Community discussions

MikroTik App
 
kaas
just joined
Topic Author
Posts: 19
Joined: Wed Mar 18, 2009 11:31 am

Throttle Windows Updates

Tue May 17, 2011 10:37 am

Hi

I,m trying to throttle windows updates.

Any ideas

I use a address list (doesn't work because updates.windows.com changes ip)
Mark the connection
Use a simple queue to limit connection

ip firewall address-list print
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 Updates 65.55.200.156
1 Updates 80.239.201.155

ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-packet new-packet-mark=Update passthrough=yes
protocol=tcp dst-address-list=Updates

/queue> simple print
Flags: X - disabled, I - invalid, D - dynamic
0 name="Updates" target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0
interface=all parent=none packet-marks=Update direction=both priority=8
queue=default-small/default-small limit-at=64k/64k max-limit=64k/64k
burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s
total-queue=default-small
 
kaas
just joined
Topic Author
Posts: 19
Joined: Wed Mar 18, 2009 11:31 am

Re: Throttle Windows Updates

Wed May 18, 2011 1:27 pm

I tried to use this script to update the ip

this script just add another address in the address list, in a few days i will fill my HDD wit the address list.

Any good ideas welcome



:foreach i in=[/ip dns cache find] do={
:local bNew "true";
:local cacheName [/ip dns cache all get $i name] ;
# :put $cacheName;

:if (([:find $cacheName "update.microsoft.com"] != 0) || ([:find $cacheName "update.microsoft.com.nsatc.net"] != 0)) do={

:local tmpAddress [/ip dns cache get $i address] ;
# :put $tmpAddress;

# if address list is empty do not check
:if ( [/ip firewall address-list find ] = "") do={
:log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
/ip firewall address-list add address=$tmpAddress list=Updates comment=$cacheName;
} else={
:foreach j in=[/ip firewall address-list find ] do={
:if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={
:set bNew "false";
}
}
:if ( $bNew = "true" ) do={
:log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
/ip firewall address-list add address=$tmpAddress list=Updates comment=$cacheName;
}
}
}
}

Is there any way i can mark packets in the proxy server?
I added these websites

ip proxy access print
Flags: X - disabled
# DST-PORT DST-HOST PATH METHOD ACTION HITS
0 windowsupdate.microsoft.com allow 0
1 download.windowsupdate.com allow 14
2 www.update.microsoft.com allow 32
3 download.microsoft.com allow 0
4 wustat.windows.com allow 0
5 ntservicepack.microsoft.com allow 0
6 stats.microsoft.com allow 0
7 *.download.windowsupdate.com allow 0
8 *.update.microsoft.com allow 0
9 *.windowsupdate.com allow 0
10 *.windowsupdate.microsoft... allow 0
11 *.windowsupdate.microsoft... allow 0
 
kaas
just joined
Topic Author
Posts: 19
Joined: Wed Mar 18, 2009 11:31 am

Re: Throttle Windows Updates

Fri May 20, 2011 3:09 pm

Ok need an expert on this

created a l7 rule

/ip firewall layer7-protocol print
# NAME REGEXP

0 .msu ^.*get.+\.msu.*$

Mark packet using Mangle


/ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; msu files
chain=prerouting action=mark-packet new-packet-mark=msu passthrough=yes protocol=tcp layer7-protocol=.msu

Use queue to throttle

Will keep you updated to see if this works
 
kaas
just joined
Topic Author
Posts: 19
Joined: Wed Mar 18, 2009 11:31 am

Re: Throttle Windows Updates

Fri Nov 04, 2016 10:13 am

I use this solution

force users to use mikrotik dns

/ip firewall nat
add action=redirect chain=dstnat comment="DNS Dictator" dst-port=53 in-interface=!ether1-WAN protocol=udp

Schedule to get ip's from dns using:

/system schedule
add interval=2m name=microsoft on-event=":foreach i in=[/ip dns cache all find where (name~\"update.microsoft\" \
|| name~\"windowsupdate\" || name~\"download.microsoft\" || name~\"wustat\" || name~\"ntservicepack\") \
&& (type=\"A\") ] do={\r\
\n :local tmpAddress [/ip dns cache get \$i address];\r\
\ndelay delay-time=10ms\r\
\n#prevent script from using all cpu time\r\
\n :if ( [/ip firewall address-list find where address=\$tmpAddress] = \"\") do={ \r\
\n :local cacheName [/ip dns cache get \$i name] ;\r\
\n :log info (\"added entry: \$cacheName \$tmpAddress\");\r\
\n /ip firewall address-list add address=\$tmpAddress list=MS timeout=23:59:59 comment=\$cacheName;\r\
\n\r\
\n}\r\
\n\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/2016 start-time=\
00:01:00

Then mark connection

/ip firewall mangle
add action=mark-packet chain=prerouting comment="ms list dst" dst-address-list=MS new-packet-mark=ms passthrough=no
add action=mark-packet chain=prerouting comment="ms list src" new-packet-mark=ms passthrough=no src-address-list=MS

Then queue

/queue simple
add max-limit=1M/1M name=MS packet-marks=ms target=ether1-WAN time=6h-23h59m59s,sun,mon,tue,wed,thu,fri,sat
 
User avatar
nborson
just joined
Posts: 5
Joined: Thu Aug 10, 2006 12:35 am
Location: Gustavus, Alaska
Contact:

Re: Throttle Windows Updates

Sun Nov 06, 2016 2:35 am

I would like to try this method to throttle Windows updates -- thanks for sharing a way to address this critical need.

I cannot get the /system schedule portion of your solution to add IP addresses to address lists (and I do have many cached DNS entries matching the criteria). Can you provide code that I could paste into the Source: field in the Winbox GUI for a new script?

I'm talking about translating this part into a script.
:foreach i in=[/ip dns cache all find where (name~\"update.microsoft\" \
|| name~\"windowsupdate\" || name~\"download.microsoft\" || name~\"wustat\" || name~\"ntservicepack\") \
&& (type=\"A\") ] do={\r\
\n :local tmpAddress [/ip dns cache get \$i address];\r\
\ndelay delay-time=10ms\r\
\n#prevent script from using all cpu time\r\
\n :if ( [/ip firewall address-list find where address=\$tmpAddress] = \"\") do={ \r\
\n :local cacheName [/ip dns cache get \$i name] ;\r\
\n :log info (\"added entry: \$cacheName \$tmpAddress\");\r\
\n /ip firewall address-list add address=\$tmpAddress list=MS timeout=23:59:59 comment=\$cacheName;\r\
\n\r\
\n}\r\
\n\r\
\n}
Thanks, and sorry for my RouterOS scripting ignorance.
 
stoser
Member Candidate
Member Candidate
Posts: 123
Joined: Sun Aug 21, 2016 12:04 am

Re: Throttle Windows Updates

Sun Nov 06, 2016 3:44 pm

Have you tried using the dynamic address feature in IP/firewall/address-list? Put the http address in the address field, instead of the numeric ip address. Then Mtik dynamically creates entries in the address list. @ZeroByte mentioned this in another post, and it proved very helpful to me. Hope it helps you too. It was a new feature recently introduced, 6.3x, can't remember exactly which version, so check the change logs and make sure your version supports it. You of course need to know the text addresses that windows update uses ...

Kind regards,
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Throttle Windows Updates

Sun Nov 06, 2016 4:32 pm

Why would anybody want to throttle Windows Updates ?

If you are doing it because of network issues, then how about fixing the bigger problem - the network.
If you are throttling updates to paying customers, then you are opening yourself up to a law suite from customers.
If you need to throttle, then use a policy/queue that treats all sites on the internet and customers fairly.
Keep in mind that you can throttle customers down to a rate of speed for which they are purchasing.

North Idaho Tom Jones
 
kaas
just joined
Topic Author
Posts: 19
Joined: Wed Mar 18, 2009 11:31 am

Re: Throttle Windows Updates

Mon Nov 07, 2016 8:52 am

We throttle WU because

In SA our internet is SLOW and windows takes all the bandwith.

I'm doing this so that i can continue using the web if windows is updating, i couldn't care if WU takes 2 hours to complete as log as it doesn't affect the rest.

Wolter


/ip firewall nat
add action=redirect chain=dstnat comment="DNS Dictator" dst-port=53 in-interface=!ether1-WAN protocol=udp
/system scheduler
add interval=2m name=microsoft on-event=":foreach i in=[/ip dns cache all find where (name~\"update.microsoft\" ||  name~\"windowsupdate\" ||  name~\"\
    download.microsoft\" ||  name~\"wustat\" ||   name~\"ntservicepack\") && (type=\"A\") ] do={\r\
    \n     :local tmpAddress [/ip dns cache get \$i address];\r\
    \ndelay delay-time=10ms\r\
    \n#prevent script from using all cpu time\r\
    \n    :if ( [/ip firewall address-list find where address=\$tmpAddress] = \"\") do={         \r\
    \n     :local cacheName [/ip dns cache get \$i name] ;\r\
    \n     :log info (\"added entry: \$cacheName  \$tmpAddress\");\r\
    \n     /ip firewall address-list add address=\$tmpAddress list=MS timeout=23:59:59 comment=\$cacheName;\r\
    \n\r\
    \n}\r\
    \n\r\
    \n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/2016 start-time=00:01:00
    
/ip firewall mangle
add action=mark-packet chain=prerouting comment="ms list dst" dst-address-list=MS new-packet-mark=ms passthrough=no
add action=mark-packet chain=prerouting comment="ms list src" new-packet-mark=ms passthrough=no src-address-list=MS


/queue simple
add max-limit=1M/1M name=MS packet-marks=ms target=ether1-WAN time=6h-23h59m59s,sun,mon,tue,wed,thu,fri,sat



 
freemannnn
Forum Veteran
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: Throttle Windows Updates

Mon Nov 07, 2016 9:22 am

does it work for windows 10 updates? yes windows 10 updates hog all the bandwidth when downloading and you cant even surf.
instead of script couldnt this work with address list ?
You do not have the required permissions to view the files attached to this post.
 
kaas
just joined
Topic Author
Posts: 19
Joined: Wed Mar 18, 2009 11:31 am

Re: Throttle Windows Updates

Mon Nov 07, 2016 10:07 am

Works with my Windows 10

No windows update servers are dymnamic, thats why i give it a timeout of 24hours


[img]
mt.JPG
[/img]
You do not have the required permissions to view the files attached to this post.
 
kaas
just joined
Topic Author
Posts: 19
Joined: Wed Mar 18, 2009 11:31 am

Re: Throttle Windows Updates

Mon Nov 07, 2016 10:28 am

You may have a point

Will try this method and will get back to you

Wolter
 
freemannnn
Forum Veteran
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: Throttle Windows Updates

Mon Nov 07, 2016 10:40 am

yes because in latert ROS address list are dynamic too if you place a name instead of ip
i cant remember from which version and after this feature was added.

update. ...
i found it 6.36

firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);

6.36.1

address-list - allow DNS names with "_" symbol;
Last edited by freemannnn on Mon Nov 07, 2016 10:48 am, edited 2 times in total.
 
kaas
just joined
Topic Author
Posts: 19
Joined: Wed Mar 18, 2009 11:31 am

Re: Throttle Windows Updates

Mon Nov 07, 2016 10:44 am

doesn't seem to work

you would need to be able to add something like this

~.update.microsoft.com

doesn't accept ~. or *.

Wolter
 
kaas
just joined
Topic Author
Posts: 19
Joined: Wed Mar 18, 2009 11:31 am

Re: Throttle Windows Updates

Mon Nov 07, 2016 1:42 pm

Another solution would be Layer 7

change ether1-WAN to your internet port

REMEMBER to disable the defconf:fasttrack in the firewall, else the queue will not work
/ip firewall layer7-protocol
add name=MicrosoftUpdates regexp="^.+(update.microsoft|windowsupdate|download.microsoft|wustat|ntservicepack).*\$"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="ms list dst" layer7-protocol=MicrosoftUpdates new-packet-mark=ms passthrough=no
/queue simple
add max-limit=1M/1M name=MS packet-marks=ms target=ether1-WAN time=6h-23h59m59s,sun,mon,tue,wed,thu,fri,sat
 
kivimart
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Thu Oct 10, 2013 3:06 pm

Re: Throttle Windows Updates

Mon Nov 07, 2016 2:51 pm

another example here.


/ip firewall layer7-protocol
add name=WINUPDATE regexp="^.*(download.*windowsupdate|l.windowsupdate|.*delivery.*mp.*microsoft)"

/ip firewall mangle
add action=add-dst-to-address-list address-list=A9-WinUpdate address-list-timeout=15m chain=postrouting comment=WinUpdate \
dst-address-list=!A9-WinUpdate layer7-protocol=WINUPDATE out-interface=ether1 protocol=tcp
add action=mark-connection chain=postrouting dst-address-list=A9-WinUpdate new-connection-mark=WinUpdate-CON out-interface=ether1 passthrough=yes
add action=mark-packet chain=prerouting connection-mark=WinUpdate-CON in-interface=ether1 new-packet-mark=WinUpdate_IN passthrough=no
add action=mark-packet chain=postrouting connection-mark=WinUpdate-CON new-packet-mark=WinUpdate_OUT out-interface=ether1 passthrough=no


/queue tree
add comment=Up limit-at=29M max-limit=29M name=Up parent=global queue=default
add comment=Down limit-at=198M max-limit=198M name=Down parent=global queue=default
add name=WindowsUpdate packet-mark=WinUpdate_IN parent=Down queue=default
add name=WindowsUpdate_U packet-mark=WinUpdate_OUT parent=Up queue=default
 
User avatar
TomjNorthIdaho
Forum Guru
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: Throttle Windows Updates

Mon Nov 07, 2016 6:04 pm

We throttle WU because

In SA our internet is SLOW and windows takes all the bandwith.

I'm doing this so that i can continue using the web if windows is updating, i couldn't care if WU takes 2 hours to complete as log as it doesn't affect the rest.

Wolter


/ip firewall nat
add action=redirect chain=dstnat comment="DNS Dictator" dst-port=53 in-interface=!ether1-WAN protocol=udp
/system scheduler
add interval=2m name=microsoft on-event=":foreach i in=[/ip dns cache all find where (name~\"update.microsoft\" ||  name~\"windowsupdate\" ||  name~\"\
    download.microsoft\" ||  name~\"wustat\" ||   name~\"ntservicepack\") && (type=\"A\") ] do={\r\
    \n     :local tmpAddress [/ip dns cache get \$i address];\r\
    \ndelay delay-time=10ms\r\
    \n#prevent script from using all cpu time\r\
    \n    :if ( [/ip firewall address-list find where address=\$tmpAddress] = \"\") do={         \r\
    \n     :local cacheName [/ip dns cache get \$i name] ;\r\
    \n     :log info (\"added entry: \$cacheName  \$tmpAddress\");\r\
    \n     /ip firewall address-list add address=\$tmpAddress list=MS timeout=23:59:59 comment=\$cacheName;\r\
    \n\r\
    \n}\r\
    \n\r\
    \n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/2016 start-time=00:01:00
    
/ip firewall mangle
add action=mark-packet chain=prerouting comment="ms list dst" dst-address-list=MS new-packet-mark=ms passthrough=no
add action=mark-packet chain=prerouting comment="ms list src" new-packet-mark=ms passthrough=no src-address-list=MS


/queue simple
add max-limit=1M/1M name=MS packet-marks=ms target=ether1-WAN time=6h-23h59m59s,sun,mon,tue,wed,thu,fri,sat




Ok - so the network is dead/saturated slow.
If you can't fix the network, then you may want to consider building a Squid caching proxy server.
A correctly configured Squid server can burst up to full Ethernet interface speeds on cache hits thus saving Internet WAN bandwidth.
A Squid cache miss can go into cache so that the next person doing the same thing ends up with a cache hit.

North Idaho Tom Jones
 
kaas
just joined
Topic Author
Posts: 19
Joined: Wed Mar 18, 2009 11:31 am

Re: Throttle Windows Updates

Mon Nov 07, 2016 8:02 pm

Point taken. With a squid you can also throttle WU. Been there done that, got the T-Shirt

Proxy doesn't solve the saturated line problem, it only elevates the traffic after its been cached.The first time its downloaded you still want to throttle the line speed. To configure squid to act as a WSUS is a fine art. (and doesn't always work). Windows 10 updates are distributed between Win10 machines on the LAN, thus using a proxy server to cache win10 updates doesn't make sense.

In fact, with so many sites moving to https (443) not a lot get cached,

Wolter
 
freemannnn
Forum Veteran
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: Throttle Windows Updates

Mon Nov 07, 2016 8:19 pm

Why would anybody want to throttle Windows Updates ?

If you are doing it because of network issues, then how about fixing the bigger problem - the network.
If you are throttling updates to paying customers, then you are opening yourself up to a law suite from customers.
If you need to throttle, then use a policy/queue that treats all sites on the internet and customers fairly.
Keep in mind that you can throttle customers down to a rate of speed for which they are purchasing.

North Idaho Tom Jones
in the place i leave we have adsl and vdsl. there are hotels with 5mbps download and 1mbps upload and i have to share this line to customer free internet. yes windows update is a bandwidth hog after all. customers didnt come to hotel to upgrade their laptop or pc lol
 
User avatar
nborson
just joined
Posts: 5
Joined: Thu Aug 10, 2006 12:35 am
Location: Gustavus, Alaska
Contact:

Re: Throttle Windows Updates

Thu Nov 10, 2016 5:23 am

This is working perfectly for me; thanks! I was able to use the layer 7 protocol to mark packets and fit them into my queue tree. Now I can browse the web and check email on my $100/month 500 Kbps Internet connection (yes, that's about 0.5 Mbps -- buying my way out of this performance problem is not in my budget). Windows updates will still get installed -- as they must -- but their multitude of TCP connections will have limited impact on my foreground tasks instead of making the Internet unusable.
/ip firewall layer7-protocol
add name=MicrosoftUpdates regexp="^.+(update.microsoft|windowsupdate|download.microsoft|wustat|ntservicepack).*\$"
 
freemannnn
Forum Veteran
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: Throttle Windows Updates

Thu Nov 10, 2016 8:48 am

/ip firewall layer7-protocol
add name=MicrosoftUpdates regexp="^.+(update.microsoft|windowsupdate|download.microsoft|wustat|ntservicepack).*\$"
[/quote][/quote]

yes this is working also for me. when my w10 pc at home starts downloading updates even internet radio stops playing. i make a simple queue with half my total bandwidth and it works. nice
Last edited by freemannnn on Fri Nov 11, 2016 12:44 pm, edited 1 time in total.
 
dadaniel
Member Candidate
Member Candidate
Posts: 221
Joined: Fri May 14, 2010 11:51 pm

Re: Throttle Windows Updates

Fri Nov 11, 2016 11:25 am

I would try to make the mangle rule more specific (for ex. port 80 TCP), so that the layer7 matcher does not take up all cpu resources (it matches every single packet at the moment)
 
dadaniel
Member Candidate
Member Candidate
Posts: 221
Joined: Fri May 14, 2010 11:51 pm

Re: Throttle Windows Updates

Fri Nov 18, 2016 4:33 pm

REMEMBER to disable the defconf:fasttrack in the firewall, else the queue will not work
Is there a way to bypass fasttrack for this, so still beeing able to use it on all other connections?
 
dave864
Frequent Visitor
Frequent Visitor
Posts: 75
Joined: Fri Mar 11, 2016 2:37 pm

Re: Throttle Windows Updates

Sun Nov 20, 2016 5:02 pm

Thanks KAAS for the L7 work. it's very useful.
 
magnavox
Member
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: Throttle Windows Updates

Thu Dec 15, 2016 8:01 pm

Very interesting!
 
b3h3m07h
newbie
Posts: 40
Joined: Sat Dec 28, 2013 3:06 am

Re: Throttle Windows Updates

Mon Dec 19, 2016 9:15 am

Here is what i have been using with a modified layer7 from above. Seems to be catching all windows updates, office updates etc

The following checks for the content and layer7 in connections tcp 80 and 443(do i need 443?) and then adds the src address to a list which is then marked.

/ip firewall layer7-protocol
add name=MicrosoftUpdates regexp="^.+(update.microsoft|windowsupdate|download.microsoft|wustat|ntservicepack|update.microsoft.com|crl.microsoft.com|download.microsoft.com|office.microsoft.com|download.windowsupdate.com|windowsupdate.com|ntservicepack.microsoft.com|officeupdate.microsoft.com|stats.microsoft.com|v4.windowsupdate|v4.windowsupdate.microsoft.com|windowsupdate.microsoft.com|wustat.windows.com|test.stats.update.microsoft.com|.msu|.manifest|.mum).*\$"

/ip firewall mangle
add action=mark-connection chain=forward comment="MS Updates Content Address List Adding" in-interface=WAN new-connection-mark=ms-updates-conn-in passthrough=yes protocol=tcp src-port=80,443
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=crl.microsoft.com in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=update.microsoft.com in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=download.microsoft.com in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=office.microsoft.com in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=download.windowsupdate.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=windowsupdate.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=ntservicepack.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=officeupdate.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=stats.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=v4.windowsupdate disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=v4.windowsupdate.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=windowsupdate.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=wustat.windows.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=test.stats.update.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=.manifest in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=.mum in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=.msu in-interface=WAN log-prefix=.msu
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=.cat disabled=yes in-interface=WAN log-prefix=.msu
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=en-us disabled=yes in-interface=WAN log-prefix=en-us
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward comment="MS Updates Layer7 Address List Adding" connection-mark=ms-updates-conn-in in-interface=WAN layer7-protocol=MicrosoftUpdates
add action=mark-connection chain=forward comment="MS Updates Marking" in-interface=WAN new-connection-mark=ms-updates-in passthrough=yes src-address-list=ms-updates
add action=mark-packet chain=forward connection-mark=ms-updates-in in-interface=WAN new-packet-mark=ms-updates-in passthrough=no
add action=mark-connection chain=forward dst-address-list=ms-updates new-connection-mark=ms-updates-out out-interface=WAN passthrough=yes
add action=mark-packet chain=forward connection-mark=ms-updates-out new-packet-mark=ms-updates-out out-interface=WAN passthrough=no

/ip firewall address-list
add address=update.microsoft.com list=ms-updates
add address=crl.microsoft.com list=ms-updates
add address=download.microsoft.com list=ms-updates
add address=download.windowsupdate.com list=ms-updates
add address=ntservicepack.microsoft.com list=ms-updates
add address=office.microsoft.com list=ms-updates
add address=officeupdate.microsoft.com list=ms-updates
add address=stats.microsoft.com list=ms-updates
add address=v4.windowsupdate.com list=ms-updates
add address=windowsupdate.com list=ms-updates
add address=windowsupdate.microsoft.com list=ms-updates
add address=wustat.windows.com list=ms-updates
add address=test.stats.update.microsoft.com list=ms-updates
add address=c.microsoft.com list=ms-updates
add address=sls.update.microsoft.com.akadns.net list=ms-updates
add address=vortex.data.microsoft.com list=ms-updates
add address=vortex-win.data.microsoft.com list=ms-updates
add address=fe2.update.microsoft.com.akadns.net list=ms-updates
add address=statsfe2.update.microsoft.com.akadns.net list=ms-updates
add address=windowsupdate.microsoft.nsatc.net list=ms-updates
add address=v4windowsupdate.microsoft.nsatc.net list=ms-updates
add address=v4.windowsupdate.microsoft.com list=ms-updates
add address=fe2.update.microsoft.com.nsatc.net list=ms-updates

i then add a queue with ms-updates-in and another with ms-updates-out.
 
dadaniel
Member Candidate
Member Candidate
Posts: 221
Joined: Fri May 14, 2010 11:51 pm

Re: Throttle Windows Updates

Wed Dec 21, 2016 4:31 pm

Is there any reason for you doing this in forward chain instead of mangle-prerouting? Is there any downside in marking connections using layer7 directly instead of adding it to an address list?
/ip firewall mangle
add action=mark-connection chain=prerouting comment=MicrosoftUpdates layer7-protocol=MicrosoftUpdates new-connection-mark=MicrosoftUpdates passthrough=yes port=80,443 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=MicrosoftUpdates new-packet-mark=MicrosoftUpdates passthrough=no
 
j3k3m3
just joined
Posts: 3
Joined: Wed Dec 21, 2016 3:34 am

Re: Throttle Windows Updates

Tue Dec 27, 2016 3:00 am

b3h3m07h - This seems to work flawlessly... Can someone very briefly point me in the right direction here.. Id like to use this example to throttle windows updates but id also like to modify it to mark routing to send data thru my wan2 connection. I assume prerouting marks somehow or another?
Here is what i have been using with a modified layer7 from above. Seems to be catching all windows updates, office updates etc

The following checks for the content and layer7 in connections tcp 80 and 443(do i need 443?) and then adds the src address to a list which is then marked.

/ip firewall layer7-protocol
add name=MicrosoftUpdates regexp="^.+(update.microsoft|windowsupdate|download.microsoft|wustat|ntservicepack|update.microsoft.com|crl.microsoft.com|download.microsoft.com|office.microsoft.com|download.windowsupdate.com|windowsupdate.com|ntservicepack.microsoft.com|officeupdate.microsoft.com|stats.microsoft.com|v4.windowsupdate|v4.windowsupdate.microsoft.com|windowsupdate.microsoft.com|wustat.windows.com|test.stats.update.microsoft.com|.msu|.manifest|.mum).*\$"

/ip firewall mangle
add action=mark-connection chain=forward comment="MS Updates Content Address List Adding" in-interface=WAN new-connection-mark=ms-updates-conn-in passthrough=yes protocol=tcp src-port=80,443
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=crl.microsoft.com in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=update.microsoft.com in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=download.microsoft.com in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=office.microsoft.com in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=download.windowsupdate.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=windowsupdate.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=ntservicepack.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=officeupdate.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=stats.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=v4.windowsupdate disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=v4.windowsupdate.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=windowsupdate.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=wustat.windows.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=test.stats.update.microsoft.com disabled=yes in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=.manifest in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=.mum in-interface=WAN
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=.msu in-interface=WAN log-prefix=.msu
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=.cat disabled=yes in-interface=WAN log-prefix=.msu
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward connection-mark=ms-updates-conn-in content=en-us disabled=yes in-interface=WAN log-prefix=en-us
add action=add-src-to-address-list address-list=ms-updates address-list-timeout=1d chain=forward comment="MS Updates Layer7 Address List Adding" connection-mark=ms-updates-conn-in in-interface=WAN layer7-protocol=MicrosoftUpdates
add action=mark-connection chain=forward comment="MS Updates Marking" in-interface=WAN new-connection-mark=ms-updates-in passthrough=yes src-address-list=ms-updates
add action=mark-packet chain=forward connection-mark=ms-updates-in in-interface=WAN new-packet-mark=ms-updates-in passthrough=no
add action=mark-connection chain=forward dst-address-list=ms-updates new-connection-mark=ms-updates-out out-interface=WAN passthrough=yes
add action=mark-packet chain=forward connection-mark=ms-updates-out new-packet-mark=ms-updates-out out-interface=WAN passthrough=no

/ip firewall address-list
add address=update.microsoft.com list=ms-updates
add address=crl.microsoft.com list=ms-updates
add address=download.microsoft.com list=ms-updates
add address=download.windowsupdate.com list=ms-updates
add address=ntservicepack.microsoft.com list=ms-updates
add address=office.microsoft.com list=ms-updates
add address=officeupdate.microsoft.com list=ms-updates
add address=stats.microsoft.com list=ms-updates
add address=v4.windowsupdate.com list=ms-updates
add address=windowsupdate.com list=ms-updates
add address=windowsupdate.microsoft.com list=ms-updates
add address=wustat.windows.com list=ms-updates
add address=test.stats.update.microsoft.com list=ms-updates
add address=c.microsoft.com list=ms-updates
add address=sls.update.microsoft.com.akadns.net list=ms-updates
add address=vortex.data.microsoft.com list=ms-updates
add address=vortex-win.data.microsoft.com list=ms-updates
add address=fe2.update.microsoft.com.akadns.net list=ms-updates
add address=statsfe2.update.microsoft.com.akadns.net list=ms-updates
add address=windowsupdate.microsoft.nsatc.net list=ms-updates
add address=v4windowsupdate.microsoft.nsatc.net list=ms-updates
add address=v4.windowsupdate.microsoft.com list=ms-updates
add address=fe2.update.microsoft.com.nsatc.net list=ms-updates

i then add a queue with ms-updates-in and another with ms-updates-out.
 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Throttle Windows Updates

Tue Dec 27, 2016 3:03 am

I don't know about anybody else, but I found that all windows updates were consistently coming from a particular IP address, 13.107.4.50

I was able to treat all packets from that IP as updates, and it seems to work for me to throttle them, without needing Layer 7.
 
SilverNodashi
Frequent Visitor
Frequent Visitor
Posts: 87
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa
Contact:

Re: Throttle Windows Updates

Tue Sep 05, 2017 12:23 pm

/ip firewall layer7-protocol
add name=MicrosoftUpdates regexp="^.+(update.microsoft|windowsupdate|download.microsoft|wustat|ntservicepack).*\$"
[/quote]


Is there an updated list for 2017?
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Throttle Windows Updates

Tue Sep 05, 2017 12:32 pm

It is a very bad idea to stop upgrades from taking place. You are placing your users under risk from all possible attacks. This will end up causing you more problems.

Instead, why don't you configure cache or maybe even a local Windows update service on Windows Server?
https://technet.microsoft.com/en-us/lib ... s.11).aspx
 
SilverNodashi
Frequent Visitor
Frequent Visitor
Posts: 87
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa
Contact:

Re: Throttle Windows Updates

Tue Sep 05, 2017 1:12 pm

It is a very bad idea to stop upgrades from taking place. You are placing your users under risk from all possible attacks. This will end up causing you more problems.

Instead, why don't you configure cache or maybe even a local Windows update service on Windows Server?
https://technet.microsoft.com/en-us/lib ... s.11).aspx
I don't want to block updates, merel limit the speed for the uploads / downloads of the updates. And I don't want to spend more money to purchase a Windows 2016 server license + PC just to make it a bit easier.
 
kajolrock
just joined
Posts: 5
Joined: Fri Sep 15, 2017 5:32 pm

Re: Throttle Windows Updates

Tue Dec 05, 2017 3:05 pm

Try this

/ ip firewall filter
add action=reject chain=forward comment="block_Win_Update" content=update.microsoft.com disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward comment="block_Win_Update" content=download.microsoft.com disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward comment="block_Win_Update" content=download.windowsupdate.com disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward comment="block_Win_Update" content=wustat.windows.com disabled=no
add action=reject chain=forward comment="block_Win_Update" content=stats.microsoft.com disabled=no
add action=reject chain=forward comment="block_Win_Update" content=ntservicepack.microsoft.com disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward comment="block_Win_Update" content=windowsupdate.com disabled=no reject-with=icmp-network-unreachable
 
Saleh9416
Frequent Visitor
Frequent Visitor
Posts: 73
Joined: Wed Feb 03, 2016 6:21 am

Re: Throttle Windows Updates

Wed Apr 25, 2018 7:14 am

I don't know about anybody else, but I found that all windows updates were consistently coming from a particular IP address, 13.107.4.50

I was able to treat all packets from that IP as updates, and it seems to work for me to throttle them, without needing Layer 7.
Hi!
/queue simple
add dst=13.107.4.50/32 max-limit=128k/1M name=WindowsUpdate target=WAN1
Would this approach work?

Who is online

Users browsing this forum: jaclaz and 25 guests