Archive for the Category » random «

Thursday, September 17th, 2015
  • Part 1 – Introduction – Setting up Simple Queues (This post)
  • Part 2 – Reliably Identifying traffic – Setting up Mangle Rules (Coming Soon TM)
  • Part 3 – Priorities and Limits – Setting up Queue Trees (Coming Soon TM)
  • Part 4 – Monitoring Usage – Redefining Queues – Limiting Abusive Devices (Coming Soon TM)
  • Part 5 – ??? Profit ???


The first problem one usually comes across after being tasked with improving an Internet connection is that the connection is overutilised. Typically nobody knows why, who, or what is causing the problem – except of course everyone blames the ISP. Sometimes it is the ISP – but typically you can’t prove that without having an alternative connection immediately available. I currently manage or help manage four “sites/premises” that use QoS to manage their Internet connectivity. One is my workplace, two are home connections, and the last one is a slightly variable one – usually just a home connection but alternatively, for a weekend every few months, it becomes a 140-man (and growing) LAN. Fun. 🙂

MikroTik and RouterOS

MikroTik's RouterOS is very powerful in the right hands. Many other routers support QoS, but not with the fine-grained control MikroTik provides. Alternatively you could use other Linux-based router OSes, such as DD-WRT, Smoothwall, Untangle, and so forth. Most of these typically require that you have a spare server lying about or a compatible hardware router. MikroTik sells RouterBoards that have RouterOS built in, and they are relatively inexpensive.

My experience with routers is primarily with Cisco and MikroTik, and my experience with QoS is primarily with Allot's NetEnforcer/NetXplorer systems and MikroTik. The most popular MikroTik devices in my experience (other than their dedicated long-range wireless devices) have been their rb750 (new version named "hEX") and rb950-based boards. They have many others available and are relatively inexpensive. In historical comparison with Cisco's premium devices, I've tended to describe MikroTik's devices as "90% the features at 10% the cost". As this guide is aimed primarily at SME/Home use, inexpensive makes more sense. If you're looking at getting a MikroTik device, note that MikroTik routers do not typically include DSL modems, so your existing equipment is typically still necessary. Note also that this is not a tutorial on setting up a MikroTik device from scratch. There are plenty of guides available online for that already.

Theory into practice – first steps

To set up QoS correctly, you need to have an idea of a policy that takes into account the following:

  • The overall connection speed
  • How many users/devices will be using the connection
  • The users/devices/services/protocols that should be prioritised for latency and/or throughput

To achieve the above in my examples, I will assume the following:

  • The MikroTik is set up with the default network configuration where the local network is and the Internet connection is provided via PPPoE.
  • The connection speed is 10/2Mbps (10 Mbps download speed; 2 Mbps upload speed)
  • There will be 5 users with as many as 15 devices (multiple computers/tablets/mobile phones/WiFi etc)
  • Typical downloads require high priority for throughput but low priority for latency
  • Gaming/Skype/Administrative protocols require high priority for both latency and throughput
  • No users are to be prioritised over others

The first and probably quickest step is to set up what RouterOS refers to as a Simple Queue.

I’ve made a short script that I have saved on my MikroTik devices to set up the simple queues. It is as follows:

# One Simple Queue per LAN host; max-limit is upload/download, in that order
:for x from 1 to 254 do={
 /queue simple add name="internet-usage-$x" dst="pppoe" max-limit=1900k/9500k target="192.168.88.$x"
}

What the above does is limit the maximum speed any individual device can use to "1900k" (1.9 Mbps) upload and "9500k" (9.5 Mbps) download.


  • The reason the max limits are at 95% of the line's maximum speed is that this guarantees no single device can fully starve the connection and negatively affect the other users. With a larger user base I would tighten this limit further. For example, with 100 users on a 20Mb service I might set this limit to 15Mb or even as little as 1Mb. This is entirely dependent on how "abusive" the users are and, as you figure out where and how much abuse occurs, you can adjust it appropriately.
  • The prefix “internet-usage” in the name parameter can be customised. Typically I set these to refer to the premises name. For example, with premises named “alpha” and “beta”, I will typically put “internet-alpha” and “internet-beta”. This helps with instinctively differentiating between sites.
  • The dst parameter has “pppoe” in the example. This should be substituted with the name of the interface that provides the Internet connection.

Ensure you customise the script to be appropriate to your configuration. Save the script to the MikroTik and run it – or paste it directly into the MikroTik’s terminal to execute it.
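To adapt the script to other premises, WAN interfaces and line speeds without editing it by hand, here is an added Python generator (not the post's own code; the function and parameter names are my own) that computes the per-device cap as a fraction of the line speed (95% as above, or lower for larger user bases) and emits the same :for loop for any IPv4 /24 to /30.

```python
"""Generate the per-device Simple Queue script from site parameters.

Added example, not code from the original post. Function and parameter
names are mine; the RouterOS command shape mirrors the script above.
"""
import ipaddress


def limit_kbps(mbps: float, fraction: float) -> int:
    """Scale a line speed in Mbps by `fraction` and return whole kbps."""
    return int(round(mbps * 1000 * fraction))


def max_limit(down_mbps: float, up_mbps: float, fraction: float = 0.95) -> str:
    """Build the max-limit value; RouterOS expects upload/download order."""
    return f"{limit_kbps(up_mbps, fraction)}k/{limit_kbps(down_mbps, fraction)}k"


def simple_queue_script(prefix: str, wan_if: str, subnet: str,
                        down_mbps: float, up_mbps: float,
                        fraction: float = 0.95) -> str:
    """Return a RouterOS :for loop adding one Simple Queue per host address.

    `prefix` is the premises name used in the queue names, `wan_if` the
    interface carrying the Internet connection (the post's "pppoe"), and
    `fraction` the per-device share of the line (95% in the post).
    """
    net = ipaddress.ip_network(subnet, strict=True)
    # The loop iterates over the last octet only, so restrict to /24../30.
    if net.version != 4 or not 24 <= net.prefixlen <= 30:
        raise ValueError("subnet must be an IPv4 /24 to /30")
    hosts = list(net.hosts())
    base = str(net.network_address).rsplit(".", 1)[0]
    first, last = hosts[0].packed[3], hosts[-1].packed[3]
    limit = max_limit(down_mbps, up_mbps, fraction)
    return (
        f":for x from {first} to {last} do={{\n"
        f'  /queue simple add name="{prefix}-$x" dst="{wan_if}" '
        f'max-limit={limit} target="{base}.$x"\n'
        "}"
    )


if __name__ == "__main__":
    # The post's own scenario: 10/2 Mbps line, default 192.168.88.0/24 LAN.
    print(simple_queue_script("internet-usage", "pppoe", "192.168.88.0/24", 10, 2))
```

Paste the printed output into the MikroTik terminal, or save it as a script, exactly as with the hand-written version.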

In my next post I will go over setting up what RouterOS refers to as Mangle rules. These rules serve to identify/classify the network traffic in order to make finer-grained QoS possible.

Thursday, September 17th, 2015

Privacy, Time, Money

I don’t like debit orders. I’ve never liked the idea that another entity can, at will, take almost any amount of my money (well … whatever’s available). A colleague pointed out the issue with MTN would have been avoided had I been using a debit order. Maybe the “convenience” factor isn’t such a bad thing.

I suppose the penultimate question here is whether or not you want the convenience and can trust institutions (in this case with your money) – or if you can’t trust them and are willing to forgo that convenience. In my case, even though I still question the convenience, I learned the hard way with MTN that it doubly can be inconvenient to have your connected world reduced to “remote island” status. Almost everyone today goes with the convenience factor.


On the other hand, quite a long time ago now, I had a dispute with Planet Fitness where convenience was a double-edged sword. I reported their business practice to the Consumer Complaints Commission (since re-organised as the National Consumer Commission) and never got feedback from them. The gist of the issue is that Planet Fitness's sales agent lied to me and a friend in order to get more commission/money out of my pocket.

I’m a Discovery Vitality member which gives many benefits, including reduced rates on Premium brands – mostly health-related of course, as Discovery is a Medical Aid/Health Insurance provider. To put it simply, Discovery is awesome. Vitality’s benefits cover gym memberships which further includes Planet Fitness. You still have to pay something, a small token of sorts, to Discovery, for the gym membership. But, after all, they WANT me to be healthy, so they don’t mind footing the bulk of the bill. But, apparently, this means Planet Fitness’ sales agents don’t get the commission!

So what does this result in? The result is that PF's sales agent gave me an inflated figure for a "Vitality-based" membership. He lied. He then had me sign on the dotted line for an inflated price of a "regular" membership (yes, it was actually more than even a regular membership would have cost), ending up at between 4 and 5 times as much as the Vitality-based membership.


Some time in 2011 I finally wised up to the costs I was supposed to be paying. Discovery, I am sure, wouldn't be too happy about this fiasco. I spoke to the Manager at the gym, and I was assured that the entire contract would be scrapped. I'm not one for violence … unless it's for sport … in an Octagon … but after my 5th visit to the Manager to ask why the Debit Orders were still happening, he told me he was surprised I hadn't brought weapons with me for the visit. After a few more visits, the Manager had actually left Planet Fitness and explained to me that the "contract" was between myself and Head Office and that the local gym, apparently a franchise-style operation, had little to no say about whether or not it could be cancelled. If Head Office said no, tough luck.

By this point I'd lost it. I had my bank put a stop to the debit orders. It was a huge schlep: I had to contact the bank every month because the debit order descriptions would change ever so slightly. It also cost me a little every couple of months to "reinstate" the blocking service. I can't help but think the banking system supports regular expressions but the staff don't necessarily know how to use them.

Technically I’m still waiting on the CCC to get back to me (never happened – and of course they were re-organised as mentioned above so the case probably fell through the cracks). Of course, by that point PF also wanted to blacklist me for not paying!

The Unexpected Hero

A haphazard mention of the issue to Discovery (I think I called them about a dentist visit) resulted in a callback by one of Discovery’s agents. They then asked me to describe the problem, in detail and in writing, to better explain from my perspective what had really happened. I obliged. It turns out I was right about them not being “too happy” about it. In fact they really didn’t like it. About three weeks later, Planet Fitness refunded me in FULL for all monies that had ever been paid to them.

Discovery is Awesome. 🙂

Monday, October 29th, 2012

It appears that, in infinite wisdom, Google have a security feature that can block an application from accessing or using your Google account. I can see how this might be a problem for Google's users, in particular their GTalk and Gmail users. In my case it was Pidgin having an issue with the Jabber service (which is technically part of GTalk). I found the solution after a little digging. I was surprised at how old the issue was and how long this feature has existed!

To unlock the account and get your application online, use Google’s Captcha page here.

Wednesday, June 08th, 2011

I did a full update on my personal server at home as one is bound to do, often, with Arch. It’s a headless server so there’s always that slight anxiety concerning whether or not I have to connect a keyboard/monitor when things don’t just work. The wish was not granted today:

Arch Linux started booting up normally and init started runlevel 3, where it begins loading daemons:

:: Adjusting Hardware Clock     [Busy]

And that's where it just hangs. No further. Ctrl+Alt+Del works, single user mode works, but standard runlevel 3 will not. It turns out that the cause is a bug between hwclock and the server's hardware clock. The backup battery on the motherboard, powering the CMOS memory and, subsequently, the hardware clock, is dead. While the system is powered up the battery isn't needed; however, since the hardware clock knows it has reset, it won't tick until we tell it what the time is. Counter to this, when hwclock starts it waits for a clock tick in order to know whether the hardware clock's rate of progress is good. Catch-22.

The solution in my case was to go into single user mode where I could disable hwclock in /etc/rc.conf. I've been using ntpd to keep the system time in sync, which works just fine. I'm not too bothered with whether or not the hardware clock is right; I just want the live system's clock to be right. It will still be a good idea to get a replacement battery since, until that's done, every time the server boots it will think it's back in 1997.

Friday, September 24th, 2010

The upgrade to WordPress 3 was long overdue (as are many draft articles). Surprisingly, nothing looks different since the upgrade has been completed, though I also would not be surprised if I’ve missed an important plugin breakage.

I’ll be spending a day this weekend solely on polishing the site and finishing up some articles. You have something to look forward to. 🙂