Bad PPPoE providers and Ethernet flood

Introduction, digression, or simply a complaint about cruel fate and the provider


I am writing this post in the hope of making life a little more understandable, and maybe easier, for Moscow Akado subscribers who connect through routers (expensive ones at that)...
(A caveat: I am an "any-key" helpdesk guy, or at best an advanced user, so the post does not claim to be professional, but it may turn out to be accessible, understandable and to the point.)
The approximate chronology of events is as follows:
Spring 2012: purchase of a MikroTik RB751G-2HnD router in order to get the full, stable Internet speed (50 Mbit/s in both directions).
Summer: it works, more or less, but for some reason Wi-Fi periodically gives 200 ms pings to the router, and the CPU load during ordinary web surfing is about 40%.
Beginning of November: the situation escalates; evening throughput drops to 20 Mbit at best (usually no more than 5). I notice that at night the problem disappears by itself, and vague suspicions arise...
Second half of November: calls to the emergency crew, ringing every bell, general panic.
November 28: the problem is solved.

Beginning of the End


So, I lived with my Akado Internet until November of this year, enjoyed life and quietly gave myself traffic priority over the neighbours, when suddenly the Internet became really bad, so bad that I was already thinking about switching to a browser that has a P2P plugin for YouTube, just to watch at least 720p on a nice FHD screen (for some reason torrents could still pull an average of 15 Mbit/s)...
In the end, the Opera under which that plugin was found flatly refused to download it: it simply threw a network error in the middle of the download. I decided "Enough!", began terrorising the support service, and later called the emergency crew (well, at least they didn't charge me for a false call), all to no purpose; "the speed is there" was the answer I got from the very beginning... I started blaming the MikroTik and playing with firmware, and before calling the specialists I even replaced the router (with the same model), just in case. In general, nobody at Akado could even help me understand "where the dog is buried"... It is worth saying that before the last calls to support I had already noticed that in the evenings much more traffic arrives on the physical interface than goes on to the local network through the PPPoE connection. In general, the usefulness of support was zero; I didn't even feel moral support from the provider.

Emergency workers

Oh, these nice guys in overalls with a netbook at the ready, how can one not talk about such people?
In general, the request was filed; it separately states (as support assured me) that they should call my mobile phone and that I don't use the home phone (although it is plugged in), but no, looking for easy ways is not the custom!
I get a call on the home phone (and why the hell did I pick it up?) at about 3 in the afternoon (thanks to Habr, it was a tasty night): "This is Akado, will you be home in an hour?" OK, where would I go, when only yesterday things were so hot?
Two specialists arrive (a sensei and a trainee, the usual practice; staff turnover there, as I understand it, is worse than at McDonald's (the sensei, by the way, had just been called about an offer for a new job)). They look, they show that there is speed (they show it from my laptop; the netbook did not want to be friends with the speed test), and ask what, exactly, I want from them... For 3 minutes I explain that support said in advance that I needed help understanding what kind of flood comes to the interface even with PPPoE switched off... It turned out that the field guys work quite adequately and my "message" had reached them; the senior, realising that I, in general, also don't have an extra chromosome, asked plaintively, "Can't you switch to Corbina?" I reply that I already had the luck of sitting on Corbina and don't even want to deal with them, that I'll definitely switch to OnLime when it reaches Zhulebino, and for now please be so kind...
In general, the emergency worker phoned the admin, explained the situation quite reasonably, politely raised the number of routers I had replaced from 1 to 5, and in general wanted to help and understood that the request was crooked and that all he needed was to leave... well, OK, they argued with the admin, the admin noticed some packet loss, completely inexplicable to me, and started digging...
In general, the emergency crew left me, and a couple of hours later my link disappeared... well, I think, that's it, the switch burned out, it was having trouble; but no: I call support, they assure me that the rest of the house is online and that they will send a specialist tomorrow. I don't mind, everyone seems to be saying the right thing, but the next day (just half an hour earlier the neighbour (whose name the contract is in) had called) it turned out that we had been banned for raising such a bad DHCP server on the WAN interface... That's where I start to get indignant: what the hell DHCP server? Yes, I enabled DHCP on the WAN, but it was the Client, so that the gateway could be pinged from the router during the emergency crew's visit... As a result, today we have normal Internet again, and the router still sits with the same DHCP settings, but today for some reason they don't ban us... In general, the deeper into the forest, the thicker the p... artisans.

Kind people


To my luck, my father is simply wonderful in every way, and, to put it mildly, "in the subject" (to the extent that we have fibre to the apartment in Izhevsk; and I learned about traffic restrictions and tariffs precisely because I was always interested in what dad was doing at work...), so he quickly responded to my pleas for help and immediately got into the situation: he said this was a typical PPPoE problem and you either have to eat what the provider serves, or: "Do you provide a LAN service? OK. Then why do I get PPPoE requests from the entire segment on my incoming interface? Now let's do it the other way round: with a local network, but without this garbage." (Of course, it would be easier to say that this provider is just very lazy and greedy, but right now I'm running on emotions, so I ask you to "understand and forgive".)
In general, that evening, after the emergency crew had left and the 3G router on the phone was switched on (good that at least Beeline's mobile connection is decent and unlimited data isn't expensive (oh, without unlimited I'd have been out a lot of money: 1.5 GB per night pulled down by the neighbours (just because I'm at war with the provider doesn't mean the neighbours should suffer))), I sat down to look for something to tweak in the router (you can hardly call me an optimist; there wasn't much faith in the provider), and here begins the witchcraft and the payload of this post.

Tambourine and Shaman


I must say right away that although MikroTik has a terminal mode and a terminal in the configuration utility, as I already wrote, in this respect I am only an advanced user; in a word, it was more convenient for me to "push buttons".
As it turned out, even finding mentions of ACLs and access lists in the RouterOS manual is problematic, and I don't really know whether "that's what it is called" or something else; in any case, cutting off excess traffic by MAC address before it is processed by the main CPU is possible in the Switch >> Rule section:

This is how the options window for the created rule looks; the required fields are Switch (from the list; in our case there is only one switch) and Ports (the physical interfaces of the switch):

And this is how the action window looks. It is worth noting that there is no Drop action here, but you can simply not send the packet to the CPU:

Separately, it is worth noting that switch rules have no ordering: they are all executed, so the order in which the rules are created does not matter.
Now we need to find out which MAC address we need to handle packets from. For this there is a wonderful tool in the configurator itself (there is also a web admin interface): PPP >> PPPoE Scan:

From here we take the Src MAC Address. The presence of Dst Address in my rule is rather excessive; it can be seen in the window of the intended input interface, but this is not necessary: Interfaces >> Interface >> the port of interest:

Next, we simply create an "empty" rule without the options for redirecting and copying to the CPU (the MAC protocol, in this case, is simply superfluous):

That's it, now it will work, but we will only be able to feel it: the WAN will still show the excess traffic (well, the switch did receive it).
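To make the two diagnostic steps above concrete (seeing which MAC addresses the flood comes from, and what an "empty" switch rule does to it), here is an added Python example; it is not code from the post or from MikroTik. It parses raw Ethernet frames, counts PPPoE discovery frames (PADI/PADO/PADR/PADS/PADT, as defined in RFC 2516) per source MAC, compares discovery bytes with PPPoE session bytes on the same port, and models a rule that matches a source MAC and neither copies nor redirects the frame to the CPU. All MAC addresses and frames are constructed sample data, not captures from the author's network.

```python
"""Per-source accounting of PPPoE discovery frames on an uplink, plus a model
of a switch-chip rule that keeps matched frames away from the CPU.
Added example; the frames and MAC addresses below are constructed."""
import struct
from collections import Counter

ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864
ETHERTYPE_IPV4 = 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"
# PPPoE discovery codes from RFC 2516
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def build_frame(dst, src, ethertype, payload):
    """Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def build_pppoe_discovery(code, tags=b""):
    """PPPoE header: version/type byte 0x11, code, session id 0, payload length."""
    return struct.pack("!BBHH", 0x11, code, 0, len(tags)) + tags


def parse_frame(frame):
    """Return dst, src, ethertype and (for PPPoE discovery) the code name,
    or None for something too short to be an Ethernet frame."""
    if len(frame) < 14:
        return None
    rec = {
        "dst": mac_to_str(frame[0:6]),
        "src": mac_to_str(frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "code": None,
    }
    if rec["ethertype"] == ETHERTYPE_PPPOE_DISCOVERY and len(frame) >= 20:
        ver_type, code, _session, plen = struct.unpack("!BBHH", frame[14:20])
        # only accept a well-formed header: version 1, type 1, length within the frame
        if ver_type == 0x11 and plen <= len(frame) - 20:
            rec["code"] = PPPOE_CODES.get(code, f"unknown(0x{code:02x})")
    return rec


def discovery_by_source(frames):
    """Count PPPoE discovery frames per source MAC and per discovery code."""
    per_src, per_code = Counter(), Counter()
    for frame in frames:
        rec = parse_frame(frame)
        if rec and rec["code"]:
            per_src[rec["src"]] += 1
            per_code[rec["code"]] += 1
    return per_src, per_code


def bytes_by_class(frames):
    """Bytes seen on the port, split into discovery / session / other traffic.
    A large discovery share with little session traffic is the flood pattern."""
    out = Counter()
    for frame in frames:
        rec = parse_frame(frame)
        if rec is None:
            continue
        if rec["ethertype"] == ETHERTYPE_PPPOE_DISCOVERY:
            out["discovery"] += len(frame)
        elif rec["ethertype"] == ETHERTYPE_PPPOE_SESSION:
            out["session"] += len(frame)
        else:
            out["other"] += len(frame)
    return out


def reaches_cpu(frame, blocked_src_macs):
    """Model of the 'empty' switch rule: a frame whose source MAC matches the
    rule is neither copied nor redirected to the CPU, so RouterOS never sees it.
    The switch port counters still count it, as the post observes."""
    rec = parse_frame(frame)
    return rec is not None and rec["src"] not in blocked_src_macs


# Constructed sample traffic (hypothetical MAC addresses).
ROUTER = "02:00:00:00:00:01"   # our WAN port
AC = "02:00:00:00:00:aa"       # provider's PPPoE access concentrator
NEIGHBOURS = ["02:00:00:00:00:b1", "02:00:00:00:00:b2", "02:00:00:00:00:b3"]

SAMPLE_FRAMES = []
# neighbours' routers broadcasting PADI (Service-Name tag with empty value), four each
for mac in NEIGHBOURS:
    for _ in range(4):
        SAMPLE_FRAMES.append(build_frame(BROADCAST, mac, ETHERTYPE_PPPOE_DISCOVERY,
                                         build_pppoe_discovery(0x09, b"\x01\x01\x00\x00")))
# the access concentrator answering our own PADI, then our session traffic
SAMPLE_FRAMES.append(build_frame(ROUTER, AC, ETHERTYPE_PPPOE_DISCOVERY,
                                 build_pppoe_discovery(0x07)))
SAMPLE_FRAMES.append(build_frame(ROUTER, AC, ETHERTYPE_PPPOE_SESSION, bytes(60)))
# one unrelated IPv4 frame on the same port
SAMPLE_FRAMES.append(build_frame(ROUTER, AC, ETHERTYPE_IPV4, bytes(40)))

if __name__ == "__main__":
    per_src, per_code = discovery_by_source(SAMPLE_FRAMES)
    print("discovery frames per source MAC:", dict(per_src))
    print("discovery frames per code:", dict(per_code))
    print("bytes by class:", dict(bytes_by_class(SAMPLE_FRAMES)))
    blocked = set(NEIGHBOURS)
    kept = sum(reaches_cpu(f, blocked) for f in SAMPLE_FRAMES)
    print(f"frames reaching the CPU with the neighbours' MACs blocked: {kept}/{len(SAMPLE_FRAMES)}")
```

Run as a script to see the per-MAC breakdown; on a real capture you would feed `parse_frame` the raw frames from a sniffer on the WAN port instead of `SAMPLE_FRAMES`. The source-MAC match that `reaches_cpu` models is the same thing the Src. MAC Address field of the Switch >> Rule window expresses; RouterOS also exposes these rules on the command line under /interface ethernet switch rule (treat that path as an assumption if your RouterOS version differs).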

Curtain, credits, postscript


Further on there will only be developments with the provider (if any); you will not find anything technically curious here (however, I warned at the start that the article would be more interesting to Akado users who have absorbed Akado's attitude towards the customer and understand that, in general, it's a mess).
That's all: I sit with my megabits, and Akado is going to carefully study, for 2 months, my complaint that it is extremely difficult to even extract the data critical for setting this up, and that it is simply not nice to mess up the local network (which is not the client's business)... By the way, even now they can't post my instructions on how to fix the problem on their site, at least in the question and answer section, and for many of their users the problems themselves will most likely remain inexplicable glitches that neither technical support nor the emergency worker who comes can explain. For some reason I wrote this post, and a link to it (if it ever sees the light of day as a public article) will appear on the MikroTik forum, where they could not help me right away, and on my favourite provider's forum, where I have not seen a single answer.

A small PS: people (including Habr), be kinder and simpler, and please don't spoil my karma any further...
