Mikrotik ROS 6.30 - Foxtel IQHD cable settop box

toddfraser88 · Wed Jul 29, 2015 7:54 pm

OK, I have an issue with my Foxtel IQHD cable settop box where anything I try to download on the box goes painfully slowly, usually less than 1mbit.

so my setup is like this

Cable box

Telstra Gateway Max Cable Modem (C6300BD-202)
|
RB951G-2HnD
|
Foxtel IQHD cable settop box

This results in a painfully slow download.

Telstra Gateway Max Cable Modem (C6300BD-202)
|
Foxtel IQHD cable settop box

Same box, same network cable, just plugged into the modem directly, works properly.

I've tried resetting without a default configuration and setting up from scratch, but it made no difference.

I've attached some pictures of what happens on the foxtel box.

anyone able to help with this?

toddfraser88 · Wed Jul 29, 2015 7:56 pm

my config - wireless password removed.

if it helps.

normalcy · Thu Jul 30, 2015 12:42 am

If you do a regular speed test on a laptop is there also a similar slowdown? Or is it only the Foxtel box? When the cable modem is plugged into the mik is it put in bridge mode or are you double NAT'ing. Nothing really jumped out at me in your config. I guess you've tried with and without the simple queue.

normalcy · Thu Jul 30, 2015 1:08 am

Did some googling and I'm guessing this is your issue http://forums.whirlpool.net.au/archive/2421925

If so you've already tried a fair bit there. It's a weird issue.

toddfraser88 · Thu Jul 30, 2015 10:14 am

If you do a regular speed test on a laptop is there also a similar slowdown? Or is it only the Foxtel box?

every other device on the network performs normally, it's just foxtel acting up.

When the cable modem is plugged into the mik is it put in bridge mode or are you double NAT'ing. Nothing really jumped out at me in your config. I guess you've tried with and without the simple queue.

the modem is in bridge mode, the telstra firmware is not that good and is too dumbed down, bridge mode is the best option.

I also tried with bridge mode off, NAT switched on, on the modem, unfortunately no change.

and yes, that whirlpool thread is me.

normalcy · Thu Jul 30, 2015 1:55 pm

I guess the next thing I'd try in this situation is put a managed switch in between the modem and the routers and mirror the traffic to wireshark to look for any differences when it's working vs when it's not. Don't know if your comfortable at that low a level.

Eg: cable modem -> mirroring switch -> IQHD. And cable modem -> mirroring switch -> 951 -> IQHD.

Don't know if you have access a smart/managed switch or not, I'm not sure if the switch chip in your 951 could be used to mirror or not (might only be in the newer CRS devices) and I'd prefer switch hardware mirroring rather than a bridge+mangle sniff rules as you want to avoid the mikrotik cpu and any possible impact that might have on your bandwidth.

normalcy · Thu Jul 30, 2015 1:59 pm

You'd be looking for differences in the packets that could be nailed down to the different setups. Eg qos values, MSS, packet size etc. maybe even do the same with that netgear router that worked to see what it might be doing that the 951 isn't. Otherwise I suppose we would just be running through a laundry list of guesses, which you look to already have done a lot of.

toddfraser88 · Thu Jul 30, 2015 4:27 pm

I guess the next thing I'd try in this situation is put a managed switch in between the modem and the routers and mirror the traffic to wireshark to look for any differences when it's working vs when it's not. Don't know if your comfortable at that low a level.

Eg: cable modem -> mirroring switch -> IQHD. And cable modem -> mirroring switch -> 951 -> IQHD.

Don't know if you have access a smart/managed switch or not, I'm not sure if the switch chip in your 951 could be used to mirror or not (might only be in the newer CRS devices) and I'd prefer switch hardware mirroring rather than a bridge+mangle sniff rules as you want to avoid the mikrotik cpu and any possible impact that might have on your bandwidth.

I have a CRS125-24G-1S-2HnD-IN that I could try this with. I'd imagine there would be a way to switch off the routing function with this?

only have 1 though, do i need 2?

toddfraser88 · Fri Jul 31, 2015 9:05 am

toddfraser88 · Fri Jul 31, 2015 8:59 pm

normalcy · Sat Aug 01, 2015 5:57 am

Sorry I'm going away on holiday so won't be here for a while.

But basically you want to setup a switch group on the CRS for a few ports between your cable modem and the various downstream routers (maybe another one to plug the Foxtel box in and look at that traffic).

Then setup mirroring to send that traffic to another port/host running wireshark to look for any differences when it's slow vs fast.

http://wiki.mikrotik.com/wiki/Manual:CR ... _Mirroring

You want to do mirroring as its wire speed in the switchchip and you don't want the CRS router CPU to get in the way (like it might be in the 951) so no bridging and sniffing via mangle rules.

Hope that helps.

normalcy · Sat Aug 01, 2015 5:59 am

Oh and no you should only need the one CRS and yes you would only want a minimal config (enough to get management access via winbox - lots of wiki/forum threads about that)

toddfraser88 · Fri Aug 07, 2015 4:32 pm

OK, here is a wireshark port capture of what happens when it fails. - remove the txt extension

I'll upload the working capture later, it's much larger for some reason at 22megs

toddfraser88 · Fri Aug 07, 2015 10:08 pm

here is a download link to the 22meg capture of when it's working

http://www.megafileupload.com/97vX/port ... ing.pcapng

toddfraser88 · Sat Aug 08, 2015 8:56 am

bump.

toddfraser88 · Sun Aug 09, 2015 5:22 am

toddfraser88 · Mon Aug 10, 2015 7:24 am

toddfraser88 · Thu Aug 13, 2015 9:32 am

normalcy · Sat Aug 15, 2015 10:09 am

Hi. Back from a break. If your links are still good I'll have a look tomorrow. Hopefully we can find something!

normalcy · Sat Aug 15, 2015 1:08 pm

Can you re-upload the second link? i think it's expired on me.

toddfraser88 · Sat Aug 15, 2015 7:22 pm

second link worked fine for me.

but here it is again
http://s000.tinyupload.com/index.php?fi ... 1107670443

normalcy · Sun Aug 16, 2015 5:58 am

Ok got the second file. Are you performing one or two speed tests during these two captures?

Only a couple of things jump out at me on first look.

On the failing capture you're getting a lot of 'TCP Spurious Retransmissions' followed by DUP ACKs that could be a symptom or a contributor to the slowdown. If you look at the screenshot, the retransmits (black in the scrollbar on the right) coincide with the flatlining of the download.

Also, have you changed the router config to get 192.168.55.0/24 instead of 192.168.88.0/24? MAC looks different from bridge MAC in your config rsc posted earlier. Is this routerboard a different device? Are you not getting a public IP on the routerboard and double NAT'ing?

Other than that, not seeing anything too obvious.

I had thought it might be a DNS issue (getting a server from a different region due to DNS resolvers configured) but all the resolved servers are the same name/address (and same number of DNS requests/responses).

toddfraser88 · Sun Aug 16, 2015 7:27 am

Also, have you changed the router config to get 192.168.55.0/24 instead of 192.168.88.0/24? MAC looks different from bridge MAC in your config rsc posted earlier. Is this routerboard a different device?

yeah this is a different device, the one I was using before was a RB951G-2HnD, but I setup a separate network with a CRS125-24G-1S-2HnD-IN and do all my testing on that, so I don't interrupt Internet connectivity for the rest of the family.

Are you not getting a public IP on the routerboard and double NAT'ing?

I can get 2 public IPs from the modem for each of these networks, so no double NAT'ing

any idea why i might be getting the Spurious Retransmissions and DUP ACKs?

normalcy · Sun Aug 16, 2015 9:49 am

There's apparently a lot of things that can cause them as mentioned in that linked article, with the recommendation being that you capture close to the sender. However if you've now used two different mikrotik devices and get the same behaviour that would tend to suggest it's something with them. maybe queue size on the interfaces?

this only happens for IQHD? if someone else does a speediest at the same time it works ok?

I'm not a TCP guru, hopefully some of them can comment here, but as far as I can tell, both streams start off identically, and it's only once the TCP window fills up the first time (packet 172) that it all seems to fall over after that in congestion collapse.

Where did you capture the failing stream? Was it:

    "bridge mode modem" --> "mirror port"  --> "mikrotik device" --> IQHD,

or was it:

    "bridge mode modem" --> "mikrotik device"  --> "mirror port"  --> IQHD, or

I'm guessing the second?

normalcy · Sun Aug 16, 2015 11:41 am

What do you have for:

[admin@MikroTik] > ip firewall connection tracking print

and:

[admin@MikroTik] > ip settings print

Assuming these will be factory default settings.

normalcy · Sun Aug 16, 2015 2:35 pm

This might also be a bit of a long shot, but what happens to the speed test if you change the interface queue type of the ethernet ports?

queue interface set [find default-queue="only-hardware-queue"] queue=ethernet-default

toddfraser88 · Mon Aug 17, 2015 5:26 am

if you've now used two different mikrotik devices and get the same behaviour that would tend to suggest it's something with them. maybe queue size on the interfaces?

I tried changing the queue size, from 1 to 100000, still no change.

this only happens for IQHD? if someone else does a speediest at the same time it works ok?

only happens on the IQHD, every other device loads the image it tests with in about 5 seconds.

I'm not a TCP guru, hopefully some of them can comment here, but as far as I can tell, both streams start off identically, and it's only once the TCP window fills up the first time (packet 172) that it all seems to fall over after that in congestion collapse.

Where did you capture the failing stream? Was it:
Code: Select all
    "bridge mode modem" --> "mirror port"  --> "mikrotik device" --> IQHD, 
or was it:
Code: Select all
    "bridge mode modem" --> "mikrotik device"  --> "mirror port"  --> IQHD, or 
I'm guessing the second?

yep, the second.

toddfraser88 · Mon Aug 17, 2015 5:30 am

What do you have for:
Code: Select all
[admin@MikroTik] > ip firewall connection tracking print
and:
Code: Select all
[admin@MikroTik] > ip settings print
Assuming these will be factory default settings.

I'll get you these a bit later on tonight.

toddfraser88 · Mon Aug 17, 2015 5:32 am

This might also be a bit of a long shot, but what happens to the speed test if you change the interface queue type of the ethernet ports?
Code: Select all
queue interface set [find default-queue="only-hardware-queue"] queue=ethernet-default

I've tried this, and every other queue, even a custom queue with a length of 1-100000 packets. it makes no difference.

toddfraser88 · Tue Aug 18, 2015 7:02 pm

What do you have for:
Code: Select all
[admin@MikroTik] > ip firewall connection tracking print
and:
Code: Select all
[admin@MikroTik] > ip settings print
Assuming these will be factory default settings.

OK.


[admin@MikroTik] > ip settings print
              ip-forward: yes
          send-redirects: yes
     accept-source-route: no
        accept-redirects: no
        secure-redirects: yes
               rp-filter: no
          tcp-syncookies: no
         max-arp-entries: 8192
             arp-timeout: 30s
         icmp-rate-limit: 10
          icmp-rate-mask: 0x1818
             route-cache: yes
         allow-fast-path: yes
   ipv4-fast-path-active: no
  ipv4-fast-path-packets: 0
    ipv4-fast-path-bytes: 0
   ipv4-fasttrack-active: no
  ipv4-fasttrack-packets: 0
    ipv4-fasttrack-bytes: 0
[admin@MikroTik] >


[admin@MikroTik] > ip firewall connection tracking print
                   enabled: auto
      tcp-syn-sent-timeout: 5s
  tcp-syn-received-timeout: 5s
   tcp-established-timeout: 1d
      tcp-fin-wait-timeout: 10s
    tcp-close-wait-timeout: 10s
      tcp-last-ack-timeout: 10s
     tcp-time-wait-timeout: 10s
         tcp-close-timeout: 10s
   tcp-max-retrans-timeout: 5m
       tcp-unacked-timeout: 5m
               udp-timeout: 10s
        udp-stream-timeout: 3m
              icmp-timeout: 10s
           generic-timeout: 10m
               max-entries: 218040
             total-entries: 5
[admin@MikroTik] >

toddfraser88 · Wed Aug 19, 2015 7:40 pm

anyone else got any ideas?

toddfraser88 · Fri Aug 21, 2015 9:41 am

anyone?

toddfraser88 · Sun Sep 06, 2015 7:04 am

user aoakeley helped me to come up with a solution for this,


/ip firewall mangle
add action=change-mss chain=forward comment="MSS 1300  to foxtel 1" \
    dst-address=192.168.88.11 new-mss=1300 protocol=tcp tcp-flags=syn \
    tcp-mss=1301-65535
add action=change-mss chain=forward comment="MSS 1300  from foxtel 1" \
    new-mss=1300 protocol=tcp src-address=192.168.88.11 tcp-flags=syn \
    tcp-mss=1301-65535
add action=change-mss chain=forward comment=\
    "Change MSS on WAN connection from foxtel 1" new-mss=1400 out-interface=\
    ether1-gateway protocol=tcp src-address=192.168.88.11 tcp-flags=syn \
    tcp-mss=1401-65535
add action=change-mss chain=forward comment=\
    "Change MSS on WAN connection to foxtel 1" dst-address=192.168.88.11 \
    in-interface=ether1-gateway new-mss=1400 protocol=tcp tcp-flags=syn \
    tcp-mss=1401-65535

thanks