techguy79
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Mar 24, 2009 10:34 pm

cry for help

Fri Jan 15, 2010 11:03 pm

I've found these forums to be a great resource.
With that said, I have a few issues. I work for a small WISP and I've inherited the task of network administration.
We have about 500-800 customers. We are a Moto Canopy shop; we have about 40 APs deployed, mainly in clusters of 5-6.
We are just outside Chicago and we are losing a lot of customers to Comcast and AT&T.
We have 2 NOCs, North and South; each one has its own upstream connection.
The north has a 40 Mb circuit and the south has a 20 Mb circuit.

These are 2 separate networks, but we have an iBGP link between the north and south edge routers.
To be honest, I know we have a lot of issues due to the flat nature of our network.
My bosses won't allow for the downtime it'd take to install routers at each of the 8 AP towers we have deployed.
Recently we've had a lot of complaints and cancellations due to poor VoIP performance over our network.

I'm wondering what's a guy to do; my boss doesn't want to invest any money, as we're losing a lot of money as it is.
I've tried to do my best as far as setting up MRTG and The Dude to monitor our network.
Anything that doesn't cost us money.
I shudder to think of how much broadcast traffic is probably on our networks at any given time.
Is it possible to set up QoS on just the 2 edge routers, since we don't have a routed network with routers at each tower?
Also, I do have 2 MikroTiks deployed at 2 of our towers, but the ports are just bridged with a couple of firewall rules in the bridge filter.
I'd like to be able to utilize what we have in place to do the best possible job I can.

I hate having a flat network, as I know having a router at each tower would give us ultimate control over content and bandwidth.
BTW, in case it matters, we use Prizm/BAM for authentication but don't utilize the EMS functions on it due to the high cost of licenses; this device is used strictly for authentication, really, and for applying our bandwidth packages.
Although I think we need to shop around now that Moto is discontinuing support for Prizm/BAM.
I know I'm throwing a lot out there, but it's kind of overwhelming fielding calls, which most times are speed related or QoS related, and it seems like at the moment not much can be done.

Another thing that bothers me is our marketing: we offer 7 Mbps down / 3 Mbps up, 2.5 Mbps down / 1024 Mbps up, and 1 Mbps down / 1 Mbps up. We have a few APs with like 30-40 customers, and 2 customers with the 7 down / 3 up package could potentially use all of the AP's bandwidth. I have a feeling some of our APs are bottlenecks for the ones that are saturated.
I know I've thrown a lot out here, but I'm trying hard to learn; so far I've only really learned what not to do. But I am fortunate to be working in this economy, and I really want to try to improve things as much as I can with what I've got.
I'm looking for any help or advice other than "find a new job"; I'm looking for helpful suggestions.
Thanks again, and sorry for the life story, but I felt the background was needed.
 
netrat
Member
Posts: 402
Joined: Thu Jun 07, 2007 1:16 pm
Location: Virginia

Re: cry for help

Sat Jan 16, 2010 12:34 am

How do the clients terminate into your network? Are you using PPPoE? Do any of your clients have global IP addresses? You should be able to do QoS at the edge routers. Is there no way to filter broadcast traffic at the APs? Do you have any bandwidth limitations now?
 
techguy79
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Mar 24, 2009 10:34 pm

Re: cry for help

Sat Jan 16, 2010 2:45 am

We're not using PPPoE. Our edge routers route traffic for 7 /24s apiece of public IPs. In each set of 7 /24s we allocate a /24 for management devices, 3 /24s for the DHCP pool, 1 /24 for static-IP residential customers, and 2 /24s we divide into small IP blocks for businesses.
Our Moto Canopy equipment is essentially a network bridge, so a few times some customers' advanced firewalls have been able to see layer 2 traffic.
In an attempt to step up our email/BIND server I've implemented firewall rules, and I figured out how to get to a rogue DHCP router on a business customer's network. I'm learning this stuff.
We have 3 MikroTiks other than the edge routers, deployed at 3 different AP towers.
These 3 MikroTiks have all live interfaces bridged and occasionally employ a few firewall rules in the bridge firewall filter, including rules to drop.
These devices only have a public IP on the bridge interface to allow us to Winbox in if needed.
There are no routes other than that for the admin address and the default gateway.
No routing protocols are being used. Suggestions for what to block on these routers with a bridge interface are welcome. I don't think QoS would be possible in these locations unless traffic is being routed by these routers; please correct me if I'm wrong.
Also, even if it were possible, I still don't have a MikroTik at every tower.
We control bandwidth via the Motorola Prizm/BAM server. It's a fully functional, expensive EMS and Bandwidth Authentication Management software; we don't use the EMS functionality because the licenses are really expensive.
A colleague and I have combined to use a combo of MRTG and The Dude for our network monitoring, although I have been trying to figure out CactiEZ in my free time.
I know a big part of the problem is offering such high bandwidth speeds on access points that have like 14 Mbps x 6 sectors, but not all sectors are saturated. I know QoS would alleviate some of this, especially in the case of VoIP.
I understand that if our network were fully routed, with a router at each tower, you would want to do the QoS as close to the customer as possible, but as we only have the 3 bridged routers at random towers I just don't see how.
 
jwcn
Forum Guru
Posts: 1495
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Re: cry for help

Sat Jan 16, 2010 6:03 am

There are filters built in to the Moto software you can enable. Head over to www.dslreports.com/forum/wisp and post your problems. I can help, just not in this forum.
 
roc-noc.com
Forum Veteran
Posts: 874
Joined: Sun Dec 02, 2007 3:27 am
Location: Rockford, IL USA

Re: cry for help

Sat Jan 16, 2010 3:07 pm

Sorry for the reality hammer, but you will continue to lose customers to both AT&T and Comcast in that area. You are in the middle of one of their major battlegrounds. They are advertising everywhere, and they are using fiber, which has much more capacity than wireless. Last August, Comcast completed rolling out DOCSIS 3.0 in your area. That means speeds up to 50 Mbps down and 10 Mbps up. On their cheap $40 a month package I am seeing 20 Mbps down and 3 Mbps up at my home. And they already have every home and most businesses wired. Add AT&T to the mix, who is also rolling out FTTH in the area. They lost the battle to Comcast in most areas but are struggling, with very deep pockets, to gain some market share.

That is probably why your boss doesn't want to spend the money. Wireless is extremely difficult to sell and make money in that type of environment.

So whatever your marketing, wireless will be a difficult sell.

I think you are on the right track to fix your network. Breaking it up into routed networks makes the most sense. And follow jwcn's advice on the Canopy filters. But you have to accept the customer loss unless you can find customers without cable service.

Good luck,

Tom
 
techguy79
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Mar 24, 2009 10:34 pm

Re: cry for help

Sat Jan 16, 2010 9:34 pm

OK, I'll copy my original post to that forum.
 
hci
Long time Member
Posts: 679
Joined: Fri May 28, 2004 5:10 pm

Re: cry for help

Tue Jan 19, 2010 7:01 pm

The Motorola mailing list is by far your best place for support on all things Motorola Canopy. Much discussion about Mikrotik there as well. We are a Canopy shop and still use Mikrotik a great deal for routers and hotspots.

http://afmug.com/the-group
"Current list membership exceeds 300 members, with anywhere from 50 to over 100 posts in a given day."

Subscribe to it and repost this there...
 
desertadmin
Member Candidate
Posts: 232
Joined: Tue Jul 26, 2005 6:09 pm
Location: Las Vegas, New Mexico

Re: cry for help

Wed Jan 20, 2010 7:43 am

OK, here is what I think you can do, because you will have to put some money into this. I say you get yourself a 750G, make sure it is upgraded to the latest ROS 4.x, and then enable the switch port in it. Once you have done this, make one of your feed interfaces carry all of the VLANs on it, VLAN 1-4 or so. Then make a bridge with each interface and a VLAN on it. Do this for all of your Ethernet interfaces. Once you have done this you should be able to do port-based VLAN isolation per AP that is plugged into each interface. This should help with broadcast storms. You can also go further: once the IPs are linked to a VLAN ID and are tagged, you can VLAN off your other class C (/24) networks. This should help you further reduce noise. Also, on your transparent firewall (the RB750G) you can implement a series of rules such as this:
# On a transparent (bridged) box the IP firewall only sees bridged traffic
# once the bridge is told to pass it through the IP firewall.
/interface bridge settings set use-ip-firewall=yes

/ip firewall filter
add chain=forward connection-state=established action=accept comment="allow established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
# "virus" chain: drops on ports used by 2003-2004 era worms and backdoors.
# These match in both directions, and some of the ports also carry
# legitimate services (1080 SOCKS, 10000 Webmin/NDMP), so review before use.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="http-rpc-epmap (RPC over HTTP)"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="Windows dynamic RPC ports"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="Kazaa"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="chromagrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Bagle / Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
# Send everything that survived the state checks through the virus chain;
# this rule must stay below the established/related accepts above.
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
And then to help with VoIP
# First part: VoIP priority QoS only. Port list as posted (21, 69 and 2400 are
# not standard VoIP ports; 4569 is IAX2, 5060-5061 SIP, 5004-5005 and
# 10000-20000 RTP). 10000-20000/udp is a wide match and will also catch
# non-VoIP UDP, so keep an eye on what ends up in the VOIP queue.
/ip firewall mangle
add action=mark-connection chain=prerouting comment="VOIP (ports as posted)" dst-port=21,69,2400 new-connection-mark=VOIP_TRAFFIC passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="VOIP IAX2 and 5036" dst-port=4569,5036 new-connection-mark=VOIP_TRAFFIC passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="VOIP SIP signalling" dst-port=5060-5061 new-connection-mark=VOIP_TRAFFIC passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="VOIP RTP" dst-port=5004-5005 new-connection-mark=VOIP_TRAFFIC passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="VOIP RTP range (wide match)" dst-port=10000-20000 new-connection-mark=VOIP_TRAFFIC passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=VOIP connection-mark=VOIP_TRAFFIC new-packet-mark=VOIP_PACKET passthrough=yes
/queue simple
# max-limit=0/0 means unlimited; priority=1 is the highest.
add name=VOIP packet-marks=VOIP_PACKET priority=1 limit-at=0/0 max-limit=0/0 direction=both target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all queue=ethernet-default/ethernet-default total-queue=default-small comment="VoIP: unlimited, highest priority"
# Simple queues are matched top to bottom, so VOIP has to sit above the
# per-customer queues.
move [find name=VOIP] 2


# Used if they do not have the p2p
/ip firewall mangle
# p2p=all-p2p is RouterOS's built-in P2P matcher (present in v3-v6, removed in v7).
add action=mark-connection chain=prerouting comment=p2p new-connection-mark=p2p_conn p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment=p2p connection-mark=p2p_conn new-packet-mark=p2p_pack passthrough=yes
/queue simple
# max-limit is upload/download in bits per second as posted (1000 bit/s up,
# 64 kbit/s down) at the lowest priority (8), active 06:00-23:00 every day.
# Outside that window the queue is inactive and P2P is not limited at all.
add name="p2p outbound timed" packet-marks=p2p_pack priority=8 limit-at=0/0 max-limit=1000/64000 direction=both target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all queue=ethernet-default/ethernet-default total-queue=default-small time=6h-23h,sun,mon,tue,wed,thu,fri,sat



Script to do the p2p move should be:
# Queue names must match the ones created above; after these two moves the
# order is VOIP first, then "p2p outbound timed", then everything else.
/queue simple move [find name="p2p outbound timed"] 0
/queue simple move [find name="VOIP"] 0
Never give up! Never surrender!

The advantage that WISPs have over the bulky corps is that you can provide services with a face, take cash or check, and do month-to-month plans, while a lot of big corps demand a 2-3 year contract with price locking. Sure, you may not have the bulk bandwidth to drop down on the CPEs, but you have the reliable hardcore WISP attitude of low latency and good bandwidth that is clean with packet shaping and prioritizing. Always sell yourself as a clear package that can allow the customer to use your VAR services like VoIP and the like. Hell, make it worth your service to hook up their Xbox as part of the deal, or run a cable from one room to the other professionally. Or feed MDUs with a wireless-to-BPL solution or something.

Anyway, I just wanted to tell the other WISP folks out there that private small business still gives the corp industry a run for their money.

Remember that we are smarter and more effective than the big guys; they just have deeper pockets that make everything a struggle, but they will never have the heart and the ability to adapt like we do. In fact, I think at times the bigger corps see how the small ones are functioning, but only creative small businesses will ever survive. No one ever said this industry was easy, but it is worth it; I at least think this.

-Sincerely,
DesertAdmin
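Worked example, added here and not part of desertadmin's post or of any MikroTik documentation: the per-port VLAN isolation described above, spelled out for an RB750G running RouterOS 4.x/5.x. The interface names, VLAN IDs 10-40 and 99, and the 192.0.2.0/24 management range are assumptions; the edge router at the NOC is assumed to terminate the tagged VLANs and to hold the gateway address for each customer /24.

```routeros
# Added example (assumed names): RB750G as a VLAN-isolating bridge box.
# ether1 = feed/trunk toward the NOC, tagged VLANs 10,20,30,40 (assumed IDs)
# ether2..ether5 = one AP (or AP cluster) per port, untagged

/interface vlan
add name=vlan10 vlan-id=10 interface=ether1 comment="AP on ether2"
add name=vlan20 vlan-id=20 interface=ether1 comment="AP on ether3"
add name=vlan30 vlan-id=30 interface=ether1 comment="AP on ether4"
add name=vlan40 vlan-id=40 interface=ether1 comment="AP on ether5"

# One bridge per AP port: the untagged AP port is bridged only with its own
# VLAN, so broadcast/ARP from one AP's customers never reaches another AP.
/interface bridge
add name=br-ap1 comment="ether2 <-> vlan10"
add name=br-ap2 comment="ether3 <-> vlan20"
add name=br-ap3 comment="ether4 <-> vlan30"
add name=br-ap4 comment="ether5 <-> vlan40"

/interface bridge port
add bridge=br-ap1 interface=ether2
add bridge=br-ap1 interface=vlan10
add bridge=br-ap2 interface=ether3
add bridge=br-ap2 interface=vlan20
add bridge=br-ap3 interface=ether4
add bridge=br-ap3 interface=vlan30
add bridge=br-ap4 interface=ether5
add bridge=br-ap4 interface=vlan40

# Management address lives on the trunk in its own VLAN (assumed ID 99), so
# customer L2 domains never carry the router's admin traffic.
/interface vlan add name=vlan99 vlan-id=99 interface=ether1 comment="management (assumed)"
/ip address add address=192.0.2.2/24 interface=vlan99 comment="mgmt address (assumed)"
/ip route add dst-address=0.0.0.0/0 gateway=192.0.2.1

# Let the IP firewall filter/mangle see bridged traffic; without this the
# /ip firewall rules on a transparent box never match customer traffic.
/interface bridge settings set use-ip-firewall=yes

# Only the management VLAN may reach the router itself (SSH 22, Winbox 8291).
/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input in-interface=vlan99 src-address=192.0.2.0/24 protocol=tcp dst-port=22,8291 action=accept comment="admin from mgmt VLAN only"
add chain=input protocol=icmp action=accept
add chain=input action=drop comment="everything else aimed at the router itself"
```

Leave the RB750G's switch-chip port grouping (master-port) off for these ports: the isolation here comes from the separate software bridges, and grouping the ports on the switch chip would bridge them again in hardware. The edge router at the NOC then needs one VLAN sub-interface per AP VLAN carrying the gateway address for that AP's customer block; the "VLAN off your other /24s" step in the post is the same pattern with one VLAN per /24 instead of per port. Every AP behind the box drops while the trunk is re-tagged, so this is a maintenance-window change.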
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: cry for help

Wed Jan 20, 2010 8:38 am

I think you should start with a thorough assessment of what you're really dealing with. The more you know about your network, the better decisions you can make.

Enable NetFlow on your existing MikroTiks and get an RB750G if you need more ports. Install and configure a free NetFlow analyzer, Scrutinizer, and let it tell you what's going on.

You could also do it the harder but cheaper way, by creating firewall passthrough rules which would catch the specific types of traffic you want to watch for (i.e. mangle p2p, broadcast, bulk connections, VoIP, etc.).

I think it should also be possible, though I never tried it, to limit broadcast traffic using bridge filter rules.
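A concrete set of bridge-filter rules for the bridged tower MikroTiks, added here as an example (not from rmichael's post and not MikroTik's own configuration). It assumes RouterOS 4.x/5.x and a bridge named bridge1 with ether1 toward the feed and ether2 toward the AP/customer side; the interface names and the rate figures are assumptions, starting points rather than measured values. Because the ports in this thread are bridged, not routed, these live under /interface bridge filter and match whether or not anything is routed.

```routeros
# Added example (assumed names): bridge firewall on a tower box whose ports
# are only bridged. ether1 = feed toward the NOC, ether2 = AP/customer side.
/interface bridge filter

# 1. Rogue DHCP: a customer router plugged in LAN-side answers DHCP for the
#    whole flat network. Server->client replies (UDP 67 -> 68) must never
#    arrive from the AP side.
add chain=forward in-interface=ether2 mac-protocol=ip ip-protocol=udp src-port=67 dst-port=68 action=drop comment="drop DHCP offers from customers"

# 2. Rate-limit broadcast frames from the AP side. limit=rate,burst counts
#    packets per second (RouterOS 6+ writes it as limit=100,50:packet).
#    100/s is an assumed starting point; watch the drop counters.
add chain=forward in-interface=ether2 dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF limit=100,50 action=accept comment="broadcast within budget"
add chain=forward in-interface=ether2 dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF action=drop comment="excess broadcast"

# 3. Same for ARP, usually the bulk of broadcast on a flat network of /24s.
add chain=forward in-interface=ether2 mac-protocol=arp limit=50,20 action=accept comment="ARP within budget"
add chain=forward in-interface=ether2 mac-protocol=arp action=drop comment="excess ARP"

# 4. Whitelist the ethertypes this network actually uses (no PPPoE here,
#    per the thread) and drop the rest: IPX, NetBEUI, spanning-tree from
#    customer switches, and so on.
add chain=forward mac-protocol=ip action=accept
add chain=forward mac-protocol=arp action=accept
add chain=forward action=drop comment="anything that is not IPv4 or ARP"

# 5. No admin access to the box itself from the customer side.
add chain=input in-interface=ether2 mac-protocol=ip ip-protocol=tcp dst-port=8291 action=drop comment="no Winbox from customer side"
add chain=input in-interface=ether2 mac-protocol=ip ip-protocol=tcp dst-port=22 action=drop comment="no SSH from customer side"
```

After adding these, /interface bridge filter print stats shows the hit counters on each rule; if the "excess" rules count steadily at idle, raise the limits before blaming customers. Rule 4 also drops IPv6 (ethertype 0x86DD), which matches this network as described but needs an extra accept anywhere IPv6 is in use.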
 
techguy79
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Mar 24, 2009 10:34 pm

Re: cry for help

Wed Mar 31, 2010 4:19 pm

I haven't checked this post in a while, as I had reposted my situation on Broadband Reports.
I just got myself MikroTik certified last week!
Anyhow, I do have a never-die attitude; I refuse to let this place be the end of me, so to speak.
I've implemented a ton of firewall rules on our bridged MikroTiks and added more security to our edge routers.
I have to say the MikroTik community is something I'm proud to say I'm a part of.
 
mahnet
Long time Member
Posts: 654
Joined: Tue Jul 07, 2009 9:11 pm

Re: cry for help

Thu Apr 01, 2010 6:45 am

Friends,
It is really hard to compete with just wireless. I was into UTP networks and then got into wireless ISP, and after spending a lot of money on marketing, promotionals and attractive/competing schemes, I find that wireless is good/excellent only where reaching with wires is a difficulty. We got into deploying FTTH and are having more satisfied customers on fibre/UTP.
Problems in wireless do get out of control, and for reasons which keep on changing every time. Maybe I am wrong, but the way the telecom market is going, it is best to have customers satisfied. Give them value and they won't leave you.
