:foreach i in=[/ip dns cache all find where (name~"update.microsoft" || name~"windowsupdate" || name~"download.microsoft" || name~"wustat" || name~"ntservicepack") && (type="A")] do={
    :local tmpAddress [/ip dns cache get $i address];
    # prevent script from using all cpu time
    :delay 10ms;
    # only add the address if it is not already in an address list
    :if ([/ip firewall address-list find where address=$tmpAddress] = "") do={
        :local cacheName [/ip dns cache get $i name];
        :log info ("added entry: $cacheName $tmpAddress");
        /ip firewall address-list add address=$tmpAddress list=MS timeout=23:59:59 comment=$cacheName;
    }
}
/ip firewall nat
add action=redirect chain=dstnat comment="DNS Dictator" dst-port=53 in-interface=!ether1-WAN protocol=udp
/system scheduler
add interval=2m name=microsoft on-event=":foreach i in=[/ip dns cache all find where (name~\"update.microsoft\" || name~\"windowsupdate\" || name~\"\
download.microsoft\" || name~\"wustat\" || name~\"ntservicepack\") && (type=\"A\") ] do={\r\
\n :local tmpAddress [/ip dns cache get \$i address];\r\
\ndelay delay-time=10ms\r\
\n#prevent script from using all cpu time\r\
\n :if ( [/ip firewall address-list find where address=\$tmpAddress] = \"\") do={ \r\
\n :local cacheName [/ip dns cache get \$i name] ;\r\
\n :log info (\"added entry: \$cacheName \$tmpAddress\");\r\
\n /ip firewall address-list add address=\$tmpAddress list=MS timeout=23:59:59 comment=\$cacheName;\r\
\n\r\
\n}\r\
\n\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/2016 start-time=00:01:00
/ip firewall mangle
add action=mark-packet chain=prerouting comment="ms list dst" dst-address-list=MS new-packet-mark=ms passthrough=no
add action=mark-packet chain=prerouting comment="ms list src" new-packet-mark=ms passthrough=no src-address-list=MS
/queue simple
add max-limit=1M/1M name=MS packet-marks=ms target=ether1-WAN time=6h-23h59m59s,sun,mon,tue,wed,thu,fri,sat
/ip firewall layer7-protocol
add name=MicrosoftUpdates regexp="^.+(update.microsoft|windowsupdate|download.microsoft|wustat|ntservicepack).*\$"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="ms list dst" layer7-protocol=MicrosoftUpdates new-packet-mark=ms passthrough=no
/queue simple
add max-limit=1M/1M name=MS packet-marks=ms target=ether1-WAN time=6h-23h59m59s,sun,mon,tue,wed,thu,fri,sat
We throttle WU because in SA our internet is SLOW and Windows takes all the bandwidth.
I'm doing this so that I can continue using the web while Windows is updating; I couldn't care less if WU takes 2 hours to complete, as long as it doesn't affect the rest.
Wolter
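The scheduler script above selects DNS-cache A records by name and copies their addresses into the MS address list, which the mangle rules then mark. As an added example (not Wolter's script and not RouterOS code), the same selection is re-implemented below in Python over a constructed DNS-cache sample, so the behaviour can be checked offline. It goes a little beyond the script in two ways: it follows CNAME records inside the cache (the script only takes A records whose own name matches, so a CDN address behind a CNAME is never added), and it flags selected addresses that also answer for unrelated names, since a queue keyed on an address throttles everything on it. The escaped dots in the regex, the sample names and the documentation-range addresses are assumptions made here.

```python
import re
from collections import defaultdict

# Name filter from the DNS-cache script on this page, with the dots escaped so
# that "update.microsoft" matches a literal dot (RouterOS `~` is a regex match,
# where an unescaped "." matches any character). Escaping is an assumption about
# what the poster intended.
UPDATE_NAME_RE = re.compile(
    r"update\.microsoft|windowsupdate|download\.microsoft|wustat|ntservicepack"
)

# Constructed sample of `/ip dns cache all` entries: (name, type, data).
# Addresses are documentation ranges, not real Microsoft or CDN addresses.
SAMPLE_CACHE = [
    ("download.windowsupdate.com", "CNAME", "cdn-edge.example-cdn.net"),
    ("cdn-edge.example-cdn.net", "A", "203.0.113.10"),
    ("www.example.com", "A", "203.0.113.10"),      # unrelated site, same CDN address
    ("fe2.update.microsoft.com", "A", "203.0.113.20"),
    ("wustat.windows.com", "A", "203.0.113.20"),
    ("ntservicepack.microsoft.com", "AAAA", "2001:db8::1"),  # not an A record: skipped
    ("mail.example.net", "A", "198.51.100.5"),
]


def analyse(cache):
    """Return (selected, shared).

    selected: {address: [matching names]} for every A record reached from a
    name that matches UPDATE_NAME_RE, following CNAME records inside the cache.
    shared: {address: [other names]} for selected addresses that also answer for
    names outside the filter; a queue keyed on such an address throttles them too.
    """
    by_name = defaultdict(list)
    for name, rtype, data in cache:
        by_name[name].append((rtype, data))

    selected = defaultdict(set)
    chain = set()  # every name visited while resolving a matching name

    def walk(name, origin, depth=0):
        if depth > 8:  # guard against CNAME loops
            return
        chain.add(name)
        for rtype, data in by_name.get(name, ()):
            if rtype == "A":
                selected[data].add(origin)
            elif rtype == "CNAME":
                walk(data, origin, depth + 1)

    for name in by_name:
        if UPDATE_NAME_RE.search(name):
            walk(name, name)

    shared = defaultdict(set)
    for name, rtype, data in cache:
        if rtype == "A" and data in selected and name not in chain:
            shared[data].add(name)

    return ({a: sorted(n) for a, n in selected.items()},
            {a: sorted(n) for a, n in shared.items()})


def routeros_commands(selected, list_name="MS", timeout="23:59:59"):
    """One `/ip firewall address-list add` per address, as the page's script does."""
    return [
        f"/ip firewall address-list add address={addr} list={list_name} "
        f"timeout={timeout} comment=\"{','.join(names)}\""
        for addr, names in sorted(selected.items())
    ]


if __name__ == "__main__":
    selected, shared = analyse(SAMPLE_CACHE)
    for cmd in routeros_commands(selected):
        print(cmd)
    for addr, names in shared.items():
        print(f"# warning: {addr} also serves {names}; a queue on this address throttles them as well")
```

Run against a real `/ip dns cache all print` dump, the shared-address warnings are the thing to read first: they tell you which non-update traffic a per-address queue will drag down with it.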
In the place I live we have ADSL and VDSL. There are hotels with 5 Mbps download and 1 Mbps upload, and I have to share this line with customer free internet. Yes, Windows Update is a bandwidth hog after all. Customers didn't come to the hotel to upgrade their laptop or PC, lol.

Why would anybody want to throttle Windows Updates?
If you are doing it because of network issues, then how about fixing the bigger problem - the network.
If you are throttling updates to paying customers, then you are opening yourself up to a lawsuit from customers.
If you need to throttle, then use a policy/queue that treats all sites on the internet and customers fairly.
Keep in mind that you can throttle customers down to the rate of speed which they are purchasing.
North Idaho Tom Jones
/ip firewall layer7-protocol
add name=MicrosoftUpdates regexp="^.+(update.microsoft|windowsupdate|download.microsoft|wustat|ntservicepack).*\$"
Is there a way to bypass fasttrack for this, so as to still be able to use it on all other connections?

REMEMBER to disable the defconf:fasttrack in the firewall, else the queue will not work.
/ip firewall mangle
add action=mark-connection chain=prerouting comment=MicrosoftUpdates layer7-protocol=MicrosoftUpdates new-connection-mark=MicrosoftUpdates passthrough=yes port=80,443 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=MicrosoftUpdates new-packet-mark=MicrosoftUpdates passthrough=no
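The question above is how to keep fasttrack for everything except the throttled traffic. The following is an added example, not any poster's configuration: a small Python linter over a constructed RouterOS export made of the default fasttrack rule, the two mangle rules just posted, and the scheduler entry from earlier in the thread (on-event abbreviated). It reports a fasttrack rule that has no `connection-mark=no-mark` (or `connection-mark=!<mark>`) exclusion while mark-connection rules exist, which is the usual way to fasttrack all connections except the marked ones, and it reports scheduler policies beyond what the script needs; that an address-list script needs only `read,write` is an assumption stated in the code. The parser is deliberately simple (quoted values with no escaped quotes), which is enough for the sample. One caveat the linter cannot see: once a connection is fasttracked its later packets no longer pass through mangle, so the exclusion is reliable for marks set on a connection's first packets (address-list based) and less so for a layer7 mark that needs several packets before it matches.

```python
import re

# Constructed export in the style of the configs on this page: the default
# fasttrack rule, the mangle marks posted above and a scheduler entry carrying
# the policy list from the earlier post. The on-event body is abbreviated.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
/ip firewall mangle
add action=mark-connection chain=prerouting comment=MicrosoftUpdates layer7-protocol=MicrosoftUpdates new-connection-mark=MicrosoftUpdates passthrough=yes port=80,443 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=MicrosoftUpdates new-packet-mark=MicrosoftUpdates passthrough=no
/system scheduler
add interval=2m name=microsoft on-event="..." policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive
"""

# key=value tokens; quoted values may contain spaces. Escaped quotes inside a
# value (as in a full on-event export) are not handled: the sample has none.
TOKEN = re.compile(r'(\S+?)=(?:"([^"]*)"|(\S+))')


def parse_export(text):
    """Return [(menu, {key: value})] for every `add` line, keyed by its menu path."""
    menu, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            kv = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in TOKEN.finditer(line[4:])}
            rules.append((menu, kv))
    return rules


def lint(rules, needed_policy=frozenset({"read", "write"})):
    """Two checks: a fasttrack rule must exclude marked connections, and a
    scheduler entry should not carry policies beyond what its script needs.
    The default needed_policy is an assumption for an address-list script."""
    findings = []
    marks = sorted({kv["new-connection-mark"] for menu, kv in rules
                    if menu == "/ip firewall mangle"
                    and kv.get("action") == "mark-connection"
                    and "new-connection-mark" in kv})
    for menu, kv in rules:
        if menu == "/ip firewall filter" and kv.get("action") == "fasttrack-connection":
            cm = kv.get("connection-mark", "")
            if marks and not (cm == "no-mark" or cm.startswith("!")):
                findings.append(("fasttrack-bypass",
                    f"rule {kv.get('comment', '?')!r} fasttracks connections marked "
                    f"{marks}, so they skip mangle and the queue; add "
                    f"connection-mark=no-mark to it"))
        if menu == "/system scheduler":
            extra = sorted(set(kv.get("policy", "").split(",")) - set(needed_policy) - {""})
            if extra:
                findings.append(("excess-policy",
                    f"scheduler {kv.get('name', '?')!r} carries unneeded policies {extra}; "
                    f"policy={','.join(sorted(needed_policy))} is enough for this script"))
    return findings


def fixed_fasttrack(kv):
    """Re-serialize a fasttrack rule with the connection-mark exclusion added."""
    kv = dict(kv, **{"connection-mark": "no-mark"})
    parts = [f'{k}="{v}"' if " " in v else f"{k}={v}" for k, v in kv.items()]
    return "add " + " ".join(parts)


if __name__ == "__main__":
    rules = parse_export(SAMPLE_EXPORT)
    for kind, msg in lint(rules):
        print(f"[{kind}] {msg}")
    for menu, kv in rules:
        if kv.get("action") == "fasttrack-connection":
            print(menu)
            print(fixed_fasttrack(kv))
```

Feed it the output of `/export` for the relevant menus; an empty findings list after the fasttrack rule has been re-added with `connection-mark=no-mark` is what you want to see.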
Here is what I have been using, with a modified layer7 from above. It seems to be catching all Windows updates, Office updates, etc.
The following checks for the content and layer7 in connections on TCP 80 and 443 (do I need 443?) and then adds the src address to a list, which is then marked.
/ip firewall layer7-protocol
add name=MicrosoftUpdates regexp="^.+(update.microsoft|windowsupdate|download.microsoft|wustat|ntservicepack|update.microsoft.com|crl.microsoft.com|download.microsoft.com|office.microsoft.com|download.windowsupdate.com|windowsupdate.com|ntservicepack.microsoft.com|officeupdate.microsoft.com|stats.microsoft.com|v4.windowsupdate|v4.windowsupdate.microsoft.com|windowsupdate.microsoft.com|wustat.windows.com|test.stats.update.microsoft.com|.msu|.manifest|.mum).*\$"
/ip firewall mangle
add action=mark-connection chain=forward comment="MS Updates Content Address List Adding" in-interface=WAN new-connection-mark=ms-updates-conn-in passthrough=yes protocol=tcp src-port=80,443
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=crl.microsoft.com in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=update.microsoft.com in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=download.microsoft.com in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=office.microsoft.com in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=download.windowsupdate.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=windowsupdate.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=ntservicepack.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=officeupdate.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=stats.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=v4.windowsupdate disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=v4.windowsupdate.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=windowsupdate.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=wustat.windows.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=test.stats.update.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=.manifest in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=.mum in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=.msu in-interface=WAN log-prefix=.msu
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=.cat disabled=yes in-interface=WAN log-prefix=.msu
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=en-us disabled=yes in-interface=WAN log-prefix=en-us
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward comment="MS Updates Layer7 Address List Adding" connection-mark=ms-updates-conn-in in-interface=WAN layer7-protocol=MicrosoftUpdates
add action=mark-connection chain=forward comment="MS Updates Marking" in-interface=WAN new-connection-mark=ms-updates-in passthrough=yes src-address-list=ms-updates
add action=mark-packet chain=forward connection-mark=ms-updates-in in-interface=WAN new-packet-mark=ms-updates-in passthrough=no
add action=mark-connection chain=forward dst-address-list=ms-updates new-connection-mark=ms-updates-out out-interface=WAN passthrough=yes
add action=mark-packet chain=forward connection-mark=ms-updates-out new-packet-mark=ms-updates-out out-interface=WAN passthrough=no
/ip firewall address-list
add address=update.microsoft.com list=ms-updates
add address=crl.microsoft.com list=ms-updates
add address=download.microsoft.com list=ms-updates
add address=download.windowsupdate.com list=ms-updates
add address=ntservicepack.microsoft.com list=ms-updates
add address=office.microsoft.com list=ms-updates
add address=officeupdate.microsoft.com list=ms-updates
add address=stats.microsoft.com list=ms-updates
add address=v4.windowsupdate.com list=ms-updates
add address=windowsupdate.com list=ms-updates
add address=windowsupdate.microsoft.com list=ms-updates
add address=wustat.windows.com list=ms-updates
add address=test.stats.update.microsoft.com list=ms-updates
add address=c.microsoft.com list=ms-updates
add address=sls.update.microsoft.com.akadns.net list=ms-updates
add address=vortex.data.microsoft.com list=ms-updates
add address=vortex-win.data.microsoft.com list=ms-updates
add address=fe2.update.microsoft.com.akadns.net list=ms-updates
add address=statsfe2.update.microsoft.com.akadns.net list=ms-updates
add address=windowsupdate.microsoft.nsatc.net list=ms-updates
add address=v4windowsupdate.microsoft.nsatc.net list=ms-updates
add address=v4.windowsupdate.microsoft.com list=ms-updates
add address=fe2.update.microsoft.com.nsatc.net list=ms-updates
I then add a queue with ms-updates-in and another with ms-updates-out.
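The configuration above applies the layer7 regexp and a series of `content=` matches to connections on TCP 80 and 443, and asks whether 443 is needed. As an added example (not the poster's configuration and not RouterOS code), the block below applies the page's regexp and a plain substring test to two constructed payloads, a plaintext HTTP request and a minimal TLS ClientHello that the code builds itself, and parses the server_name (SNI) back out of the ClientHello. It shows what each matcher can see on each port: on 80 the whole request, on 443 only the SNI in the ClientHello, and that any client can trigger the mark simply by putting one of the substrings in a URL path. The `re.DOTALL | re.IGNORECASE` flags are an assumption about how the router's matcher treats the payload, and `extract_sni` is a parser written here, not something the page provides.

```python
import re
import struct

# The layer7 regexp posted on this page, applied with DOTALL and IGNORECASE.
# Assumption: this approximates the router's matcher closely enough to show
# which bytes can and cannot trigger it; it is not RouterOS's own engine.
L7_PATTERN = re.compile(
    rb"^.+(update\.microsoft|windowsupdate|download\.microsoft|wustat|ntservicepack).*$",
    re.DOTALL | re.IGNORECASE,
)


def l7_match(payload: bytes) -> bool:
    """Emulate `layer7-protocol=MicrosoftUpdates` over the first bytes of a connection."""
    return L7_PATTERN.search(payload) is not None


def content_match(payload: bytes, needle: str) -> bool:
    """Emulate the `content=` matcher: a plain substring test on the packet payload."""
    return needle.encode() in payload


def http_get(host: str, path: str = "/") -> bytes:
    """Constructed plaintext HTTP/1.1 request, as seen on TCP/80."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: Windows-Update-Agent\r\n\r\n").encode()


def tls_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying a server_name extension.
    On TCP/443 this is the only cleartext in which the hostname appears."""
    name = sni.encode()
    server_name = b"\x00" + struct.pack("!H", len(name)) + name      # host_name type
    sni_ext = struct.pack("!H", len(server_name)) + server_name        # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext           # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"     # version, fixed random, empty session id
            + b"\x00\x02\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                             # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Parse the server_name extension out of a ClientHello; None if absent.
    Every offset is bounds-checked so a truncated record cannot raise."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                          # headers, version, random
        pos += 1 + record[pos]                                    # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]    # cipher suites
        pos += 1 + record[pos]                                    # compression methods
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5:
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


# Constructed test traffic; hostnames and paths are assumptions.
CASES = {
    "HTTP GET to download.windowsupdate.com": http_get("download.windowsupdate.com", "/msdownload/update/x.cab"),
    "HTTP GET to www.example.com/windowsupdate.iso": http_get("www.example.com", "/windowsupdate.iso"),
    "TLS ClientHello, SNI fe2.update.microsoft.com": tls_client_hello("fe2.update.microsoft.com"),
    "TLS ClientHello, SNI www.example.com": tls_client_hello("www.example.com"),
}


def classify_all(cases=CASES):
    """{case: (layer7 hit, content=windowsupdate.com hit, SNI or None)}"""
    return {name: (l7_match(p), content_match(p, "windowsupdate.com"), extract_sni(p))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (l7, content, sni) in classify_all().items():
        print(f"{name:48} layer7={l7!s:5} content={content!s:5} sni={sni}")
```

The second case is the one to keep in mind when this mark is used for anything beyond a polite bandwidth cap: the regexp is satisfied by a substring anywhere in the payload, so the classification is under the client's control.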
Is there an updated list for 2017?

I don't want to block updates, merely limit the speed of the uploads/downloads of the updates. And I don't want to spend more money to purchase a Windows Server 2016 license + PC just to make it a bit easier.

It is a very bad idea to stop upgrades from taking place. You are placing your users under risk from all possible attacks. This will end up causing you more problems.
Instead, why don't you configure cache or maybe even a local Windows update service on Windows Server?
https://technet.microsoft.com/en-us/lib ... s.11).aspx
Hi! I don't know about anybody else, but I found that all Windows updates were consistently coming from a particular IP address, 13.107.4.50.
I was able to treat all packets from that IP as updates, and it seems to work for me to throttle them without needing Layer 7.
/queue simple
add dst=13.107.4.50/32 max-limit=128k/1M name=WindowsUpdate target=WAN1