MikroTik

Hi all,

Some months ago I'd a problem with speed in my towers than, after a lot of tests and trys, I discovery that the problem was with the amount of P2P connections. Than I create the firewall rule bellow to limmit the number of P2P connections per client:

/ip firewall filter add chain=forward protocol=tcp p2p=all-p2p connection-limit=10,32 action=drop

But after I limmited the connections my customers did start to have problems to download using P2P softwares (specially bit torrent clients). Than I tied to put the "tcp-flags=syn" tag on the rule but if I do this I have problems with speed again.

I'm crazy... I can't drop the P2P softwares on my network, but I can't permit that this softwares cause problems in my network.

PS: I've 4 (four) towers where I'm using the mikrotik (all towers with the same hardware and software configuration) but I've problem with the P2P sofwares just I one tower.

Thanks in advanced,

Fabrício

of course your customers had problems with P2P software, because your rule does exactly that - slows down P2P traffic! what did you expect it will do? limiting number of connections for these programs will slow them down or cripple their functionality. you can't have both - small number of connections and perfect operation.

did you upgrade to 2.9.10 ? there the handling of many connections is improved

Hi Normis,

There aren't problem to slow the P2P traffic (not very much). What's happen is if I don't put the rule to limmit the p2p sotware I've slowness in the tower for all services p2p, http, ftp, ping, etc

If I don't put the rule on mikrotik the ping average up to about 300ms with a bit of packet lost and with the rule the ping average is about 3ms.

I need to normalize this situation... I don't want to limmit my clients connections, but I can't to harm the speed of my cutomers for cause of the P2P softwares... but I can't support the phone calls of the residential customers complaining because the P2P software don't work right

I'm using 2.9.8, I'll upgrade to 2.9.10 now!

Thanks again.

I notice you are dropping TCP in the above rule.
Bit Torrent opens many UDP "connections", could that rule be modified to:

/ip firewall filter add chain=forward protocol=udp p2p=all-p2p connection-limit=10,32 action=drop

I already have a max connections for TCP on each IP,,
but UDP is tricky as DNS uses UDP so you do not want to drop UDP generally.

Thanks, Hugh

But connection limit works only with TCP protocol... I can't setup it with udp connections!

Thanks

I don't want to limmit my clients connections, but I can't to harm the speed of my cutomers for cause of the P2P softwares

What about limiting just the P2P traffic, or create queues with P2P being the lowest priority and no limit. If your connection is being maxed out by constant downloads your clients will suffer without some restrictions or priority.

Trying to provide your clients with the maximium speed available is not necessarily giving them the best service possible.

OK yogi,

I agree with you but I don't how can I do this.

I'm using fixed IPs for each client with a simple queue in the Mikrotik for each customer to limit the bandwidth of upload and download.

How can I use a queue to limit the bandwidth of the P2P software together with the simple queue that limit the general traffic of each customer?

PS: I'm not sure if the P2P is the exactly problem of my tower... I just know that if I drop all P2P connection my clients have a very good speed and if I allow all P2P traffic my clients have problems with the speed, especilly between 11:00AM and 19:00PM.

I'm crazy... I've this problems for 3 months...

Thanks again

Fabrício F. Kammer

And if you dont drop anything? Do you have problem then?

Yes!

I started to drop the P2P connections because I started to be crazy with this tower! I change everthing on it, really everthing, the machine, the cables, the omni antenna, the directional antenna (of the ptp), the wireless cards, the no break, the electrical installation... I change everthing on the tower... The channel of the AP (I tried to use the 11 channels available)

And the problem persists: very high ping response (to ping the all customers associated on the AP) and very slow speed do download and upload, than I imagined that the problem was logical and I started to kick the solution when I block the P2P connections the quality of the speed increases a lot and the ping response decrese very much ( from 300ms to 10ms average). Because this I'm dropping the P2P connections...

The strange is that this problem just occour on this tower... I've more 3 towers that working fine without dropping the P2P connections...

I just want a solution for my problems... dropping or not dropping the connections I need to estabilizing the connections of my customers on this tower...

Put something like this above your existing simple queues, and change their priorities to 7. So there will be 128k available for P2P when the bandwidth is available. I am sure from the example you can find some happy medium if this is the problem.

normis you said:

> did you upgrade to 2.9.10 ? there the handling of many connections is improved


may we know what exactly is improved? There's nothing in changelog mentioning this. BTW, may we know the connection tracking table size in version 2.9.8 and later and before 2.9.8 ?

Conchalnet: there are a couple of things I have done which seems to help.
First limit the total number of TCP connections per IP (80-100):
This will help with the saturation of TCP connections that occures with P2P programs.
Next: many P2P programs will allow download based upon the amount of upload,,so I use the following PCQ to limit Uploads before it hits the simple queue.

1)Create a PCQ type --using pcq-rate, and classifier-src-address

2)Mangle src-address, p2p=all p2p,,PASSTHROUGH.

3) now queue it in the queue tree, (as it is applied before simple queue)
parent=global out, flow p2p, queue=PCQ

Regards, Hugh

Conchalnet: there are a couple of things I have done which seems to help.
First limit the total number of TCP connections per IP (80-100):
This will help with the saturation of TCP connections that occures with P2P programs.
Next: many P2P programs will allow download based upon the amount of upload,,so I use the following PCQ to limit Uploads before it hits the simple queue.

1)Create a PCQ type --using pcq-rate, and classifier-src-address

2)Mangle src-address, p2p=all p2p,,PASSTHROUGH.

3) now queue it in the queue tree, (as it is applied before simple queue)
parent=global out, flow p2p, queue=PCQ

Regards, Hugh

Hi Hugh Hartman, sorry but I didn't understand what I've to do

Can you give the example of how implement this?

Thanks again