
What is AirMax priority?

From UBNT:

airMAX Priority is a setting which can be changed on station devices in an airMAX network. This option can be found on the airMAX logo tab.

It defines the number of time slots (or amount of airtime) assigned to each client. By default the AP gives all active clients the same amount of time. However, if the clients are configured with different priorities, the AP will give clients more or less time, depending on the priority. For the best performance, an airMAX network whose clients have the best signals should receive the higher priorities, while clients with poorer signals should have less/no priority.

Note: airMAX Priority only functions when multiple clients have it enabled.

airMAX Priority options include:

–  High 4 time slots (4:1 ratio)
–  Medium 3 time slots (3:1 ratio)
–  Low 2 time slots (2:1 ratio)
–  None 1 time slot (Default setting for clients; 1:1 ratio)

Clients with a higher priority have access to more of the AP’s airtime, providing higher possible throughput and lower latency when sharing with other active clients.

For example, if there are 3 clients, 1 set to None, 1 set to Medium, and 1 set to High, the None client will get 1 time slot, the Medium client will get 3 time slots, and the High client will get 4 time slots.


Protecting your Mikrotik from DNS Amplification

There are several reasons and benefits to using your Mikrotik as a DNS caching server. Lookups for clients are just a tad faster, which makes the overall user experience seem snappier. It also allows you to quickly change upstream DNS servers in the event of an outage, attack, etc.

There are two main avenues to think about when protecting your Mikrotik from DNS amplification.

The first is the incoming port 53 requests to the router. You only want your customers to have access to query the Mikrotik. In a simple scenario we have this:

[Diagram: basic]

ether1 is our upstream ISP connection. Customers are on the other ports. In this case, if we want to block all port 53 requests from the outside world, we specify the WAN interface in the drop rules below:

/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop

This will still allow your Mikrotik to send out DNS queries, because they are sourced from a non-reserved port: the replies come back addressed to that port rather than to port 53, so the drop rules do not match them. We are simply blocking the Mikrotik from answering port 53 requests on the external interface.
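One way to audit an exported rule set for the condition described above, as an added example that is not part of the original post: it reports which of UDP and TCP port 53 would still be answered on the WAN interface, taking rule order into account. The function names and the sample export are constructed for illustration; only the matchers listed in `KNOWN` are modelled, and negated values and jump targets are not followed.

```python
import shlex

# Constructed sample export (not from a real router): the TCP rule names the wrong interface.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether2 protocol=tcp dst-port=53 action=drop
"""

BLOCKING = {"drop", "reject", "tarpit"}
NON_TERMINAL = {"log", "passthrough", "add-src-to-address-list", "add-dst-to-address-list"}
KNOWN = {"chain", "action", "in-interface", "protocol", "dst-port",
         "connection-state", "comment", "disabled"}

def parse_filter_rules(export_text):
    """Return the 'add' lines under /ip firewall filter as dicts, in rule order."""
    rules, in_section = [], False
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith("/"):
            in_section = line == "/ip firewall filter"
        elif in_section and line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return rules

def covers(spec, port):
    """True if a dst-port value such as '53', '53,123' or '50-60' includes port."""
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (p.partition("-") for p in spec.split(",")))

def first_action(rules, wan, proto, port=53):
    """Action of the first input rule that a new proto/port packet on wan would hit."""
    for r in rules:
        action = r.get("action", "accept")
        if (r.get("chain") != "input" or r.get("disabled") == "yes"
                or action in NON_TERMINAL or r.get("in-interface", wan) != wan
                or r.get("protocol", proto) != proto
                or ("dst-port" in r and not covers(r["dst-port"], port))
                or "new" not in r.get("connection-state", "new").split(",")):
            continue
        if action in BLOCKING and set(r) - KNOWN:
            continue  # a drop narrowed by a matcher we do not model may not apply
        return action
    return "accept"  # RouterOS accepts input packets that no rule matches

def exposed_protocols(export_text, wan):
    """Protocols for which port 53 on the WAN interface is not blocked first."""
    rules = parse_filter_rules(export_text)
    return [p for p in ("udp", "tcp") if first_action(rules, wan, p) not in BLOCKING]
```

An empty list from `exposed_protocols(export_text, "ether1")` means both protocols are blocked on that interface; the constructed sample returns `["tcp"]`.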

In a later post we will talk about what to do if you have multiple WAN interfaces or multiple exit paths on your router (say, running OSPF).