Web Squad ISP

Status
Not open for further replies.
Yup, TCP packet volumes exceeded all threshold levels (which is what these multithreaded apps do very well) - we've relaxed these for you a little. Can you test and see if you're still hitting limits?

Whoops - I was trying to saturate the line :) Will do another test shortly.

BTW - is this guide correct for IPv6 on WS or is the configuration different?
 
Just wondering why you would need 100-150 connections for NNTP? I can pretty much max out my 1Gbps connection to Astraweb's servers with 50 connections:
[attachment 876023: screenshot]
Perhaps performance differs per usenet provider? Also, disclaimer: I usually limit to 50MB/s so as not to hog all the internets :ROFL:

I max out around 50MB/sec with 50 connections. 100 gives me around 75MB/sec. Could be the usenet provider, could be Octotel's general garbage network, but I was curious to try :)
 
Yup, TCP packet volumes exceeded all threshold levels (which is what these multithreaded apps do very well) - we've relaxed these for you a little. Can you test and see if you're still hitting limits?

Just tried with 100 connections, am currently blackholed :laugh:
 
Whoops - I was trying to saturate the line :) Will do another test shortly.

BTW - is this guide correct for IPv6 on WS or is the configuration different?

No problem. I see you found the new limit!

With regard to IPv6: slightly different, because we dynamically allocate your delegated prefix. Very important to remember firewalling on IPv6 too (every device gets a public IP, so you can't rely on obscurity by NAT; you actually need your firewall to track and manage connections).

I'll post a basic how-to here so other MikroTik users on GPON can set theirs up (Tenda AC8 and Totolink users, go to the IPv6 menu and click Enable).

Step 1: Enable the DHCP client on the PPPoE session (this will receive your delegated prefix and store it in a pool called v6pool).

Code:
/ipv6 dhcp-client
# Request only a prefix (not an address) over the PPPoE session. The delegated
# prefix is stored in the address pool "v6pool", which Step 2 draws from.
add add-default-route=yes interface=pppoe-websquad pool-name=v6pool request=prefix

Step 2: Assign a /64 from this delegated pool to your LAN bridge (this assumes the default MikroTik configuration with your LAN ports in a bridge). Leave the Advertise box ticked so that the MikroTik can delegate IPv6 addresses to any device that connects to it.

Code:
/ipv6 address
# Take one /64 from v6pool for the LAN bridge and announce it in router
# advertisements (advertise=yes, the "Advertise" tick box), so LAN hosts
# self-configure addresses from it.
add advertise=yes from-pool=v6pool interface=br-default

Step 3: Enable your IPv6 firewall (please note this ruleset is based on your LAN ports/bridge being assigned to the LAN interface list; edit this as required). This is a basic set of rules we recommend; please use these at your own risk.

Code:
/ipv6 firewall filter
# Assumes the LAN bridge is a member of the "LAN" interface list (the RouterOS
# default configuration does this). Note that the bad_ipv6 address list is not
# defined in this snippet: the two forward rules that reference it match nothing
# until that list exists (the RouterOS default configuration creates it).
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# --- forward chain: traffic routed between the LAN and the internet ---
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
 
Just wondering why you would need 100-150 connections for NNTP? I can pretty much max out my 1Gbps connection to Astraweb's servers with 50 connections:
[attachment 876023: screenshot]
Perhaps performance differs per usenet provider? Also, disclaimer: I usually limit to 50MB/s so as not to hog all the internets :ROFL:
Wow, I'm on Eweka and I'm getting terrible speeds lately: probably 7.5MB/s on my 1Gbps line. I left Astraweb because content is always removed quickly, but their speeds seem amazing.
 
@websquadza Keep getting blackholed with 100 connections. Am having to limit to 50, or any time I have an automatic download happen I lose connectivity for 5-10 mins.
 
Sorry for the spam, but I'm just testing. I get blackholed even at 30 connections, which I would think would be quite a reasonable amount - it doesn't even saturate the line. Somewhat silly to have a 1Gbps profile if ~700Mbps of traffic gets flagged and blackholed.
 
Happened again now, even at 50 connections.

Morning. We extended the limit for testing purposes yesterday - the issue here isn't speed limitation. It's that the multithreading in your application creates abnormally massive packet volumes on single IP sessions (IP-IP) which exceed all normal traffic patterns. Lifting the limit on your IP yesterday by 4x allowed you to push further - but our records show that your packet volumes were higher than the entire CT region combined at one point, while only accounting for a small volume of traffic. At 2x our limit, we can't distinguish between clean traffic and DDoS. The reason you've dropped back down now is that I see you have a new IP since this morning (we implemented the increased limit specifically on your IP). We've sent all this information to the system vendor to see what they can suggest.
 

Makes sense, but still seems odd. Deathecore mentioned having a similar NNTP setup without problems. I've also had this exact setup running since joining WS - it was only the 1Gbps upgrade that I guess saw an increase in traffic on each connection to the usenet server. Would the blackhole then not be triggered on similar applications, like download managers, torrents, etc.?
 
Mrs is reporting a crazy high ping atm at home, and constant dropping.

Are there any issues currently?
 
Makes sense, but still seems odd. Deathecore mentioned having a similar NNTP setup without problems. I've also had this exact setup running since joining WS - it was only the 1Gbps upgrade that I guess saw an increase in traffic on each connection to the usenet server. Would the blackhole then not be triggered on similar applications, like download managers, torrents, etc.?

So the blackhole isn't application specific - we've always said we don't shape and we don't implement layer 7 filters. Without divulging too much about our strategy online, in your example, we're looking at single IP to IP packet volumes (pps/IP). The smaller your application breaks up packets and splits them into multiple threads, the faster that limit is reached. Torrents do something similar, but to multiple IPs - so smaller pps/IP ratios. We've picked up IDM similarly multithreads and fragments packets and have seen trips happening there. We're working with the vendor to refine these rules - but in the same breath, attackers are working to make their traffic look more and more legit to get past these very tools ISPs use...
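The pps-per-IP-pair idea in the reply above, as an added example that is not Web Squad's or its vendor's code: a small Python model that buckets constructed packet records per (source IP, destination IP) pair and flags any pair whose peak packets-per-second exceeds a limit. The limit (40,000 pps per pair), the RFC 5737 documentation addresses and the four traffic scenarios are assumptions built for illustration. What the model shows is why connection count is not the variable that matters: 100 NNTP connections to one server share a single IP pair, so their combined packet rate lands on that pair; a torrent at the same bit rate spreads its packets over 200 peer pairs; and the same bit rate delivered in smaller packets trips the limit harder.

```python
"""
Toy model of a per-IP-pair packets-per-second (pps) trip wire of the kind the
Web Squad reply above describes. Added illustration only: it is not the ISP's
or its vendor's detection logic, and the limit and traffic figures below are
constructed assumptions chosen to make the effect visible.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


# Hypothetical trip point: packets per second between ONE source IP and ONE
# destination IP, measured in 1 s buckets. The real threshold is not public.
PPS_PER_PAIR_LIMIT = 40_000

# Constructed addresses (RFC 5737 documentation ranges).
SUBSCRIBER = "198.51.100.7"                        # the customer's public IP
NNTP_SERVER = "203.0.113.10"                       # a single usenet server IP
PEERS = [f"192.0.2.{i}" for i in range(1, 201)]    # 200 torrent peers


class Packet(NamedTuple):
    ts: float   # seconds since start of capture
    src: str
    dst: str
    size: int   # bytes on the wire


def pps_per_pair(packets: List[Packet], window: float = 1.0) -> Dict[Tuple[str, str], int]:
    """Peak packet count per (src, dst) pair in any `window`-second bucket."""
    buckets: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
    for p in packets:
        buckets[(p.src, p.dst)][int(p.ts // window)] += 1
    return {pair: max(counts.values()) for pair, counts in buckets.items()}


def tripped_pairs(packets: List[Packet], limit: int = PPS_PER_PAIR_LIMIT,
                  window: float = 1.0) -> List[Tuple[str, str]]:
    """IP pairs whose peak pps exceeds `limit`: the ones that would be blackholed."""
    return sorted(pair for pair, pps in pps_per_pair(packets, window).items() if pps > limit)


def synth_download(srcs: List[str], dst: str, mbit_per_s: float,
                   mean_pkt_bytes: int, seconds: float = 1.0) -> List[Packet]:
    """Construct the inbound data packets of a download running at `mbit_per_s`,
    spread round-robin over the server/peer IPs in `srcs`. Connection count is
    deliberately absent: 1 or 100 NNTP connections to the same server still
    share one (src, dst) pair, so only the resulting bit rate and packet size
    matter. Smaller packets at the same bit rate mean more packets."""
    n_pkts = int(mbit_per_s * 1_000_000 * seconds // (8 * mean_pkt_bytes))
    if n_pkts == 0:
        return []
    return [Packet(ts=seconds * i / n_pkts, src=srcs[i % len(srcs)],
                   dst=dst, size=mean_pkt_bytes)
            for i in range(n_pkts)]


def evaluate(limit: int = PPS_PER_PAIR_LIMIT) -> Dict[str, Tuple[int, List[Tuple[str, str]]]]:
    """Run four constructed scenarios; returns {name: (peak pps per pair, tripped pairs)}."""
    cases = {
        # ~700 Mbit/s from one usenet server, delivered in 1500-byte packets
        "nntp_700Mbps_1500B": synth_download([NNTP_SERVER], SUBSCRIBER, 700, 1500),
        # same bit rate from the same server, but in 600-byte packets
        "nntp_700Mbps_600B": synth_download([NNTP_SERVER], SUBSCRIBER, 700, 600),
        # fewer connections, so lower throughput from the same server
        "nntp_175Mbps_1500B": synth_download([NNTP_SERVER], SUBSCRIBER, 175, 1500),
        # the same 700 Mbit/s, but spread across 200 peer IPs
        "torrent_700Mbps_200peers": synth_download(PEERS, SUBSCRIBER, 700, 1500),
    }
    return {name: (max(pps_per_pair(p).values()), tripped_pairs(p, limit))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (peak, tripped) in evaluate().items():
        print(f"{name:26s} peak {peak:>7d} pps/pair  {'BLACKHOLE' if tripped else 'ok'}")
```

Run it directly to print the four scenarios. With MTU-sized packets, a 700 Mbit/s download from a single server is roughly 58,000 inbound packets per second on one IP pair before the outbound ACKs are counted, so any per-pair limit below that is hit by one fast download no matter how many TCP sessions it is made of, while spreading the same rate over N peers divides the per-pair figure by N. The figures are arithmetic on the assumed inputs, not measurements of the ISP's network.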
 
Mrs is reporting a crazy high ping atm at home, and constant dropping.

Are there any issues currently?

Nothing that I know of - not seeing any network notices from Vumatel. Could you ask her to send an MTR (use google.co.za as a host) to support?
 
So the blackhole isn't application specific - we've always said we don't shape and we don't implement layer 7 filters. Without divulging too much about our strategy online, in your example, we're looking at single IP to IP packet volumes (pps/IP). The smaller your application breaks up packets and splits them into multiple threads, the faster that limit is reached. Torrents do something similar, but to multiple IPs - so smaller pps/IP ratios. We've picked up IDM similarly multithreads and fragments packets and have seen trips happening there. We're working with the vendor to refine these rules - but in the same breath, attackers are working to make their traffic look more and more legit to get past these very tools ISPs use...

Makes perfect sense - carried on the conversation via PM.
 
Makes sense, but still seems odd. Deathecore mentioned having a similar NNTP setup without problems. I've also had this exact setup running since joining WS - it was only the 1Gbps upgrade that I guess saw an increase in traffic on each connection to the usenet server. Would the blackhole then not be triggered on similar applications, like download managers, torrents, etc.?
@DeatheCore is on Vuma afaik.
 
25 connections seems to be the magic number so far. Not really amazing speeds for NNTP but I at least don't lose the use of my line for the next 5 mins either :)
 