic. Rather than giving them a connection limit? Or you could use both... -Jordan

I just limit p2p speed and nobody complains.

On a side note, I had several AP's with high latency and packet loss with very low CCQ high ACK and excellent signal. All my CPE signals were from -50 to -71.

Turned out once I dropped my radios back to 23dbm everything works great. Signal levels at the AP were not affected - it still hears just as well with less power. Food for thought.

hi to all

I have speed limited to 256k simetrical to all my clients, not only for p2p, I have the simple queue apply to the IP address so all IP traffic from that client should be limited, incluyed the p2p right?
I manage my lan with 2mb simetrical wifi connection.

I have CCQ at tx/rx 100%/0% in almost ever client and signals between -54 to -76, all with ccq 100% =S.

power 28db (600mw) with xr2, cause I have a lot of isp in here and it really works better than with my previous 200mw card

so the problem persist, why limiting bandwidth per IP, blocking connections UDP !53 and limiting tcp to drop at 25 still getting high ping... =)

tamahome:

The problem is most likely interference on the wireless channel you're using... Ping times can be extremely high especially when there are other RF "radiators" in the area operating on or near the channel you are on.

I'd try changing channels on the wireless interface. and running pings from the mikrotik to the client to see what response times are. keep trying different channels until you can get a consistent <10ms ping to your clients.

Also transmitting at 28dB with an 8dbi omni probably isn't helping much.. turn on the regulatory domain function on the access point and set the gain of the antenna, this will turn the power down on your radio to meet your countries regulatory limits. You may want to try increasing the number in the gain field to higher than your antenna's actual gain to further reduce the TX power. More power does not equal a better connection. By increasing the TX power, yes it will increase the RX signal of your clients, but you're also going to increasing the noise.

The symptoms of the problem in your original post seem to point to in-band interference. You can also enable DFS (use no-radar-detect) this will choose a channel with the least amount of interference.

If there was a problem with firewall rules or queuing you'd usually see high/maxed out CPU usage thus resulting in higher ping times. Or in the case of a firewall blocking ICMP, you wouldn't see any replys at all (request timed out).

hi, First, the channel Im using is 5, I already test all the other 10 channels and this one is the one I got less interference, my floor noise is -91, in other channels were -73 to -54, horrible.

I have better experience with clients using 28db than less wich I had with my previous minipci card, before, I had packet lost of 10% usually, now its between 0 and 2%

about the cpu usage, the resources menu says its always between 0 and 1%, the mikrotik is installed in Athlon 3600 x2, 1gbddr2 800 and hd80gb, so there isnt any kind of overload in that way.

this firewall rule I guess is this one
10 ;;; Drop all traffic that goes to multicast or broadcast addresses
chain=sanity-check action=jump jump-target=drop
dst-address-type=broadcast,multicast

in the winbox interfase it doesnt seem to be catching anything, bytes and packets indicators always are at cero.

the rb333 in the AP is only used as bridge and access list mac controll, so it doesnt get overloaded and the cpu load indicator goes from 0% to 10% tops

is the firewall rule I posted correct? it rear that doesnt catch anything.

Thank you all.

Hi. If it's not that late my answer, your firewall rules will probably not improve your latency in the network, if you have such a high level of noise.
Post a snooper print screen here, from the access point.
If I were you, I would consider changing the radio frequency, or, to spare some money, keep the antennas and switch all radios to mikrotik for nstreme, or something else capable of 5 or 10 mhz channels, wich also might improve your troughput.